Forensics tool to determine files accessed: Windows 2003 server, Windows 7 client

Posted on 2013-09-21
Last Modified: 2013-09-23
I have a client that needs to determine if a user accessed specific files/folders on a Windows 2003 server, using a Windows 7 client to access the data.

I need a utility to query either the client or the server and generate a report to determine when/if the user accessed the data.
Question by: jlavery

Expert Comment

by:Giovanni Heward
ID: 39512364
And did your client enable auditing on the target file(s) and folder(s)?

Author Comment

ID: 39512367

Author Comment

ID: 39512368
Actually, not certain.
Author Comment

ID: 39512370
How do I verify that?
Auditing is an option under Security for the folders in question.

Expert Comment

by:Giovanni Heward
ID: 39512371
If not, you may be limited to MRU lists on the Windows 7 client machine, temp files, and the like.

Accepted Solution

Rob Miners earned 2000 total points
ID: 39512397
Nirsoft has this little app that, when opened, will give you the last month's activity on a system, from Windows 2000 up to Windows 8.

LastActivityView v1.03

Download LastActivityView: http://www.nirsoft.net/utils/lastactivityview.zip

LastActivityView is a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer. The activity displayed by LastActivityView includes: Running .exe file, Opening open/save dialog-box, Opening file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more...
You can easily export this information into csv/tab-delimited/xml/html file or copy it to the clipboard and then paste into Excel or other software.

Expert Comment

ID: 39512560
Enable auditing for "object access" in local policy or GPO. You can check out the below.

Specifically, with audit enabled, on NT5 systems (Windows Server 2003 and prior), event codes 560 (open object) and 562 (close object) are produced. On NT6 systems (Windows Server 2008 and later), codes 4656 (open object) and 4658 (close object) are created. The person who is accessing the resource, the resource itself and the program used to access the resource are all available. In addition, the Logon ID is available. If you have Account Logon Audit turned on, then a logon EventCode (528, 540, 4624) will have been logged from the same machine with the same Logon ID. In addition, you can see how long the file was opened by looking for a corresponding close from the same host with the same Handle ID.


It can be tough to trace if audit is not enabled, though; the links are good places to start sieving through the bits and pieces. The tool called CleanAfterMe lists out the below (but I don't think you are cleaning it, since it is evidence...)


Windows Explorer
  • Recently opened files from Windows Explorer
  • Network Shortcuts
  • Items recently ran from the "Run" bar
  • ComDlg32 recently opened/saved files
  • ComDlg32 recently opened/saved folders
  • Recent Docs
  • EXE to main window title cache
  • User Assist

Windows General
  • Temp folder
  • Recycle Bin
  • Last logged on user
  • Event logs
  • Last key edited by RegEdit
  • List of installed USB devices, both connected and unconnected
  • List of installed USB storage devices
  • SetupAPI Device Log
  • Windows Prefetch
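
The correlation the comment above describes (open 560/4656 paired with close 562/4658 on the same host and Handle ID, and the Logon ID tied back to a 528/540/4624 logon) is shown below as an added example; it is not code from this thread or from any tool named in it. It assumes the Security log has already been exported to CSV with the constructed column layout in `SAMPLE_CSV`; the column names, host names, users, paths and handle values are all made up for the example.

```python
"""Correlate Windows object-access audit events into per-file access sessions.

Added example, not code from the thread or from any tool named in it. It
assumes the Security log has already been exported to CSV with the columns
in SAMPLE_CSV (a constructed layout) and applies the rules in the comment:
  NT5 (Server 2003 and earlier): 560 = open object, 562 = close object
  NT6 (Server 2008 and later):   4656 = open object, 4658 = close object
  Logon events 528 / 540 / 4624 carry the Logon ID that ties an access to a session.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

OPEN_IDS = {560, 4656}
CLOSE_IDS = {562, 4658}
LOGON_IDS = {528, 540, 4624}

# Constructed sample export. The close events deliberately carry no object
# name, which is why open/close pairing has to go through the Handle ID.
# The 09:15:00 close has no matching open (an audit gap) and is skipped.
SAMPLE_CSV = r"""time,event_id,computer,user,logon_id,handle_id,object_name,process
2013-09-20 08:01:05,540,FS01,jdoe,0x1A2B3,,,
2013-09-20 08:02:10,560,FS01,jdoe,0x1A2B3,0x3F8,D:\Shares\Finance\budget.xlsx,System
2013-09-20 08:07:42,562,FS01,jdoe,0x1A2B3,0x3F8,,System
2013-09-20 08:09:00,560,FS01,jdoe,0x1A2B3,0x410,D:\Shares\Finance\payroll.xlsx,System
2013-09-20 09:15:00,562,FS01,jdoe,0x1A2B3,0x7FF,,System
2013-09-20 09:30:00,4624,FS02,asmith,0x55E1,,,
2013-09-20 09:31:12,4656,FS02,asmith,0x55E1,0x9C0,D:\Shares\HR\review.docx,System
2013-09-20 09:32:00,4658,FS02,asmith,0x55E1,0x9C0,,System
"""


@dataclass
class Event:
    time: datetime
    event_id: int
    computer: str
    user: str
    logon_id: str
    handle_id: str
    object_name: str
    process: str


def parse_csv(text: str) -> list:
    """Parse the constructed CSV layout into Event records."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(Event(
            time=datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            event_id=int(row["event_id"]),
            computer=row["computer"], user=row["user"], logon_id=row["logon_id"],
            handle_id=row["handle_id"], object_name=row["object_name"],
            process=row["process"],
        ))
    return events


def _session(opened: Event, closed: Optional[datetime], logon_time: dict) -> dict:
    """Build one access record from an open event and its (possibly missing) close."""
    return {
        "computer": opened.computer, "user": opened.user,
        "logon_id": opened.logon_id, "logon_time": logon_time.get(opened.logon_id),
        "object_name": opened.object_name, "process": opened.process,
        "opened": opened.time, "closed": closed,
        "seconds_open": None if closed is None else int((closed - opened.time).total_seconds()),
    }


def correlate(events: list) -> list:
    """Pair each open with its close (same host, same Handle ID) and attach the logon."""
    logon_time = {}    # logon_id -> time of the first logon event seen for it
    open_handles = {}  # (computer, handle_id) -> the open Event still outstanding
    sessions = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id in LOGON_IDS:
            logon_time.setdefault(ev.logon_id, ev.time)
        elif ev.event_id in OPEN_IDS:
            open_handles[(ev.computer, ev.handle_id)] = ev
        elif ev.event_id in CLOSE_IDS:
            opened = open_handles.pop((ev.computer, ev.handle_id), None)
            if opened is None:
                continue  # close without a seen open: log rollover or audit gap
            sessions.append(_session(opened, ev.time, logon_time))
    # Handles never closed within the exported log are still reported, with closed=None
    for opened in open_handles.values():
        sessions.append(_session(opened, None, logon_time))
    sessions.sort(key=lambda s: s["opened"])
    return sessions


def accesses_by(sessions: list, user: str, path_prefix: str = "") -> list:
    """The question in the thread: did this user open anything under this path, and when?"""
    user, prefix = user.lower(), path_prefix.lower()
    return [s for s in sessions
            if s["user"].lower() == user and s["object_name"].lower().startswith(prefix)]


if __name__ == "__main__":
    for s in accesses_by(correlate(parse_csv(SAMPLE_CSV)), "jdoe", r"D:\Shares\Finance"):
        print(f'{s["opened"]}  {s["user"]:8} {s["object_name"]}  closed={s["closed"]}  '
              f'open_for={s["seconds_open"]}s  logon={s["logon_time"]}')
```

Keying the outstanding opens on (host, Handle ID) rather than on the object name matters because the close events carry only the handle; a close with no matching open is dropped rather than guessed, and an open that never closes inside the export is still reported so the reviewer can see the file was touched even if the log rolled over before the close.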

Author Closing Comment

ID: 39515199
Actually found this utility on my own, but giving it to him/her.

Expert Comment

by:Rob Miners
ID: 39515806
Good to see that you have it sorted out. :)
