forensics tool to determine files accessed windows 2003 server windows 7

have a client that needs to determine if a user accessed specific files/folders on a Windows 2003 server using a Windows 7 client to access the data.

need a utility to query either the client or the server and generate a report to determine when/if the user accessed the data.

Giovanni Heward Commented:
And did your client enable auditing on the target file(s) and folder(s)?
jlavery (Author) Commented:
actually not certain
jlavery (Author) Commented:
how do I verify that?
auditing is an option under security of the folders in question
Giovanni Heward Commented:
If not you may be limited to MRU lists on the Windows 7 client machine, temp files, and the like.
Rob Miners Commented:
NirSoft have this little app that, when opened, will give you the last month's activity on a system from Windows 2000 and up to Windows 8.

LastActivityView v1.03

LastActivityView is a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer. The activity displayed by LastActivityView includes: Running .exe file, Opening open/save dialog-box, Opening file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more...
You can easily export this information into csv/tab-delimited/xml/html file or copy it to the clipboard and then paste into Excel or other software.

btan (Exec Consultant) Commented:
Audit enable for "object access" in local policy or GPO. Can check out below

Specifically with audit enabled, on NT5 systems (Windows Server 2003 and prior), event codes 560 (open object) and 562 (close object) are produced. On NT6 systems (Windows Server 2008 and later), codes 4656 (open object) and 4658 (close object) are created. You can see the person who is accessing the resource, the resource itself and the program used to access the resource are all available. In addition, the Logon ID is available. If you have Account Logon Audit turned on, then a logon EventCode (528, 540, 4624) will have been logged from the same machine with the same Logon ID. In addition, you can see how long the file was opened by looking for a corresponding close from the same host with the same Handle ID.

Can be tough to trace if audit is not enabled though; the links are good places to start sieving the bits and pieces. The tool called CleanAfterMe lists out the below as much (but I don't think you are cleaning it, since it is evidence...)

Windows Explorer
Recently opened files from Windows Explorer
Network Shortcuts
Items recently ran from the "Run" bar
ComDlg32 recently opened/saved files
ComDlg32 recently opened/saved folders
Recent Docs
EXE to main window title cache
User Assist

Windows General
Temp folder
Recycle Bin
Last logged on user  
Event logs
Last key edited by RegEdit
List of Installed USB devices, both connected and unconnected
List of installed USB storage devices
SetupAPI Device Log
Windows Prefetch
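
The correlation described in the post above, as an added example that is not part of the thread or any participant's code: opens (560/4656) are paired with closes (562/4658) by host and Handle ID, and each access is tied to the logon event (528/540/4624) carrying the same Logon ID. The record layout, field names and sample events are constructed assumptions; a real Security log export has to be mapped into this form first.

```python
from datetime import datetime

# Event IDs named in the post above.
OPEN_IDS, CLOSE_IDS, LOGON_IDS = {560, 4656}, {562, 4658}, {528, 540, 4624}

# Constructed sample records (not real log data). Field names are a
# hypothetical normalized form of an exported Security log.
SAMPLE = [
    {"id": 540, "time": "2014-03-04 09:00:01", "host": "FS01", "user": "jdoe",
     "logon_id": "0x3e7a1", "source": "WIN7-PC12"},
    {"id": 560, "time": "2014-03-04 09:02:10", "host": "FS01", "user": "jdoe",
     "logon_id": "0x3e7a1", "handle": "0x5f4", "object": r"D:\Shares\HR\pay.xls"},
    {"id": 562, "time": "2014-03-04 09:07:40", "host": "FS01", "handle": "0x5f4"},
    # Handle 0x5f4 is reused for a later open that never gets a close.
    {"id": 560, "time": "2014-03-04 09:30:00", "host": "FS01", "user": "jdoe",
     "logon_id": "0x3e7a1", "handle": "0x5f4", "object": r"D:\Shares\HR\plan.doc"},
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(events):
    """Pair each open with its close (same host + Handle ID) and attach the
    origin of the session from the logon event with the same Logon ID."""
    logons, pending, report = {}, {}, []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["id"] in LOGON_IDS:
            logons[(ev["host"], ev["logon_id"])] = ev["source"]
        elif ev["id"] in OPEN_IDS:
            rec = {"user": ev["user"], "object": ev["object"],
                   "opened": parse_time(ev["time"]), "closed": None,
                   "seconds_open": None,
                   "source": logons.get((ev["host"], ev["logon_id"]))}
            # Handle IDs are reused, so track only the latest open per handle.
            pending[(ev["host"], ev["handle"])] = rec
            report.append(rec)
        elif ev["id"] in CLOSE_IDS:
            rec = pending.pop((ev["host"], ev["handle"]), None)
            if rec:  # a close without a logged open is ignored
                rec["closed"] = parse_time(ev["time"])
                rec["seconds_open"] = (rec["closed"] - rec["opened"]).total_seconds()
    return report

if __name__ == "__main__":
    for r in correlate(SAMPLE):
        print(r["user"], r["source"], r["object"], r["opened"], r["seconds_open"])
```

An access whose `closed` field stays `None` means no matching close was found in the exported range, not that the file is still open.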
jlavery (Author) Commented:
actually found this utility on my own but giving it to him/her..
Rob Miners Commented:
Good to see that you have it sorted out. :)