Imagine someone is trying to keep track of the files that another administrator opens on a Windows server by using NTFS auditing. File access is logged and, of course, log deletion gets logged, too.
Is it possible for an admin to circumvent logging by simply using a hex editor to open the whole drive and jump to a certain address and read out the file contents?
Let's say I know the filename and path and I know its content is plain text. Would I be successful in reading the content with WinHex without NTFS auditing logging me?
I see problems in finding the file in WinHex.