files accessed by user

Is there an easy way to get a report of all files accessed/opened by a user on a Windows 2008 file server from a Windows 2008 Citrix server (i.e. a WYSE terminal, no laptop)? Where could evidence be pulled from, on either system? I highly suspect, due to the number of users and files, that the local security policy's audit configuration is not capturing files accessed/opened, but I can check.
pma111Asked:
KimputerCommented:
Open files can be seen in the GUI: Start > compmgmt.msc > System Tools > Shared Folders > Open Files.
Here you can sort on computer name/username/filename.

Alternatively, there's the command openfiles, but I like the GUI better. http://technet.microsoft.com/en-us/library/bb490961.aspx
Manjunath SulladTechnical ConsultantCommented:
Open Server Manager --> click Roles – File Services – Share and Storage Management. Choose Action and then Manage Open Files.
pma111Author Commented:
"Open files can be seen in the GUI, start > compmgmt.msc > systemtools > shared folders > open files
Here you can sort on computer name/username/filename"

Is that only for currently open files? As opposed to a history log of all files opened by a user on a given day?
pma111Author Commented:
All of these seem geared towards a list of currently open files, whereas we need a list of all files a user opened at any time during a specific day.
btanExec ConsultantCommented:
Probably a simple tool on last activity, focused on file operation events, may help:
http://www.nirsoft.net/utils/computer_activity_view.html

Also, AFind lists files by their last access time without tampering with the data the way that right-clicking on file properties in Explorer will. AFind allows you to search for access times between certain time frames; coordinating this with logon info provided by NTLast, you can begin to determine user activity even if file logging has not been enabled.
http://www.mcafee.com/sg/downloads/free-tools/forensic-toolkit.aspx

But Windows does have the audit policy, specifically "Audit object access". Simply enabling the policy option is not enough. It is also required to designate exactly which folders are to be watched. Usually we require auditing of shared documents and business application data folders (accounting, warehouse databases and so on), i.e., resources accessible for editing by multiple users.

E.g., since it's not possible to guess who has tampered with the data, we configure auditing for the Everyone system group. Thus, information about any user having deleted a watched object is captured and stored in the event log. In fact, it's easy to recover the deleted items from Shadow Copies (Previous Versions) or the daily backup.

E.g., do not consider all deletes to be done on purpose. This action is frequently used as part of normal business application functionality. For instance, during Save command execution, Microsoft Office suite software first creates a new temporary file, saves the document to it, then deletes the original document from disk.

It is highly possible that there will be too many events listed, so it is a good idea to configure the Security event log settings. Frankly, the log sizes recommended above are not calculated by any formula but are to be chosen depending on the particular computer's usage experience.

http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx
pma111Author Commented:
Thanks btan, is there anything in the top 2 tools to determine which user accessed the files, or is it just reporting on last access by "someone"?
KimputerCommented:
Mostly discussed here is enabling auditing. This means your Security log in the Event Viewer will show ALL activity, but in order of events. You want a different type of report, probably one that needs to run through the whole Security log (which will be big) to generate something you like. This tool I have not seen yet (probably in the paid software area).
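Pulling btan's audit advice and Kimputer's remark together: an added example (not from this thread, nor either commenter's code) that enables object-access auditing on a share and then runs through the Security log to produce the per-user, per-day file report the question asks for. Assumes Windows Server 2008 with PowerShell 2.0 (for Get-WinEvent) run as an administrator on the file server; the folder, account and date are placeholders.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008 with PowerShell 2.0
# (Get-WinEvent), run as an administrator on the file server. Folder, account and
# date are placeholders to replace.
$Folder = 'D:\Shares\Finance'          # placeholder: share to audit
$User   = 'CONTOSO\jdoe'               # placeholder: account to report on
$Day    = Get-Date '2014-03-10'        # placeholder: day to report

# 1. Enable the "File System" subcategory of Audit object access, success and failure.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL on the folder so reads, writes and deletes by anyone generate events
#    (audit Everyone, as btan's comment suggests, since the actor is not known up front).
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone', 'ReadData,WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles',
    'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Give the Security log room: 4663 events arrive in volume on a busy share.
Limit-EventLog -LogName Security -MaximumSize 1GB -OverflowAction OverwriteAsNeeded

# 4. Report: each distinct file the account touched on that day, from 4663 events.
function Get-UserFileAccess {
    param([string]$Account, [datetime]$Date)
    $filter = @{ LogName = 'Security'; Id = 4663;
                 StartTime = $Date.Date; EndTime = $Date.Date.AddDays(1) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Account = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object  = $d['ObjectName']
            Access  = $d['AccessMask']   # e.g. 0x1 = ReadData, 0x2 = WriteData, 0x10000 = Delete
        }
    } | Where-Object { $_.Account -ieq $Account } |
        Sort-Object Object -Unique | Select-Object Time, Account, Object, Access
}

Get-UserFileAccess -Account $User -Date $Day |
    Export-Csv -Path "$env:TEMP\file-access-$($Day.ToString('yyyyMMdd')).csv" -NoTypeInformation
```

Steps 1 to 3 only start recording from the moment they run, so, as the thread notes, this answers the question going forward rather than for a day already past.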
pma111Author Commented:
Enabling auditing is OK, but for the event we are seeking, is there anything that can be done without auditing?
btanExec ConsultantCommented:
For the LastActivityView tool, it grabs the activities pertaining to the current user logged into the machine, e.g. the files (with this tool executed in the current user login) opened or saved (from the standard Windows Open and Save dialogs, anyway). Probably it can be scripted as a login script and export CSV for each user... not as clean, but it does the grabbing as long as it is running in that user's login context. Importantly, LastActivityView doesn't need to be running to record this information. Rather, it assembles it from Registry keys and their "last modified" times, your event logs, prefetch files, crash dumps and more. One useful feature of LastActivityView is that you can quickly search for actions by filename, date and file path, allowing you to quickly find what you need.

Worth mentioning is the fact that LastActivityView does come with some limitations related to changes performed to registry keys for example, which could affect the accuracy of the displayed information. Some of these changes can be performed by the user, but even PC maintenance tools could remove records used by the program to display the activity log.

http://www.technibble.com/lastactivityview-create-a-log-of-the-last-actions-made-by-the-user/

For AFind, apparently it does not show the user, but it is useful for listing a file's last access time without changing it. So if there is a file of interest, you can do the trace back on the access time and correlate with LastActivityView, probably.
SirtenKenCommented:
The registry has a lot of tracking information in it. The question is whether your Citrix server will retain the information. If the user profiles haven't been cleaned from the server, you could parse through them to see what was accessed. See this SANS poster for the File creation/opening section, color coded in green: https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf. If you see NTUSER.dat files in the Citrix server user profiles, then you may have what you need. If there are any index.dat files, they may also reveal what a user was accessing. Collect a forensic image of the profiles, so that you can prove that any analysis done didn't change the data being analyzed. Tools like RegRipper can batch process a lot of registry information. See http://code.google.com/p/regripper/downloads/list. Some of the plugins that would help are recentdocs and shellbags; they're meant to work with 2008 R2. I suggest checking one of the copied profiles manually to see which artifacts show what you're looking for. It's not an easy way to pull a file report, but if you need the info and auditing isn't already there, then the default tracking in Windows could have some of this information.
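As an added example of the artifact SirtenKen's comment points to (not his code, and not RegRipper's recentdocs plugin): decoding the RecentDocs MRU from a copied NTUSER.DAT with PowerShell. Assumes the hive has already been copied off the Citrix server's profile, administrator rights to load it, and the placeholder paths shown; it covers RecentDocs only, not shellbags.

```powershell
# Added example, not from the thread. Work on a forensic COPY of the profile's
# NTUSER.DAT (path below is a placeholder); loading a hive needs administrator rights.
function ConvertFrom-RecentDocsEntry {
    # Each numbered RecentDocs value begins with the document name in UTF-16LE,
    # terminated by a 16-bit null; the trailing .lnk shell item is ignored here.
    param([byte[]]$Bytes)
    $end = 0
    while ($end + 1 -lt $Bytes.Length -and
           ($Bytes[$end] -ne 0 -or $Bytes[$end + 1] -ne 0)) { $end += 2 }
    [System.Text.Encoding]::Unicode.GetString($Bytes, 0, $end)
}

function Get-RecentDocs {
    param([string]$HivePath, [string]$MountName = 'FORENSIC_TMP')
    reg load "HKU\$MountName" $HivePath | Out-Null
    $key = $null
    try {
        $key = Get-Item -Path ("Registry::HKEY_USERS\$MountName\Software\Microsoft\Windows" +
                               "\CurrentVersion\Explorer\RecentDocs")
        # MRUListEx is an array of little-endian uint32 value names, most recent
        # first, terminated by 0xFFFFFFFF.
        $mru = $key.GetValue('MRUListEx')
        if (-not $mru) { return }
        for ($i = 0; $i + 3 -lt $mru.Length; $i += 4) {
            $idx = [BitConverter]::ToUInt32($mru, $i)
            if ($idx -eq 0xFFFFFFFF) { break }
            $raw = $key.GetValue("$idx")
            if ($raw) {
                New-Object PSObject -Property @{
                    Rank = $i / 4                           # 0 = most recently opened
                    Name = ConvertFrom-RecentDocsEntry $raw
                }
            }
        }
    } finally {
        if ($key) { $key.Close() }      # release the handle, or reg unload fails
        [gc]::Collect()
        reg unload "HKU\$MountName" | Out-Null
    }
}

# Constructed sample: "budget.xlsx" in UTF-16LE, the null terminator, then a few
# bytes standing in for the shell item; exercises the decoder without touching a hive.
$sample = [System.Text.Encoding]::Unicode.GetBytes('budget.xlsx') + [byte[]](0, 0, 0x14, 0, 0x32)
ConvertFrom-RecentDocsEntry $sample

# Against a copied hive (placeholder path):
Get-RecentDocs -HivePath 'E:\evidence\jdoe\NTUSER.DAT' | Sort-Object Rank | Format-Table -AutoSize
```

RecentDocs records order, not timestamps, so only the key's own last-write time dates the most recent entry; the per-day question still needs the audit log or LastActivityView-style correlation.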
btanExec ConsultantCommented:
To add, I find Autopsy useful as well, as it has an "Autopsy Forensic Browser" for live analysis mode with a connection to the target system (local or remote):
http://www.sleuthkit.org/autopsy/features.php
http://www.sleuthkit.org/autopsy/man/autopsy.html
Especially its File Analysis feature, which displays the target file under column headers that include "UID: The User ID of the file owner." and "GID: The Group ID of the file owner."
http://www.sleuthkit.org/autopsy/help/index.html
Also, its keyword search may come in handy, e.g. Autopsy will also prompt you to create a file of unallocated data if one does not exist. This obviously is useful for recovering deleted data. If a string is found in this file, Autopsy will also report the location in the original image.
Question has a verified solution.