files accessed by user

Posted on 2014-08-19
Last Modified: 2014-09-05
Is there an easy way to get a report of all files accessed/opened by a user on a Windows 2008 file server from a Windows 2008 Citrix server (i.e. Wyse terminal, no laptop)? Where could evidence be pulled from on either system? I highly suspect, due to the number of users and files, that the local security policy audit configuration is not capturing files accessed/opened, but I can check.
Question by:pma111
Expert Comment by:Kimputer (LVL 37), ID: 40269656
Open files can be seen in the GUI, start > compmgmt.msc > systemtools > shared folders > open files
Here you can sort on computer name/username/filename

Alternatively, there's the command openfiles, but I like the GUI better. http://technet.microsoft.com/en-us/library/bb490961.aspx
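As an added example (not from Kimputer's comment or anywhere else in this thread), the openfiles output can be parsed as CSV from PowerShell and sampled at intervals, which gives a crude timeline of what a user had open during the day even before auditing is switched on. The server name FS01, the user name jsmith and the output path are assumptions. Only snapshots are captured, so a file opened and closed between two samples is missed; this is a stopgap, not a substitute for object-access auditing.

```powershell
# Added example: sample the file server's open-file table at intervals and
# append each snapshot, timestamped, to a CSV. Not part of the original thread.
# Assumptions: file server FS01, user jsmith, output C:\Temp\openfiles-log.csv.
# Run from an account that is an administrator on FS01. PowerShell 2.0 compatible
# (no Export-Csv -Append), which is what a 2008-era server typically has.
function Get-OpenFilesForUser {
    param(
        [string]$Server = 'FS01',      # hypothetical file server name
        [string]$User   = 'jsmith'     # sAMAccountName of the user of interest
    )
    $now = Get-Date
    # /fo csv gives a header row followed by one line per open handle; the
    # "Accessed By" column may or may not carry a domain prefix, so match the
    # tail. Drop any non-CSV status lines defensively before parsing.
    openfiles /query /s $Server /fo csv /v |
        Where-Object { $_ -match ',' } |
        ConvertFrom-Csv |
        Where-Object { $_.'Accessed By' -like "*$User" } |
        ForEach-Object {
            New-Object PSObject -Property @{
                SampledAt = $now
                Server    = $Server
                User      = $_.'Accessed By'
                OpenMode  = $_.'Open Mode'
                File      = $_.'Open File (Path\executable)'
            }
        }
}

# Sample every 60 seconds for 8 hours (480 samples) and append to the log.
$log = 'C:\Temp\openfiles-log.csv'
'"SampledAt","Server","User","OpenMode","File"' | Set-Content -Path $log
for ($i = 0; $i -lt 480; $i++) {
    Get-OpenFilesForUser -Server 'FS01' -User 'jsmith' |
        Select-Object SampledAt, Server, User, OpenMode, File |
        ConvertTo-Csv -NoTypeInformation |
        Select-Object -Skip 1 |          # drop the per-sample header row
        Add-Content -Path $log
    Start-Sleep -Seconds 60
}
```

The resulting CSV can be grouped by File to see first and last time each file was observed open for that user. Because SMB clients often close handles quickly, a 60-second interval will still miss short-lived opens; shorten the interval if the server can tolerate the extra RPC load.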
Expert Comment by:Manjunath Sullad (LVL 11), ID: 40269952
Open Server Manager-->Click Roles – File Services – Share and storage management.  Choose Action and then manage open files.
Author Comment by:pma111 (LVL 3), ID: 40269968
"Open files can be seen in the GUI, start > compmgmt.msc > systemtools > shared folders > open files
Here you can sort on computer name/username/filename"

Is that only for currently open files? As opposed to a history log of all files opened by a user on a given day?
Author Comment by:pma111 (LVL 3), ID: 40269971
All of these seem geared towards a list of currently open files, whereas we need a list of all files a user opened at any time during a specific day.
Accepted Solution by:btan (LVL 65, earned 1000 total points), ID: 40270336
Probably a simple tool on last activity, focused on file operation events, may help:
http://www.nirsoft.net/utils/computer_activity_view.html

Also, AFind lists files by their last access time without tampering with the data the way that right-clicking on file properties in Explorer will. AFind allows you to search for access times between certain time frames; coordinating this with logon info provided from NTLast, you can begin to determine user activity even if file logging has not been enabled.
http://www.mcafee.com/sg/downloads/free-tools/forensic-toolkit.aspx

But Windows does have the audit policy, and specifically "Audit object access". Simply enabling the policy option is not enough. It is also required to designate what folders exactly are to be watched. Usually, we require auditing shared documents and business application data folders (accounting, warehouse databases and so on), i.e., resources accessible for editing by multiple users.

E.g. since it's not possible to guess who has tampered with the data, we configure auditing for the Everyone system group. Thus, information about any user having deleted a watched object is captured and stored in the event log. In fact, it's easy to recover the deleted stuff from Shadow Copies (Previous Versions) or daily backup.

E.g. do not consider all the Deletes to be done on purpose. This action is frequently used as part of normal business application standard functionality. For instance, during Save command execution, Microsoft Office suite software first creates a new temporary file, saves the document to it, then deletes the original document from disk.

It is highly possible that there will be too many events listed, so it is a good idea to configure the Security event log settings. Frankly, the log sizes recommended above are not calculated by any formula but are to be chosen depending on particular computer usage experience.

http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx
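The two-part configuration btan describes (enable the audit policy, then put a SACL on the folders to be watched) as an added PowerShell example; this is not code from the thread or from the linked TechNet article. The folder path D:\Shares\Finance and the 1 GB log size are assumptions. It must run elevated on the file server itself, because the SACL and the Security log are local to the server that hosts the share, not to the Citrix server the user sits on.

```powershell
# Added example, not from the thread: turn on object-access auditing for one
# shared folder so that the Security log records who opened what.
# Assumptions: the share's local path is D:\Shares\Finance (hypothetical);
# run elevated on the file server.

$folder = 'D:\Shares\Finance'

# 1. Policy: the "File System" subcategory under Object Access must be enabled,
#    otherwise SACLs on folders are never evaluated and no 4663 events appear.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. SACL: audit Everyone (we cannot guess the user in advance) for reads,
#    writes and deletes, inherited by every file and subfolder.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Log capacity: auditing Everyone on a busy share is noisy. Enlarge the
#    Security log (1 GB here) and show the current retention settings so you
#    know how far back the log will reach before it wraps.
wevtutil sl Security /ms:1073741824
wevtutil gl Security

# 4. Verify: the folder's SACL should now list the Everyone audit entry.
(Get-Acl -Path $folder -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-List IdentityReference, FileSystemRights, InheritanceFlags, AuditFlags
```

Two caveats a practitioner should keep in mind: the SACL change only records accesses from this point on, so it does nothing for the day pma111 is asking about, and ReadData on a large tree generates one 4663 event per handle per access type, which is why step 3 matters. Auditing failures as well as successes is cheap and catches users probing folders they cannot open.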
Author Comment by:pma111 (LVL 3), ID: 40271954
Thanks btan, is there anything in the top 2 tools to determine which user accessed the files or is it just reporting on last access by "someone".
Expert Comment by:Kimputer (LVL 37), ID: 40271978
Mostly discussed here is enabling auditing. This means your security log in the Event Viewer will show ALL activity, but in order of events. You want a different type of report, probably one that needs to run through the whole security log (which will be big) to generate something you like. This tool I have not seen yet (probably in the paid software area).
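The report Kimputer describes, one user, one day, distinct files, can be produced without paid software once object-access auditing is on. The following is an added example, not code from the thread: it pulls event 4663 ("An attempt was made to access an object") from the file server's Security log for a single day, extracts the subject and object fields from the event XML, and collapses the per-handle noise into one row per file. The server name FS01, user name jsmith and output path are assumptions.

```powershell
# Added example, not from the thread: per-user, per-day file access report
# built from Security log event 4663 on the file server.
# Assumptions: auditing is already enabled on the share, the file server is
# FS01 and the user is jsmith (both hypothetical). Run with rights to read the
# remote Security log (Event Log Readers group or local admin on FS01).

function Get-FileAccessReport {
    param(
        [string]  $ComputerName = 'FS01',
        [string]  $User,                        # sAMAccountName, e.g. jsmith
        [datetime]$Day = (Get-Date).Date        # midnight of the day of interest
    )

    # Filter on the server side by log, event ID and time window; pulling the
    # whole Security log over the network and filtering afterwards is far slower.
    $filter = @{
        LogName   = 'Security'
        Id        = 4663
        StartTime = $Day
        EndTime   = $Day.AddDays(1)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Event fields live in the XML EventData section as Name/#text pairs.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                User    = $data['SubjectUserName']
                Domain  = $data['SubjectDomainName']
                File    = $data['ObjectName']
                Access  = $data['AccessMask']      # 0x1 ReadData, 0x2 WriteData, 0x10000 DELETE, ...
                Process = $data['ProcessName']
            }
        } |
        Where-Object {
            $_.User -eq $User -and
            $_.File -notmatch '\\~\$'              # skip Office owner/temp files (see btan's note on Deletes)
        } |
        Group-Object File |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            New-Object PSObject -Property @{
                File      = $_.Name
                FirstSeen = $sorted[0].Time
                LastSeen  = $sorted[$sorted.Count - 1].Time
                Events    = $_.Count
                Access    = ($_.Group | ForEach-Object { $_.Access } | Sort-Object -Unique) -join ' '
            }
        } |
        Select-Object File, FirstSeen, LastSeen, Events, Access |
        Sort-Object FirstSeen
}

# Usage (hypothetical values):
Get-FileAccessReport -ComputerName 'FS01' -User 'jsmith' -Day '2014-08-19' |
    Export-Csv -Path 'C:\Temp\jsmith-2014-08-19.csv' -NoTypeInformation
```

Note that 4663 is only written for objects that carry a matching SACL and only once per handle per access type, so a file read many times through one open handle appears as one event; the Events column therefore counts handles, not reads. If the log is large, run the function on the file server itself (drop -ComputerName) so the XML parsing does not happen over a slow RPC channel.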
Author Comment by:pma111 (LVL 3), ID: 40271987
Enabling auditing is OK after the event; we are seeking whether anything can be done without auditing.
Expert Comment by:btan (LVL 65), ID: 40272401
For the LastActivityView tool, it grabs the activities pertaining to the current user logged into the machine, e.g. the files (with this tool executed in the current user login) opened or saved (from the standard Windows Open and Save dialogs, anyway). Probably it can be scripted as a login script and export CSV for each user... not as clean, but it does the grabbing as long as it is running in that user login context. Importantly, LastActivityView doesn't need to be running to record this information. Rather, it assembles it from Registry keys and their "last modified" times, your event logs, prefetch files, crash dumps and more. One useful feature of LastActivityView is that you can quickly search for actions by filename, date and file path, allowing you to quickly find what you need.

Worth mentioning is the fact that LastActivityView does come with some limitations related to changes performed to registry keys, for example, which could affect the accuracy of the displayed information. Some of these changes can be performed by the user, but even PC maintenance tools could remove records used by the program to display the activity log.

http://www.technibble.com/lastactivityview-create-a-log-of-the-last-actions-made-by-the-user/

For AFind, apparently it does not show the user, but it is useful for listing a file's last access time without changing it. So if there is a file of interest, you can do the trace back on the access time and correlate with LastActivityView, probably.
Assisted Solution by:SirtenKen (LVL 9, earned 1000 total points), ID: 40283774
The registry has a lot of tracking information in it. The question is whether your Citrix server will retain the information. If the user profiles haven't been cleaned from the server, you could parse through them to see what was accessed. See this SANS poster for the File creation/opening section, color coded in green: https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf. If you see NTUSER.dat files in the Citrix server user profiles, then you may have what you need. If there are any index.dat files, they may also reveal what a user was accessing. Collect a forensic image of the profiles, so that you can prove that any analysis done didn't change the data being analyzed. Tools like RegRipper can batch process a lot of registry information. See http://code.google.com/p/regripper/downloads/list. Some of the plugins that would help are recentdocs and shellbags; they're meant to work with 2008R2. I suggest checking one of the copied profiles manually to see which artifacts show what you're looking for. It's not an easy way to pull a file report, but if you need the info and auditing isn't already there, then the default tracking in Windows could have some of this information.
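To show what the RecentDocs artifact SirtenKen points at actually contains, here is an added example (not from the thread, and not RegRipper's code) that mounts a copied NTUSER.DAT from the Citrix server's profile store and decodes the MRU list in order of recency. The evidence path C:\Evidence\jsmith\NTUSER.DAT and the mount name HKU\Evidence are assumptions. It must run elevated, and only ever against a copy taken from the forensic image: reg load writes to the hive file, so the original must stay untouched and the copy should be hashed before and after.

```powershell
# Added example, not from the thread: decode the RecentDocs MRU from a copied
# NTUSER.DAT taken from the Citrix server's profile store.
# Assumptions: the copy lives at C:\Evidence\jsmith\NTUSER.DAT (hypothetical);
# run elevated. Work only on a copy: reg load marks the hive dirty.

$hive  = 'C:\Evidence\jsmith\NTUSER.DAT'
$mount = 'HKU\Evidence'

function Read-RecentDocs {
    param([string]$Root)   # Registry:: path of the RecentDocs key in the mounted hive
    # The base key holds all recent items; one subkey per extension (.docx,
    # .xlsx, Folder, ...) holds the per-type lists.
    $keys = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root)
    foreach ($k in $keys) {
        $mru = $k.GetValue('MRUListEx')
        if (-not $mru) { continue }
        # MRUListEx is an array of little-endian int32 value indices, most
        # recently used first, terminated by 0xFFFFFFFF.
        $rank = 0
        for ($i = 0; $i -lt $mru.Length - 4; $i += 4) {
            $idx   = [BitConverter]::ToInt32($mru, $i)
            $bytes = $k.GetValue([string]$idx)
            if (-not $bytes) { continue }
            # Each entry begins with the null-terminated UTF-16LE file name;
            # the shell item data that follows is not needed here.
            $s    = [Text.Encoding]::Unicode.GetString($bytes)
            $end  = $s.IndexOf([char]0)
            $name = if ($end -ge 0) { $s.Substring(0, $end) } else { $s }
            New-Object PSObject -Property @{
                Key  = $k.PSChildName
                Rank = $rank            # 0 = most recent within this key
                Name = $name
            }
            $rank++
        }
    }
}

reg load $mount $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hive (elevated? file in use?)" }
try {
    $root = 'Registry::HKEY_USERS\Evidence\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
    Read-RecentDocs -Root $root | Select-Object Key, Rank, Name | Sort-Object Key, Rank
}
finally {
    # Release the handles PowerShell still holds on the hive, then unload it;
    # without the collect, reg unload reports the key as in use.
    [gc]::Collect()
    reg unload $mount | Out-Null
}
```

What this gives you is names and relative order, not times: RecentDocs values carry no timestamp of their own, and the only timing available is each key's last-write time, which PowerShell's registry provider does not expose (RegRipper's recentdocs plugin reports it). The same decoding applies to the Office-dialog lists under Explorer\ComDlg32\OpenSavePidlMRU, which cover files opened through Open/Save dialogs rather than through Explorer.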
Expert Comment by:btan (LVL 65), ID: 40284666
To add, I find Autopsy useful as well, as it has an "Autopsy Forensic Browser" for live analysis mode with a connection to the target system (local or remote):
http://www.sleuthkit.org/autopsy/features.php
http://www.sleuthkit.org/autopsy/man/autopsy.html
Especially its File Analysis feature, which displays the target file in column headers that include "UID: The User ID of the file owner." and "GID: The Group ID of the file owner."
http://www.sleuthkit.org/autopsy/help/index.html
Also its keyword search may come in handy. E.g. Autopsy will also prompt you to create a file of unallocated data if one does not exist. This obviously is useful for recovering deleted data. If a string is found in this file, Autopsy will also report the location in the original image.