Solved

How do I determine who copied a folder to the server?

Posted on 2014-11-17
9
193 Views
Last Modified: 2014-12-03
I am trying to determine who accessed a user's desktop and copied a folder with confidential information to the general file server.  Unfortunately, when the user whose desktop it came from found it, and the confidential information in the folder, on the file server, the user deleted it.  Is there any way to determine who accessed the user's desktop and copied the folder?

Desktop - Windows 7
Server - 03 r2
Question by:Jeremy Tyre
9 Comments
 
LVL 25

Expert Comment

by:SStory
ID: 40447931
If auditing is turned on, and also if you are in a domain, you should be able to look in the audit events to see which user did things with the file system.  If not, how did they access files on that local PC? Is there a share? Is the user in question an Admin?

http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx
0
 

Expert Comment

by:Paul Struik
ID: 40447964
Jeremy,

Maybe you can restore the folder with Volume Shadow Copy, if enabled, to check the file information. I assume that someone else logged on to the desktop using their own credentials, so if you have a time frame you could check the security log. Furthermore, I don't think you have file-access auditing enabled on the Windows Server.

That's all I can think of; maybe someone else has a brilliant idea.
0
 
LVL 3

Author Comment

by:Jeremy Tyre
ID: 40448361
I am on a domain.  Shadow copy was never configured on the server.  The files were transferred and deleted between backups.  The user was on the computer during the estimated time that the files were transferred.  File access auditing does not appear to be on, only login attempts.

I am looking through the security logs on the local computer to see if I can find any successful logins other than the normal user during that time frame.
0
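The security-log check described in the comment above, as an added example that is not part of the original thread: it lists successful logons (event ID 4624) on the Windows 7 desktop inside a time window, leaving out the normal user and machine/service accounts, and shows the logon type and source address of each. The time window and the account name `jdoe` are constructed placeholders; run it from an elevated PowerShell prompt on the desktop.

```powershell
# Added example, not from the thread. Placeholder values (assumptions):
$start      = Get-Date '2014-01-01 08:00'   # constructed start of the time frame
$end        = Get-Date '2014-01-01 18:00'   # constructed end of the time frame
$normalUser = 'jdoe'                        # hypothetical name of the desktop's normal user

# 4624 = "An account was successfully logged on" (Windows Vista/7 and later)
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $start; EndTime = $end }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read the named fields from the event XML rather than relying on field positions
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']        # 2 = interactive, 3 = network (share), 10 = Remote Desktop
        SourceIP  = $data['IpAddress']
        Source    = $data['WorkstationName']
    }
} | Where-Object {
    # Drop the normal user, computer accounts (name ends in $) and built-in service accounts
    $_.User -notlike "*\$normalUser" -and
    $_.User -notlike '*$' -and
    $_.User -notlike 'NT AUTHORITY\*'
} | Sort-Object Time | Format-Table Time, User, LogonType, SourceIP, Source -AutoSize
```

A type 3 or type 10 logon from another account in the window points at access over the network rather than at the keyboard, and its source address is the machine to look at next.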

 

Expert Comment

by:Paul Struik
ID: 40448440
I think that's your only bet, or maybe the user did it accidentally; wouldn't be the first doing that :P.. Sorry I couldn't be more of a help.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 333 total points
ID: 40449058
Audit has to be enabled to trace back user and object activities; you can see if there are any trails (assuming audit is on) in http://blog.windowsnt.lv/2011/11/15/tracking-user-activity-english/. Finding the IP may not necessarily state that it is that user per se, but at least we can drill into where the start of such anomalous activities has been carried out. Actually, if the deletion is not the secure erasure type, it can still be possible to trace whether the suspected user's machine has traces of that and correlate the times of those files' creation and deletion with the file server, but it can be pretty tedious too.
0
 
LVL 25

Expert Comment

by:SStory
ID: 40451457
Well, are these files something the user would have opened in an app that keeps track of MRU (most recently used) items? If so, there may be history there or in the registry to show it. Also, if they opened certain files (which they could only do if they copied them, I assume), they may create temp files or such in %temp%.

If I knew a user should have access, says they didn't open files or do anything with them and a word doc or whatever temp file was found from that set of files, I'd know they had lied if it was in their temp folder.

If there are files they would have opened with a browser maybe the browser cache might have something.
0
 
LVL 25

Assisted Solution

by:SStory
SStory earned 167 total points
ID: 40451465
There are also undelete programs that might help recover deleted files if not too much has been done after the fact. Check out digital forensic software.

http://www.academia.edu/1342298/Recovering_Deleted_and_Wiped_Files_A_Digital_Forensic_Comparison_of_FAT32_and_NTFS_File_Systems_using_Evidence_Eliminator

http://netsecurity.about.com/od/howtorespondtoincidents/a/Diy-Forensic-Data-Recovery.htm


Undelete, Uneraser, WinUndelete, SoftPerfect
0
 
LVL 62

Accepted Solution

by:btan
btan earned 333 total points
ID: 40451522
There are also other tools such as LastActivityView (displays a log of actions made by the user and events that occurred on this computer) http://www.nirsoft.net/utils/computer_activity_view.html
...and WinLogOnView, FolderTimeUpdate http://www.nirsoft.net/system_tools.html
...and if there is sight of an anti-forensic tool (timestomp etc.) on the suspect machine, it does ring the bell as well.
0
 
LVL 3

Author Comment

by:Jeremy Tyre
ID: 40479208
Unfortunately, this has been taken out of my hands and passed to people who specialize in this.  Thanks everyone for the help though.
0


Question has a verified solution.
