Solved

How do I determine who copied a folder to the server?

Posted on 2014-11-17
9
180 Views
Last Modified: 2014-12-03
I am trying to determine who access a user's desktop and copied a folder with confidential information to the general file server.  Unfortunately, when the user whose desktop it came from found it, and the confidential information in the folder, on the file server the user deleted it.  Is there any way to determine who accessed the user's desktop and copied the folder?

Desktop - Windows 7
Server - 03 r2
0
Comment
Question by:Jeremy Tyre
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 25

Expert Comment

by:SStory
Comment Utility
If auditing is turned on.  Also if you are in a domain.  You should be able to look in the audit events to see which user did things with the file system.  If not, how did they access files on that local PC? Is there a share? Is the user in question an Admin?

http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx
0
 

Expert Comment

by:Paul Struik
Comment Utility
Jeremey,

Maybe you can restore the folder with Volume Shadow Copy if enabled to check the file information. I assume that someone else logged on the desktop using their own credentials, so if you have a time frame you could check the security log. Futhermore i don't think you have file-access auditing enabled on the Windows Server.

Thats all i can think of, maybe someone else has a briliant idea.
0
 
LVL 3

Author Comment

by:Jeremy Tyre
Comment Utility
I am on a domain.  Shadow copy was never configured on the server.  The files were transfered and deleted between backups.  The user was on the computer during the estimated time that the files were transfered.  File access auditing does not appear to be on, only login attempts.

I am looking through the security logs on the local computer to see if I can find any successful logins other then the normal user during that time frame.
0
 

Expert Comment

by:Paul Struik
Comment Utility
I think that's your only bet or maybe the user did it accidently, wouldn't be the first doing that :P.. sorry I couldn't be more of a help.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 61

Assisted Solution

by:btan
btan earned 333 total points
Comment Utility
Audit has to be enable to trace back user and object activities, you can see if there are any trails (assuming audit is on)  in http://blog.windowsnt.lv/2011/11/15/tracking-user-activity-english/. Finding the IP may not necessary state is that user per se but at least we can drill into the start of such anomalous activities have been carried out. Actually if the deletion is not the secure erasure type it can still be able to trace if the suspected user machine has traces of that  and correlate the time of those file created and deletion with the file server, but can be pretty tedious too..
0
 
LVL 25

Expert Comment

by:SStory
Comment Utility
Well, are these files something they user would have opened in a app that keeps track of MRU? Most recently used items? If so there may be history there or in the registry to show it. Also if they opened certain files (which they could only do if they copied them, I assume), they may create temp files or such in %temp%.  

If I knew a user should have access, says they didn't open files or do anything with them and a word doc or whatever temp file was found from that set of files, I'd know they had lied if it was in their temp folder.

If there are files they would have opened with a browser maybe the browser cache might have something.
0
 
LVL 25

Assisted Solution

by:SStory
SStory earned 167 total points
Comment Utility
There are also undelete programs that might help recover deleted files if not too much has been done after the fact. Check out digital forensic software.

http://www.academia.edu/1342298/Recovering_Deleted_and_Wiped_Files_A_Digital_Forensic_Comparison_of_FAT32_and_NTFS_File_Systems_using_Evidence_Eliminator

http://netsecurity.about.com/od/howtorespondtoincidents/a/Diy-Forensic-Data-Recovery.htm


Undelete, Uneraser, WinUndelete,SoftPerfect
0
 
LVL 61

Accepted Solution

by:
btan earned 333 total points
Comment Utility
there are also other tools such as LastActivityView (isplays a log of actions made by the user and events occurred on this computer executed) http://www.nirsoft.net/utils/computer_activity_view.html
..and WinLogOnView, FolderTimeUpdate http://www.nirsoft.net/system_tools.html
...and if there is sight of anti-forensic tool (timestomp etc) on the suspect amchine , it does ring the bell as well
0
 
LVL 3

Author Comment

by:Jeremy Tyre
Comment Utility
Unfortunately, this has been taken out of my hands and pasted to people who specialize in this.  Thanks everyone for the help though.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

First some basics on Windows 7 Backup.  It has 2 components one is a file based backup which is stored in .zip files each zip is split at around 200 Megabytes and there is the Image Backup which is as the name implies a total image of the partition …
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This Micro Tutorial will teach you how to change your appearance and customize your Windows 7 interface to your unique preference. This will be demonstrated using Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now