How do I determine who copied a folder to the server?

I am trying to determine who accessed a user's desktop and copied a folder with confidential information to the general file server. Unfortunately, when the user whose desktop it came from found it, and the confidential information in the folder, on the file server, the user deleted it. Is there any way to determine who accessed the user's desktop and copied the folder?

Desktop - Windows 7
Server - 03 r2
Asked by: Jeremy Tyre, Distributed Computer Systems Analyst

SStory commented:
If auditing is turned on, and if you are in a domain, you should be able to look in the audit events to see which user did things with the file system. If not, how did they access files on that local PC? Is there a share? Is the user in question an Admin?

http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx
0
Paul Struik (System Engineer) commented:
Jeremy,

Maybe you can restore the folder with Volume Shadow Copy, if enabled, to check the file information. I assume that someone else logged on to the desktop using their own credentials, so if you have a time frame you could check the security log. Furthermore, I don't think you have file-access auditing enabled on the Windows Server.

That's all I can think of; maybe someone else has a brilliant idea.
0
Jeremy Tyre (Distributed Computer Systems Analyst, author) commented:
I am on a domain. Shadow copy was never configured on the server. The files were transferred and deleted between backups. The user was on the computer during the estimated time that the files were transferred. File access auditing does not appear to be on, only login attempts.

I am looking through the security logs on the local computer to see if I can find any successful logins other than the normal user during that time frame.
0
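
The security-log check described in the comment above, as an added example that is not part of the original thread: a PowerShell query of the desktop's Security log for successful logons (event ID 4624) inside the suspected window by anyone other than the usual user. The time window and user name are placeholders, and it assumes an elevated prompt on the Windows 7 machine with the log not yet rolled over.

```powershell
# Added example: successful logons (event 4624) in a time window, excluding
# the expected user. All three values below are placeholders.
$start      = Get-Date '2014-01-01 09:00'   # placeholder: start of suspected window
$end        = Get-Date '2014-01-01 12:00'   # placeholder: end of suspected window
$normalUser = 'jdoe'                        # placeholder: the desktop's usual user

# Logon types worth reading here: 2 = at the console, 3 = over the network
# (for example a share or admin share), 10 = Remote Desktop.
$typeName = @{ '2' = 'Interactive'; '3' = 'Network'; '10' = 'RemoteInteractive' }

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $start; EndTime = $end }

$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Event fields are name/value pairs inside the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            User        = $d['TargetUserName']
            Domain      = $d['TargetDomainName']
            LogonType   = $d['LogonType']
            TypeName    = $typeName[$d['LogonType']]
            SourceIP    = $d['IpAddress']
            Workstation = $d['WorkstationName']
        }
    } |
    Where-Object {
        $typeName.ContainsKey($_.LogonType) -and
        $_.User -ne $normalUser -and
        $_.User -notlike '*$' -and           # skip computer accounts
        $_.User -ne 'ANONYMOUS LOGON'
    }

# Chronological detail for the timeline
$logons | Sort-Object Time |
    Format-Table Time, User, Domain, TypeName, SourceIP, Workstation -AutoSize

# Summary: which account logged on, how, and from which address
$logons | Group-Object User, TypeName, SourceIP |
    Sort-Object Count -Descending | Select-Object Count, Name
```

A type 3 entry from another workstation's address while the normal user was sitting at the console is the kind of record worth correlating with the file server's own logon events for the same account and time.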

Paul Struik (System Engineer) commented:
I think that's your only bet, or maybe the user did it accidentally; wouldn't be the first doing that :P.. Sorry I couldn't be more of a help.
0
btan (Exec Consultant) commented:
Audit has to be enabled to trace back user and object activities; you can see if there are any trails (assuming audit is on) in http://blog.windowsnt.lv/2011/11/15/tracking-user-activity-english/. Finding the IP may not necessarily mean it is that user per se, but at least we can drill into where such anomalous activities started. Actually, if the deletion is not the secure-erasure type, it may still be possible to trace whether the suspected user's machine has traces of it and correlate the times of file creation and deletion with the file server, but that can be pretty tedious too.
0
SStory commented:
Well, are these files something the user would have opened in an app that keeps track of MRU (most recently used) items? If so, there may be history there or in the registry to show it. Also, if they opened certain files (which they could only do if they copied them, I assume), they may create temp files or such in %temp%.

If I knew a user should have access, says they didn't open files or do anything with them and a Word doc or whatever temp file was found from that set of files, I'd know they had lied if it was in their temp folder.

If there are files they would have opened with a browser, maybe the browser cache might have something.
0
SStory commented:
There are also undelete programs that might help recover deleted files if not too much has been done after the fact. Check out digital forensic software.

http://www.academia.edu/1342298/Recovering_Deleted_and_Wiped_Files_A_Digital_Forensic_Comparison_of_FAT32_and_NTFS_File_Systems_using_Evidence_Eliminator

http://netsecurity.about.com/od/howtorespondtoincidents/a/Diy-Forensic-Data-Recovery.htm

Undelete, Uneraser, WinUndelete, SoftPerfect
0
btan (Exec Consultant) commented:
There are also other tools such as LastActivityView (displays a log of actions made by the user and events that occurred on this computer): http://www.nirsoft.net/utils/computer_activity_view.html
...and WinLogOnView, FolderTimeUpdate: http://www.nirsoft.net/system_tools.html
...and if there is any sign of an anti-forensic tool (timestomp etc.) on the suspect machine, that rings a bell as well.
0

Jeremy Tyre (Distributed Computer Systems Analyst, author) commented:
Unfortunately, this has been taken out of my hands and passed to people who specialize in this. Thanks everyone for the help though.
0