Solved

How do I determine who copied a folder to the server?

Posted on 2014-11-17
9
197 Views
Last Modified: 2014-12-03
I am trying to determine who access a user's desktop and copied a folder with confidential information to the general file server.  Unfortunately, when the user whose desktop it came from found it, and the confidential information in the folder, on the file server the user deleted it.  Is there any way to determine who accessed the user's desktop and copied the folder?

Desktop - Windows 7
Server - 03 r2
0
Comment
Question by:Jeremy Tyre
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 25

Expert Comment

by:SStory
ID: 40447931
If auditing is turned on.  Also if you are in a domain.  You should be able to look in the audit events to see which user did things with the file system.  If not, how did they access files on that local PC? Is there a share? Is the user in question an Admin?

http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx
0
 

Expert Comment

by:Paul Struik
ID: 40447964
Jeremey,

Maybe you can restore the folder with Volume Shadow Copy if enabled to check the file information. I assume that someone else logged on the desktop using their own credentials, so if you have a time frame you could check the security log. Futhermore i don't think you have file-access auditing enabled on the Windows Server.

Thats all i can think of, maybe someone else has a briliant idea.
0
 
LVL 3

Author Comment

by:Jeremy Tyre
ID: 40448361
I am on a domain.  Shadow copy was never configured on the server.  The files were transfered and deleted between backups.  The user was on the computer during the estimated time that the files were transfered.  File access auditing does not appear to be on, only login attempts.

I am looking through the security logs on the local computer to see if I can find any successful logins other then the normal user during that time frame.
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Expert Comment

by:Paul Struik
ID: 40448440
I think that's your only bet or maybe the user did it accidently, wouldn't be the first doing that :P.. sorry I couldn't be more of a help.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 333 total points
ID: 40449058
Audit has to be enable to trace back user and object activities, you can see if there are any trails (assuming audit is on)  in http://blog.windowsnt.lv/2011/11/15/tracking-user-activity-english/. Finding the IP may not necessary state is that user per se but at least we can drill into the start of such anomalous activities have been carried out. Actually if the deletion is not the secure erasure type it can still be able to trace if the suspected user machine has traces of that  and correlate the time of those file created and deletion with the file server, but can be pretty tedious too..
0
 
LVL 25

Expert Comment

by:SStory
ID: 40451457
Well, are these files something they user would have opened in a app that keeps track of MRU? Most recently used items? If so there may be history there or in the registry to show it. Also if they opened certain files (which they could only do if they copied them, I assume), they may create temp files or such in %temp%.  

If I knew a user should have access, says they didn't open files or do anything with them and a word doc or whatever temp file was found from that set of files, I'd know they had lied if it was in their temp folder.

If there are files they would have opened with a browser maybe the browser cache might have something.
0
 
LVL 25

Assisted Solution

by:SStory
SStory earned 167 total points
ID: 40451465
There are also undelete programs that might help recover deleted files if not too much has been done after the fact. Check out digital forensic software.

http://www.academia.edu/1342298/Recovering_Deleted_and_Wiped_Files_A_Digital_Forensic_Comparison_of_FAT32_and_NTFS_File_Systems_using_Evidence_Eliminator

http://netsecurity.about.com/od/howtorespondtoincidents/a/Diy-Forensic-Data-Recovery.htm


Undelete, Uneraser, WinUndelete,SoftPerfect
0
 
LVL 63

Accepted Solution

by:
btan earned 333 total points
ID: 40451522
there are also other tools such as LastActivityView (isplays a log of actions made by the user and events occurred on this computer executed) http://www.nirsoft.net/utils/computer_activity_view.html
..and WinLogOnView, FolderTimeUpdate http://www.nirsoft.net/system_tools.html
...and if there is sight of anti-forensic tool (timestomp etc) on the suspect amchine , it does ring the bell as well
0
 
LVL 3

Author Comment

by:Jeremy Tyre
ID: 40479208
Unfortunately, this has been taken out of my hands and pasted to people who specialize in this.  Thanks everyone for the help though.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

By default the complete memory dump option is disabled in windows . If we want to enable the complete memory dump for a diagnostic purpose, we have a solution for it. here we are using the registry method to enable this.
A quick guide on how to use Group Policy to create a custom power plan and set it active on Windows 7.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operating…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question