How do I determine who copied a folder to the server?

Posted on 2014-11-17
Last Modified: 2014-12-03
I am trying to determine who accessed a user's desktop and copied a folder with confidential information to the general file server.  Unfortunately, when the user whose desktop it came from found it, and the confidential information in the folder, on the file server, the user deleted it.  Is there any way to determine who accessed the user's desktop and copied the folder?

Desktop - Windows 7
Server - 03 r2
Question by:Jeremy Tyre
9 Comments
 
LVL 25

Expert Comment

by:SStory
ID: 40447931
If auditing is turned on, and if you are in a domain, you should be able to look in the audit events to see which user did things with the file system.  If not, how did they access files on that local PC? Is there a share? Is the user in question an Admin?

http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx
0
 

Expert Comment

by:Paul Struik
ID: 40447964
Jeremy,

Maybe you can restore the folder with Volume Shadow Copy, if enabled, to check the file information. I assume that someone else logged on to the desktop using their own credentials, so if you have a time frame you could check the security log. Furthermore, I don't think you have file-access auditing enabled on the Windows Server.

That's all I can think of; maybe someone else has a brilliant idea.
0
 
LVL 3

Author Comment

by:Jeremy Tyre
ID: 40448361
I am on a domain.  Shadow copy was never configured on the server.  The files were transferred and deleted between backups.  The user was on the computer during the estimated time that the files were transferred.  File access auditing does not appear to be on, only login attempts.

I am looking through the security logs on the local computer to see if I can find any successful logins other than the normal user during that time frame.
0
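The security-log check described in the comment above, as an added example that is not part of the original thread: it lists successful logons (event ID 4624) recorded on the Windows 7 desktop in a time window and marks accounts other than the expected user. The function name `Get-LogonsInWindow`, the `EXPECTED_USER` account and the time window are hypothetical placeholders.

```powershell
# Added example, not from the thread. Lists successful logons (event ID 4624)
# recorded on the desktop during a time window and marks accounts other than
# the expected user. Run from an elevated prompt; written for PowerShell 2.0+.
function Get-LogonsInWindow {
    param(
        [Parameter(Mandatory=$true)] [datetime] $Start,
        [Parameter(Mandatory=$true)] [datetime] $End,
        [string] $ExpectedUser = 'EXPECTED_USER',  # placeholder account name
        [string] $EvtxPath                         # optional exported Security log
    )
    # Logon types that put a person or a remote session on the machine.
    $types = @{ '2'='Interactive'; '3'='Network'; '7'='Unlock';
                '10'='RemoteInteractive'; '11'='CachedInteractive' }

    $filter = @{ Id = 4624; StartTime = $Start; EndTime = $End }
    if ($EvtxPath) { $filter['Path'] = $EvtxPath } else { $filter['LogName'] = 'Security' }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData name/value pairs of the event XML.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            $user = $data['TargetUserName']
            $type = [string]$data['LogonType']
            # Skip service/batch logons and computer accounts (names ending in $).
            if (-not $types.ContainsKey($type) -or $user -like '*$') { return }
            New-Object PSObject -Property @{
                Time       = $_.TimeCreated
                User       = '{0}\{1}' -f $data['TargetDomainName'], $user
                LogonType  = $types[$type]
                Source     = $data['IpAddress']
                Unexpected = ($user -ne $ExpectedUser)
            }
        } |
        Sort-Object Time |
        Select-Object Time, User, LogonType, Source, Unexpected
}

# Constructed window; replace with the estimated time of the copy.
# Get-LogonsInWindow -Start '2000-01-01 09:00' -End '2000-01-01 12:00' |
#     Where-Object { $_.Unexpected } | Format-Table -AutoSize
```

A `Network` (type 3) logon from another machine's address in the window points to access over a share rather than at the keyboard, which is the case the first comment asks about.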

Expert Comment

by:Paul Struik
ID: 40448440
I think that's your only bet, or maybe the user did it accidentally, wouldn't be the first doing that :P.. Sorry I couldn't be more of a help.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 1332 total points
ID: 40449058
Audit has to be enabled to trace back user and object activities; you can see if there are any trails (assuming audit is on) in http://blog.windowsnt.lv/2011/11/15/tracking-user-activity-english/. Finding the IP may not necessarily state that it is that user per se, but at least we can drill into where such anomalous activities started being carried out. Actually, if the deletion is not the secure-erasure type, it can still be possible to trace whether the suspected user's machine has traces of that and correlate the times of file creation and deletion with the file server, but that can be pretty tedious too.
0
 
LVL 25

Expert Comment

by:SStory
ID: 40451457
Well, are these files something the user would have opened in an app that keeps track of MRU (most recently used) items? If so, there may be history there or in the registry to show it. Also, if they opened certain files (which they could only do if they copied them, I assume), they may create temp files or such in %temp%.

If I knew a user should have access, says they didn't open files or do anything with them and a word doc or whatever temp file was found from that set of files, I'd know they had lied if it was in their temp folder.

If there are files they would have opened with a browser maybe the browser cache might have something.
0
 
LVL 25

Assisted Solution

by:SStory
SStory earned 668 total points
ID: 40451465
There are also undelete programs that might help recover deleted files if not too much has been done after the fact. Check out digital forensic software.

http://www.academia.edu/1342298/Recovering_Deleted_and_Wiped_Files_A_Digital_Forensic_Comparison_of_FAT32_and_NTFS_File_Systems_using_Evidence_Eliminator

http://netsecurity.about.com/od/howtorespondtoincidents/a/Diy-Forensic-Data-Recovery.htm


Undelete, Uneraser, WinUndelete, SoftPerfect
0
 
LVL 65

Accepted Solution

by:
btan earned 1332 total points
ID: 40451522
There are also other tools such as LastActivityView (displays a log of actions made by the user and events occurred on this computer executed) http://www.nirsoft.net/utils/computer_activity_view.html
..and WinLogOnView, FolderTimeUpdate http://www.nirsoft.net/system_tools.html
...and if there is sight of an anti-forensic tool (timestomp etc.) on the suspect machine, it does ring the bell as well
0
 
LVL 3

Author Comment

by:Jeremy Tyre
ID: 40479208
Unfortunately, this has been taken out of my hands and passed to people who specialize in this.  Thanks everyone for the help though.
0
