How to find file access for audit

What is the best way to get a list of what files were copied/moved/accessed etc off a pretty OEM win2008 server?  Event viewer overwrites itself pretty frequently but they do backup the system state, as well as the file shares where the files are in question.  Trying to look back to a certain date and see what all was accessed.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

What is the best way to get a list of what files were copied/moved/accessed etc off a pretty OEM win2008 server?
You can enable auditing in the file system on particular files; the "Auditing" tab in advanced security permissions provides fine-grained control, once you have enabled the system to audit object access in Group Policy or its local security policy. See for details; article for Windows XP, but steps still apply, with the caveat you can make the Local Security Policy changes apply more globally to multiple machines via Group Policy, if the box is a member of a domain. Logs are written to the Security log.

More thorough write-up available at TechNet:

However, that is not retrospective. If no steps were taken to enable this on the system and the particular file share prior to the event you wish to track, turning it on will not assist you. As you describe, the Security log tends to be fairly noisy and the default settings will cause it to rapidly overwrite old events. Sites which require audit logs for longer than the log typically retains either need to increase the logging time, or come up with an automated strategy to regularly archive the contents of the log to disk, and rotate their archive as retention requirements dictate. Even with a System State backup, if auditing was not enabled when the event took place, nothing specific about access to those data will have been logged.
btanExec ConsultantCommented:
for windows event, the log rotation overrides easily esp when you turn on the audit trail for object changes - in this case of interest is the file movements desired to be tracked, under the Security Settings\Advanced Audit Policy Configuration.
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the File System subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.

You will want to send the event log over to a SIEMS or syslog server etc for log archival. Snare agent
Snare is a program that facilitates the central collection and processing of Windows Event Log information. All three primary event logs (Application, System and Security) are monitored, and the secondary logs (DNS, Active Directory, and File Replication) are monitored if available. Event information is converted to tab delimited text format, then delivered over
UDP to a remote server.

In fact snare (I am not in any connection to this provider) has Enterprise Agents to monitor all file based activity and provide a much greater depth of information
. The SNARE Enterprise agents can track and report on these changes in near real time. So if unauthorized activity is occurring, the events are being captured and sent to the SIEM system as they are occurring with minimal delay. These events can then be processed and real time alerts initiated to warn security staff that changes are occurring.

There are alternative such as syslog_ng agent etc too...primarily objective is the same, enable audit trail using the GPMC and have agent to send the log to SIEMS server, the FIM agent (if any) can go direct like the mentioned Snare Ent agent. Of course there are even those that is standalone tool like Sysmon from Sysinternal that is handy but noisy though you can filter it accordingly to target location you want to view. It monitor the file, process and network activities
It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

For case of duplicate copy on file movement, it tends to agent based installed in the machine like "spy agent". Do have the necessary user acceptance policy in place to ensure no dispute on the staff usage. It should be for official purpose use in term of such surveillance depth, and the use case go to helpdesk and sensitive site deployment usually. See this instance of "NFM"
If you have sensitive data on your network and a malicious user modifies it or deletes it - do you have a copy? Would you like to see a copy of every website users visit while they are supposed to be working? Perhaps you need to track a large project directory and need to have copies of all new files and modifications.

Ascendant NFM can watch over all file events and selectively archive files that you specify to a secure location. NFM can archive files by specific names (such as payroll-records.db), by file extensions (such as .htm or .doc), and even directory paths (such as Temporary Internet Data). NFM can be set to retain the most recent modified copy of each file filter you specify, or it can retain every copy that is made, ensuring data is not lost, and tracks are not covered.
.... and another "Spyagent" that not only has those stealthy but also has some interesting features
SpyAgent can be set to automatically archive(backup) your activity logs to a specified location at desired time intervals. Logs can be cleared after the archive process is performed, if needed.
rhwimmersAuthor Commented: possibilities for finding information BEFORE turning all of these options on?  No way, at all?
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

btanExec ConsultantCommented:
Tough but possible in not direct evidence to be gather and correlate from restore points, data backup, shadow copies, schedule task and activities...but all these events does not directly map user identity to them. It can be subjected to repudiation unlike chain of custody of the actual audit trail generated with timestamp and action taken.

Forensically tedious to look into the MFT and gathering those deleted file attempts and activities too and need expertise in leveraging those least that is how I see it if time and space is not a urgent matter to investigate this....always good to clone a copy and work on that copy instead...
tigermattCommented: possibilities for finding information BEFORE turning all of these options on?  No way, at all?
Not easily, no. At least, not in a format which doesn't allow the user to repudiate the claims, as btan has already described. All the forensics techniques you would need to employ might be able to prove movement of the file, subsequent deletion, storage in a cache on a local disk in a workstation, etc but that still doesn't conclusively establish accountability to a particular individual.

The audit logs are the ideal mechanism for this, but even they are a technical log of the actions taken which are not 100% foolproof -- they don't prove the user identifier in the logs was the actual person who made the transaction. Most company policy gets around this by making users responsible for all actions under the identifier, but such policies which don't take the human element/social engineering aspect into account make it easy for me to get my boss who I don't like sacked by obtaining his credentials and impersonating him.

Unless the user made the file accesses through some third-party system which maintains its own logs, then you really are out of luck without costly further analysis. I am thinking some web-based document management system so you could interrogate the web server logs -- but it sounds like this was just Windows file sharing you are dealing with.
btanExec ConsultantCommented:
Ideally the auditing is enabled and followed the steps steps 1.1 to 1.4 but (again) it just not going to be easy if those was not minimally enabled before. Even with "Previous Versions" in the file property which you may get files back the file, it still does not tell you who (as example) deleted etc.

The file properties like even using LastWriteTime which is to indicate when a file was last touched also mentioned who did that accept telling the original file owner. The link has some handy file reporting powershell but void of user identity still.

if audit is enabled, fileaudit may be more friendly and intuitive as compared to windows event viewer, to files and folders to be monitored and audited, customize alert settings and schedule reports.

It even has another separate solution called UserLock privileged users are now stringently monitored, audited and archived in a Windows application event log. Additionally an alert can be triggered for any setting or policy modification.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rhwimmersAuthor Commented:
We do have logs of all USB activities which started our timeline... so if we could see file access matching those times maybe we would have SOMEthing?
btanExec ConsultantCommented:
USB log + User login may gives us close linkage
USB log - USBLogView :
User login - need to enable audit as well, but was thinking if "LastActivityView " ( can help a bit ...however it is still as of current and not to the extend of past activities
displays a log of actions made by the user and events occurred on this computer. The activity displayed by LastActivityView includes: Running .exe file, Opening open/save dialog-box, Opening file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection
rhwimmersAuthor Commented:
Thanks for the info
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.