evidence of file copy

pma111
If somebody copied a file from a Windows file server to elsewhere, e.g. desktop, USB drive, would there be any form of footprint/evidence on the server itself of such an activity taking place? I know Windows OS leaves many forensic artefacts of file opening, such as jump lists, but I have never heard of forensic artefacts regarding file copies on the source location itself, so without a suspect and then their device it's tricky to identify.
Also, if file-level auditing was enabled on the server, where specifically in the event logs would those actions be captured, and does Windows capture copies, or only file creation/deletion/access type events? I presume by default file auditing is off?

Distinguished Expert 2018
Commented:
Copying is reading, so you will not be able to say "it was just read, but not copied".
So auditing at the server is not useful here.

At the client end, you can audit removable storage in general, so all sticks (anything used now AND in the future) will be audited.
If someone however would copy the file locally, rename it and then copy it to the stick, all you can see is the new name, not the original name.

So auditing alone is not worth much. As for keeping files from being copied to unauthorized USB drives, I would like to show you my concept: https://www.experts-exchange.com/articles/25879/A-new-aspect-to-securing-USB-data-SID-protectors.html
Paul MacDonald, Director, Information Systems

Commented:
"...would there be any form of footprint/evidence on the server itself of such an activity taking place..."
Only if auditing were enabled somewhere, and what evidence you saw would depend on where auditing was enabled.

"...where specifically in the event logs would those actions be captured..."
In the Security Logs.

"...does windows capture copies, or only file creations/deletions/access type events?"
The logs can capture file access, as well as privilege use, depending on what sort of auditing you're doing and what the user had to do to get to the file.

"I presume by default file type auditing is off?"
Yes.

You may find this link to be useful:  https://www.netwrix.com/how_to_detect_who_read_file_on_windows_file_server.html

Author

Commented:
Is a "copy" though, in the sense of say right-clicking a spreadsheet and selecting 'copy', the same thing as access, in the sense of double-clicking the file so it's open in the appropriate application, e.g. Excel? I wasn't sure if Windows would class them as two differing operations. I will turn on as many audit features as I can on a test device tomorrow and do some trial and error to see what, if anything, is logged in the event logs for a copy, as opposed to actually fully opening a file.
Distinguished Expert 2018

Commented:
Copying is reading, no difference to just opening - as said.
Director, Information Systems
Commented:
"Is a "copy"...the same thing as access...in the sense of double clicking the file"
Yes.  It will trigger an "access" event, if auditing is enabled.

"I will turn on as many audit features on a test device tomorrow and do some trial and error..."
You should!  Mind you that depending on what you're auditing and what events you trigger, that audit log can grow quite quickly.

https://www.wikigain.com/configuring-audit-policy-in-windows-server-2016/
Christian KAZADI, IT Support Level 2

Commented:
As the others have just said, no Windows option gives you what you mention.

Third-party tools can:

https://temasoft.com/monitor-file-copy/
https://www.visualclick.com/content/monitor-usb-windows-file-system.htm#Workstation%20File%20Auditing
https://www.manageengine.com/products/active-directory-audit/windows-file-integrity-monitoring.html


I did not use these tools personally; I recommended them and some people were satisfied.

Try them; maybe you will find what you are looking for.

In my case I centralized management of USB key usage, and allowed only reading, not writing.
> Is a "copy" though, in the sense of say right clicking a spreadsheet and selecting 'copy' the same thing as access, in the sense of double clicking the file

no. the file will be cached locally by the app and a second time by the filesystem layer, so the server would never know anything was ever copied.

the only way to get notified of such events would be to keep the file copies in the datacenter or office and only allow remote users in through remote desktops. which would not make you impervious to OCR, print screens, or manual copies.

there is no way past that as long as the users can view the files
Windows file servers are not sufficient for that type of document management.  You need some other system, such as mastercontrol.com.  Basically, all your files must go to some database that tracks every access, including copying, downloading and/or just reading.  The file server system does not allow for the type of fine grained control that you're asking about.
kevinhsieh, Network Engineer

Commented:
If you have an EDR (Endpoint Detection and Remediation) product running on your endpoints, you should be able to track such things, as they generally record all actions taken, such as programs launched, files opened, and files saved. They also log which program did the access, so they will record whether it was Excel, explorer.exe, robocopy, etc.
there is no way any program running on any server could track a user copying data from a spreadsheet using copy+paste.

depending on the cases, tracking the program which accesses the file may or may not be possible.

tracking actions on the user's computers would be more efficient.

some context would be helpful if you expect us to advise. as a general rule, disallowing access is much more efficient than tracking.

Author

Commented:
>tracking actions on the user's computers would be more efficient.
>some context would be helpful if you expect us to advise

that is the dilemma, nobody knows who copied it. I mentioned in my post I was aware of artefacts on the local machine such as lnk files, jump lists, entries in the registry etc., but without a suspect it's impossible. So I just wanted to rule out the other side of the equation and whether any footprint may be left on the file system it was copied from, which seems not to be the case.
I think it will be impossible to prove given current audit settings, unless we had the time to analyse every device joined to the network. Will have to take it as a lesson learned and review the audit settings moving forwards.
if you know at what moment the file was copied, you should be able to track who was logged on to the computer at that time in event logs.

you should also be able to find events regarding USB keys or other removable media being inserted or removed

if you are lucky enough, you may have program execution auditing on the server. that would let you track copies performed with tools such as robocopy (but not other ways to copy such as "save as" or copy+paste or even a regular explorer copy)

you are also quite likely to find some useful information in whatever antivirus you are using. some keep a very detailed event log of file access including the user and application name. which may or may not be helpful.
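The two answers above (Security log object-access events on the server; "track who was logged on to the computer at that time") come down to one correlation: join each object-access event (4663) on the file with the logon session (4624) that owns its logon ID, which on a file server gives the account and the client IP of the network logon. The script below is an added example, not code from the thread; the event records are constructed, simplified dictionaries that keep only the fields the real events carry (SubjectLogonId/TargetLogonId, ObjectName, AccessMask, IpAddress), and the file path and accounts are made up. It also shows the point made repeatedly in the thread: an open in Excel and a copy to the desktop both arrive as the same ReadData access, so the server cannot tell them apart.

```python
"""Correlate Windows Security-log object-access events (4663) for one file
with the network-logon events (4624) that opened each session, answering
"which account, from which client, read this file and when".
Added example: the records are constructed, simplified event fields."""

from datetime import datetime

# Constructed sample events (not real log data). Real records come from the
# Security log (Get-WinEvent / .evtx); only the fields used here are kept.
SAMPLE_EVENTS = [
    # network logons (logon type 3) to the file server; 4624 carries the
    # client IP and the new session's logon ID
    {"id": 4624, "time": "2018-05-01T08:58:10", "logon_id": "0x3E7A1",
     "account": "CORP\\alice", "logon_type": 3, "ip": "10.1.20.15"},
    {"id": 4624, "time": "2018-05-01T09:02:44", "logon_id": "0x3F102",
     "account": "CORP\\bob", "logon_type": 3, "ip": "10.1.20.77"},
    # alice opens the spreadsheet in Excel: ReadData (0x1)
    {"id": 4663, "time": "2018-05-01T09:05:01", "logon_id": "0x3E7A1",
     "object": "D:\\Shares\\Finance\\budget.xlsx", "access_mask": 0x1},
    # bob copies the same file to his desktop: also only ReadData (0x1)
    {"id": 4663, "time": "2018-05-01T09:12:30", "logon_id": "0x3F102",
     "object": "D:\\Shares\\Finance\\budget.xlsx", "access_mask": 0x1},
    # bob writes a different file: WriteData (0x2)
    {"id": 4663, "time": "2018-05-01T09:15:00", "logon_id": "0x3F102",
     "object": "D:\\Shares\\Finance\\notes.txt", "access_mask": 0x2},
]

# Subset of the file access-mask bits reported in 4663.
ACCESS_BITS = {0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData",
               0x80: "ReadAttributes", 0x10000: "DELETE"}


def decode_access(mask):
    """Translate an access mask into the named rights it contains."""
    names = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    return names or [hex(mask)]


def who_accessed(events, path, start=None, end=None):
    """Return one record per 4663 event on `path` (optionally inside the
    ISO-8601 window start..end), joined to the 4624 session that owns its
    logon ID so the account and client IP are attached."""
    sessions = {e["logon_id"]: e for e in events if e["id"] == 4624}
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    hits = []
    for e in events:
        if e["id"] != 4663 or e["object"].lower() != path.lower():
            continue
        t = datetime.fromisoformat(e["time"])
        if (lo and t < lo) or (hi and t > hi):
            continue
        s = sessions.get(e["logon_id"], {})
        hits.append({
            "time": e["time"],
            "account": s.get("account", "<no matching 4624>"),
            "client_ip": s.get("ip", "?"),
            "access": decode_access(e["access_mask"]),
        })
    return hits


if __name__ == "__main__":
    for h in who_accessed(SAMPLE_EVENTS, "D:\\Shares\\Finance\\budget.xlsx"):
        print(h["time"], h["account"], h["client_ip"], ",".join(h["access"]))
```

Both hits on budget.xlsx decode to plain ReadData, one for the Excel open and one for the copy, which is exactly why the server-side log cannot say "copied" rather than "read". The events only exist at all if the Audit File System subcategory is enabled and the folder carries a SACL that audits read access; neither is on by default, which matches the thread's answer to the last question.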
> there is no way any program running on any server could track a user copying data from a spreadsheet using copy+paste.
You can't do it on a server that just shares files, but you can do it on a document management system that forces you to open files through their system.

A simple file server does not allow for such in depth tracking.  You can only correlate activity of when the file was accessed and which users had connected.  Then you'd also have to go to each users individual event logs.  You likely won't be able to get much without additional auditing features that aren't turned on by default.  This was why separate document management software was created to better track this type of access.
I'd rather say that's why document management systems tend to sell what they cannot provide. copy + paste from a spreadsheet will NOT be seen by the document management system. print screen neither. at best, they'll know the file was opened/viewed. auditing events on the client, recording the client's screen, etc. are the more intrusive but efficient ways to actually track such things. and that won't prevent anyone from taking a picture of the screen with their phone.
