If somebody copied a file from a windows file server to elsewhere, e.g. desktop, USB drive, would there be any form of footprint/evidence on the server itself of such an activity taking place. I know windows OS leave many forensics artefacts of file opening, such as jump lists, but I have never heard of forensics artefacts regarding file copies on the source location itself, so without a suspect and then their device its tricky to identify,
Also if file level auditing was enabled on the server, where specifically in the event logs would those actions be captured, and does windows capture copies, or only file creations/deletions/access type events? I presume by default file type auditing is off?