Forum Newbie
      
Group: Forum Members
Last Login: 1/17/2011 10:35:44 PM
Posts: 5,
Visits: 4
Hi,
I have a task to help determine who has moved a particular folder and its subfolder/files to another location.
For example: User A has moved 'C:\folder2' to 'C:\folder1\folder2'
I've tried searching for related events on 560, 567 and 562, which I understand will be generated for such cases; however, I only see event code 560.
Unable to determine much, I searched for the last event time for C:\folder2, which is 13:00 hr, and the next event, at 14:00, with the file location shown in the log is C:\folder1\folder2. Both of these events are code 560, and I am unable to find a corresponding code 567, 562 and handle ID.
Thus, I am suspecting the movement of the folder happens between 13:00 and 14:00...
Please advise?
Forum Newbie
      
Group: Forum Members
Last Login: 1/17/2011 10:35:44 PM
Posts: 5,
Visits: 4
Also, I'd like to know what values like "Delete", "Synchronize", "ReadAttributes" mean in the Accesses field?
Forum Newbie
      
Group: Forum Members
Last Login: 6/9/2011 6:34:57 PM
Posts: 6,
Visits: 1
Hello,
I had a similar issue, but found out Windows does not generate event IDs when a folder gets copied or moved somewhere. Have you configured the folder for auditing?
Thanks,
Tom
Forum Newbie
      
Group: Forum Members
Last Login: 1/17/2011 10:35:44 PM
Posts: 5,
Visits: 4
Hi,
I've just checked and realized that the folder is not enabled for auditing. Does that mean there is no way to check already?
I will probably enable the following attributes from now on:
-create files/write data
-write attributes
-delete subfolders and files
-delete
-change permissions
-take ownership
for successful events.
In this case, can I still rely on event codes 560, 567, 562 to determine if a user has moved a particular folder?
If I want to track folder movement, is there any other way to do it?
Expert
      
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326,
Visits: 0
The only way you are going to get 560s without corresponding 562s is failed 560s. Also, the security log doesn't provide much help in tracking moved files.
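The handle-ID correlation discussed in this thread (a 560 opens a handle, a 567 records an access actually used through it, a 562 closes it), as an added example that is not part of any post here. The records are constructed, and the dict keys are assumed names for an exported Security log.

```python
# Constructed sample records (not from the thread). The dict keys are
# assumptions about how an analyst exported the Security log.
EVENTS = [
    {"time": "13:00:05", "id": 560, "result": "Success", "handle": "1234",
     "user": "DOM\\userA", "object": r"C:\folder2",
     "accesses": ["Delete", "ReadAttributes", "Synchronize"]},
    {"time": "13:00:05", "id": 567, "handle": "1234", "accesses": ["Delete"]},
    {"time": "13:00:06", "id": 562, "handle": "1234"},
    {"time": "13:10:00", "id": 560, "result": "Failure", "handle": "-",
     "user": "DOM\\userB", "object": r"C:\folder2", "accesses": ["Delete"]},
    {"time": "14:00:00", "id": 560, "result": "Success", "handle": "1234",
     "user": "DOM\\userA", "object": r"C:\folder1\folder2",
     "accesses": ["ReadAttributes", "Synchronize"]},
    {"time": "14:00:01", "id": 562, "handle": "1234"},
]

def correlate(events):
    """Pair each 560 with the 567/562 events that share its handle ID."""
    sessions, open_handles = [], {}
    for ev in events:                      # events must be in log order
        if ev["id"] == 560:
            s = {"opened": ev["time"], "user": ev["user"], "object": ev["object"],
                 "result": ev["result"], "requested": set(ev["accesses"]),
                 "used": set(), "closed": None}
            sessions.append(s)
            if ev["result"] == "Success":  # a failed open never yields a handle
                open_handles[ev["handle"]] = s
        elif ev["id"] == 567 and ev["handle"] in open_handles:
            open_handles[ev["handle"]]["used"].update(ev["accesses"])
        elif ev["id"] == 562:              # pop so a reused handle ID starts fresh
            s = open_handles.pop(ev["handle"], None)
            if s:
                s["closed"] = ev["time"]
    return sessions

def exercised(sessions, access):
    """Sessions where `access` was actually used (567), not just requested (560)."""
    return [s for s in sessions if access.lower() in {a.lower() for a in s["used"]}]

if __name__ == "__main__":
    for s in correlate(EVENTS):
        print(s["opened"], s["result"], s["user"], s["object"],
              "used:", sorted(s["used"]), "closed:", s["closed"])
```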
Forum Newbie
      
Group: Forum Members
Last Login: 5/12/2011 10:22:54 AM
Posts: 2,
Visits: 1
Attached is my code for the FileWatcher class.
I would like to log the domain/username of users when they log in from the network, i.e. file sharing.
I am currently using Environment.UserName and Environment.DomainName,
but this is not able to log if the files are accessed via file sharing.
The Environment.UserName and Environment.DomainName are only useful if the user has logged in to the machine (explorer/rdesktop).
Urgent help required!
Expert
      
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326,
Visits: 0
Sorry, we don't do programming on this forum.
Forum Newbie
      
Group: Forum Members
Last Login: 5/12/2011 10:22:54 AM
Posts: 2,
Visits: 1
Of course I know there is no programming here, but I just need some guidance. If someone could please take a look and suggest a workaround?
Expert
      
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326,
Visits: 0
No, I'm saying we don't get into looking at application code. This isn't a developer forum. Folks here are administrators and infosec professionals.