How to track user modifications and accesses...
Posted 10/5/2010 12:44:59 AM
Forum Newbie

Group: Forum Members
Last Login: 1/17/2011 10:35:44 PM
Posts: 5, Visits: 4
Hi,
I have a task to help determine who has moved a particular folder and its subfolder/files to another location.

For example: User A has moved 'C:\folder2' to 'C:\folder1\folder2'

I've tried searching for related events 560, 567 and 562, which I understand will be generated for such cases; however, I only see event code 560.

Unable to determine much, I searched for the last event time for C:\folder2, which is 13:00 hr, and the next event, at 14:00, shows the file location in the log as C:\folder1\folder2. Both of these events are code 560, and I am unable to find a corresponding code 567 or 562 and handle ID.
Thus, I suspect the movement of the folder happened between 13:00 and 14:00...

Please advise.

Post #493
Posted 10/5/2010 12:49:14 AM
Forum Newbie

Group: Forum Members
Last Login: 1/17/2011 10:35:44 PM
Posts: 5, Visits: 4
Also, I'd like to know what values like "Delete", "Synchronize" and "ReadAttributes" mean in the Accesses field.
Post #494
Posted 10/5/2010 12:04:49 PM
Forum Newbie

Group: Forum Members
Last Login: 6/9/2011 6:34:57 PM
Posts: 6, Visits: 1
Hello,

I had a similar issue, but found out Windows does not generate event IDs when a folder gets copied or moved somewhere. Have you configured the folder for auditing?

Thanks,
Tom
Post #495
Posted 10/6/2010 4:11:00 AM
Forum Newbie

Group: Forum Members
Last Login: 1/17/2011 10:35:44 PM
Posts: 5, Visits: 4
Hi,
I've just checked and realized that the folder is not enabled for auditing. Does that mean there is no way to check already?

I will probably enable the following attributes from now on:
- create files/write data
- write attributes
- delete subfolders and files
- delete
- change permissions
- take ownership

for successful events.

In this case can I still rely on event codes 560, 567, 562 to determine if a user has moved a particular folder?

If I want to track folder movement, is there any other way to do it?
Post #496
Posted 11/4/2010 6:01:27 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
The only way you are going to get 560s without corresponding 562s is failed 560s.

Also, the security log doesn't provide much help in tracking moved files.

Post #512
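An added example, not part of any post in this thread: one way to pair 560 (handle opened), 567 (access used) and 562 (handle closed) records by Handle ID, so that 560s with no matching 562 stand out and each handle shows who opened it and which access was actually exercised. The records, the field names and the `correlate` / `unmatched_opens` helpers are constructed for illustration; keying on Process ID plus Handle ID is an assumption, made because handle values are per process and get reused after a close.

```python
from collections import namedtuple

# Constructed sample records, not taken from the thread. Field names are
# hypothetical stand-ins for the Handle ID, Process ID, Object Name and
# Accesses fields of events 560 (open), 567 (access used), 562 (close).
Event = namedtuple("Event", "time event_id success pid handle user obj accesses")

SAMPLE = [
    Event("13:00:01", 560, True, 1204, "0x5a0", "CORP\\userA",
          r"C:\folder2", ("Delete", "Synchronize", "ReadAttributes")),
    Event("13:00:01", 567, True, 1204, "0x5a0", None, None, ("Delete",)),
    Event("13:00:02", 562, True, 1204, "0x5a0", None, None, ()),
    Event("13:05:10", 560, False, 1204, "-", "CORP\\userB",
          r"C:\folder2", ("Delete",)),
    # Same handle value reused later by the same process for another object.
    Event("14:00:00", 560, True, 1204, "0x5a0", "CORP\\userA",
          r"C:\folder1\folder2", ("ReadAttributes", "Synchronize")),
    Event("14:00:01", 562, True, 1204, "0x5a0", None, None, ()),
]


def correlate(events):
    """Pair each 560 with its 567s and closing 562, in log order."""
    open_handles, sessions = {}, []
    for ev in events:
        key = (ev.pid, ev.handle)  # assumption: handle values are per process
        if ev.event_id == 560:
            session = {"opened": ev.time, "closed": None, "user": ev.user,
                       "object": ev.obj, "requested": set(ev.accesses),
                       "used": set(),
                       "status": "open" if ev.success else "failed"}
            sessions.append(session)
            if ev.success:  # a failed open never yields a handle to close
                open_handles[key] = session
        elif ev.event_id == 567 and key in open_handles:
            open_handles[key]["used"].update(ev.accesses)
        elif ev.event_id == 562 and key in open_handles:
            session = open_handles.pop(key)
            session["closed"], session["status"] = ev.time, "closed"
    return sessions


def unmatched_opens(sessions):
    """560 records for which no 562 was seen."""
    return [s for s in sessions if s["closed"] is None]


if __name__ == "__main__":
    for s in correlate(SAMPLE):
        print(s["opened"], s["status"], s["user"], s["object"], sorted(s["used"]))
```

Comparing `requested` with `used` per handle separates accesses that were merely asked for at open time from those a 567 shows were exercised.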
Posted 5/12/2011 5:46:06 AM
Forum Newbie

Group: Forum Members
Last Login: 5/12/2011 10:22:54 AM
Posts: 2, Visits: 1
Attached is my code for the FileWatcher class.
I would like to log the domain/username of the users when they are logging in from the network, i.e. file sharing.

I am currently using Environment.UserName and Environment.DomainName,
but this is not able to log if the files are accessed via file sharing.

The Environment.UserName and Environment.DomainName are only useful if the user has logged in to the machine (explorer/rdesktop).

Urgent help required!


  Post Attachments 
WatchFolder.zip (6 views, 227.77 KB)
Post #680
Posted 5/12/2011 8:29:03 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Sorry, we don't do programming on this forum.
Post #681
Posted 5/12/2011 10:24:02 AM
Forum Newbie

Group: Forum Members
Last Login: 5/12/2011 10:22:54 AM
Posts: 2, Visits: 1
Of course I know no programming here, but I just need some guidance.

If someone could please take a look and suggest a workaround?

Post #685
Posted 5/12/2011 3:07:45 PM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
No, I'm saying we don't get into looking at application code. This isn't a developer forum. Folks here are administrators and infosec professionals.
Post #688
All times are GMT -5:00.