How can you tell when a file was created???
Posted 5/19/2009 8:43:05 AM
Forum Newbie
Group: Forum Members
Last Login: 5/19/2009 8:40:00 AM
Posts: 2, Visits: 0
It seems that event 560 is given for created or modified. Is there a way to tell when a file was created???
Post #93
Posted 5/19/2009 11:40:58 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
You would need to change your audit policy on the folder to audit file creations but not modifications to files. You see, NTFS uses the same permission names for Create File and Write Data, as indicated in the circles in the figure below. To prevent audits of modifications to files and get audits of file creations you would need to select "This folder and subfolders" as shown below. I've highlighted each selection in "Apply onto" as yellow, blue or green, corresponding to the yellow and blue circles also below. Hope it makes sense. Hint: green means yellow + blue. :-)

Post #94
Posted 5/19/2009 11:47:49 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Of course, using the suggestion in my previous post means that you can't audit both file modifications and file creations.

The only other alternative is this: when you modify the data of an existing file, Windows logs a 567 in between the 560 (file open) and the 562 (file close). But when you create a new file, while the 560 and 562 are identical, Windows logs no 567. So the absence of a 567 indicates that, out of "WriteData (or AddFile)", it's the AddFile that applies.

Post #95
Posted 5/19/2009 1:45:47 PM
Forum Newbie
Group: Forum Members
Last Login: 5/19/2009 8:40:00 AM
Posts: 2, Visits: 0
I have auditing all set up. But as you know, Windows logs a 560 for file creates & appends & anything else, I think. Second, 567 is ONLY logged on the local drive; it will NOT log a network share. I just want to know if there is a value in the 560 log to say it was created...
Post #96
Posted 8/26/2009 9:27:15 PM
Forum Newbie
Group: Forum Members
Last Login: 8/26/2009 8:57:37 PM
Posts: 2, Visits: 0
Look for the access "write_dac" in event 560, since a DAC entry must be written when an object is created. Of course you will get a false positive whenever the DAC is changed. I have used this successfully to get an alert whenever an unwanted file type was created. Then, to verify it, I would go to the file and click Properties to verify the owner and the date it was created. Of course you must be monitoring the computer where the folder is located.
Post #188
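The two heuristics offered in this thread (Post #95: a 560/562 pair with no 567 between them means the "WriteData (or AddFile)" right was used as AddFile, i.e. a creation; Post #188: a write_dac access in the 560 appears on creation but also on a DACL change) can be combined into one correlation pass over the object-access events. The script below is an added example, not code posted by anyone in the thread. It assumes a constructed pipe-separated export (event id, handle id, object name, accesses) as a stand-in for a real event log export, groups 560/567/562 records by handle id, and applies both rules. The `has_567` switch covers the caveat raised in Post #96 that 567 events are not logged for network shares: without them the first rule cannot separate creation from modification, and the verdict says so instead of guessing.

```python
"""Correlate legacy Windows object-access audit events (560 open, 567 access
attempt, 562 close) to tell a file creation from a modification.

Added example; the line format below is constructed for the demo and is not
a Windows log format.
"""

# Access names as they appear in the thread's discussion of event 560.
WRITE_DATA = "WriteData (or AddFile)"
WRITE_DAC = "WRITE_DAC"

# Constructed sample export: event_id|handle_id|object_name|accesses
SAMPLE_LOG = r"""
560|0x1a4|C:\share\new.txt|WriteData (or AddFile),WRITE_DAC,SYNCHRONIZE
562|0x1a4|C:\share\new.txt|
560|0x1b0|C:\share\existing.txt|WriteData (or AddFile),SYNCHRONIZE
567|0x1b0|C:\share\existing.txt|WriteData (or AddFile)
562|0x1b0|C:\share\existing.txt|
560|0x1c8|C:\share\report.doc|WRITE_DAC,READ_CONTROL
567|0x1c8|C:\share\report.doc|WRITE_DAC
562|0x1c8|C:\share\report.doc|
560|0x1d0|C:\share\readme.txt|ReadData (or ListDirectory)
562|0x1d0|C:\share\readme.txt|
560|0x1e4|C:\share\open.log|WriteData (or AddFile)
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def parse_line(line: str) -> dict:
    """Split one constructed export line into an event record."""
    event_id, handle, obj, accesses = line.split("|", 3)
    return {
        "id": int(event_id),
        "handle": handle,
        "object": obj,
        "accesses": [a for a in accesses.split(",") if a],
    }


def verdict(requested: set, attempted: set, has_567: bool = True) -> str:
    """Apply the thread's two rules to one 560..562 handle session.

    requested: accesses listed in the 560 (what the handle was opened with)
    attempted: accesses listed in any 567 seen before the 562 (what was used)
    """
    wants_write = bool(requested & {WRITE_DATA, WRITE_DAC})
    if not wants_write:
        return "opened without write access"
    if not has_567:
        # Post #96: no 567 on a network share, so rule 1 cannot be applied.
        return "created or modified (no 567 to separate them)"
    if not attempted:
        # Post #95: write access granted but never exercised via 567 -> AddFile
        return "created"
    if WRITE_DATA in attempted:
        return "modified"
    if WRITE_DAC in attempted:
        # Post #188's false positive: write_dac used to change permissions
        return "permissions changed"
    return "other access used"


def classify(lines, has_567: bool = True) -> list:
    """Correlate events by handle id; return (object, verdict) in close order.

    A handle id is removed from the open set on its 562, so later reuse of the
    same id starts a fresh session. Handles never closed are reported last.
    """
    open_handles = {}
    verdicts = []
    for line in lines:
        ev = parse_line(line)
        h = ev["handle"]
        if ev["id"] == 560:
            open_handles[h] = {
                "object": ev["object"],
                "requested": set(ev["accesses"]),
                "attempted": set(),
            }
        elif ev["id"] == 567 and h in open_handles:
            open_handles[h]["attempted"].update(ev["accesses"])
        elif ev["id"] == 562 and h in open_handles:
            s = open_handles.pop(h)
            verdicts.append((s["object"], verdict(s["requested"], s["attempted"], has_567)))
    for s in open_handles.values():
        verdicts.append((s["object"], "still open (no 562 yet)"))
    return verdicts


if __name__ == "__main__":
    for obj, result in classify(SAMPLE_LINES):
        print(f"{obj}: {result}")
```

Run with `has_567=False` for events collected from a share and every write-capable open collapses to "created or modified", which is exactly the gap the later posts are trying to close; on a local volume the 567 rule separates the three write cases in the sample.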
Posted 8/26/2009 9:35:36 PM
Forum Newbie
Group: Forum Members
Last Login: 8/26/2009 8:57:37 PM
Posts: 2, Visits: 0
I have used the access write_dac. This is there when a file is created. However this also gives a false positive when the DAC is changed. Anyone know a better way?
Post #189
Posted 8/27/2009 8:07:24 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Are there any other accesses present in the 560 when the file is created that are not present when someone actually changes the permissions? Or vice versa? That is about the way to filter the so-called false positives.

You might want to look at products from Quest or others that use their own agent to fill the gaps in file access auditing.  Under Webinars you'll find a session on that subject.

Post #190