Educause Security Discussion mailing list archives
Re: NTFS file access auditing
From: Mike Lococo <mike.lococo () NYU EDU>
Date: Wed, 28 Apr 2010 15:28:50 -0400
On 04/28/2010 01:56 PM, Brad Judy wrote:
If I instead open the directory in Windows explorer (at least under Windows 7), it will trigger a read audit log for all of the files in the directory. Following both of these actions in process monitor (great tool – learn it) shows that they are indeed very different and the GUI browsing does request a handle for each of the files in the directory and opens them. Presumably this is done to request detailed file information for GUI display. Unfortunately, this means the audit logs are deceiving, showing no difference between browsing into a folder and actually opening the files. Has anyone else tackled this issue? Did you do so natively, or using a third-party audit solution?
While I certainly don't have a turnkey solution for pretty human-readable reports, I can say that the explorer accesses are distinguishable from other types if your tool/analysis is sufficiently intelligent.
My need to parse access audit logs from Windows systems is primarily forensic and quite infrequent, so my process is manual and requires more than passing familiarity with interpreting event logs. Psloglist.exe from the sysinternals pstools is a good way to get extracts of Windows event logs, and shows that the following artifacts are observable:
1) The process name and number of the process whose activity generated the event is recorded. One very simple indicator that browsing activity is happening is that explorer.exe is the trigger process. Unfortunately, Event Viewer doesn't seem able to display this info as a column or search on it, making it quite difficult to interact with using that tool.

2) The type of access is recorded (also not viewable as a column/search in EV), and you'll typically find that explorer.exe accesses are often grabbing attributes whereas accesses from another program (like notepad) will show reads and writes and a longer list of stuff. This is less trivial to parse, but I believe they tell a fairly rich story about the kind of access that occurred.

So I'm sure this isn't the answer you wanted in terms of a recommendation for a rich and user-friendly reporting tool, but it's at least a confirmation that there is some useful data in there if you can find a vendor who does something useful with it.
Also, third-party file-service tools may have less obtuse logging options. We use Xythos, and although I haven't had occasion to review its audit logs much, I believe that they are fairly rich.
Please report back if you find a good answer, as I'm interested as well.

Cheers,
Mike Lococo
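The two artifacts Mike describes (the triggering process name and the list of access rights granted) are enough to separate Explorer's directory browsing from real file reads and writes mechanically. The following is an added example, not code from the thread or from any of the tools mentioned: it parses a small text dump of object-access events and labels each one. The records are constructed and laid out like the Object Name / Process Name / Accesses fields of Security event 4663; the exact key names and the psloglist output format are assumptions, so adjust the field regex to match your own extract.

```python
import re

# Constructed sample records (not real logs), laid out like the fields that
# Security event 4663 ("An attempt was made to access an object") carries:
# Object Name, Process Name, Accesses. The paths, users and IDs are made up.
SAMPLE_EVENTS = """\
Event ID: 4663
Object Name: C:\\Share\\payroll.xlsx
Process ID: 0x1a4
Process Name: C:\\Windows\\explorer.exe
Accesses: ReadAttributes

Event ID: 4663
Object Name: C:\\Share\\payroll.xlsx
Process ID: 0x9c8
Process Name: C:\\Windows\\System32\\notepad.exe
Accesses: ReadData (or ListDirectory)
          ReadAttributes

Event ID: 4663
Object Name: C:\\Share\\notes.txt
Process ID: 0x9c8
Process Name: C:\\Windows\\System32\\notepad.exe
Accesses: WriteData (or AddFile)
          AppendData (or AddSubdirectory)

Event ID: 4663
Object Name: C:\\Share\\budget.docx
Process ID: 0x1a4
Process Name: C:\\Windows\\explorer.exe
Accesses: ReadData (or ListDirectory)
"""

# "Key: value" lines; assumed psloglist-style layout, one record per blank-separated block.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")

# Rights that only touch metadata (what Explorer grabs to populate its view)
# versus rights that touch file content. Names as printed in the Accesses field.
METADATA_ONLY = {"ReadAttributes", "ReadEA", "ReadControl", "Synchronize"}
WRITE_RIGHTS = {"WriteData", "AppendData", "WriteAttributes", "WriteEA", "DELETE"}
READ_RIGHTS = {"ReadData", "Execute"}


def parse_events(text):
    """Split a text dump into records; returns one dict of fields per event."""
    records, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if line[0].isspace() and last_key:
            # Continuation line: the Accesses field lists one right per line
            current[last_key] += "\n" + line.strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            current[last_key] = m.group("value").strip()
    if current:
        records.append(current)
    return records


def access_rights(accesses_field):
    """'ReadData (or ListDirectory)\\nReadAttributes' -> {'ReadData', 'ReadAttributes'}"""
    rights = set()
    for part in accesses_field.splitlines():
        m = re.match(r"\s*([A-Za-z_]+)", part)
        if m:
            rights.add(m.group(1))
    return rights


def classify(record):
    """Label one event as Explorer browsing or a genuine file access."""
    proc = record.get("Process Name", "").rsplit("\\", 1)[-1].lower()
    rights = access_rights(record.get("Accesses", ""))
    if rights & WRITE_RIGHTS:
        kind = "content-write"
    elif rights & READ_RIGHTS:
        kind = "content-read"
    elif rights and rights <= METADATA_ONLY:
        kind = "metadata-only"
    else:
        kind = "other"
    # explorer.exe grabbing only attributes is the GUI-browsing pattern; anything
    # that touches file contents counts as a real access, whichever process did it.
    browsing = proc == "explorer.exe" and kind == "metadata-only"
    return {"object": record.get("Object Name"), "process": proc,
            "kind": kind, "label": "explorer-browse" if browsing else "file-access"}


def summarize(text):
    return [classify(r) for r in parse_events(text)]


def real_accesses(text):
    """(object, process, kind) for events that actually read or wrote a file."""
    return [(e["object"], e["process"], e["kind"])
            for e in summarize(text) if e["label"] == "file-access"]


if __name__ == "__main__":
    for event in summarize(SAMPLE_EVENTS):
        print(f'{event["label"]:16} {event["kind"]:14} {event["process"]:14} {event["object"]}')
```

The fourth sample record is the case the process name alone would get wrong: Explorer requesting ReadData (for example to render a preview) is a content read and is labelled as such, so the filter keys on the rights granted first and only then on the process.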