Educause Security Discussion mailing list archives

Re: NTFS file access auditing


From: Mike Lococo <mike.lococo () NYU EDU>
Date: Wed, 28 Apr 2010 15:28:50 -0400

On 04/28/2010 01:56 PM, Brad Judy wrote:
If I instead open the directory in Windows Explorer (at least under
Windows 7), it will trigger a read audit log for all of the files in
the directory. Following both of these actions in Process Monitor
(great tool – learn it) shows that they are indeed very different and
the GUI browsing does request a handle for each of the files in the
directory and opens them. Presumably this is done to request detailed
file information for GUI display.

Unfortunately, this means the audit logs are deceiving, showing no
difference between browsing into a folder and actually opening the
files. Has anyone else tackled this issue? Did you do so natively, or
using a third-party audit solution?

While I certainly don't have a turnkey solution for pretty human-readable reports, I can say that the explorer accesses are distinguishable from other types if your tool/analysis is sufficiently intelligent.

My need to parse access audit logs from Windows systems is primarily forensic and quite infrequent, so my process is manual and requires more than passing familiarity with interpreting event logs. psloglist.exe from the Sysinternals PsTools is a good way to get extracts of Windows event logs, and shows that the following artifacts are observable:

  1) The process name and number of the process whose activity
     generated the event is recorded.  One very simple indicator that
     browsing activity is happening is that explorer.exe is the trigger
     process.  Unfortunately, Event Viewer doesn't seem able to display
     this info as a column or search on it, making it quite difficult
     to interact with using that tool.

  2) The type of access is recorded (also not viewable as a
     column/search in EV), and you'll typically find that explorer.exe
     accesses are often grabbing attributes whereas accesses from
     another program (like notepad) will show reads and writes and a
     longer list of stuff.  This is less trivial to parse, but I
     believe they tell a fairly rich story about the kind of access
     that occurred.

So I'm sure this isn't the answer you wanted in terms of a recommendation for a rich and user-friendly reporting tool, but it's at least a confirmation that there is some useful data in there if you can find a vendor who does something useful with it.

Also, third-party file-service tools may have less obtuse logging options. We use Xythos, and although I haven't had occasion to review its audit logs much, I believe that they are fairly rich.

Please report back if you find a good answer, as I'm interested as well.

Cheers,
Mike Lococo
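An added example (not from the thread or from any of the tools named in it) of the two-signal triage Mike describes: take the text of Security event 4663 ("An attempt was made to access an object", the Vista/7-era successor to event 560) as Event Viewer or psloglist prints it, pull out the process name and the hexadecimal access mask, and separate metadata-only handles opened by explorer.exe from handles that actually read or write file content. The field names and the access-mask bit values are the standard Windows file access rights; the sample event texts, account, paths and process IDs are constructed for illustration.

```python
"""Triage Windows 4663 file-access audit events by process and access mask."""
import re
from dataclasses import dataclass

# File-object access-right bits (Windows ACCESS_MASK for files). The names match
# what Event Viewer prints in the "Accesses" field of event 4663.
FILE_ACCESS_BITS = {
    0x00000001: "ReadData (or ListDirectory)",
    0x00000002: "WriteData (or AddFile)",
    0x00000004: "AppendData (or AddSubdirectory)",
    0x00000008: "ReadEA",
    0x00000010: "WriteEA",
    0x00000020: "Execute/Traverse",
    0x00000040: "DeleteChild",
    0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Rights that expose or change file *content*. Everything else (attributes,
# security descriptor, SYNCHRONIZE) is metadata only, which is what an Explorer
# directory listing typically requests.
CONTENT_READ = 0x00000001 | 0x00000008 | 0x00000020
CONTENT_WRITE = 0x00000002 | 0x00000004 | 0x00000010 | 0x00000040 | 0x00010000


@dataclass
class AccessEvent:
    account: str
    process_name: str
    object_name: str
    access_mask: int


# One "Key:   value" line per field, as in the 4663 message body. The message
# carries "Account Name" twice (Subject and, on some versions, Object); we keep
# the first, which is the subject who opened the handle.
_FIELD = re.compile(
    r"^\s*(Account Name|Object Name|Process Name|Access Mask):\s*(.+?)\s*$", re.M)


def parse_4663(message):
    """Build an AccessEvent from the text of one 4663 event message."""
    fields = {}
    for key, value in _FIELD.findall(message):
        fields.setdefault(key, value)
    return AccessEvent(
        account=fields["Account Name"],
        process_name=fields["Process Name"],
        object_name=fields["Object Name"],
        access_mask=int(fields["Access Mask"], 16),
    )


def decode_mask(mask):
    """Expand a numeric access mask into the right names Event Viewer would show."""
    return [name for bit, name in FILE_ACCESS_BITS.items() if mask & bit]


def classify(ev):
    """'write' / 'read' if content was touched; 'browse' for an explorer.exe
    metadata-only handle; 'metadata' for any other metadata-only handle."""
    if ev.access_mask & CONTENT_WRITE:
        return "write"
    if ev.access_mask & CONTENT_READ:
        return "read"
    if ev.process_name.lower().endswith("\\explorer.exe"):
        return "browse"
    return "metadata"


def summarize(messages):
    """Count events per category across a list of 4663 message texts."""
    counts = {}
    for message in messages:
        kind = classify(parse_4663(message))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample events (hypothetical share, user and PIDs), laid out the
# way the 4663 message body reads in Event Viewer.
def _sample(process, path, mask):
    return f"""An attempt was made to access an object.
Subject:
    Account Name:        jdoe
Object:
    Object Type:         File
    Object Name:         {path}
Process Information:
    Process ID:          0x5c8
    Process Name:        {process}
Access Request Information:
    Access Mask:         {mask}
"""


SAMPLE_EVENTS = [
    _sample(r"C:\Windows\explorer.exe", r"F:\HR\salaries.xlsx", "0x80"),
    _sample(r"C:\Windows\explorer.exe", r"F:\HR\reviews.docx", "0x80"),
    _sample(r"C:\Windows\notepad.exe", r"F:\HR\salaries.xlsx", "0x120089"),
    _sample(r"C:\Windows\notepad.exe", r"F:\HR\salaries.xlsx", "0x120116"),
]

if __name__ == "__main__":
    for m in SAMPLE_EVENTS:
        ev = parse_4663(m)
        print(classify(ev), ev.process_name, ev.object_name, decode_mask(ev.access_mask))
    print(summarize(SAMPLE_EVENTS))
```

The two Explorer records above, with only ReadAttributes (0x80) requested, fall out as "browse"; the Notepad records carry FILE_GENERIC_READ (0x120089) and FILE_GENERIC_WRITE (0x120116) and so count as a real read and write of the same file. Extending the rule set (for instance treating WRITE_DAC or DELETE as their own category) is a matter of adding bits to the mask constants.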
