Educause Security Discussion mailing list archives
Re: NTFS file access auditing
From: Brad Judy <win-hied () BRADJUDY COM>
Date: Wed, 28 Apr 2010 16:53:45 -0400
Thanks for the response Mike. I'll have to do some more testing, but the tricky part was telling the difference between opening the directory with Windows Explorer versus a drag-and-drop copy of the file(s) with Windows Explorer. Double-clicking the file should trigger an execution audit log (assuming that has been enabled), but my initial look didn't reveal an easy differentiation between opening the folder and copying the file. I'll continue to take a deeper look.

Brad Judy
Emory University

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Lococo
Sent: Wednesday, April 28, 2010 3:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NTFS file access auditing

On 04/28/2010 01:56 PM, Brad Judy wrote:
> If I instead open the directory in Windows Explorer (at least under Windows 7), it will trigger a read audit log for all of the files in the directory. Following both of these actions in Process Monitor (great tool - learn it) shows that they are indeed very different and the GUI browsing does request a handle for each of the files in the directory and opens them. Presumably this is done to request detailed file information for GUI display. Unfortunately, this means the audit logs are deceiving, showing no difference between browsing into a folder and actually opening the files. Has anyone else tackled this issue? Did you do so natively, or using a third-party audit solution?
While I certainly don't have a turnkey solution for pretty human-readable reports, I can say that the explorer accesses are distinguishable from other types if your tool/analysis is sufficiently intelligent. My need to parse access audit logs from Windows systems is primarily forensic and quite infrequent, so my process is manual and requires more than passing familiarity with interpreting event logs. Psloglist.exe from the Sysinternals PsTools is a good way to get extracts of Windows event logs, and shows that the following artifacts are observable:

1) The process name and number of the process whose activity generated the event is recorded. One very simple indicator that browsing activity is happening is that explorer.exe is the trigger process. Unfortunately, Event Viewer doesn't seem able to display this info as a column or search on it, making it quite difficult to interact with using that tool.

2) The type of access is recorded (also not viewable as a column/search in EV), and you'll typically find that explorer.exe accesses are often grabbing attributes whereas accesses from another program (like notepad) will show reads and writes and a longer list of stuff. This is less trivial to parse, but I believe they tell a fairly rich story about the kind of access that occurred.

So I'm sure this isn't the answer you wanted in terms of a recommendation for a rich and user-friendly reporting tool, but it's at least a confirmation that there is some useful data in there if you can find a vendor who does something useful with it. Also, third-party file-service tools may have less obtuse logging options. We use Xythos, and although I haven't had occasion to review its audit logs much, I believe that they are fairly rich.

Please report back if you find a good answer, as I'm interested as well.

Cheers,
Mike Lococo
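The two artifacts Mike describes (trigger process and access type) are enough to mechanically separate Explorer's metadata-only browsing from accesses that actually touch file content. The script below is an added example written for this archive page, not code from either poster. It parses constructed, simplified one-line records (the field layout is invented for the example; real psloglist or Event Viewer output is multi-line and differs), uses the access names Windows reports in object-access events (ReadAttributes, ReadData, WriteData, Execute/Traverse), and classifies each record. The "explorer-content" class, where explorer.exe requests ReadData rather than just attributes, is the example's own assumption about how a drag-and-drop copy would look and is kept separate so an analyst can review it.

```python
"""Classify constructed NTFS object-access audit records by process and access type.

Added example for the thread above; record layout is constructed and
simplified, not real psloglist/Event Viewer output.
"""
import re
from collections import Counter

# Constructed sample records. Object-access events (4663) carry the
# process path and the list of accesses requested on the object.
SAMPLE_EVENTS = r"""
Event: 4663 Process: C:\Windows\explorer.exe Object: C:\share\report.docx Accesses: ReadAttributes
Event: 4663 Process: C:\Windows\explorer.exe Object: C:\share\budget.xlsx Accesses: ReadAttributes ReadEA
Event: 4663 Process: C:\Windows\explorer.exe Object: C:\share\report.docx Accesses: ReadData ReadAttributes
Event: 4663 Process: C:\Windows\System32\notepad.exe Object: C:\share\notes.txt Accesses: ReadData WriteData
Event: 4663 Process: C:\Windows\System32\cmd.exe Object: C:\share\tool.exe Accesses: Execute/Traverse
"""

LINE_RE = re.compile(
    r"Event: (?P<id>\d+) Process: (?P<process>\S+) Object: (?P<object>\S+) Accesses: (?P<accesses>.+)$"
)

# Accesses that only touch metadata (what Explorer asks for when rendering a folder).
METADATA_ACCESSES = {"ReadAttributes", "ReadEA", "READ_CONTROL", "SYNCHRONIZE"}
# Accesses that read, modify or run the file's contents.
CONTENT_ACCESSES = {"ReadData", "WriteData", "AppendData", "Execute/Traverse", "DELETE"}


def parse_events(text):
    """Turn the constructed one-line records into dicts; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["accesses"] = set(ev["accesses"].split())
        # Keep only the executable name so path differences don't matter.
        ev["process_name"] = ev["process"].rsplit("\\", 1)[-1].lower()
        events.append(ev)
    return events


def classify(ev):
    """Label one event using the trigger process and the requested access types."""
    touches_content = bool(ev["accesses"] & CONTENT_ACCESSES)
    if ev["process_name"] == "explorer.exe":
        # Attribute-only requests from Explorer are folder browsing (artifact 1 + 2).
        # ReadData from Explorer is assumed here to be an open/copy and flagged for review.
        return "explorer-content" if touches_content else "browse"
    return "program-content" if touches_content else "program-metadata"


def summarize(text):
    """Count events per class, e.g. {'browse': 2, 'explorer-content': 1, 'program-content': 2}."""
    return dict(Counter(classify(ev) for ev in parse_events(text)))


def content_accesses(text):
    """(process, object) pairs for events that actually touched file content."""
    return [
        (ev["process_name"], ev["object"])
        for ev in parse_events(text)
        if ev["accesses"] & CONTENT_ACCESSES
    ]


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    for proc, obj in content_accesses(SAMPLE_EVENTS):
        print(f"{proc:<14} {obj}")
```

Against real extracts the only part that needs changing is `LINE_RE` and `parse_events`; the classification rests entirely on the two fields Mike identifies, so the same logic applies once the process path and access list have been pulled out of whatever format the extraction tool emits.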