Educause Security Discussion mailing list archives

Re: NTFS file access auditing


From: Mike Lococo <mike.lococo () NYU EDU>
Date: Wed, 28 Apr 2010 18:13:22 -0400

On 04/28/2010 04:53 PM, Brad Judy wrote:
Thanks for the response, Mike.  I'll have to do some more testing, but the
tricky part was telling the difference between opening the directory with
Windows Explorer versus a drag-and-drop copy of the file(s) with Windows
Explorer.  Double-clicking the file should trigger an execution audit log
(assuming that has been enabled), but my initial look didn't reveal an easy
differentiation between opening the folder and copying the file.  I'll
continue to take a deeper look.

That would be a fairly subtle distinction.  The list of access rights
used for display vs copy may still be different in many cases, but some
cases may really be the same from the perspective of file-access
auditing.  I'm thinking of image/media thumbnailing where the file is
opened and processed in a fairly "invasive" way.

For human-mediated forensic analysis, I think one could often make a
fairly good guess based on access-patterns (if for example, explorer
typically gets file attributes for everything in a directory, then gets
additional data for certain filetypes in a semi-predictable way, and you
see that access pattern repeating as the user browses around).  That
might be difficult to apply to an automated report, though.  Maybe some
other folks have ideas, but you've stumped this chump.

Cheers,
Mike Lococo
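The access-pattern heuristic Mike sketches above (Explorer touches every entry in a folder for attributes, then reads the data of some media types for thumbnails, while a copy or open reads the data of a specific file) can be turned into a grouping script over the fields of Security event 4663. The following is an added example written for this archived thread, not code posted by either participant. It works from already-extracted records rather than the event log; the process id, paths, thumbnail extension list and the three-entry threshold are all constructed or assumed, and the classification is a triage aid, not a proof of what the user did.

```python
"""
Group NTFS object-access audit records (the Object Name / Access Mask fields
of Windows Security event 4663) per (process, directory) and separate a
directory listing (ReadAttributes on every entry, ReadData only on
thumbnail-able media) from a data read of a specific file.

Example code for this thread; the event records below are constructed.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Access-mask bits as reported in the 4663 "Access Mask" field.
FILE_READ_DATA = 0x1
FILE_READ_ATTRIBUTES = 0x80

# Extensions Explorer commonly opens for thumbnail/metadata extraction while
# only displaying a folder (assumption; tune to the environment).
THUMBNAIL_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".mp4", ".wmv"}

# Distinct entries a process must touch in one directory before the group
# is treated as a directory listing (assumption).
LISTING_MIN_ENTRIES = 3


def classify(events):
    """
    events: iterable of dicts with keys
        'pid'    -> process id from the event
        'object' -> Windows path of the object accessed
        'mask'   -> integer access mask
    Returns {(pid, directory): {listing, attr_only, thumbnail_or_copy,
                                copy_candidates}}.
    """
    # OR together every mask a process used on an object, since Explorer
    # emits separate records for the attribute read and the data read.
    per_object = defaultdict(int)
    for ev in events:
        per_object[(ev["pid"], ev["object"])] |= ev["mask"]

    groups = defaultdict(lambda: {"attr_only": set(), "ambiguous": set(),
                                  "read": set()})
    for (pid, obj), mask in per_object.items():
        path = PureWindowsPath(obj)
        g = groups[(pid, str(path.parent))]
        if mask & FILE_READ_DATA:
            if path.suffix.lower() in THUMBNAIL_EXTS:
                g["ambiguous"].add(obj)   # thumbnailing or a copy: can't tell
            else:
                g["read"].add(obj)        # data read of a non-media file
        elif mask & FILE_READ_ATTRIBUTES:
            g["attr_only"].add(obj)       # consistent with a plain listing

    result = {}
    for key, g in groups.items():
        touched = sum(len(s) for s in g.values())
        result[key] = {
            "listing": touched >= LISTING_MIN_ENTRIES,
            "attr_only": sorted(g["attr_only"]),
            "thumbnail_or_copy": sorted(g["ambiguous"]),
            "copy_candidates": sorted(g["read"]),
        }
    return result


# Constructed records: one process (pid 1234, assumed to be explorer.exe)
# lists C:\Share\Docs, then reads one document; then lists C:\Share\Photos,
# where the images are read for thumbnails.
SAMPLE_EVENTS = [
    {"pid": 1234, "object": r"C:\Share\Docs\budget.xlsx", "mask": FILE_READ_ATTRIBUTES},
    {"pid": 1234, "object": r"C:\Share\Docs\plan.docx", "mask": FILE_READ_ATTRIBUTES},
    {"pid": 1234, "object": r"C:\Share\Docs\notes.txt", "mask": FILE_READ_ATTRIBUTES},
    {"pid": 1234, "object": r"C:\Share\Docs\plan.docx", "mask": FILE_READ_DATA},
    {"pid": 1234, "object": r"C:\Share\Photos\a.jpg", "mask": FILE_READ_ATTRIBUTES},
    {"pid": 1234, "object": r"C:\Share\Photos\a.jpg", "mask": FILE_READ_DATA},
    {"pid": 1234, "object": r"C:\Share\Photos\b.jpg", "mask": FILE_READ_ATTRIBUTES},
    {"pid": 1234, "object": r"C:\Share\Photos\b.jpg", "mask": FILE_READ_DATA},
    {"pid": 1234, "object": r"C:\Share\Photos\readme.txt", "mask": FILE_READ_ATTRIBUTES},
]

if __name__ == "__main__":
    for (pid, directory), verdict in classify(SAMPLE_EVENTS).items():
        print(pid, directory)
        for field, value in verdict.items():
            print("   ", field, value)
```

On the constructed input the Docs group is flagged as a listing with plan.docx as the one copy candidate, while the Photos group is a listing whose image reads stay in the "thumbnail or copy" bucket, which is exactly the ambiguity Mike points out: for media folders the access rights alone do not settle it, and an analyst would need something else (a subsequent write of the same size elsewhere, a process other than explorer.exe, timing) to go further.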
