Educause Security Discussion mailing list archives
Re: NTFS file access auditing
From: Mike Lococo <mike.lococo () NYU EDU>
Date: Wed, 28 Apr 2010 18:13:22 -0400
On 04/28/2010 04:53 PM, Brad Judy wrote:
Thanks for the response Mike. I'll have to do some more testing, but the tricky part was telling the difference between opening the directory with Windows Explorer versus a drag-and-drop copy of the file(s) with Windows Explorer. Double-clicking the file should trigger an execution audit log (assuming that has been enabled), but my initial look didn't reveal an easy differentiation between opening the folder and copying the file. I'll continue to take a deeper look.
That would be a fairly subtle distinction. The list of access rights used for display vs copy may still be different in many cases, but some cases may really be the same from the perspective of file-access auditing. I'm thinking of image/media thumbnailing where the file is opened and processed in a fairly "invasive" way. For human-mediated forensic analysis, I think one could often make a fairly good guess based on access-patterns (if, for example, explorer typically gets file attributes for everything in a directory, then gets additional data for certain filetypes in a semi-predictable way, and you see that access pattern repeating as the user browses around). That might be difficult to apply to an automated report, though. Maybe some other folks have ideas, but you've stumped this chump.

Cheers,
Mike Lococo
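The access-pattern heuristic described above (a directory listing plus attribute reads on its children versus actual data reads on the files) can be sketched as a small triage script over exported object-access audit events. The code below is an added illustration, not part of the original thread or anything the participants posted. It assumes a constructed pipe-delimited export of Windows Security event 4663 records with the object kind already known; the event lines, user names and share paths are made up for the example. It uses the standard NTFS access-mask bits (0x1 is FILE_READ_DATA on a file but FILE_LIST_DIRECTORY on a directory) and leaves the thumbnailing-versus-copy ambiguity the reply mentions visible as a "files read / files seen" ratio rather than pretending to resolve it.

```python
"""Heuristic triage of NTFS object-access audit events (constructed data).

Groups Windows Security event 4663 records by (user, process) into short
bursts and labels each burst from the access-mask bits requested on files
versus directories: a listing plus attribute reads is a browse,
FILE_READ_DATA on files is a content read (open, copy or thumbnailing),
FILE_WRITE_DATA is a content write. The input format is a constructed
pipe-delimited export, not a real event-log format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Access-mask bits from winnt.h. The low bits are overloaded: 0x1 is
# FILE_READ_DATA on a file but FILE_LIST_DIRECTORY on a directory, so the
# object kind must be known before a bit can be interpreted.
FILE_READ_DATA = 0x0001      # FILE_LIST_DIRECTORY for directories
FILE_WRITE_DATA = 0x0002     # FILE_ADD_FILE for directories


@dataclass
class AccessEvent:
    when: datetime
    user: str
    process: str
    obj: str
    is_dir: bool
    mask: int


def parse_export(text):
    """Parse constructed 'time|user|process|object|dir-or-file|mask' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, proc, obj, kind, mask = [f.strip() for f in line.split("|")]
        events.append(AccessEvent(datetime.fromisoformat(ts), user, proc,
                                  obj, kind == "dir", int(mask, 16)))
    return events


def sessionize(events, gap=timedelta(seconds=2)):
    """Split each (user, process) stream into bursts separated by > gap."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.when):
        by_actor[(ev.user, ev.process)].append(ev)
    bursts = []
    for stream in by_actor.values():
        current = [stream[0]]
        for ev in stream[1:]:
            if ev.when - current[-1].when > gap:
                bursts.append(current)
                current = [ev]
            else:
                current.append(ev)
        bursts.append(current)
    return sorted(bursts, key=lambda b: b[0].when)


def classify(burst):
    """Label a burst and report how many of the files seen were actually read.

    One media file read out of several listed is consistent with thumbnailing;
    every listed file read looks more like a copy. The analyst decides.
    """
    files = {e.obj for e in burst if not e.is_dir}
    read = {e.obj for e in burst if not e.is_dir and e.mask & FILE_READ_DATA}
    written = {e.obj for e in burst if not e.is_dir and e.mask & FILE_WRITE_DATA}
    label = "content-write" if written else "content-read" if read else "browse"
    return {
        "user": burst[0].user,
        "process": burst[0].process,
        "start": burst[0].when,
        "label": label,
        "files_seen": len(files),
        "files_read": len(read),
        "read_exts": sorted({PureWindowsPath(p).suffix.lower() for p in read}),
    }


def analyze(text):
    return [classify(b) for b in sessionize(parse_export(text))]


# Constructed sample: alice browses a folder (one .jpg gets its data read, as
# a thumbnailer would), bob only browses, then alice reads every document she
# listed, which is the pattern a drag-and-drop copy leaves behind.
SAMPLE = r"""
2010-04-28T16:50:00|alice|explorer.exe|D:\share\docs|dir|0x1
2010-04-28T16:50:00|alice|explorer.exe|D:\share\docs\a.docx|file|0x80
2010-04-28T16:50:00|alice|explorer.exe|D:\share\docs\b.xlsx|file|0x80
2010-04-28T16:50:01|alice|explorer.exe|D:\share\docs\c.jpg|file|0x80
2010-04-28T16:50:01|alice|explorer.exe|D:\share\docs\c.jpg|file|0x1
2010-04-28T16:50:10|bob|explorer.exe|D:\share\docs|dir|0x1
2010-04-28T16:50:10|bob|explorer.exe|D:\share\docs\a.docx|file|0x80
2010-04-28T16:50:10|bob|explorer.exe|D:\share\docs\b.xlsx|file|0x80
2010-04-28T16:50:30|alice|explorer.exe|D:\share\docs\a.docx|file|0x80
2010-04-28T16:50:30|alice|explorer.exe|D:\share\docs\a.docx|file|0x1
2010-04-28T16:50:31|alice|explorer.exe|D:\share\docs\b.xlsx|file|0x80
2010-04-28T16:50:31|alice|explorer.exe|D:\share\docs\b.xlsx|file|0x1
"""

if __name__ == "__main__":
    for r in analyze(SAMPLE):
        print(f"{r['start']:%H:%M:%S} {r['user']:<6} {r['label']:<13} "
              f"read {r['files_read']}/{r['files_seen']} {r['read_exts']}")
```

Run as a script it prints one line per burst. The burst gap and the extension list are the knobs an analyst would tune against what Explorer actually requests on a given Windows version; the script deliberately reports the ratio instead of guessing "copy" or "thumbnail" for the reason the reply gives.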