Examining the Evidence: Taking a Look when You Have Time




If you choose to examine the evidence media itself, without first creating a forensic duplicate, it is very likely the evidence will be changed, and those changes may subject your actions to vigorous challenges when the evidence is introduced. Experienced investigators pursue the most constrained means of evidence collection. When the time arrives to introduce the evidence at a deposition or an administrative or criminal proceeding, there is then a much higher likelihood of few legal challenges to its acceptance.

Evidence on Windows Operating Systems

Investigators should have a plan before they begin to examine the forensically created duplicate. Depending on the details of the case, here are some areas where evidence is likely to be found when conducting an investigation on duplicated media:

  • Slack space. This is the place where information from previously deleted files resides after having been partially written over by the current file. This type of evidence will consist of file names, text information, and file extensions. The size of the slack space determines how much information will be retrievable.

  • Unallocated or free space. This is space where a previous file has been deleted. Usually a deleted file's directory entry is identified by the lower-case sigma (σ) character. If the file has not been overwritten, a good file recovery utility should recover it.

  • Event logs maintained either on the affected application server or on the target workstation

  • Windows Registry. Remember that this is the database containing configuration information, and it may be seen as a type of activity log. Users usually do not know that applications and activities are making entries in and modifying the Registry, where their activities may be documented at least in part.

  • Application logs. These are event logs maintained by the applications running on the system and not managed by the operating system.

  • History files. These are similar to the event logs mentioned above; they log the user's activities with a particular Web browsing application. For example, Microsoft's Internet Explorer keeps a History file containing the URLs visited by the user. The configuration of this file determines how long a period the user's Internet browsing history covers. While it is possible for the user to delete entries, they may be recoverable provided they have not been completely overwritten.

  • Cookie files or caches. These files hold small text entries where the browser has stored accepted cookies from Web sites visited by the user. These text entries, when viewed by a text editor, will often reveal their Web site origin.

  • Temporary and cache files. These files are created by many applications often at the time of installation. Temporary files may contain application installation files, previously viewed Internet Web pages, and previously viewed image files.

  • Recycle Bin. This is a special folder where deleted files may be found. Hidden within it is the INFO or INFO2 file containing tree-structure information about the deleted files. Recovering the deleted files in the Recycle Bin, or the INFO file itself, can provide important information about files that existed on that machine.

  • E-mail in the Sent, Received, or Inbox, and Deleted files of the e-mail client.

  • Newsgroup subscriptions. Read postings of newsgroups may reside in cached or temporary files.

  • Internet Relay Chat rooms searched for with the IRC client's utilities remain in the pull-down menu and are viewable by starting the IRC client and looking at the search menu.

Logical File Review in Windows

When a Windows platform is started, a process runs on every recognized drive that updates the file system's metadata. Running a Windows platform will typically access and update more than 200 files, depending on the version (95, 98, ME, or NT). There are several options to ensure the host operating system does not alter the evidence file system in any way.

In the case of NT, sysinternals.com offers a utility called NTFSDOS. This tool is a read-only NTFS driver for DOS and may be used with most Windows 98 and ME platforms. By analyzing a forensically duplicated copy of the evidence, the investigator can navigate, view, and execute programs on NTFS volumes without writing to the medium under investigation.

Using Linux is another option. Investigators can mount the media to be scrutinized as read-only, accessing the files on the media without being concerned about changing them. This command will mount an NTFS drive read-only (the -o ro option is what prevents writes):

  mount -t ntfs -o ro /dev/hdb /mnt/nameofdrive

Linux may be used as the host operating system on which file analysis, contents inventory, and string searches are done. There is a successful methodology involving Linux and Samba: set up a share under Samba, exported from the read-only file system, and use a Windows system loaded with file-viewing utilities such as Quickview Plus, Microsoft Word, Microsoft Excel, and Outlook to examine the contents without changing them. Installing VMware, or another operating system emulator, allows Windows, Linux, and Samba to be installed on one forensic computer. VMware is available at www.vmware.com.

Going Native

This is going to seem like a contradiction, but steps taken one at a time usually lead to progress. It is likely that at some point during the investigation investigators will boot a duplicated disk into its native operating system to view configuration files, the desktop and its settings, and obtain a view of the system's state at the time of the original forensic duplication. Individual files, once located, may be copied to other media for viewing in the native operating system.

Experience Note 

It is a good idea to have multiple operating systems on the forensic machine. This can be accomplished by using an emulator like VMware, available at www.vmware.com.

As part of the analysis, it is going to be necessary to log on to the media being examined. This will likely be the last step, and probably one of the most important steps, you take in your investigation. To do this, you'll need the administrator user account name and the password. If the subject-user is cooperating, it is likely she will provide the pertinent information; however, it is quite likely that logging on will not be as easy as someone knowledgeable providing the information.

These are a few alternatives when folks are not cooperative:

  • Obtain the Windows NT SAM database (containing the password hashes) and run a password cracker, preferably a commercial one that has good customer service and a positive legal history.

    Experience Note 

    There are many opinions here, but using sound commercial tools has certain advantages over the tools commonly sponsored by attackers. Imagine testimony being vigorously challenged by knowledgeable attorneys where the witness is accused of using tools she obtained from a Web site sponsored by attackers. Using tools of this nature is not necessarily wrong, but it can provide a lot of fuel for cross-examination. Be prepared to justify and defend the tools used in the examination. There are some excellent password tools available at www.accessdata.com. Murphy's Law is usually going to apply to password cracking efforts regardless of the tools investigators use.

  • Matching log entries with file attributes will show the diligence and professionalism of the examiner and avoid challenges to the integrity of the evidence.

    Experience Note 

    In the case of extremely critical investigations, having two examiners performing and logging their analyses will deflect future legal challenges.

Changing User Passwords

It is possible to use a feature-rich offline tool like CHNTPW, written by Petter Nordahl and available at home.eunet.no/~pnordahl/ntpasswd. This is a Linux-based tool that permits viewing and changing the user passwords in the Windows NT SAM file. It also contains a Registry editor and a disk editor. This is not a password cracker per se; rather, it is a tool that permits the investigator to change the user's password to another one. Obviously, changing the password is an action that should be thoroughly documented in the investigator's log.

Cracking User Passwords

There are times when using a password cracker to brute-force a password is the wisest path to follow. As was mentioned earlier, Access Data is a company that offers password cracking tools and other applications valuable to forensic investigators. NTI, www.forensics-intl.com, has an excellent reputation in providing password cracking tools as well as a host of other applications useful to investigators.

Looking at the Windows Registry

The Windows Registry is the database that contains information about the system's users, configuration preferences, and the network configuration. The Registry contains two types of files, system.dat and user.dat. If the system has been used by more than one user, the Registry will contain entries in these two categories for each user. The Registry is optimized for viewing with the native Windows operating system, so the best way to examine it is with the tools incorporated in Windows. This is done from Run | Regedit on Windows 9x and ME, or Run | Regedt32 on NT.

Although Windows has already created a backup of the Registry, it is still a good idea to create one using the Export Registry File selection of the Registry menu. Save it somewhere away from the present location; an export to a floppy disk usually works well.

The Windows Registry has a visible tree structure, similar to Explorer. With the Registry window open, there are folder icons on the left side of the pane. These are called Keys and contain either other Keys or values. By clicking the + sign next to a key, investigators may expand it and see a list of subkeys.

As an example of the type of information stored in the Registry, if a user has been using the Find Files function at the Start button, the investigator may pull down the menu and see the names input by the user. These values are stored in the Registry under the Windows, CurrentVersion, Explorer, then DocFindSpecMRU folder. The values in the menu and in the Registry should match each other and will provide the investigator with the specific search strings.

Autocomplete Entries in the Registry

Beginning with Microsoft Internet Explorer version 5, there is an option for users to save their passwords. With the AutoComplete option enabled, users may enter portions of their address, telephone numbers, e-mail addresses, etc., and the blanks will be completed with data saved in the Registry. This information becomes critical should a user dispute having visited a Web site more than once. Autowhat is a utility that might help investigators view the values stored for each input field name. It supports Internet Explorer browsers installed in Windows 95, 98, ME, and NT. It is available at www.pcmag.com/article2/0,4149,137603,00.asp.

In the Registry, the Explorer/RunMRU key may contain case-relevant information. This key holds the most recent commands launched from the Run window. If an investigator opens the Run window and pulls down the menu, she will see the entries made by the user to launch applications. These Registry entries are maintained in the RunMRU key.

If the user has installed Internet Explorer, its keys are located in the Registry's Microsoft folder. These keys store the last file downloaded from the Internet and the user's Internet start page. The keys may also contain a list of all the URLs typed into Internet Explorer's address field. There are other places that store the URLs visited by the browser's users. There is a cache directory labeled Temporary Internet Files, where IE stores the URLs of visited Web pages. This cache is configurable by the user; its settings may be reviewed in IE under Tools, then Internet Options, then General, then Settings.

Accessing the HKEY_LOCAL_MACHINE key will reveal information related to the workstation and its network connection. The Network/Logon key contains the last username used to log on to a network. This is useful knowledge if an investigator is attempting to tie a specific user's activity to a workstation.

Good Places for Evidence

One of the more logical places for investigators to look for files, if they have an idea what they are looking for, is the My Documents folder. This folder is created by a default installation of Windows.

Experience Note 

There is nothing preventing a user from creating a folder at any location in the operating system, disguising it under some meaningless name, and storing data in it. However, many users stash data in the My Documents folder.

In the case of larger hard drives, it is common for users to partition them, allowing, for example, executables to be installed on one logical drive C: with data stored on E:.

Recycle Bin

Many users forget that their Recycle Bin is used to store files before they are "permanently" emptied or are overwritten at this location. Until this happens, these files are readily accessible. Although these files are marked for unlinking in the system, they frequently remain in the Recycle Bin while the user thinks they are gone.

There are some interesting features of the Recycle Bin in that it is a folder that follows different rules than other Windows folders. In Windows 95 and 98 it is named Recycled, and in NT it is called Recycler. When a user deletes a file, it is moved to the Recycle Bin.

There are a few things that happen in this action:

  • The file's entry is removed from the folder where it resided before deletion

  • A new folder entry for the deleted file is created in the Recycle Bin, and pertinent information about the deleted file is added to a hidden file called INFO or INFO2 in the Recycle Bin

When a file is deleted, the file itself does not record its deletion date and time. Windows records the date and time of deletion in the INFO file instead. More important information is stored here: the deleted file's location prior to being sent to the Recycle Bin, its index number in the Recycle Bin (its order in the bin), and the new file name by which it is labeled in the Recycle Bin. Files entered in the Recycle Bin receive a new file name. For example, a file originally named "Testsample.doc" and stored at C:\My Test Documents is sent to the Recycle Bin; it would be renamed DC0.DOC. The file's original name and path, along with its date and time of deletion, would be appended to the INFO file.

INFO maintains each file entry as a 280-byte record. The deleted file's original path is stored at offset 0 of its record, and the file's date and time of deletion are stored in eight bytes starting at offset 268 of the record.

INFO files actually contain very useful information about file histories and the intentions and actions of the computer's users. On Windows NT, when a user puts a file in the Recycle Bin, a subfolder is created in the C:\Recycler folder. The subfolder is named with the user's SID and contains its own INFO subfile. Knowing this allows investigators to determine which user account was used to delete the file.

Files deleted by the operating system do not have their information stored in the INFO file. Consequently, if a file is recorded in the INFO subfile, the user deliberately deleted it. File deletion dates and times may lend credibility to statements made by the system's user.

Experience Note 

Noting the location of a downloaded file can provide the investigator with extremely valuable information. For example, if a computer user claimed she was not downloading pirated applications and an examination of her workstation revealed a directory named "Warez S.W." from which she had deleted the files, it would be very difficult for her to deny the existence of this directory and the existence of the deleted programs.

When the Recycle Bin is completely emptied, the Windows operating system deletes the files and the INFO subfile. If the INFO subfile has not been completely overwritten, the deleted INFO subfile is available for investigators to undelete, recover, and review. If portions of the INFO subfile remain in slack space, information fragments may survive that allow the investigator to see the deleted file's name, the extension indicating what type of file it was, and the file's former location on the computer.

In attempting to locate INFO entries on a FAT system relating to a Recycle Bin that has been emptied, examiners may locate the deleted folder by the first character of its directory entry, E5h, with possibly the rest of the entry intact. Of course, this depends on whether it has been overwritten and how much was overwritten.

An investigator's challenge arises when an INFO subfile located in unallocated space has been partially overwritten. In this case, unique file characteristics may be difficult to find, and the investigator should attempt to find individual INFO subfile records by searching the unallocated area of the volume for their unique characteristics, such as the structure of the INFO record itself or other known file characteristics such as the original file path. Such an examination may be performed using a forensic suite such as EnCase or by using a hex editor and its Find function.

Experience Note 

If investigators review the INFO subfile and find a reference to a volume (partition or attached drive) from which a file was deleted, and that drive letter is not present in the seized system, they may deduce that the computer user had a drive that was not part of the seizure. In today's world of multi-megabyte USB and FireWire drives the size of matchbooks, investigators must be creative in their search for all relevant media.
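As an added example (not from the book), a Python parser for the 280-byte INFO record layout described above, plus a carver that locates INFO records in a constructed unallocated-space blob by their path signature, reporting a partially overwritten record and a record whose path points at an E: volume that is not part of the sample. The offsets of the index, drive number and size fields and the FILETIME encoding of the eight deletion-time bytes are the documented INFO layout, not something the text states; all sample data is constructed.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

RECORD_LEN = 280             # each INFO record is 280 bytes (from the text)
PATH_OFF, PATH_LEN = 0, 260  # original path, NUL-padded ASCII, at offset 0 (from the text)
INDEX_OFF = 260              # index in the bin: documented INFO layout, an assumption here
DRIVE_OFF = 264              # drive number (0 = A:, 2 = C:): documented layout, an assumption
TIME_OFF = 268               # deletion time, 8 bytes at offset 268 (text), a Windows FILETIME
SIZE_OFF = 276               # original file size: documented layout, an assumption here

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # 100 ns ticks since 1601-01-01


def filetime_to_datetime(ft):
    """Convert a FILETIME; None if the value is out of range (overwritten bytes)."""
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:
        return None


def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def parse_info_record(rec):
    """Decode one 280-byte INFO record: original path, index, drive, deletion
    time, size, and the D<drive><index>.<ext> name the file carries in the bin."""
    if len(rec) < RECORD_LEN:
        raise ValueError("INFO record shorter than %d bytes" % RECORD_LEN)
    raw_path = rec[PATH_OFF:PATH_OFF + PATH_LEN].split(b"\x00", 1)[0]
    path = raw_path.decode("ascii", "replace")
    index, drive, ft, size = struct.unpack_from("<iiQI", rec, INDEX_OFF)
    letter = chr(ord("A") + drive) if 0 <= drive < 26 else "?"
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[1].upper() if "." in name else ""
    return {
        "path": path,
        "index": index,
        "drive": letter + ":",
        "deleted": filetime_to_datetime(ft),
        "size": size,
        # renamed on entry: D + drive letter + index + original extension (text: DC0.DOC)
        "recycled_name": "D%s%d" % (letter, index) + ("." + ext if ext else ""),
    }


# Signature of a record start: a drive-letter path of printable ASCII, NUL-terminated.
PATH_RE = re.compile(rb"[A-Z]:\\[\x20-\x7e]{1,255}\x00")


def carve_info_records(blob, year_range=(1980, 2100)):
    """Scan unallocated space for INFO records by their path signature. A record is
    'complete' only when all 280 bytes are present and the deletion timestamp decodes
    to a plausible year; otherwise only the recovered path is reported."""
    found = []
    for m in PATH_RE.finditer(blob):
        start = m.start()
        entry = {"offset": start, "path": m.group()[:-1].decode("ascii"), "complete": False}
        chunk = blob[start:start + RECORD_LEN]
        if len(chunk) == RECORD_LEN:
            rec = parse_info_record(chunk)
            when = rec["deleted"]
            if when is not None and year_range[0] <= when.year <= year_range[1]:
                entry.update(rec)
                entry["complete"] = True
        found.append(entry)
    return found


# ---- constructed sample data (test fixtures, not real evidence) ----
def build_info_record(path, index, drive, deleted, size):
    rec = bytearray(RECORD_LEN)
    rec[PATH_OFF:PATH_OFF + len(path)] = path.encode("ascii")
    struct.pack_into("<iiQI", rec, INDEX_OFF, index, drive,
                     datetime_to_filetime(deleted), size)
    return bytes(rec)


SAMPLE_DELETED = datetime(2004, 3, 15, 10, 30, 0, tzinfo=timezone.utc)
REC_A = build_info_record(r"C:\My Test Documents\Testsample.doc", 0, 2, SAMPLE_DELETED, 12345)
REC_B = build_info_record(r"C:\Temp\notes.txt", 1, 2, SAMPLE_DELETED, 77)
REC_B = REC_B[:INDEX_OFF] + bytes(RECORD_LEN - INDEX_OFF)  # tail overwritten with zeros
REC_C_HEAD = b"E:\\Warez S.W.\\setup.exe\x00"              # only the path survives, at blob end
FILLER = b"\xe5" * 37                                       # E5h filler, no path-like bytes
UNALLOCATED = FILLER + REC_A + FILLER + REC_B + FILLER + REC_C_HEAD

if __name__ == "__main__":
    for e in carve_info_records(UNALLOCATED):
        print(e["offset"], e["path"], "complete" if e["complete"] else "partial",
              e.get("recycled_name", "-"), e.get("deleted", "-"))
```

Run against a real unallocated-space dump, the same path signature is what a hex editor's Find function would be looking for; the carver just automates it and checks each hit against the record layout.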

Partitions

Windows and UNIX-based systems use the word partition or "volume" to mean a divided portion of disk media. When the computer is turned on, the boot firmware launches the BIOS process, which reads the machine's basic configuration information stored in the CMOS chip. When the BIOS has finished checking the hardware, the boot operation transfers startup execution to the boot sector (Master Boot Record) of the bootable disk partition. The Master Boot Record contains information about the defined partitions and transfers control to the operating system's start address. The Master Boot Record occupies all 512 bytes of sector zero, with 446 bytes comprising the bootstrap program and 66 bytes left. Of this amount, 64 bytes are dedicated to the fdisk partition table, where the disk's partitioning information is contained.

There is a near-universal utility known as "fdisk" used for creating, hiding, and "unhiding" partitions. There are many versions of fdisk, some of which allow users to set values that others misread or ignore. Not all partition editors have the same feature set; some commercial programs (like Partition Magic, www.powerquest.com) can edit the MBR partition table itself.

Experience Note 

Examiners can look for hidden partitions using the DOS utility of fdisk and "unhide" them.

Partition Status

Partitions can be listed in three ways:

  1. Status: active or inactive. In this case, active means bootable. The status of any given partition is determined by whether "0" or "128" is written into the first variable, "bootid", of the partition entry.

  2. Primary, extended, or logical.

  3. Visible or Hidden. This refers to the ability of the operating system to see the partition and assign a drive letter to it. It is important for investigators to note that fdisk programs can usually see "hidden" partitions.
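As an added example (not from the book), a Python parser for the Master Boot Record layout described above: it reads the four 16-byte entries of the 64-byte partition table that follows the 446-byte bootstrap, decodes each entry's bootid (0 or 128), type code and CHS/LBA extents, and flags the "hidden" type codes that fdisk-style tools write, which Windows will not assign a drive letter to. The partition type table and the 55h AAh signature check are the documented MBR layout rather than anything the text states, and the sample sector is constructed.

```python
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446        # bootstrap code occupies bytes 0-445
TABLE_OFF = 446            # 64-byte partition table: four 16-byte entries
ENTRY_LEN = 16
SIGNATURE_OFF = 510        # last two bytes hold the 55h AAh boot signature
BOOT_SIGNATURE = b"\x55\xaa"
ACTIVE_FLAG = 0x80         # bootid 128 = active/bootable, 0 = inactive (from the text)

# Partition type codes (documented MBR type list; an assumption here, not from the text).
# The 0x1x codes are what fdisk-style tools write when they "hide" a partition.
PARTITION_TYPES = {
    0x00: "empty", 0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "extended",
    0x06: "FAT16", 0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x0E: "FAT16 LBA", 0x0F: "extended LBA", 0x11: "hidden FAT12",
    0x14: "hidden FAT16 <32MB", 0x16: "hidden FAT16", 0x17: "hidden NTFS/HPFS",
    0x1B: "hidden FAT32", 0x1C: "hidden FAT32 LBA", 0x1E: "hidden FAT16 LBA",
    0x82: "Linux swap", 0x83: "Linux",
}
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
EXTENDED_TYPES = {0x05, 0x0F}


def decode_chs(raw):
    """Decode a 3-byte CHS field into (cylinder, head, sector)."""
    head = raw[0]
    sector = raw[1] & 0x3F                       # low 6 bits of byte 1
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]   # high 2 bits of byte 1 + byte 2
    return cylinder, head, sector


def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs; used only to build the constructed sample sector."""
    return bytes([head & 0xFF,
                  (sector & 0x3F) | ((cylinder >> 2) & 0xC0),
                  cylinder & 0xFF])


def parse_partition_entry(entry, number):
    bootid, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "number": number,
        "bootid": bootid,
        "active": bootid == ACTIVE_FLAG,
        "bootid_valid": bootid in (0x00, ACTIVE_FLAG),  # anything else: malformed/tampered
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
        "hidden": ptype in HIDDEN_TYPES,
        "extended": ptype in EXTENDED_TYPES,
        "chs_start": decode_chs(chs_start),
        "chs_end": decode_chs(chs_end),
        "start_lba": lba_start,
        "sectors": sectors,
        "size_mb": sectors * SECTOR_SIZE / (1024 * 1024),
    }


def parse_mbr(sector):
    """Return the non-empty entries of the MBR partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[SIGNATURE_OFF:] != BOOT_SIGNATURE:
        raise ValueError("missing 55AA boot signature: not a valid MBR")
    entries = []
    for n in range(4):
        off = TABLE_OFF + n * ENTRY_LEN
        e = parse_partition_entry(sector[off:off + ENTRY_LEN], n + 1)
        if e["type"] != 0x00:
            entries.append(e)
    return entries


def hidden_partitions(sector):
    """Entry numbers of partitions Windows would not assign a drive letter to."""
    return [e["number"] for e in parse_mbr(sector) if e["hidden"]]


def active_partition(sector):
    active = [e["number"] for e in parse_mbr(sector) if e["active"]]
    return active[0] if len(active) == 1 else None   # exactly one entry should be active


# ---- constructed sample sector (a test fixture, not a real disk) ----
def build_entry(bootid, ptype, lba_start, sectors,
                chs_start=(0, 1, 1), chs_end=(1023, 254, 63)):
    return struct.pack("<B3sB3sII", bootid, encode_chs(*chs_start), ptype,
                       encode_chs(*chs_end), lba_start, sectors)


def build_mbr(entries):
    sector = bytearray(SECTOR_SIZE)            # bootstrap area left as zeros
    for i, e in enumerate(entries):
        sector[TABLE_OFF + i * ENTRY_LEN:TABLE_OFF + (i + 1) * ENTRY_LEN] = e
    sector[SIGNATURE_OFF:] = BOOT_SIGNATURE
    return bytes(sector)


# A visible, bootable NTFS C: followed by a hidden NTFS partition with no drive letter.
SAMPLE_MBR = build_mbr([
    build_entry(ACTIVE_FLAG, 0x07, 63, 2_000_000),
    build_entry(0x00, 0x17, 2_000_063, 1_000_000),
])

if __name__ == "__main__":
    for e in parse_mbr(SAMPLE_MBR):
        print("#%d %-18s active=%-5s hidden=%-5s start=%d sectors=%d (%.1f MB)" % (
            e["number"], e["type_name"], e["active"], e["hidden"],
            e["start_lba"], e["sectors"], e["size_mb"]))
```

On a forensic duplicate, feed the first 512 bytes of the image to parse_mbr; an entry that is hidden, or whose extents do not line up with the visible ones, is the cue to look for a partition the user knows about and the operating system does not show.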

Fdisk is a utility that should be made part of the investigator's initial boot disk. When a restore or rescue boot disk is made, fdisk is usually one of the tools loaded onto it. Fdisk may be launched on most DOS-based machines by opening a DOS window and entering fdisk.

Partitions made by fdisk are destructive in that data already written on the disk is destroyed when fdisk creates partitions. However, when a program like Partition Magic creates partitions, the disk retains its data after being partitioned.

Experience Note 

If investigators discover their target machine has a partitioning program installed, it would be prudent to look for hidden partitions containing data.

Norton's Ghost 2002 and Symantec Ghost version 7.5 include a tool named Gdisk. It is very useful for displaying partition information in cylinder/head/sector format, and it is capable of "unhiding" partitions that are ignored by Windows NT systems. It is available at www.symantec.com.

In the investigation of the target media, it is a prudent step for investigators to use an fdisk-type program to see if there are any hidden partitions where information is stored. Such a partition may be seen only by a user who knows of its existence.

Password-Protected and Encrypted Files

The purpose of encryption is to prevent the content of a file or traffic from being read by anyone other than the intended party.

Many investigations will involve employees and other persons who have encrypted or placed a password on a document or application.

Experience Note 

If investigators are in the possession of significant computing power, time, money, and well-educated mathematicians, they are in a good position to tackle the task of breaking encrypted material. Absent an abundance of these elements, investigators are best advised to find a good program that will crack the guarding-application's password or obtain the password from the data's owner.

There are many free and commercial products targeting password cracking to decrypt documents and messages. Some applications are intended for specific operating systems and applications.

Here is a sample of a few commercial password cracking applications:

  • Elcom: www.elcomsoft.com/

  • AccessData: www.accessdata.com

  • L0phtcrack: www.atstake.com/research/lc/index.html

  • Lost Passwords: www.lostpassword.com

Here is a sample of a few shareware or freeware password cracking applications:

  • John the Ripper: www.openwall.com/john/

  • Lilo password cracker: www.cgsecurity.org/lilo.html

  • FTP password cracker: members.ams.chello.nl/a.boros/fpr/index.htm

Here are Web pages dedicated to password cracking:

  • www.password-crackers.com/pwdcrackfaq.html

  • directory.google.com/Top/Computers/Security/Products_and_Tools/Password_Recovery/

  • www.password-crackers.com/

  • members.aol.com/jpeschel/crack.htm

Print Spooler Files

Printing files can deposit temporary files on a computer system that provide the investigator with valuable information. Print spooling is accomplished by the operating system creating temporary files containing the data to be printed and the information necessary to print the job.

For reference, there are two methods of spooling print jobs, RAW and EMF; these are the names of the spool file formats used in the Windows operating system. In both formats, files with the extensions .SPL and .SHD are created for each print job. When a job is sent to the printer while it is printing another file, the computer reads the new file and stores it, usually on the hard drive, for printing later. Spooling permits multiple print jobs to be delivered to the printer one at a time. The EMF format is the 32-bit version of the Windows metafile format (WMF); it was created to remedy deficiencies of WMF in printing graphics from some graphics programs. The EMF format is device-independent, meaning the dimensions of the graphic are maintained on the printed copy regardless of the printer's resolution in dots per inch.

A RAW spool file is sent to the Windows spooler unprocessed. The RAW format may also be used to send PostScript commands to a PostScript printer; the commands are understood by the printer but are merely data to the Windows spooler. The RAW format is device-dependent and slower than EMF.

In the RAW format, the file with the .SPL extension contains names in the format EMFxxxxx.TMP. In the EMF format, the .SPL file holds the printer name, the method, and the data to be printed. The .SHD, .SPL, and .TMP files are deleted after the job is printed.

Experience Note 

With careful analysis, it is possible to restore and recover these deleted files.

Both .SPL and .SHD files may be found on both the target workstation and the print server. Investigators are well advised to carefully examine the target media for allocated and deleted files with the extensions .SHD, .SPL, and ~EMFxxxxx.TMP. Finding files with these extensions indicates the user was deliberately engaged in printing a job. If the original print job no longer exists on the target machine, it may still exist in enhanced metafile format.

Windows NT Logging

Logs in NT constitute event records for the target system and should show which users were accessing specific files, which users attempted, and which succeeded in, logging on to the system, which users attempted to alter logging policy, and which changes were made to user privileges.

In all, there are three levels of log files in Windows NT systems:

  • System log

  • Application log

  • Security log

System log entries record system processes and device driver activity. Included in system logs are devices that fail to start properly, hardware failures, and services that stop, start, and pause.

Application logs record activities related to user programs and commercial applications. Application events recorded by NT include errors or information that an application is specifically configured to report. Accordingly, application logs may contain events watched by the Performance Monitor including the number of failed logons and disk usage.

Security log entries record system auditing and security processes used by NT, including changes in user privileges, changes in audit policy, directory and file access, logins and logouts, and printer activities. Users can access and review the Application and System logs, but only users with administrator-level access can look at the Security logs.

Experience Note 

In the event of a critical incident, the Security logs are going to be the most useful logs to responders.

When reviewing the logs while the system is connected to the network, NT has a utility called the Event Viewer that permits users to view the audit logs on a local machine. It is found under Start | Programs | Administrative Tools | Event Viewer. In the Event Viewer, investigators see logged activities listed in a pane whose columns are mostly self-explanatory. However, there is a column labeled "Event" containing three-digit numbers. The key to some of the more common activity codes is shown in Exhibit 11.

Exhibit 11: Common Activity Codes

  Identification Number   Information
  ---------------------   -----------------------------
  516                     Audit event records discarded
  517                     Audit log cleared
  528                     Successful logon
  529                     Failed logon
  538                     Successful logoff
  576                     Assignment and use of rights
  578                     Privileged service use
  608                     Rights policy change
  610                     New trusted domain
  612                     Audit policy change
  624                     New account added
  626                     User account enabled
  630                     User account deleted
  636                     Account group change
  642                     User account change
  643                     Domain policy change

Windows NT is capable of logging the creation and termination of each process on the system; however, this is not the default configuration. To enable this feature, set the Audit policy to monitor success and failure for detailed tracking. Each process is assigned a unique identifier called a PID, or process identification. With detailed tracking enabled, each process executed on the system can be traced by following the event identification.

Offline Log Reviews

By copying the logs from the evidence disk, investigators will obtain the secevent.evt, appevent.evt, and sysevent.evt files. Write them to a separate disk for examination. These files are generally located in the \WINNT\System32\Config folder. Once recovered, the files are viewable in the forensic workstation's NT Event Viewer: Event Viewer | select log | Open, then select the path to the copied .evt file to be viewed.

Experience Note 

It is prudent to disable the Security log on the forensic machine to avoid writing to the media holding the evidence. Windows NT restricts each log file to a maximum of 512 KB and a length of seven days. These are default settings. With the default installation, NT is set to log almost nothing at all. Consequently, if NT were installed at default, there would be very little for investigators to review in the way of logging.

When investigators are viewing NT logs offline, there are some considerations to be made. NT system logs depend on dynamic link library (DLL) files, and if the forensic machine does not have the same applications installed on it, much of the information in the description field of the Application log may be missing. This should not affect the Security log, however.

Experience Note 

By running Dumpel on the forensic system and saving the output to a spreadsheet, the investigator can sort, search, and group data. Dumpel (Dump Event Log) is a command line tool that outputs an event log from a local or remote system into a tab-separated text file. This tool can filter certain types of events, aiding searches. More information and the dumpel utility are available at www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp.

Looking for Specific Words

There are times when investigators will be provided with information about unlawful acts such as pornography, trafficking in pirated software, stolen proprietary information, narcotics dealing, and so on. In these cases, investigators will be looking for "key" word strings, usually at the physical level of the media. Many disk editors and searching tools are marketed as being able to conduct physical-level string searches of the target drive. Using these tools, investigators input the key words to be searched and the tool locates them on the drive. Often these tools require the target system to be booted from a boot floppy disk or other control media holding the search tool.

There are many search tools; for example, EnCase, NTI's DS2, and most hex editors also have string search capabilities.

Experience Note 

It is still wise to record all string search commands in a written investigative log, so they can be recalled in the future.

Searching for key words can literally be like "looking for a needle in a haystack." Investigators can reduce the time they spend looking at media if they spend a bit of time interviewing witnesses. Collecting enough information, narrowing allegations to specific terms about how the attacker was doing her "thing," can save many hours of fruitless disk searching.

Looking at Relevant Files

It's a lot like an old movie line when the police chief says, "round up the usual suspects." Investigators can save time by looking in the obvious storage locations on the target machine. Reviewing the forensically copied contents of the cookie cache, history file, temporary directories, recycle bin, and specific file extensions can provide significant amounts of relevant information. For example, if investigators are responding to allegations that an employee has sent an obscene e-mail to another employee, they would likely start by reviewing the employee's e-mail client on his workstation.

Experience Note 

Go with the facts of the allegation before branching into other lesser-related areas.

The usual file "suspects" depend on the nature of the allegations but usually include files with the extensions .png, .jpg, .gif, .vbs, .exe, .log, .tmp, .wpd, .doc, and .txt. Obviously, it is not possible for the forensic machine to have all the programs necessary to open and view files with all these extensions. However, there is a very useful program that will help in this effort: JASC's Quickview Plus supports more than 200 different file formats and allows users to view files including images, documents, spreadsheets, databases, presentations, and zip files. It is available from www.jasc.com/products/qvp/.

Here is a very valuable resource for researching file extensions: www.library.mcgill.ca/edrs/services/file_extensions.html.

Here's a handy Palm OS utility for listing and searching file extensions: www.free-warepalm.com/educational/file'snameextensionsdictionary.shtml.

Chronology of Events

There are many common elements between the investigation of a critical incident and a criminal act. A history of events must be established as one of the basic elements of any investigation. Establishing the timeline of created, modified, deleted, and accessed times will go a long way to determining the critical incident's sequence of events. Carefully scrutinize logs, listen to relevant witnesses, and by all means, consider the totality of the circumstances.

Critical incidents are rarely single-step happenings; rather they are like a good novel in that they have a beginning, middle, and end. The most effective and efficient means of establishing a timeline is the careful review of time-stamp information contained in the operating system logs as well as the application logs.

There is another aspect of event history worth detailing: the process of documenting the access privileges for affected directories and files. For example, investigators may need to identify who placed unauthorized files on a server. There are two basic options. The first is to use a network-based sniffer to monitor access to the file server. This depends on knowing a significant amount of information beforehand; otherwise, a large data file is created with little chance of being productive.

The second alternative is to implement host logging on the affected machines where NT file access auditing is enabled through Local Security auditing. With the target directory or file selected, NT will log relevant events. Enable auditing for "success and failure" actions in the NT Audit policy.

Legal Cautions

Before installing network sniffers or any other type of traffic monitoring device/software, make certain that it is legally sound. This procedure can easily run afoul of an employee's reasonable expectation of privacy and can result in civil and possibly criminal charges.






Critical Incident Management
ISBN: 084930010X
Year: 2004
Pages: 144
