ClioSport.net

Trace a file on a network



  Mondeo ST TDci
Is it possible to trace a file that was copied to a local computer from a network share, even if the file was deleted from the local PC months ago?
 
  RB 182
Do you know where the file is and want to know if it is the same file?

If they are exactly the same file and haven't been changed in any way, then you can hash the file in both places and compare the hash values.
 

dk

  911 GTS Cab
the way i read that is that a file that was located on a share on the network was downloaded to a local PC by someone and then deleted at some point, can it be proved that the file was located on the local pc at some point, maybe it contained sensitive data and shouldn't have been downloaded?
 
  Mondeo ST TDci
the way i read that is that a file that was located on a share on the network was downloaded to a local PC by someone and then deleted at some point, can it be proved that the file was located on the local pc at some point, maybe it contained sensitive data and shouldn't have been downloaded?

Possibly....;)

is it possible to trace that?
 
  Mondeo ST TDci
ROFL.
the only way I can think of is packet tracing? but that won't be available unless you are specifically looking for it? at that point in time when it was copied??
 

dk

  911 GTS Cab
if you do this you have to be clever about it, if you have an admin password and have access to servers I would normally log into the server via the administrators account using RDP, then open the file on there, then it could have been opened by anyone!

Not that i have done this obviously ;)
 
I don't believe you can do this, unless you have a computer running as a gateway, monitoring all network data either as raw packets or with some kind of software (that logs all packets in organised groups/dates/IPs).

Other than this, 'MOST' routers don't log this much info.
 

dk

  911 GTS Cab
ROFL.
the only way I can think of is packet tracing? but that won't be available unless you are specifically looking for it? at that point in time when it was copied??
unless anyone is hell bent on finding out i doubt it would be easy to detect, i think they would really have to WANT to find out!
 
Depends what OS the "server" was running and its configuration, but yes, it can be done.

Windows Server OSes, for example, have auditing, which can log success/failure of object access (amongst other things).

http://windows.stanford.edu/docs/security2000.html#audit
surely that wouldn't be set to on though unless they were looking for something specific?

Well, only the administrators would know that. :)
It's perfectly possible that it may be set.. heh.
 
  Mondeo ST TDci
server 2003.
so in theory you CAN trace this activity then? i thought if a copy was taken and dumped locally that the server wouldn't register it?
 
  172 Cup (2003)
Depends what OS the "server" was running and its configuration, but yes, it can be done.

Windows Server OSes, for example, have auditing, which can log success/failure of object access (amongst other things).

http://windows.stanford.edu/docs/security2000.html#audit

We have this in place on our fileserver.

server 2003.
so in theory you CAN trace this activity then? i thought if a copy was taken and dumped locally that the server wouldn't register it?


The server won't log that it was deleted from your local PC, but it will / can know that you got it from the server.

This is an example from our log...

1/19/2006,16:30:36,8,3,560,Security,DOMAIN\user,SERVERNAME,Security File,D:\shared\Development\folder\folder2\Projects\filename.tmp 608,0,286051200,8,SERVERNAME,DOMAIN

date
time
your domain
your username

The rest is the filename and some other crazy Microsoft codes.

Hope this is helpful.
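
Added example, not part of any post in this thread: a small parser for exported audit rows laid out like the log line quoted above, listing which account opened a given file on the share and when. The column positions, the trailing number after the path, the month/day/year date order and every sample row except the first are assumptions read off that one line.

```python
import csv
from datetime import datetime
from typing import NamedTuple

OBJECT_OPEN = "560"  # Security event ID for "object open" on Windows 2000/2003

# First row is the log line quoted in the post; the others are constructed.
SAMPLE = [
    r"1/19/2006,16:30:36,8,3,560,Security,DOMAIN\user,SERVERNAME,Security File,"
    r"D:\shared\Development\folder\folder2\Projects\filename.tmp 608,0,286051200,8,SERVERNAME,DOMAIN",
    r"1/19/2006,16:45:10,8,2,538,Security,DOMAIN\user,SERVERNAME,User Logoff",
    r"1/20/2006,09:12:44,8,3,560,Security,DOMAIN\other,SERVERNAME,Security File,"
    r"D:\shared\Finance\year end.xls 1204,0,286099312,8,SERVERNAME,DOMAIN",
    "truncated,row",
]


class Access(NamedTuple):
    when: datetime
    account: str
    server: str
    path: str


def object_opens(lines, fragment=""):
    """Return object-open records whose path contains fragment, oldest first."""
    hits = []
    for row in csv.reader(lines):
        # Assumed layout: date,time,type,category,event id,source,account,server,...
        if len(row) < 10 or row[4] != OBJECT_OPEN:
            continue  # a different event, or a truncated row
        try:
            when = datetime.strptime(f"{row[0]} {row[1]}", "%m/%d/%Y %H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp: skip rather than guess
        # Assumption: the path field ends with a space and a numeric code.
        # Paths may contain spaces, so only the last token is split off.
        path, _, tail = row[9].rpartition(" ")
        if not path or not tail.isdigit():
            path = row[9]
        if fragment.lower() in path.lower():
            hits.append(Access(when, row[6], row[7], path))
    return sorted(hits)


if __name__ == "__main__":
    for hit in object_opens(SAMPLE, "filename.tmp"):
        print(hit.when.isoformat(), hit.account, hit.server, hit.path)
```

A hit only shows that the account opened the file on the server; as the post says, nothing in this log records what happened to a copy on the local PC.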
 
  Trophy #267
depends on whether you have given admin a reason to check the logs (should they exist)
I know most of us are geeks but there are better things to spend your spare time on than checking access logs....
 
  Ph1 172 / Ph1 Valver
Could you not just run a file recovery program on the local machine and see if it picks up the file you reckon they downloaded as ever being on the local drive? Even if it can't recover it it should give you the file size for comparison?
 

