If you’ve ever been tasked with recovering a lost file or folder and had to explain exactly what happened (Who moved or deleted it? When did it happen? Why?), you know how annoyingly time-consuming it can be. And sometimes you simply don’t have any good answers. All you can do is restore from backup.
How do we fix this?
Having an audit trail can help tremendously, but native auditing on Windows, UNIX, and many other platforms is resource intensive: it generates a high volume of low-level events (one per handle open or access, not one per "who did what"), eats up log storage, and adds I/O load to the servers being audited. It's easy to see why auditing is rarely enabled.
Performing Forensic Investigations the Hard Way
Let’s see what it really takes to perform forensic investigations on Windows using native auditing.
Windows auditing for file access first requires that auditing of successful object access attempts be enabled in the local or domain security policy: either the legacy "Audit object access" policy (Success) under Local Policies > Audit Policy, or the "Audit File System" subcategory under Advanced Audit Policy Configuration. Note that a domain policy overrides whatever is set locally, so on a domain-joined server the setting has to come from the GPO that applies to it.
Next, each folder’s auditing settings must be modified to include the users you wish to audit. The image below shows that “everyone” who accesses the finance folder will be audited.
Once auditing is enabled, events will show up in the Security event log (Event Viewer > Windows Logs > Security):
Each event must be opened individually to inspect its contents: the user, the object path, the access mask, and the process involved are buried in the event's details pane.
Event Viewer's filter dialog can narrow the list by user (and by event ID) if you already know which user you're interested in, but not by directory name, file type, or whether the access was a delete. Getting at those fields means scripting against the event XML. So, what can we do next?
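To make the "hard way" concrete, here is the whole native procedure in one PowerShell script: enable the audit subcategory, add an audit entry to the folder's SACL, and then pull the resulting Security events and turn them into an answer to "who deleted what?". This is an added example written for this page, not code from the original post or from Varonis; the folder path D:\Shares\Finance, the 24-hour window, and the helper name ConvertTo-AuditRecord are assumptions chosen for illustration. The event IDs (4663 for an access attempt on an object, 4660 for an object deleted) and the access-mask values are standard Windows values. Run it from an elevated prompt on the file server itself.

```powershell
# Added example (not part of the original post or of Varonis' product).
# Assumptions: the audited share is D:\Shares\Finance, we care about the
# last 24 hours, and the script runs elevated on the file server.
$Folder = 'D:\Shares\Finance'
$Since  = (Get-Date).AddHours(-24)

# 1. Enable the advanced audit subcategory behind "Audit object access".
#    On a domain-joined server a GPO setting will override this, so set it
#    in the GPO instead if one applies to this machine.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit entry (SACL) for Everyone on the folder and its children.
#    Auditing only writes, deletes and permission changes keeps the event
#    volume down; auditing ReadData as well will flood the Security log.
$rights = [System.Security.AccessControl.FileSystemRights] `
    'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData, ChangePermissions, TakeOwnership'
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $Folder -Audit      # -Audit is required to read the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Read the Security log. Event Viewer cannot filter on the object path, so
#    flatten each event's EventData into an object we can filter in PowerShell.
function ConvertTo-AuditRecord {
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml  = [xml] $Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $Event.TimeCreated
            Id         = $Event.Id
            User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object     = $data.ObjectName     # present on 4663, absent on 4660
            Handle     = $data.HandleId
            AccessMask = $data.AccessMask     # 0x10000 = DELETE, 0x2 = WriteData, 0x4 = AppendData
            Process    = $data.ProcessName
        }
    }
}

$records = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4663, 4660; StartTime = $Since
} | ConvertTo-AuditRecord

# 4663 carries the path; keep only accesses under the folder of interest.
$accesses = $records | Where-Object { $_.Id -eq 4663 -and $_.Object -like "$Folder\*" }

# 4660 ("object deleted") carries only a HandleId, so join it back to the 4663
# that opened the same handle. Handle values are reused over time, so also
# require the two events to be close together.
$byHandle = @{}
foreach ($a in $accesses) { $byHandle[$a.Handle] = $a }
$deletes = $records |
    Where-Object { $_.Id -eq 4660 -and $byHandle.ContainsKey($_.Handle) } |
    ForEach-Object {
        $open = $byHandle[$_.Handle]
        if ([math]::Abs(($_.Time - $open.Time).TotalSeconds) -le 5) {
            [pscustomobject]@{ Time = $_.Time; User = $_.User; Deleted = $open.Object; Process = $_.Process }
        }
    }

"Writes and permission changes under $Folder since $Since"
$accesses | Where-Object { $_.AccessMask -ne '0x10000' } |
    Sort-Object Time | Format-Table Time, User, Object, AccessMask, Process -AutoSize

"Deletions under $Folder since $Since"
$deletes | Sort-Object Time | Format-Table -AutoSize
```

Two things the script makes obvious about the native route. First, the answer to "who deleted this file?" is not in any single event: the delete event (4660) has no path, so it has to be correlated by handle with an earlier 4663, and handles are reused. Second, this works per server and only forward from the moment the SACL was set; it says nothing about where a moved file went unless the destination folder is audited too, and nothing about access that happened before auditing was turned on.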
Give Varonis' DatAdvantage a try if you're on the help desk, doing forensics for security, or auditing data use. You'll be able to quickly answer these frequently asked questions:
- Who has been accessing this folder?
- What data has this user been accessing?
- Who sent emails to whom?
- Who deleted these files?
- Where did those files go?
To learn more: download our Whitepaper – Accelerating Audits with Automation
Michael Buckbee
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.