As part of theft detection, where the data remains as it is but the file is copied, is there a mechanism whereby we can monitor all copy operations in the system? (These can then be classified using data mining algorithms, which is out of scope of this discussion.) The first issue is to identify and monitor the system calls invoked during a copy operation. I have tried tools like Sysinternals and WMI to get such info and also googled about copy operations in Windows, but not much info is available.
Please suggest an approach for monitoring all copy operations on a system.
You mean *something* like this?
http//
Which OS?
File and Folder access auditing
http//
jaclaz
I am looking at the Windows OS. Basically, the problem at hand is theft detection when someone copies a file without accessing it; it need not be shared. The copy is invoked by a user onto a pen drive or any other location such as a shared folder or the network. Is there a way to monitor such events?
"Windows OS" means NOTHING.
There are MANY versions of "Windows OS" and something that works on one may not work (or not work the same) on another.
But I would have thought that in order to copy a file it must be accessed?
http//
Events 560, 567 and 570 seem to me like interesting options.
Re-check the already given link about auditing, and these ones:
http//
http//
You have to understand that you cannot rely on "copy" information.
Say that you open a .txt in Notepad.
Then you do "Save as" to a USB stick.
You have effectively copied it without using any "copy" tool/API/command/whatever.
Of course, if direct disk access is used there won't be any trace, but still, to give the direct disk access tool the location of the file, the object needs to be accessed.
jaclaz
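The two replies above together describe the only workable approach on Windows: you cannot see a "copy", only object access, so you audit reads of the sensitive files and then correlate them with writes elsewhere. The script below is an added example, not code from this thread or from any of the linked pages. It assumes Windows 8 / Server 2012 or later (where the legacy 560/567/570 object-access events have become 4656/4663/4658 and the "Removable Storage" audit subcategory exists), an elevated PowerShell session, and an assumed watched folder `C:\Confidential`; the function names, the 30-second window and the drive-letter matching of removable-media events are all my assumptions.

```powershell
# Added example (not from the thread). Audit reads of a sensitive folder and
# flag processes that read a watched file and then write to removable media
# shortly afterwards. This catches Explorer copies, Notepad "Save As" and
# similar, because all of them show up as access, never as a "copy".
# Assumptions: Windows 8 / Server 2012+, elevated session, paths below.

$Watched = 'C:\Confidential'                 # assumed folder to protect
$Window  = [TimeSpan]::FromSeconds(30)       # assumed read->write correlation window

# 1. Enable success auditing for file-system objects (needs a SACL to fire)
#    and for removable storage (fires without a SACL on the device).
auditpol.exe /set /subcategory:"File System" /success:enable       | Out-Null
auditpol.exe /set /subcategory:"Removable Storage" /success:enable | Out-Null

# 2. Add a SACL entry on the watched folder: audit successful ReadData by
#    Everyone, inherited by subfolders and files. -Audit is required to get
#    the SACL; Set-Acl needs SeSecurityPrivilege (an elevated admin has it).
$acl  = Get-Acl -Path $Watched -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)
$acl.AddAuditRule($rule)
Set-Acl -Path $Watched -AclObject $acl

# Pull the named EventData fields out of a 4663 ("attempt to access an object") record.
function Get-ObjectAccess {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        User       = $data['SubjectUserName']
        Process    = $data['ProcessName']
        ProcessId  = [int]$data['ProcessId']     # logged as hex, e.g. 0x1a2c
        Object     = $data['ObjectName']
        AccessMask = [int]$data['AccessMask']    # 0x1 = ReadData, 0x2 = WriteData
    }
}

# 3. Correlate: a read under $Watched followed, within $Window and by the
#    same process id, by a write to a removable drive.
function Find-SuspectedCopies {
    param([datetime]$Since = (Get-Date).AddHours(-1))

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
                -ErrorAction SilentlyContinue | ForEach-Object { Get-ObjectAccess $_ }

    # DriveType 2 = removable. Assumption: removable-storage events report the
    # object as a drive-letter path (e.g. E:\x.doc); adapt the match if your
    # system logs \Device\HarddiskVolumeN paths instead.
    $removable = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object DeviceID)

    $reads  = @($events | Where-Object { $_.Object -like "$Watched\*" -and ($_.AccessMask -band 0x1) })
    $writes = @($events | Where-Object {
        ($_.AccessMask -band 0x2) -and
        ($removable | Where-Object { $_ -and $_.Object -like "$($_)\*" } | Measure-Object).Count -gt 0
    })

    foreach ($w in $writes) {
        $reads | Where-Object {
            $_.ProcessId -eq $w.ProcessId -and $_.Time -le $w.Time -and ($w.Time - $_.Time) -le $Window
        } | ForEach-Object {
            [pscustomobject]@{
                User        = $w.User
                Process     = $w.Process
                Source      = $_.Object
                Destination = $w.Object
                ReadAt      = $_.Time
                WriteAt     = $w.Time
            }
        }
    }
}

Find-SuspectedCopies | Sort-Object WriteAt | Format-Table -AutoSize
```

Run the first two steps once, then run `Find-SuspectedCopies` on a schedule. The output is only a candidate list, which is exactly the point made above: a read-then-write pair by one process is what both a copy and a "Save as" look like, and a process that reads the file and writes the content somewhere else in a different form will not be matched. That list is the raw material for the classification step the original question leaves out of scope, not a proof of theft.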