windows file server  

taurean25
(@taurean25)
Member

Hey guys

My group has been tasked with determining what user made unauthorized permission changes on a file server.

We think, based on past cases, that the server does not have auditing enabled.

What tracking artifacts could we potentially look for?

I am thinking of looking at the $UsnJrnl and index files to see if we can narrow down a user changing files around the time of the incident.

The file server is Windows.

Posted : 08/02/2013 2:43 am
keydet89
(@keydet89)
Community Legend

My group has been tasked with determining what user made unauthorized permission changes on a file server.

Ok.

We think, based on past cases, that the server does not have auditing enabled.

Don't ever assume…check. As an incident responder, I could see 50 systems in a row that didn't have auditing enabled, and if I assumed that number 51 was the same, I might be wrong. I wouldn't risk it. Check.

What tracking artifacts could we potentially look for?

I would do this…sit down with whomever reported this, and try to get a better idea of what it was that led to this "discovery".

Many times, technical incidents are reported by non-technical people. Years ago, I was working at a company, and HR thought that their systems had been hacked…a layoff list for an office in AZ had been leaked. We sat with HR and asked what happened, where the list had been created and stored, etc. Examining the HR rep's system, we found that the file in question had been sent to a network printer. The _real_ compromise was the fact that the rep had sent the file to the printer and gone to lunch…someone else had come along, found the file, and faxed a copy of it to the AZ office.

My point is that sometimes what is assumed to be the issue really isn't.

I am thinking of looking at the $UsnJrnl and index files to see if we can narrow down a user changing files around the time of the incident.

Again, look at what would need to be done in order to accomplish something like this…did a user log in remotely and make the change via a GUI? You might find this in the UserAssist data, or in the shellbags, depending upon the version of Windows you're looking at. Did they do it using a CLI tool? Do you find indications that something like cacls.exe was run?

The file server is Windows.

Which version? One that supports Volume Shadow Copies?

HTH

Posted : 10/02/2013 6:07 pm
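A triage script for the checks keydet89 lists above (is auditing actually on, does the folder carry a SACL, which Windows version and are there shadow copies, did cacls.exe run), as an added example that is not part of the original thread. It assumes it is run elevated on the file server; $SharePath and the time window are placeholders, and the Security event field indexes are the ones Microsoft documents for 4670/4907/4663.

```powershell
# Added example (not from the thread). Run elevated on the file server;
# $SharePath and the time window are placeholders for your own case.
param(
    [string]  $SharePath = 'D:\Shares\Finance',      # placeholder path
    [datetime]$From      = (Get-Date).AddDays(-7),   # placeholder window
    [datetime]$To        = (Get-Date)
)

# 1. Don't assume auditing is off: read the effective policy for the two
#    subcategories that record ACL changes on files.
auditpol /get /subcategory:'File System'
auditpol /get /subcategory:'Authorization Policy Change'

# 2. Object auditing also needs a SACL on the object itself. No audit ACEs
#    here means no 4663/4670 could ever have been written for this tree.
$acl = Get-Acl -Path $SharePath -Audit
if ($acl.Audit.Count -eq 0) {
    Write-Warning "No SACL on $SharePath; object-level auditing never covered it."
} else {
    $acl.Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
}

# 3. Pull whatever did get logged. 4670 = permissions on an object changed
#    (Properties 8/9 hold the old and new descriptor in SDDL), 4907 = audit
#    settings on an object changed, 4663 with WRITE_DAC = a DACL write attempt.
#    For all three IDs: Properties[1] = SubjectUserName, [6] = ObjectName,
#    [11] = ProcessName (cacls.exe vs. explorer.exe answers the GUI/CLI question).
$filter = @{ LogName = 'Security'; Id = 4670, 4907, 4663; StartTime = $From; EndTime = $To }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ne 4663 -or $_.Message -match 'WRITE_DAC' } |
    Select-Object TimeCreated, Id,
        @{ n = 'User';    e = { $_.Properties[1].Value } },
        @{ n = 'Object';  e = { $_.Properties[6].Value } },
        @{ n = 'Process'; e = { $_.Properties[11].Value } } |
    Format-Table -AutoSize

# 4. Which Windows is it, and does the volume keep shadow copies? An older
#    copy lets you compare the folder's previous ACL with the current one.
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber
$volume = $SharePath.Substring(0, 2)
vssadmin list shadows /for=$volume

# 5. Evidence a CLI tool ran: Prefetch entries for cacls.exe / icacls.exe.
#    Prefetch is normally off on Server SKUs, so no hit is not proof of absence.
Get-ChildItem "$env:SystemRoot\Prefetch" -Filter '*CACLS.EXE-*.pf' -ErrorAction SilentlyContinue |
    Select-Object Name, CreationTime, LastWriteTime
```

If step 1 and step 2 both come back empty, the Security log will not answer the question and the registry artifacts keydet89 names (UserAssist, shellbags) plus any shadow copy from step 4 become the primary sources.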