Can I detect when a file is copied on Windows? Will it create an event in the Windows log? Or can I not? I know you can detect when a file is created due to the file pointers and stuff, but can you detect a file being copied?
1 Answer
Copying is just reading a file's contents and writing them somewhere else. If a user can read a file, they can copy its contents to somewhere where they have write access.
On Windows, there are copy hooks that you could use to log or block the operation, but those only apply to the shell (i.e. Explorer). Using the command prompt would bypass such hooks.
If you want to log file access, you should set up auditing. Basically, you'll need to change the SACL on the file(s) in question to log reads (use the Auditing tab of the advanced security dialog) and also change the system audit policy to record object access. To log the creation of the new file, you'll need to audit Create files / write data in the directory that will receive the copy.
It will still be very difficult to correlate a read operation with the writing of a copy if the user is even a little clever. They could read the contents into memory and wait for a while before writing it out; they could compress or encipher the data to make the copy not be the same on-disk; they could send the file over the Internet to avoid writing any new files at all. You can't really distinguish a pure read from the first part of a copy.
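The auditing setup the answer describes, written out as an added PowerShell example (not code from the original answer). It assumes two constructed placeholder paths, `C:\Sensitive\secret.docx` and `D:\Dropzone`, and an elevated session, since changing a SACL needs the security privilege.

```powershell
# Run as Administrator. Paths are constructed placeholders for this example.
$SourceFile = 'C:\Sensitive\secret.docx'
$DestDir    = 'D:\Dropzone'

# 1. System audit policy: record object access for the File System subcategory.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL on the source file: audit successful reads ("List folder / read data")
#    by Everyone (S-1-1-0) so a read from any account produces an event.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$readRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $SourceFile -Audit
$acl.AddAuditRule($readRule)
Set-Acl -Path $SourceFile -AclObject $acl

# 3. SACL on the destination directory: audit "Create files / write data",
#    inherited by files created inside it, so the written copy is logged too.
$writeRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::CreateFiles,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$dirAcl = Get-Acl -Path $DestDir -Audit
$dirAcl.AddAuditRule($writeRule)
Set-Acl -Path $DestDir -AclObject $dirAcl

# 4. Later: pull event 4663 ("An attempt was made to access an object") and line
#    the entries up by process. A read of the source followed by a write under the
#    destination from the same process is the best correlation available; as the
#    answer warns, a delayed or transformed copy will not show up this way.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d.SubjectUserName
                           Pid  = $d.ProcessId;   Proc = $d.ProcessName
                           Obj  = $d.ObjectName;  Mask = $d.AccessMask }
    } |
    Where-Object { $_.Obj -like "$SourceFile*" -or $_.Obj -like "$DestDir\*" } |
    Sort-Object Proc, Time | Format-Table -AutoSize
```

Auditing reads on a busy file generates a large volume of 4663 events, so scope the SACL to the specific files that matter rather than whole trees.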
Also won't tell you if the file was read outside of the OS, via live Linux or pulling the drive. – Alexander O'Mara Jun 20 '16 at 18:07