Old 10-01-2007, 10:02 AM   #1
LQ Newbie
Registered: Oct 2007
Posts: 2

Rep: Reputation: 0
Question How to tell which files have been copied or modified

Greetings all:

I would like to know if there is a way to determine which files have been copied and/or modified or deleted. We suspect a former co-worker has copied certain files from the Linux file server before he left the company. Is there a way to determine this?
Old 10-01-2007, 12:24 PM   #2
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
As far as I've encountered, filesystems don't have a concept of logging user access, only "basic" stuff like MAC times get changed. What logging you will be able to extract depends on how authentication and auditing was configured on the server and how the user was able to access it. For instance, if you're talking Samba server, then if the (extd_)audit module was enabled there could be more information to go on. But all bets are off if the user was able to elevate rights to root account.

As for forensic value (as in court admissibility) that could for instance depend on how fine-grained auditing is and how it is stored and acquired. For instance, if all auditing is sent to a central logserver, chances are the user wasn't aware or wasn't able to tamper with it. Perfect. But if OTOH the only thing you have is his ~/.bash_history or DE application history files you'll have a hard time proving he or anyone else didn't tamper with it or if another user used his account for whatever purpose. Same goes for logging that only includes a workstation's IP address. If it's used by more than one user it won't be convincing. But single sources that aren't any good on their own may however be valuable if linked together.

One other thing. This is just one side of the story: I *know* there exist ways to gain custody of data in possession of other parties if there is a strong suspicion of theft (think for instance Intellectual Property). If the data is valuable, then if your company has not conferred with a lawyer (the horror, the horror), I'd suggest you suggest they do before you or anyone else irreversibly changes things and shuts the door on any (legal) action.

Posting more detailed info would be appreciated.

//If the data isn't that valuable forget about the legal part. Thought I'd better point it out just in case.

Last edited by unSpawn; 10-01-2007 at 12:34 PM.
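
An added example, not part of the original thread or written by any poster: a read-only pass that turns the MAC times mentioned in the reply above into a timeline for a suspect window, and lists files that were accessed but not modified in that window. The function names and command-line arguments are assumptions of this example; it is meant to be run against a read-only mount or an image copy, not the live server.

```python
import os
import sys
from datetime import datetime

def mac_timeline(root, start, end):
    """Return sorted (epoch, kind, path) events whose M, A or C time lies in
    [start, end] (epoch seconds). Only lstat() is used: symlinks are not
    followed and no file is opened, so file atimes are left untouched.
    Walking a live, writable filesystem can still update directory atimes."""
    events = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames + dirnames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry: skip, do not abort
            for kind, ts in (("M", st.st_mtime), ("A", st.st_atime),
                             ("C", st.st_ctime)):
                if start <= ts <= end:
                    events.append((ts, kind, path))
    return sorted(events)

def read_only_candidates(events):
    """Paths with an access event in the window but no modify/change event.
    Consistent with the file having been read (for example copied), but not
    proof: atime is unreliable on noatime mounts, is updated only sometimes
    under relatime, and backups or indexers also read files."""
    changed = {p for _, k, p in events if k in ("M", "C")}
    return sorted({p for _, k, p in events if k == "A" and p not in changed})

if __name__ == "__main__":
    # Usage (assumed): script.py ROOT 2007-09-01T00:00:00 2007-09-30T23:59:59
    root = sys.argv[1]
    start = datetime.fromisoformat(sys.argv[2]).timestamp()
    end = datetime.fromisoformat(sys.argv[3]).timestamp()
    timeline = mac_timeline(root, start, end)
    for ts, kind, path in timeline:
        print(datetime.fromtimestamp(ts).isoformat(), kind, path)
    print("# accessed but not modified in window:")
    for path in read_only_candidates(timeline):
        print(path)
```

The output is one weak source on its own; it gains value when lined up with login records, Samba audit entries or central syslog for the same window.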
Old 10-02-2007, 09:51 AM   #3
LQ Newbie
Registered: Oct 2007
Posts: 2

Original Poster
Rep: Reputation: 0
Thank you unSpawn for your insight. I will gather more info and post it.

