As far as I've encountered, filesystems don't have a concept of logging user access; only "basic" stuff like MAC times gets changed. What logging you will be able to extract depends on how authentication and auditing were configured on the server and how the user was able to access it. For instance, if you're talking about a Samba server, then if the (extd_)audit module was enabled there could be more information to go on. But all bets are off if the user was able to elevate rights to the root account.
As for forensic value (as in court admissibility), that could for instance depend on how fine-grained auditing is and how it is stored and acquired. For instance, if all auditing is sent to a central log server, chances are the user wasn't aware of it or wasn't able to tamper with it. Perfect. But if OTOH the only thing you have is his ~/.bash_history or DE application history files, you'll have a hard time proving he or anyone else didn't tamper with it, or that another user didn't use his account for whatever purpose. Same goes for logging that only includes a workstation's IP address: if it's used by more than one user it won't be convincing. But single sources that aren't any good on their own may nevertheless be valuable if linked together.
One other thing. This is just one side of the story: I *know* there exist ways to gain custody of data in the possession of other parties if there is a strong suspicion of theft (think for instance Intellectual Property). If the data is valuable, then if your company has not conferred with a lawyer (the horror, the horror), I'd suggest you suggest they do so before you or anyone else irreversibly changes things and shuts the door on any (legal) action.
Posting more detailed info would be appreciated.
//If the data isn't that valuable, forget about the legal part. Thought I'd better point it out just in case.
Last edited by unSpawn; 10-01-2007 at 12:34 PM.
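As an added illustration of the two points the post makes (a Samba audit VFS module giving you per-operation records, and those records only being trustworthy if they leave the box), here is an smb.conf share definition enabling Samba's full_audit module and tagging its output with a syslog facility that can be forwarded to a central log host. This is example configuration written for this page, not unSpawn's or the Samba project's own text; the share name, path and the `local5` facility are assumptions, and the operation names in `full_audit:success` are those of recent Samba releases (older 3.x builds used names such as `open`/`unlink`/`rename`), so check `man vfs_full_audit` for the version you run.

```ini
; Example share with Samba's full_audit VFS module (added example, not from the original post)
; Share name, path and facility are assumed values for illustration.
[projects]
   path = /srv/samba/projects
   read only = no

   ; Load the auditing module for this share only.
   vfs objects = full_audit

   ; Prefix every record with who did it (%u), from which client IP (%I),
   ; client name (%m) and which share (%S); these are standard smb.conf substitutions.
   full_audit:prefix = %u|%I|%m|%S

   ; Log successful file lifecycle operations (names per recent vfs_full_audit;
   ; older Samba 3.x used open/unlink/rename instead of the *at variants).
   full_audit:success = connect disconnect openat unlinkat renameat mkdirat pwrite

   ; Log every failed operation: access-denied attempts are often the interesting ones.
   full_audit:failure = all

   ; Send records to syslog under a dedicated facility and priority so they can be
   ; separated from other traffic and shipped off-host.
   full_audit:facility = local5
   full_audit:priority = notice
```

With the facility set as above, a single rsyslog rule such as `local5.* @@logserver.example:514` (assumed host name; `@@` means TCP) forwards the audit records to a remote log server as the record is written, which is the property the post relies on: a user who later gains root on the file server can wipe the local copy but not the copy that already left the machine. Note that full_audit records file operations over SMB only; anything the user does on the server through another path (local shell, NFS, SSH) has to be covered by that service's own auditing.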