LinuxQuestions.org
Old 10-01-2007, 10:02 AM   #1
stagnitto
LQ Newbie
 
Registered: Oct 2007
Posts: 2

How to tell which files have been copied or modified


Greetings all:

I would like to know if there is a way to determine which files have been copied and/or modified or deleted. We suspect a former co-worker has copied certain files from the Linux file server before he left the company. Is there a way to determine this?
 
Old 10-01-2007, 12:24 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

As far as I've encountered, filesystems don't have a concept of logging user access, only "basic" stuff like MAC times get changed. What logging you will be able to extract depends on how authentication and auditing were configured on the server and how the user was able to access it. For instance if you're talking Samba server, then if the (extd_)audit module was enabled there could be more information to go on. But all bets are off if the user was able to elevate rights to root account.

As for forensic value (as in court admissibility) that could for instance depend on how fine-grained auditing is and how it is stored and acquired. For instance if all auditing is sent to a central logserver, chances are the user wasn't aware or wasn't able to tamper with it. Perfect. But if OTOH the only thing you have is his ~/.bash_history or DE application history files you'll have a hard time proving he or anyone else didn't tamper with it or if another user used his account for whatever purpose. Same goes for logging that only includes a workstation's IP address. If it's used by more than one user it won't be convincing. But single sources that aren't any good on their own may however be valuable if linked together.

One other thing. This is just one side of the story: I *know* there exist ways to gain custody of data in possession of other parties if there is a strong suspicion of theft (think for instance Intellectual Property). If the data is valuable, then if your company has not conferred with a lawyer (the horror, the horror), I'd suggest you suggest they do before you or anyone else irreversibly changes things and shuts the door on any (legal) action.


Posting more detailed info would be appreciated.

//If the data isn't that valuable forget about the legal part. Thought I'd better point it out just in case.

Last edited by unSpawn; 10-01-2007 at 12:34 PM.
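
Added example (not part of unSpawn's post): a sketch of the MAC-time triage mentioned above, listing files that were read but not written inside a time window, which is the trace a copy leaves on the source file. It assumes atime updates were not suppressed by `noatime`/`relatime` mount options and that it is run against a read-only copy or image of the file server; atime records only the last read and cannot say who read the file. The function names, file names and dates are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

def mac_timeline(root, start, end):
    """Return sorted (timestamp, kind, path) for each M/A/C time inside [start, end]."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # metadata only: does not read the file or follow symlinks
            except OSError:
                continue  # entry vanished or is unreadable
            for kind, ts in (("M", st.st_mtime), ("A", st.st_atime), ("C", st.st_ctime)):
                if start <= ts <= end:
                    events.append((ts, kind, path))
    return sorted(events)

def accessed_not_modified(events):
    """Paths with an atime hit but no mtime hit in the window (read, not written)."""
    read = {p for _, kind, p in events if kind == "A"}
    written = {p for _, kind, p in events if kind == "M"}
    return sorted(read - written)

def demo():
    """Build a constructed sample tree with constructed timestamps and triage it."""
    def utc(*args):
        return datetime(*args, tzinfo=timezone.utc).timestamp()
    window = (utc(2007, 9, 20), utc(2007, 9, 30))
    old, inside = utc(2007, 1, 5), utc(2007, 9, 25)
    samples = {
        "design.doc": (inside, old),     # (atime, mtime): read inside the window
        "notes.txt": (inside, inside),   # modified inside the window
        "old.log": (old, old),           # untouched
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (atime, mtime) in samples.items():
            path = os.path.join(root, name)
            open(path, "w").close()
            os.utime(path, (atime, mtime))
        events = mac_timeline(root, *window)
        return [os.path.basename(p) for p in accessed_not_modified(events)]

if __name__ == "__main__":
    print(demo())
```

Backups, indexers and virus scanners also update atime, so hits from this kind of listing are leads to correlate with Samba audit or central log data, not proof on their own.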
 
Old 10-02-2007, 09:51 AM   #3
stagnitto
LQ Newbie
 
Registered: Oct 2007
Posts: 2

Original Poster
Thank you unSpawn for your insight. I will gather more info and post it.
All times are GMT -5.