Posted by Wong Tuck Wah on July 21, 2005, 1:40 am
These might be due to different scenarios. Let's tackle it case by case.
Scenario 1
------------
These are genuine files required and saved by users that are job related. If
you are not using any 3rd-party tools for the monitoring, you can use the
standard file and folder searching capabilities. This feature allows you to
search for hidden files, modified date, file size (look out for huge files
like mp3 or video), etc.
From the search results, you can then deduce the owner by looking at the
ownership of the file/folder (provided you are using NTFS).
Scenario 2
----------
This is a more paranoid thinking - your system is being hacked.
NTFS supports something known as Alternate Data Stream (ADS). ADS allows a
file to be attached as hidden to another file. The normal file (the carrier) is
used as a hide out for the hidden file. The size of the carrier seems normal
but the capacity of the disk reduces tremendously. You are not able to search
or access these hidden files as they are - just hidden.
Tools such as LNS (http://ntsecurity.nu/cgi-bin/download/lns.exe.pl) can be
used to detect any ADS that exist on your system. Once detected, just copy/move it
to a FAT partition and then copy/move it back to NTFS. The ADS attribute will be
lost in FAT.
HTH.
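The two checks the reply describes (large or hidden files with their NTFS owner, and alternate data streams) can be run from PowerShell without a third-party tool. The script below is an added example, not part of the original post; it assumes Windows PowerShell 3.0 or later on an NTFS volume, and the starting folder and size threshold are placeholder values to adjust.

```powershell
# Added example (not from the original post): enumerate large/hidden files and
# alternate data streams under a root folder, reporting the NTFS owner of each.
# Assumes Windows PowerShell 3.0+ (for Get-Item -Stream) on an NTFS volume.
param(
    [string]$Root = 'C:\Users',      # assumed starting folder; adjust as needed
    [int64]$LargeFileBytes = 100MB   # assumed threshold for a "huge file"
)

# Scenario 1: hidden or very large files, with the owner taken from the ACL.
Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -or
                   ($_.Length -ge $LargeFileBytes) } |
    ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            SizeMB   = [math]::Round($_.Length / 1MB, 1)
            Hidden   = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            Modified = $_.LastWriteTime
            Owner    = (Get-Acl -LiteralPath $_.FullName).Owner
        }
    } | Sort-Object SizeMB -Descending | Format-Table -AutoSize

# Scenario 2: alternate data streams. Every file has the unnamed ':$DATA' stream;
# any other stream is an ADS. 'Zone.Identifier' is the common, benign
# mark-of-the-web stream on downloaded files, so it is flagged rather than hidden.
Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    } |
    ForEach-Object {
        [pscustomobject]@{
            File       = $_.FileName
            Stream     = $_.Stream
            StreamSize = $_.Length
            Benign     = ($_.Stream -eq 'Zone.Identifier')
            Owner      = (Get-Acl -LiteralPath $_.FileName).Owner
        }
    } | Format-Table -AutoSize

# A confirmed unwanted stream can be dropped in place instead of round-tripping
# the carrier through FAT (remove -WhatIf to actually delete it):
#   Remove-Item -LiteralPath 'C:\path\carrier.txt' -Stream 'streamname' -WhatIf
```

Streams whose owner or modification time does not match the carrier's normal user are the ones worth a closer look before removing anything.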