A Study on the Setting Method of the File System Audit Function of Windows for Enhancing Forensic Readiness

Vol. 27, No. 1, pp. 79-90, Feb. 2017
DOI: 10.13089/JKIISC.2017.27.1.79
Keywords: File Access Audit, System Access Control List, SACL, Digital Forensics, Forensic Readiness
Abstract

If digital forensic investigators can utilize file access logs when they audit insider information leakage cases or incident cases, it would help them understand users' behavior more clearly. There are many known artifacts related to file access in MS Windows, but each of these artifacts often lacks critical information, and they are usually not preserved for long enough, so it is hard to track down what happened in a real case. In this thesis, I suggest a method to utilize the SACL (System Access Control List), one of the audit functions provided by MS Windows. By applying this method of strengthening the Windows audit settings, even small organizations that cannot adopt security solutions can build a better environment for conducting digital forensics when an incident occurs.
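The abstract proposes strengthening file access auditing through the SACL. The following is an added example (not the paper's own procedure) showing how a SACL audit entry is applied to a folder and how the matching audit policy is enabled so that access attempts are written to the Security log; the folder path C:\Sensitive is a placeholder, and the script assumes an elevated PowerShell session.

```powershell
# Added example (not from the paper): apply a SACL audit rule to a folder and
# enable the "File System" audit subcategory so access attempts produce events.
# Assumptions: C:\Sensitive is a placeholder path; the session is elevated.
$Path = 'C:\Sensitive'

# 1. Enable the object-access subcategory for the file system (success and
#    failure). Without this policy, SACL entries exist but never emit events.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Build an audit rule: audit Everyone for read, write and delete attempts,
#    inherited by subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propag  = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone', $rights, $inherit, $propag, $flags

# 3. Read the current SACL (-Audit is required to include it), add the rule,
#    and write the descriptor back. Writing a SACL needs SeSecurityPrivilege.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 4. Verify that the SACL entry was written.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# 5. After a file under the folder has been opened, confirm that events arrive.
#    Event ID 4663: "An attempt was made to access an object."
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 |
    Select-Object TimeCreated, Message
```

Auditing every read on a busy share generates a large event volume, so in practice the identity, rights and folder scope of the rule are narrowed to the data that matters and the Security log size is raised accordingly.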


Cite this article
[IEEE Style]
M. Lee and S. Lee, "A Study on the Setting Method of the File System Audit Function of Windows for Enhancing Forensic Readiness," Journal of The Korea Institute of Information Security and Cryptology, vol. 27, no. 1, pp. 79-90, 2017. DOI: 10.13089/JKIISC.2017.27.1.79.

[ACM Style]
Myeong-Su Lee and Sang-Jin Lee. 2017. A Study on the Setting Method of the File System Audit Function of Windows for Enhancing Forensic Readiness. Journal of The Korea Institute of Information Security and Cryptology, 27, 1, (2017), 79-90. DOI: 10.13089/JKIISC.2017.27.1.79.