General discussion

Unable to display current owner

By Jon Pratt

That is what displays under the owner tab of a file that we have, under the heading "Current owner of this item:". Here's the problem: I need to find out who that owner is. Taking ownership, of course, replaces this value in the file properties. This is on a Windows Server 2000 partition and does not have auditing enabled for the files in question. Without going into a lengthy explanation for why we need to have the current owner/author, suffice it to say that it is an apparent security violation and this appears to be the only forensic evidence that we might be able to gather against the suspect. In summary, we have files that have deny permissions for everyone except a particular user. Without overwriting the owner attribute and effectively deleting the evidence that we have, we need a way to view the owner/author attribute of the files, or any other clever way of determining who created the files in question (bear in mind that the files are already extant). Thanks.

by HAL 9000 Moderator In reply to Unable to display current ...

OK, you have the files listed and Can Not afford to mess them up, right?

Start off with a Backup and restore them to a different machine not connected to the LAN, and then see if you can access the files and see the author.

If you can't see who created them this way, you can then start to play around with various settings, but always do this on a remote machine not connected to anything, and always use a backup so that if you require this for Legal Action you have an unbroken Chain Of Evidence that can be called into Court at a moment's notice.

Personally, if it was me, I would be cloning the Drive/s in question and removing them and storing the originals so there is no possibility of the data becoming corrupt. You can always work off the copies without any possible breach of collecting evidence or, more importantly, losing evidence.

If this goes to court you need hard evidence and not "Well, We Had This Then But Now It's Gone!" A judge will not accept this as evidence, as it is hearsay and nothing more. Case Closed Immediately!

Make at least 2 x copies/clones and then return the first clone to general use and the second to forensic evaluation, while the originals stay safe in a fireproof safe or bank Deposit Box or anywhere else where they cannot be accessed by anyone unauthorised.

Depending on what's involved here, you may need to call in the local authorities and be guided by their demands to maintain a chain of evidence, and if you don't want to involve the Authorities you'll at the very least need your own company's Legal Advice on how to continue to protect the company from any adverse legal action that may be brought against them for Unfair Dismissal or some other suit.

No matter what, you need to clone the drive/s and remove them from general use now, before any damage can be done to the data stored on them.

Col

by sylvain.drapeau In reply to Unable to display current ...

You may wish to check on this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;320046

That scripting tool may allow you to get the information you seek.

by sgt_shultz In reply to Unable to display current ...

did u see this one?
HOW TO: Use the File Ownership Script Tool (Fileowners.pl) in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;320046

had to google to find it. is it just me or is the mskb search even worser now?
