WEBVTT

00:00:00.240 --> 00:00:02.159
in this video I want to show you how to

00:00:02.159 --> 00:00:04.319
find out who accessed your files and

00:00:04.319 --> 00:00:05.040
folders

00:00:05.040 --> 00:00:07.200
or even tried to access your files and

00:00:07.200 --> 00:00:08.880
folders in Windows 10

00:00:08.880 --> 00:00:11.759
by enabling object auditing on your

00:00:11.759 --> 00:00:16.080
files and folders

00:00:16.080 --> 00:00:18.160
before we begin please note that this

00:00:18.160 --> 00:00:20.000
applies only to Windows 10

00:00:20.000 --> 00:00:23.439
Pro, Enterprise and Education

00:00:23.439 --> 00:00:26.800
and the file system should be NTFS

00:00:26.800 --> 00:00:29.119
so if you have Windows 10 Home it

00:00:29.119 --> 00:00:30.960
doesn't work on Windows 10 Home

00:00:30.960 --> 00:00:33.600
now that being said and because what I'm

00:00:33.600 --> 00:00:35.520
going to show you uses Group Policy

00:00:35.520 --> 00:00:38.079
management or Security Policy management

00:00:38.079 --> 00:00:39.760
which is a subset of Group Policy

00:00:39.760 --> 00:00:42.239
management there are out there some

00:00:42.239 --> 00:00:44.160
batch files and some scripts

00:00:44.160 --> 00:00:46.879
that can enable this on Windows 10 Home

00:00:46.879 --> 00:00:48.800
but this is not officially supported by

00:00:48.800 --> 00:00:49.760
Microsoft

00:00:49.760 --> 00:00:51.680
so here I'm gonna show you only the

00:00:51.680 --> 00:00:53.199
supported method

00:00:53.199 --> 00:00:55.199
there are three easy steps to achieve

00:00:55.199 --> 00:00:56.399
this the first step

00:00:56.399 --> 00:00:59.280
is to enable object access auditing on

00:00:59.280 --> 00:01:00.800
your Windows 10 PC

00:01:00.800 --> 00:01:02.960
the second step is to configure auditing

00:01:02.960 --> 00:01:05.199
on the selected files and folders

00:01:05.199 --> 00:01:08.159
and the third step is simply viewing the

00:01:08.159 --> 00:01:09.360
audit log

00:01:09.360 --> 00:01:11.439
so let's start with step 1 which is

00:01:11.439 --> 00:01:13.840
enabling object access auditing in

00:01:13.840 --> 00:01:15.040
Windows 10

00:01:15.040 --> 00:01:17.360
so on your Windows 10 PC start Group

00:01:17.360 --> 00:01:18.400
Policy Editor

00:01:18.400 --> 00:01:21.200
so click in your search box and type

00:01:21.200 --> 00:01:21.759
group

00:01:21.759 --> 00:01:26.880
space pol and here you see Group Policy

00:01:26.880 --> 00:01:28.560
alternatively you can start only

00:01:28.560 --> 00:01:30.479
Security Policy which leads

00:01:30.479 --> 00:01:32.159
only to the security settings of the

00:01:32.159 --> 00:01:34.400
computer but here I'm showing you Group

00:01:34.400 --> 00:01:35.040
Policy

00:01:35.040 --> 00:01:37.040
so let me enlarge this a little bit so

00:01:37.040 --> 00:01:39.439
that you can see

00:01:39.439 --> 00:01:42.079
and here under Group Policy you see that

00:01:42.079 --> 00:01:44.000
you have Local Computer Policy which is

00:01:44.000 --> 00:01:45.119
your computer

00:01:45.119 --> 00:01:46.640
and you have two branches Computer

00:01:46.640 --> 00:01:48.960
Configuration and User Configuration

00:01:48.960 --> 00:01:51.200
the one that is of interest to us is

00:01:51.200 --> 00:01:52.960
Computer Configuration

00:01:52.960 --> 00:01:54.799
and then under Computer Configuration

00:01:54.799 --> 00:01:56.399
you have Windows Settings

00:01:56.399 --> 00:01:59.439
click on it to expand it and then you

00:01:59.439 --> 00:02:01.200
have Security Settings

00:02:01.200 --> 00:02:04.079
also click on it to expand it and you

00:02:04.079 --> 00:02:05.680
have under Security Settings

00:02:05.680 --> 00:02:07.920
something called Advanced Audit Policy

00:02:07.920 --> 00:02:09.200
Configuration

00:02:09.200 --> 00:02:12.560
so here also click on the small arrow

00:02:12.560 --> 00:02:15.680
next to it just to expand it

00:02:15.680 --> 00:02:19.280
and then click on System Audit Policies

00:02:19.280 --> 00:02:22.640
and you have a bunch of things here

00:02:22.640 --> 00:02:25.040
the one that is of interest to us is

00:02:25.040 --> 00:02:25.760
Object

00:02:25.760 --> 00:02:30.720
Access so double click Object Access

00:02:32.000 --> 00:02:34.160
and under Object Access we have to

00:02:34.160 --> 00:02:35.360
enable Audit

00:02:35.360 --> 00:02:37.760
File System only so double click on it

00:02:37.760 --> 00:02:39.680
once again

00:02:39.680 --> 00:02:42.000
and here you see click on configure the

00:02:42.000 --> 00:02:44.640
following audit events

00:02:44.640 --> 00:02:47.840
and then select success and failure

00:02:47.840 --> 00:02:51.680
success means that if someone succeeds

00:02:51.680 --> 00:02:54.400
in accessing the file or the folder

00:02:54.400 --> 00:02:56.080
that you have audited

00:02:56.080 --> 00:02:59.440
it will show you and if someone tried to

00:02:59.440 --> 00:03:01.200
access but couldn't do it

00:03:01.200 --> 00:03:03.840
it will also show you this is a failure

00:03:03.840 --> 00:03:05.680
so click OK here

00:03:05.680 --> 00:03:07.599
and with the Group Policy we have

00:03:07.599 --> 00:03:10.080
finished so this was the first part

00:03:10.080 --> 00:03:13.200
the second part is to apply

00:03:13.200 --> 00:03:15.840
the security policy that we just enabled

00:03:15.840 --> 00:03:18.080
to a certain file or folder

00:03:18.080 --> 00:03:21.680
so here I'm gonna open Documents

00:03:21.760 --> 00:03:24.000
and let's say under Documents I have a

00:03:24.000 --> 00:03:25.680
folder called Personal

00:03:25.680 --> 00:03:28.080
so let's say we have these under

00:03:28.080 --> 00:03:28.799
Personal

00:03:28.799 --> 00:03:31.360
and I want to audit all accesses to

00:03:31.360 --> 00:03:32.239
Personal

00:03:32.239 --> 00:03:36.480
so right click on it click Properties

00:03:36.480 --> 00:03:39.599
and then click Security

00:03:39.599 --> 00:03:43.200
under Security click Advanced

00:03:43.200 --> 00:03:46.640
under Advanced click Auditing

00:03:46.640 --> 00:03:50.000
click Continue and then here you have to

00:03:50.000 --> 00:03:50.720
select

00:03:50.720 --> 00:03:53.760
the users you want to audit so

00:03:53.760 --> 00:03:57.680
click on Add

00:03:57.680 --> 00:04:00.799
and then click on Select a principal and

00:04:00.799 --> 00:04:02.560
if you have a user in mind that you want

00:04:02.560 --> 00:04:03.439
to audit

00:04:03.439 --> 00:04:05.840
you can select it here so let me click

00:04:05.840 --> 00:04:07.040
Advanced

00:04:07.040 --> 00:04:10.080
and Find Now so you can select either a

00:04:10.080 --> 00:04:10.959
user

00:04:10.959 --> 00:04:14.319
or you can select a group so we have all

00:04:14.319 --> 00:04:15.360
these groups here

00:04:15.360 --> 00:04:17.759
and all the users let's say we want to

00:04:17.759 --> 00:04:18.959
audit everyone

00:04:18.959 --> 00:04:20.880
so if we want to audit everyone we have

00:04:20.880 --> 00:04:22.560
to select

00:04:22.560 --> 00:04:25.520
the built-in group Everyone and then

00:04:25.520 --> 00:04:27.120
click OK

00:04:27.120 --> 00:04:30.080
and then click OK again and then under

00:04:30.080 --> 00:04:31.040
Type you notice

00:04:31.040 --> 00:04:33.919
that Success was selected by default so

00:04:33.919 --> 00:04:34.320
click

00:04:34.320 --> 00:04:36.960
the drop-down list and you see you have

00:04:36.960 --> 00:04:37.360
All

00:04:37.360 --> 00:04:40.479
Fail and Success so select All

00:04:40.479 --> 00:04:43.280
so this way you will audit the succeeded

00:04:43.280 --> 00:04:44.080
attempts

00:04:44.080 --> 00:04:46.720
on your files and folders and also the

00:04:46.720 --> 00:04:48.479
failed attempts in case

00:04:48.479 --> 00:04:51.040
someone who doesn't have access to this

00:04:51.040 --> 00:04:53.440
folder tries to access it or to this file

00:04:53.440 --> 00:04:54.400
of course

00:04:54.400 --> 00:04:56.320
and then afterwards here click on Full

00:04:56.320 --> 00:04:58.400
Control

00:04:58.400 --> 00:05:01.360
and then click OK

00:05:01.440 --> 00:05:04.000
now if you select Everyone please note

00:05:04.000 --> 00:05:04.479
that

00:05:04.479 --> 00:05:07.360
also your user access will be audited so

00:05:07.360 --> 00:05:08.880
it's better to select

00:05:08.880 --> 00:05:11.360
a group that doesn't contain your user

00:05:11.360 --> 00:05:12.160
or select

00:05:12.160 --> 00:05:14.479
only one user but here for the purpose

00:05:14.479 --> 00:05:16.880
of this video I selected Everyone

00:05:16.880 --> 00:05:20.080
so here click OK and then

00:05:20.080 --> 00:05:23.440
OK again and now Personal

00:05:23.440 --> 00:05:25.520
is being audited and everything under

00:05:25.520 --> 00:05:27.680
Personal also is being audited

00:05:27.680 --> 00:05:29.919
so let's try to access something under

00:05:29.919 --> 00:05:31.120
Personal

00:05:31.120 --> 00:05:33.840
so I just entered into Personal so this

00:05:33.840 --> 00:05:34.720
should be

00:05:34.720 --> 00:05:36.560
logged into the event log so I'm gonna

00:05:36.560 --> 00:05:38.639
show you also how to see the Event

00:05:38.639 --> 00:05:39.840
Viewer log

00:05:39.840 --> 00:05:42.720
and let me create a new document so let

00:05:42.720 --> 00:05:45.199
me create a bitmap image

00:05:45.199 --> 00:05:48.479
and let me delete this new text document

00:05:48.479 --> 00:05:51.600
let me go into Test and let me also

00:05:51.600 --> 00:05:53.280
create

00:05:53.280 --> 00:05:57.039
here a rich text document

00:05:57.199 --> 00:05:59.759
and let's see now if all these actions

00:05:59.759 --> 00:06:00.560
were logged

00:06:00.560 --> 00:06:02.880
so to see the actions you need to go

00:06:02.880 --> 00:06:04.000
into something called

00:06:04.000 --> 00:06:06.720
Event Viewer so Event Viewer you have

00:06:06.720 --> 00:06:07.840
many ways to

00:06:07.840 --> 00:06:09.600
launch it so either in the search box

00:06:09.600 --> 00:06:11.360
you can type event

00:06:11.360 --> 00:06:13.840
and it will show here you can also right

00:06:13.840 --> 00:06:15.440
click the Windows logo

00:06:15.440 --> 00:06:17.840
and here it is Event Viewer you can

00:06:17.840 --> 00:06:20.160
start Computer Management

00:06:20.160 --> 00:06:23.280
by typing computer

00:06:23.280 --> 00:06:27.039
management into the search box

00:06:27.039 --> 00:06:29.039
and selecting Computer Management it is

00:06:29.039 --> 00:06:30.800
also under Computer Management so let's

00:06:30.800 --> 00:06:34.720
go with Computer Management

00:06:34.720 --> 00:06:36.639
and here you have something called Event

00:06:36.639 --> 00:06:37.840
Viewer

00:06:37.840 --> 00:06:40.080
click on the arrow next to it to expand

00:06:40.080 --> 00:06:41.039
it

00:06:41.039 --> 00:06:44.160
and under Windows Logs you have

00:06:44.160 --> 00:06:45.680
something called Security

00:06:45.680 --> 00:06:48.240
and this is the Security log where all

00:06:48.240 --> 00:06:50.000
accesses should be logged

00:06:50.000 --> 00:06:52.319
so let me click on it so here you have

00:06:52.319 --> 00:06:54.000
all the accesses that were done on the

00:06:54.000 --> 00:06:56.080
folder and the files in the folder

00:06:56.080 --> 00:06:58.240
so let's see them let me double click

00:06:58.240 --> 00:07:00.080
the first one

00:07:00.080 --> 00:07:02.400
you see here under Subject you have

00:07:02.400 --> 00:07:03.759
first Account Name

00:07:03.759 --> 00:07:06.800
so this is an account that accessed the

00:07:06.800 --> 00:07:08.000
object

00:07:08.000 --> 00:07:10.880
if you here scroll down a little bit you

00:07:10.880 --> 00:07:12.240
see that

00:07:12.240 --> 00:07:14.479
the folder Test was accessed and what

00:07:14.479 --> 00:07:18.479
was the access type keep on scrolling

00:07:18.479 --> 00:07:20.240
and you see that the access was reading

00:07:20.240 --> 00:07:22.479
the attributes so here you can click on

00:07:22.479 --> 00:07:23.919
the next arrow

00:07:23.919 --> 00:07:26.160
so here this is important this is an

00:07:26.160 --> 00:07:27.360
event saying that

00:07:27.360 --> 00:07:30.000
data was written or a file was added you

00:07:30.000 --> 00:07:32.000
can click on Details to see further

00:07:32.000 --> 00:07:33.759
information here

00:07:33.759 --> 00:07:37.039
so we have everything here so this is

00:07:37.039 --> 00:07:39.120
here the new file that we created

00:07:39.120 --> 00:07:42.560
the new rich text document

00:07:42.560 --> 00:07:44.639
and this is also important here you see

00:07:44.639 --> 00:07:46.560
that we found the event

00:07:46.560 --> 00:07:49.360
that is a delete event and also if you

00:07:49.360 --> 00:07:51.039
click on Details you see what was

00:07:51.039 --> 00:07:52.080
deleted

00:07:52.080 --> 00:07:54.800
so this is a text document that was deleted

00:07:54.800 --> 00:07:57.280
and by whom it was deleted also and this

00:07:57.280 --> 00:07:59.440
is the most important thing

00:07:59.440 --> 00:08:02.479
so you can see here who deleted the file

00:08:02.479 --> 00:08:06.160
if you scroll up it is this user

00:08:06.160 --> 00:08:08.400
and you have the time and you have the

00:08:08.400 --> 00:08:10.319
file and you have all the information

00:08:10.319 --> 00:08:11.199
you need

00:08:11.199 --> 00:08:13.680
but as you noticed it writes lots of

00:08:13.680 --> 00:08:14.400
events

00:08:14.400 --> 00:08:16.319
so now you have to make a compromise

00:08:16.319 --> 00:08:17.680
between selecting

00:08:17.680 --> 00:08:21.120
one user only to audit or a small group

00:08:21.120 --> 00:08:21.919
of users

00:08:21.919 --> 00:08:24.400
or everyone so if you suspect that your

00:08:24.400 --> 00:08:26.000
system is under attack

00:08:26.000 --> 00:08:29.039
it's always better to audit the Everyone

00:08:29.039 --> 00:08:29.599
group

00:08:29.599 --> 00:08:31.919
for a short period of time and you can

00:08:31.919 --> 00:08:33.919
always increase the size of the Security

00:08:33.919 --> 00:08:35.279
log in Event Viewer

00:08:35.279 --> 00:08:38.560
so that older entries don't get

00:08:38.560 --> 00:08:40.560
overwritten if you don't see them for a

00:08:40.560 --> 00:08:41.760
couple of days

00:08:41.760 --> 00:08:43.760
but I don't advise you to keep the

00:08:43.760 --> 00:08:44.880
Everyone group

00:08:44.880 --> 00:08:47.519
auditing all the time so let me show you

00:08:47.519 --> 00:08:49.120
a little bit how to increase

00:08:49.120 --> 00:08:51.519
the volume of the Security log so here

00:08:51.519 --> 00:08:53.200
let me click on Close

00:08:53.200 --> 00:08:56.080
right click the Security log here and

00:08:56.080 --> 00:08:56.880
then

00:08:56.880 --> 00:09:00.000
click on Properties

00:09:00.000 --> 00:09:01.920
and then under Properties here you can

00:09:01.920 --> 00:09:04.399
see you have the maximum log size

00:09:04.399 --> 00:09:07.360
so here it's in kilobytes so this is 20

00:09:07.360 --> 00:09:09.920
meg so if you want to put it

00:09:09.920 --> 00:09:13.680
200 max so just put it here

00:09:13.680 --> 00:09:15.920
200 megs so here you have also the

00:09:15.920 --> 00:09:18.399
option to overwrite events as needed

00:09:18.399 --> 00:09:21.600
meaning if you reach the maximum volume

00:09:21.600 --> 00:09:22.000
it will

00:09:22.000 --> 00:09:25.600
start overwriting other events and also

00:09:25.600 --> 00:09:27.839
you can archive the log when full

00:09:27.839 --> 00:09:30.080
or do not overwrite events but clear

00:09:30.080 --> 00:09:31.920
log manually but this will block your

00:09:31.920 --> 00:09:33.200
system from working

00:09:33.200 --> 00:09:35.200
if the event log reaches the maximum

00:09:35.200 --> 00:09:37.839
value and you don't clear it

00:09:37.839 --> 00:09:40.000
so I advise you to keep it overwrite

00:09:40.000 --> 00:09:43.600
events as needed and keep it like this

00:09:43.600 --> 00:09:46.880
and let's click OK here so it's only

00:09:46.880 --> 00:09:47.760
telling me that

00:09:47.760 --> 00:09:51.200
it will set the nearest multiple of 64K

00:09:51.200 --> 00:09:54.399
so I'm gonna click on OK so on top of

00:09:54.399 --> 00:09:55.839
accessing each event

00:09:55.839 --> 00:09:58.160
and then scrolling to see the next one

00:09:58.160 --> 00:09:59.440
you can also

00:09:59.440 --> 00:10:01.680
either find an event or filter the events

00:10:01.680 --> 00:10:02.800
so let me show you both

00:10:02.800 --> 00:10:05.120
very quickly so if you right click on

00:10:05.120 --> 00:10:06.399
Security here

00:10:06.399 --> 00:10:09.040
and then select Filter Current Log and

00:10:09.040 --> 00:10:10.959
here you have a bunch of options that

00:10:10.959 --> 00:10:12.800
you can choose to find the information

00:10:12.800 --> 00:10:14.240
you want

00:10:14.240 --> 00:10:17.120
and the second method is to right click

00:10:17.120 --> 00:10:19.440
Security and then click on Find

00:10:19.440 --> 00:10:21.600
and here also you can put a string and

00:10:21.600 --> 00:10:22.640
try to find it

00:10:22.640 --> 00:10:25.760
in the log so that was it I hope you

00:10:25.760 --> 00:10:27.519
enjoyed this video and found it useful

00:10:27.519 --> 00:10:28.240
if you did

00:10:28.240 --> 00:10:30.399
please share it subscribe to my channel

00:10:30.399 --> 00:10:32.000
and give this video a thumbs up

00:10:32.000 --> 00:10:36.160
until next time thank you for watching
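The three steps the video walks through in the GUI (enable the Object Access > File System audit policy, put an audit entry on a folder, read the Security log) plus the log-size change at the end, scripted in PowerShell as an added example. This is not code from the video or its author. It assumes an elevated prompt on a Windows 10 Pro/Enterprise/Education machine with an NTFS volume; the `$Target` folder path and the `New Text Document.txt` probe file are made up for the demonstration, and the Everyone principal and 200 MB cap follow the video's choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the video. Run from an elevated PowerShell prompt.
# $Target is an assumed path; point it at the folder you actually want to watch.
$Target = Join-Path $env:USERPROFILE 'Documents\Personal'
if (-not (Test-Path -LiteralPath $Target)) {
    New-Item -ItemType Directory -Path $Target | Out-Null
}

# --- Step 1: Advanced Audit Policy > Object Access > Audit File System, success + failure.
# auditpol.exe sets the same per-subcategory policy that the Group Policy editor shows.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol.exe /get /subcategory:"File System"

# --- Step 2: add an audit entry (SACL) on the folder: Everyone, Full Control, Success+Failure,
# inherited by subfolders and files. This is what the Auditing tab in Explorer writes.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -LiteralPath $Target -Audit     # -Audit is required to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Target -AclObject $acl
(Get-Acl -LiteralPath $Target -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# Create and delete a probe file so there is something to find in the log (constructed input).
$probe = Join-Path $Target 'New Text Document.txt'
Set-Content -LiteralPath $probe -Value 'audit me'
Remove-Item -LiteralPath $probe

# --- Step 3: read the Security log instead of clicking through Event Viewer.
# 4663 = an attempt was made to access an object (carries object name and access list),
# 4660 = an object was deleted (carries only the handle; match its HandleId to the
# preceding 4663 for the same handle to learn which file went away).
# The Access column shows the raw %%nnnn codes; the event's Message text spells them out.
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663, 4660
    StartTime = (Get-Date).AddMinutes(-5)
}
$events |
    Where-Object { $_.Id -eq 4660 -or $_.Properties[6].Value -like "$Target*" } |
    Select-Object TimeCreated, Id,
        @{ n = 'Account';  e = { $_.Properties[1].Value } },
        @{ n = 'Object';   e = { if ($_.Id -eq 4663) { $_.Properties[6].Value } else { '(deleted)' } } },
        @{ n = 'HandleId'; e = { if ($_.Id -eq 4663) { $_.Properties[7].Value } else { $_.Properties[5].Value } } },
        @{ n = 'Access';   e = { if ($_.Id -eq 4663) { ($_.Properties[8].Value -replace '\s+', ' ').Trim() } } } |
    Format-Table -AutoSize

# --- Housekeeping from the end of the video: raise the Security log cap from the 20 MB default
# to 200 MB (a multiple of 64 KB) and keep "overwrite events as needed" (/rt:false).
wevtutil.exe sl Security /ms:209715200 /rt:false
wevtutil.exe gl Security | Select-String -Pattern 'maxSize|retention'
```

Auditing Everyone with Full Control produces the flood of events the video warns about; to narrow it, pass a specific account or group as the first constructor argument and a smaller right such as `Delete` or `WriteData` as the second, and to roll it back call `$acl.RemoveAuditRuleAll($rule)` followed by `Set-Acl` again.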