Why Audit High-Volume Copy Operations?

One of the most common methods to extract or steal information is to copy large volumes of critical information from file shares to either flash drives or other USB devices that can be easily removed from the environment. There have been several examples of high-volume data theft. Here are some of the most famous incidents:

  1. Edward Snowden was able to gain access to classified National Security Agency (NSA) files, copy hundreds of thousands of sensitive documents to USB devices and hard drives, and carry them out of the environment. The impact of his actions has severely damaged U.S. intelligence-gathering capabilities.
  2. Bradley Manning was able to walk out of the U.S. State Department with thousands of digital documents that got published on WikiLeaks.

What is the Risk?

Any time an organization detects that large volumes of files and folders have been accessed, the event should be treated like any other critical incident management report and investigated for the reasons stated above. The investigation should get to the bottom of who accessed this information, the purpose of accessing large volumes of that information, and ensure that the organization’s reputation has not been compromised.

How does Blue Lance help Mitigate this Risk?

If LT Auditor+ is used to monitor files and folders on Windows file systems, we can make use of a Windows feature to detect this type of activity. Any time large numbers of files are copied, the last-access timestamp on each file that is read is updated to the time of the copy operation. By analyzing the access timestamps of audited files and folders, LT Auditor+ can give a clear indication that a large-volume transaction has taken place.

An example of this type of activity is shown in the report below. A large number of files were copied from a workstation to a flash drive. The files that were copied were being audited, and the report below shows 75 files accessed with the same timestamp. This is a clear indication something happened – in this case, a copy operation.

Mass files being copied
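The detection described above, written out as an added example rather than LT Auditor+'s own logic: audited file-access records are sorted by last-access time and any run of 50 or more files read inside a five-second window is reported as a probable bulk copy. The share name, file names and timestamps are constructed sample data, and the window and threshold are assumptions to be tuned per environment.

```python
from datetime import datetime, timedelta

# Constructed sample of audited accesses: (file path, last-access timestamp).
# 75 spreadsheets read within about two seconds (a bulk copy), plus a few
# ordinary accesses spread across the day. Server and share names are made up.
_BASE = datetime(2024, 5, 14, 10, 15, 0)
SAMPLE_ACCESSES = [
    (rf"\\FS01\finance\q1_report_{k:03d}.xlsx", _BASE + timedelta(milliseconds=30 * k))
    for k in range(75)
] + [
    (r"\\FS01\hr\handbook.pdf", _BASE - timedelta(hours=3)),
    (r"\\FS01\finance\budget.xlsx", _BASE - timedelta(hours=1)),
    (r"\\FS01\it\runbook.docx", _BASE + timedelta(hours=2)),
    (r"\\FS01\hr\policy.docx", _BASE + timedelta(hours=5)),
]


def find_bulk_access(records, window=timedelta(seconds=5), threshold=50):
    """Return clusters of >= threshold file accesses whose timestamps all
    fall inside one `window`. Each cluster is a dict with start, end, count
    and the affected paths. Records are (path, datetime) tuples."""
    events = sorted(records, key=lambda r: r[1])
    clusters = []
    i, n = 0, len(events)
    while i < n:
        # Extend j while event j+1 still lies within `window` of event i.
        j = i
        while j + 1 < n and events[j + 1][1] - events[i][1] <= window:
            j += 1
        if j - i + 1 >= threshold:
            clusters.append({
                "start": events[i][1],
                "end": events[j][1],
                "count": j - i + 1,
                "paths": [path for path, _ in events[i:j + 1]],
            })
            i = j + 1  # skip past the cluster so it is reported only once
        else:
            i += 1
    return clusters


if __name__ == "__main__":
    for c in find_bulk_access(SAMPLE_ACCESSES):
        print(f"{c['count']} files accessed between {c['start']} and {c['end']}")
        print("  e.g.", ", ".join(c["paths"][:3]), "...")
```

This only works where NTFS last-access updating is enabled on the audited volume (check with `fsutil behavior query DisableLastAccess`); where it is disabled, the file-access audit events themselves carry the timestamps to cluster instead.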