Detecting the Copying/Dragging of Files and Folders
ObserveIT can detect every insertion of a single file/folder or multiple files/folders to the clipboard (via Copy or Cut menu items, icons, keyboard shortcuts, or any other method). This also applies to the mouse-dragging of files and folders (using the left or right mouse click) in order to copy or move them. Any such operation is recognized together with the names of all the copied or dragged files/folders, their parent folder, the number of files and the total file size. Furthermore, copying or dragging large files/folders can be differentiated easily from standard copy operations by setting the minimal file size and minimal file count required for a large operation.
Attempts to copy files or folders can also be detected by ObserveIT’s reporting and alerting mechanisms, and will be reflected in the Endpoint/User diaries and the Session Player. Using the ObserveIT Search mechanism, you can search for files or folders that were copied and view the results within the context of the user activity.
The detection mechanism enables security and risk analysts to:
-
Receive an immediate alert (and email notification) upon copying a sensitive file (or folder) with a specific string in its name or extension, allowing analysts to respond quickly (for example, approach the employee, lock an account).
-
Search for the copying or dragging of specific files/folders by the name/extension of the copied files as part of forensic analysis.
-
Search for the copying or dragging of any file from a specific folder.
-
Generate detailed reports on all file copy/drag operations for audit and compliance requirements.
-
Increase the risk score of users in the ObserveIT User Risk Dashboard, allowing administrators to quickly pinpoint users who put the business at risk and understand why.
- Export file copy and file dragging activities to SIEM platforms in order to get a broader context and integrate information injected from other security platforms.
You can use any of the following methods to detect the copying of a file or folder to the clipboard:
-
Right-click menu items: Copy, Cut
-
Keyboard shortcuts: Ctrl+C, Ctrl+X, CTRL+Insert
-
Menu items: Edit > Copy, Edit > Cut and equivalent right-click menu items
-
Dragging an item with the mouse (applies also to multi select using the CTRL or SHIFT keys)
After a file/folder copy is detected, a screenshot is created with the Window title displaying the following information:
-
The text FILECOPY or LARGEFILECOPY to help the search, alert, and report mechanisms easily identify the action.
-
Total number of files which were copied/dragged.
-
Total size (in MB) of the files which were copied/dragged.
-
Names of the files which were copied/dragged.
-
Full paths of the original (containing) folder from which the files and folders were copied/dragged.
For example:
FILECOPY (2, 9MB) – file1.ext, file2.ext, origin=C:\My Documents\Revenues
If the total file size exceeds one of the thresholds defined in the Server Policy (e.g., 30 MB), the prefix LARGEFILECOPY is used. For example:
LARGEFILECOPY (4, 31MB) – file1.ext, file2.ext, folder1.ext, folder2.ext, origin=C:\My Documents\Revenues
Note the following:
-
If the number of characters in the window title exceeds 256, additional screenshots are created prefixed with a "+" sign (e.g., "+FILECOPY" or "+LARGEFILECOPY"). This might happen when copying multiple files/folders and the name of all the files/folders exceeds the total limit of 256 characters.
-
If a single alert is generated upon any FILECOPY operation, it must be defined by the condition: "Window Title" "starts with" "FILECOPY". This will prevent an excessive number of alerts being generated by subsequent screenshots with the same window title, as these screenshots are created by the system in order to document the names of all copied files/folders.
Viewing Results in the Web Console Diaries
Following is an example of how the detection of large file copy operations, standard file copy operations, and multiple screenshots of file copy operations, are displayed in the Endpoint Diary within the ObserveIT Web Console.