Monitoring File System For Windows: Information Security
Volume: 4 Issue: 5 58 – 60
Monitoring File System for Windows
Information Security
Abstract— Every organization's asset is its data, and data are stored in files which are maintained by file systems. Therefore, it is an important responsibility of an organization to keep its file system secure. A huge number of changes are made to these files on a daily basis by different users. Hidden among these changes can be the few that are illegitimate and can cause harm to the organization, so file system monitoring becomes necessary.
While many such monitoring tools are available for UNIX/Linux systems [1], very little has been done for Windows systems. We have developed a File System Monitoring application for the Windows operating system which audits file systems; specifically, it records who read, modified, deleted or created files in a shared area.
While there were many options available for implementing such an application, the most appropriate way of doing so is by exploiting the native compatibility of C#.
Keywords- Interop, File Monitoring, Logs.
IJFRCSCE | May 2018, Available @ http://www.ijfrcsce.org
International Journal on Future Revolution in Computer Science & Communication Engineering ISSN: 2454-4248
thus waste storage space. Hence, the administrator needs to choose carefully which directories and files to monitor. The software detects the events of creating, renaming and deleting files, and of changing file attributes such as last access and last write, and logs a detailed summary of each event. The logs of each file or directory are saved as a report which the admin can access whenever required. The reports can also be printed and stored in PDF format. The admin can approve or disapprove changes from the logs based on whether the change was desired or not. This means that users' changes are not reflected permanently.

When a user tries to modify a file, the file appears modified to that user, but it is not actually affected unless the corresponding generated log entry is approved by the administrator. Content level changes, that is, changes made within the file, are also detected and logged with a detailed summary of who made which changes to which section or line number. The administrator can revoke or commit these changes. The software will be hidden from the Task Manager, that is, it will work at kernel level, so users will not know that they are being tracked. This prevents users from shutting down the software and covering their tracks. The software is implemented using Microsoft's .NET Framework, which provides the best platform today for delivering Windows software and has native interoperability with the Windows operating system. We have used C# for development, a general-purpose, object-oriented programming language within the .NET Framework, as it provides native support for the Windows operating system.

II. ARCHITECTURE
Information Security of File System is functionally divided into two parts, as shown in Figure 2: Monitoring and Reporting. Monitoring deals with detecting the changes that are performed on the files, whereas Reporting deals with notifying the administrator about the changes that have taken place.

A. Monitoring
The system aims to monitor, in real time, access to sensitive files and folders stored on a Windows system, such as creating files in a directory, deleting, renaming, and changes in the contents of a file. The change monitoring is divided into file level changes and content level changes.

File Level Changes
All the basic file level operations, such as creating, deleting and renaming a file, are monitored. These changes can be accepted or rejected later by the administrator. To allow a deleted file to be brought back (in case of disapproval), all the files are backed up to a different directory. These basic file level changes are detected using the FileSystemWatcher class. The System.IO.FileSystemWatcher component class can be used in .NET applications to watch for changes in a specified directory. One can watch for changes in files and subdirectories of the specified directory. These changes can be observed on a local computer, a network drive, or a remote computer.

We have used FileSystemWatcher [4] to track the changes in a specified directory. It works by creating a component to watch files on a local computer, network drive or remote computer. It has a "Filter" property to specify which files to monitor; it can be left blank to watch all files. We can select the specific types of events to monitor on files and directories. It has an "Include Subdirectory" option to enable monitoring of events in subdirectories. FileSystemWatcher also monitors events on hidden files.

Figure 2: Information Security

Content Level Changes
The main aim of this project lies in this part: a lot of changes are made within files, and many users collaborate on the same file and make multiple changes, so it is important to keep track of the content level change activities of the users. The project accomplishes this content level change monitoring with the help of the Office Interop API. Microsoft Office Interop [7] is an API for working with MS Office products programmatically. We can access various Office features, such as adding or removing a word and formatting or generating tables and reports. Interop has a Revisions interface whose objects store the attributes of the revisions made in a Word file. We can accept or reject changes by accessing the revisions through these objects and calling the Revisions.Accept() or Revisions.Reject() methods [8].

For content level changes in Excel files, there is no Revision class available, so the List Changes on New Sheet feature is used to keep track of the changes made within the workbook. All the modifications made in cells across the sheets of that workbook are listed cell by cell in the new sheet, with the following details: Old Value, New Value, Cell, Date-Time, User, Type of change, etc. If a change made in a particular cell has to be rejected, this is done by selecting the cell-change record and programmatically setting the value of that cell back to the old value using Interop.

B. Reporting
The changes done by the users are detected and notified to the administrator in the Reporting area of the system. File level changes and content level changes are displayed separately.
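As an added example (not the paper's code) of the FileSystemWatcher set-up described under File Level Changes, the following configures the Filter, the Include Subdirectory option and the event types to report, logs one line per event, and keeps a copy of every written file in a separate backup directory so that a disapproved deletion can be undone. The watched path, backup path and log format are placeholders; note that FileSystemWatcher reports what changed but not which user changed it, so the "who" in the paper's logs has to come from another source.

```csharp
using System;
using System.IO;
// Added example, not the paper's code. All paths are placeholders.
// A FileSystemWatcher tells you what changed, not which user changed it.
static class WatchedFolder
{
    const string BackupDir = @"C:\FsMonitor\backup";   // placeholder

    static void Main(string[] args)
    {
        string root = Path.GetFullPath(args.Length > 0 ? args[0] : @"C:\Shared");   // placeholder
        using (var watcher = new FileSystemWatcher(root))
        {
            watcher.Filter = "*.*";                 // the default; a blank filter also watches every file
            watcher.IncludeSubdirectories = true;   // the "Include Subdirectory" option
            watcher.NotifyFilter = NotifyFilters.FileName | NotifyFilters.DirectoryName
                                 | NotifyFilters.LastWrite | NotifyFilters.LastAccess
                                 | NotifyFilters.Attributes;
            watcher.InternalBufferSize = 64 * 1024; // larger buffer: fewer dropped events under load

            watcher.Created += (s, e) => { Log("CREATED", e.FullPath); Backup(root, e.FullPath); };
            watcher.Changed += (s, e) => { Log("CHANGED", e.FullPath); Backup(root, e.FullPath); };
            watcher.Deleted += (s, e) => Log("DELETED", e.FullPath);
            watcher.Renamed += (s, e) => Log("RENAMED", e.OldFullPath + " -> " + e.FullPath);
            // If the OS buffer still overflows, events are lost; record that it happened.
            watcher.Error += (s, e) => Log("ERROR", e.GetException().Message);

            watcher.EnableRaisingEvents = true;
            Console.WriteLine("Watching " + root + "; press Enter to stop.");
            Console.ReadLine();
        }
    }

    // One tab-separated line per event; in the paper's design such lines feed the reports.
    static void Log(string kind, string detail) =>
        Console.WriteLine("{0:o}\t{1}\t{2}", DateTime.UtcNow, kind, detail);

    // Mirror the file under BackupDir at the same relative path, so that a
    // disapproved deletion can be undone from the copy. The writer may still
    // hold the file open when Changed fires, so a failed copy is logged, not thrown.
    static void Backup(string root, string fullPath)
    {
        if (Directory.Exists(fullPath)) return;   // directory events need no copy
        string dest = Path.Combine(BackupDir, fullPath.Substring(root.TrimEnd('\\').Length + 1));
        try
        {
            Directory.CreateDirectory(Path.GetDirectoryName(dest));
            File.Copy(fullPath, dest, true);
        }
        catch (Exception ex) { Log("BACKUP-FAILED", fullPath + ": " + ex.Message); }
    }
}
```

Requires a C# 6 or later compiler; the event handlers run on thread-pool threads, so anything heavier than the console logging shown here should be made thread-safe.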
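As an added example (not the paper's code) of the Word Interop revision handling described under Content Level Changes and the accept/reject decision made in the Reporting area, the following lists every tracked revision in a document with its author, date, type, position and text, then accepts or rejects each one according to an administrator-supplied policy. It assumes a reference to the Microsoft.Office.Interop.Word assembly and an installed Word; the document path and the approved-author list are placeholders.

```csharp
using System;
using System.Collections.Generic;
using Word = Microsoft.Office.Interop.Word;

// Added example, not the paper's code. Needs a reference to the
// Microsoft.Office.Interop.Word assembly and an installed Word.
static class WordRevisionReview
{
    // Placeholder policy: which authors' tracked changes the admin approves.
    static readonly HashSet<string> ApprovedAuthors =
        new HashSet<string> { "alice", "bob" };   // constructed sample values

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : @"C:\Shared\policy.docx";   // placeholder
        var app = new Word.Application { Visible = false };
        Word.Document doc = null;
        try
        {
            doc = app.Documents.Open(path, ReadOnly: false);
            doc.TrackRevisions = true;   // keep recording edits made after this review
            int reviewed = ReviewRevisions(doc, r => ApprovedAuthors.Contains(r.Author));
            Console.WriteLine(reviewed + " revision(s) reviewed");
            doc.Save();
        }
        finally
        {
            if (doc != null) doc.Close();
            app.Quit();
        }
    }

    // Logs every tracked revision (who, when, what kind, where, which text),
    // then commits or reverts it. Accept()/Reject() remove the revision from
    // doc.Revisions, so the collection is copied before it is modified.
    static int ReviewRevisions(Word.Document doc, Func<Word.Revision, bool> approve)
    {
        var pending = new List<Word.Revision>();
        foreach (Word.Revision r in doc.Revisions) pending.Add(r);
        foreach (Word.Revision r in pending)
        {
            bool ok = approve(r);
            Console.WriteLine("{0:u}\t{1}\t{2}\tat char {3}\t\"{4}\"\t{5}",
                r.Date, r.Author, r.Type, r.Range.Start, r.Range.Text, ok ? "ACCEPT" : "REJECT");
            if (ok) r.Accept(); else r.Reject();
        }
        return pending.Count;
    }
}
```

The revision log only exists for edits made while Track Changes was on, so the document must have TrackRevisions enabled before users start editing it.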
These changes can be accepted or rejected by the administrator. Once the changes are accepted or rejected, the records of those changes are removed from the reporting area. Changes done in multiple selected files are displayed in the same place, which makes tracking convenient. All the reports can be saved in PDF or DOC format.

III. RESULTS
Information Security successfully detects content level changes on Word documents and Excel sheets using Interop's functionality, and file level changes on all the files under the selected directory using FileSystemWatcher. To avoid the administrator always having to manually approve or disapprove each user's modifications, user activities can be recorded and extracted from the application. This can be done by generating user-specific reports in the same way the software generates file-specific reports. A user-specific report records user actions such as the types of files accessed, the types of changes made to files, and the number of changes approved and disapproved by the admin for that user. These reports can be analysed to infer suspicious users; for example, there could be a policy that states that a user who has most of their modifications disapproved is labelled suspicious. Such a user can be denied access to the file structure to prevent further harm and admin overhead. Other types of analysis can be exercised, such as which type of file is most accessed, which kind of operation is frequently performed by a user, the number and type of changes that are mostly approved or disapproved, etc. Below are two examples of analysis carried out over static data extracted manually from the software.

Graph. 1: Approval and Disapproval percentage of changes per user

Graph 1 shows the percentage of approval and disapproval of changes performed on the Y-axis and 5 users on the X-axis. From this we can infer that the changes made by User 1 and User 4 have been disapproved more often than they have been approved. Thus, these users are prone to be involved in suspicious activities. The managers can take actions such as restricting their rights to perform sensitive changes.

Graph 2 shows the percentage of each type of change done by the users on the Y-axis and 5 users on the X-axis. With the help of this we can infer which user performs what kind of operation frequently. For example, User 2 performs the highest percentage of content level changes, and User 1 has performed zero deletion operations.

Graph. 2: Types of changes done by user

The current data is static and was manually recorded from the software for Word and Excel file structures only. Further, the software can be expanded for other types of file systems, whose data can also be recorded and analysed in a similar manner.

IV. CONCLUSION
As future scope for the file system, ownership rights can be monitored for files and directories. Here, the file contents are tracked, which gives the details of the actual changes made to a text-based configuration file; rather than text-based files, image-content files could also be monitored.

REFERENCES
[1] Gene H. Kim, Eugene H. Spafford, "The design and implementation of Tripwire: a file system integrity checker," ACM Conference, 1994.
[2] Jean-Marc Boucqueau, "Digital Rights Management," IEEE, 2006=2012.
[3] Tripwire Product. https://www.tripwire.com/products/tripwire-file-integrity-manager/
[4] FileSystemWatcher. https://msdn.microsoft.com/en-us/library/system.io.filesystemwatcher(v=vs.110).aspx
[5] File Integrity Monitoring and its Need. https://www.alienvault.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it-part-2
[6] Existing File System Monitoring For Windows. https://www.raymond.cc/blog/3-portable-tools-monitor-files-folders-changes/
[7] Interop Namespace. https://msdn.microsoft.com/en-us/library/microsoft.office.interop.word.aspx?f=255&MSPPError=-2147217396
[8] Revision Interface in C#.
[9] https://msdn.microsoft.com/en-us/library/microsoft.office.interop.word.revisions.aspx
[10] Mayur Mehta, "Design and Implementation of a File System Integrity Monitoring System", March 2016.