Claimsman logs all file handle creation on Windows systems, writing each event to both a local file and a centralized log management system. The goal is to collect the information needed to answer the following two questions:
- What files has user X accessed within a defined time frame?
- Who has accessed file X within a defined time frame?
The application consists of a kernel driver and a Windows service that forwards the data to the log management system.
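The two questions above are queries over the collected records. The script below is an added example, not Claimsman's own code: it answers both questions over a handful of constructed records. The JSON Lines layout and the field names (`ts`, `user`, `process`, `path`, `access`) are assumptions made for the illustration, not the driver's actual output format. It also handles two details a practitioner hits in practice: Windows account names and NTFS paths are case-insensitive, so matching has to fold case, and a single corrupt line must not abort a query over the whole file.

```python
import json
from datetime import datetime, timezone

# Constructed sample records in an assumed JSON-Lines layout; the real
# Claimsman record format may differ.
SAMPLE_LOG = r"""
{"ts": "2024-05-01T08:15:00Z", "user": "CORP\\alice", "process": "winword.exe", "path": "C:\\Finance\\q1.xlsx", "access": "read"}
{"ts": "2024-05-01T09:40:00Z", "user": "CORP\\bob", "process": "explorer.exe", "path": "c:\\finance\\Q1.XLSX", "access": "read"}
{"ts": "2024-05-01T12:05:00Z", "user": "CORP\\alice", "process": "notepad.exe", "path": "C:\\Users\\alice\\notes.txt", "access": "write"}
{"ts": "2024-05-02T07:30:00Z", "user": "CORP\\carol", "process": "excel.exe", "path": "C:\\Finance\\q1.xlsx", "access": "write"}
{"ts": "2024-05-02T18:00:00Z", "user": "CORP\\alice", "process": "cmd.exe", "path": "C:\\Finance\\budget.docx", "access": "read"}
"""


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; accept a trailing 'Z' on any Python 3 version."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def parse_records(text: str) -> list:
    """Turn JSON-Lines text into dicts with a parsed 'ts'; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = parse_ts(rec["ts"])
        except (ValueError, KeyError):
            continue  # one corrupt line must not abort the whole query
        records.append(rec)
    return records


def _in_window(rec: dict, start: str, end: str) -> bool:
    """True when the record's timestamp lies in [start, end], both inclusive."""
    return parse_ts(start) <= rec["ts"] <= parse_ts(end)


def files_accessed_by(records: list, user: str, start: str, end: str) -> list:
    """Question 1: which files did `user` access between start and end?"""
    wanted = user.casefold()  # Windows account names are case-insensitive
    seen = {}
    for rec in records:
        if rec["user"].casefold() == wanted and _in_window(rec, start, end):
            # NTFS paths are case-insensitive too: key on the folded form
            # but report the spelling that was logged first.
            seen.setdefault(rec["path"].casefold(), rec["path"])
    return [seen[k] for k in sorted(seen)]


def who_accessed(records: list, path: str, start: str, end: str) -> list:
    """Question 2: which users accessed `path` between start and end?"""
    wanted = path.casefold()
    seen = {}
    for rec in records:
        if rec["path"].casefold() == wanted and _in_window(rec, start, end):
            seen.setdefault(rec["user"].casefold(), rec["user"])
    return [seen[k] for k in sorted(seen)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(files_accessed_by(recs, r"corp\Alice", "2024-05-01T00:00:00Z", "2024-05-01T23:59:59Z"))
    print(who_accessed(recs, r"C:\FINANCE\Q1.XLSX", "2024-05-01T00:00:00Z", "2024-05-02T23:59:59Z"))
```

Both queries are linear scans, which is fine for a local file; against the centralized store the same two predicates (user or path, plus a time window) would become indexed fields in the log management system's query language.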