{"id":1364,"date":"2014-07-30T02:44:54","date_gmt":"2014-07-30T07:44:54","guid":{"rendered":"http:\/\/swildow.darktech.org\/wp\/?p=1364"},"modified":"2014-07-30T02:44:54","modified_gmt":"2014-07-30T07:44:54","slug":"how-to-audit-and-track-file-deletions","status":"publish","type":"post","link":"https:\/\/www.wildow.com\/blog\/?p=1364","title":{"rendered":"How to audit and track file deletions"},"content":{"rendered":"<h3 class=\"post-title\" style=\"margin: 0.25em 0px 0px; padding: 0px 0px 4px; font-size: 18.200000762939453px; font-weight: normal; line-height: 1.4em; color: #333333; font-family: 'Trebuchet MS', serif; font-style: normal; font-variant: normal; letter-spacing: normal; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff;\"><a href=\"http:\/\/sogeeky.blogspot.sg\/2006\/07\/how-to-audit-and-track-file-deletions.html\" target=\"_blank\">How to audit and track file deletions<\/a><\/h3>\n<div class=\"post-body\" style=\"background-image: url('http:\/\/www.blogblog.com\/harbor\/divider.gif'); background-color: #ffffff; padding-top: 12px; color: #333333; font-family: 'Trebuchet MS', serif; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 20.796875px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-position: 50% 0%; background-repeat: no-repeat no-repeat;\">\n<ul>\n<li><span style=\"text-decoration: underline;\">Enable Audit Policy<\/span>: On the machine where you want to track file deletion, go to<span class=\"Apple-converted-space\">\u00a0<\/span><b>Administrative Tools-&gt;Local Security Policy-&gt;Audit Policy<\/b><span class=\"Apple-converted-space\">\u00a0<\/span>, double click<span 
class=\"Apple-converted-space\">\u00a0<\/span><b>&#8220;Audit Object Access&#8221;<\/b><span class=\"Apple-converted-space\">\u00a0<\/span>on the right pane and switch on &#8220;Success&#8221; &amp; &#8220;Failure&#8221;.<\/li>\n<li><span style=\"text-decoration: underline;\">Enable auditing for user\/group<\/span>: You&#8217;ll need to enable and add user\/security group for auditing on the folder which needs to be captured for file deletion.\n<ul>\n<li>Right click on the target folder (ex. C:\\Program Files\\Honeywell), select<span class=\"Apple-converted-space\">\u00a0<\/span><b>Properties<\/b><span class=\"Apple-converted-space\">\u00a0<\/span>and go to <b>Security<\/b><span class=\"Apple-converted-space\">\u00a0<\/span>Tab.<\/li>\n<li>Click on<span class=\"Apple-converted-space\">\u00a0<\/span><b>Advanced<\/b><span class=\"Apple-converted-space\">\u00a0<\/span>, and select<span class=\"Apple-converted-space\">\u00a0<\/span><b>Auditing<\/b><span class=\"Apple-converted-space\">\u00a0<\/span>Tab.<\/li>\n<li>Add here the security group which would include the user who you think might be deleting the file. If you are not sure, include<span class=\"Apple-converted-space\">\u00a0<\/span><b>EVERYONE<\/b><span class=\"Apple-converted-space\">\u00a0<\/span>.<\/li>\n<li>On the next screen select &#8220;Successful&#8221; &amp; &#8220;Failed&#8221; on &#8220;Delete subfolders and files&#8221; &amp; &#8220;Delete&#8221;. Apply new settings and exit from properties.<\/li>\n<\/ul>\n<\/li>\n<li>These configurations will generate file\/folder access audit logs for the configured folder in<span class=\"Apple-converted-space\">\u00a0<\/span><b>Security Event Logs<\/b><span class=\"Apple-converted-space\">\u00a0<\/span>. 
Since we are interested in only the logs that show details of file\/folder deletions, we&#8217;ll need to look for Security Logs with event ID<span class=\"Apple-converted-space\">\u00a0<\/span><b>560<\/b><span class=\"Apple-converted-space\">\u00a0<\/span>.<\/li>\n<li>Any file deletion operation will generate two events with event ID 560. After you&#8217;ve realized that your target file has been deleted, you&#8217;ll need to filter the security log view to show only logs with event ID 560 (right click on Event Viewer-&gt;Security, select Filter&#8230;).<\/li>\n<li>If you quickly want to find out if your configured machine generated any file deletion event log, run the following command on your own (networked) machine. This will work only on XP and above, therefore, you can use this to query for security logs from Windows 2000 machines. Run<span class=\"Apple-converted-space\">\u00a0<\/span><span style=\"font-family: courier new,courier,mono;\"><b>cscript \/\/h:cscript \/\/s \/\/nologo<\/b><span class=\"Apple-converted-space\">\u00a0<\/span><\/span>at least once on your system before executing the following command.<\/li>\n<\/ul>\n<blockquote dir=\"ltr\" style=\"margin-right: 0px;\">\n<blockquote dir=\"ltr\" style=\"margin-right: 0px;\">\n<p style=\"margin: 0px 0px 0.75em;\"><span style=\"font-family: courier new,courier,mono;\">eventquery.vbs \/S<span class=\"Apple-converted-space\">\u00a0<\/span><i>&lt;Target_System_Name&gt;<\/i><span class=\"Apple-converted-space\">\u00a0<\/span>\/FI &#8220;ID eq 560&#8221; \/L Security \/V<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\n\/FI : Filter<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\n\/L : Log name {Application | Security | System}<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\n\/V : Verbose output<span class=\"Apple-converted-space\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: Verdana,Arial,Helvetica,sans-serif;\">To know more about the above command, read<span 
class=\"Apple-converted-space\">\u00a0<\/span><\/span><a style=\"color: #776644; text-decoration: none;\" href=\"http:\/\/www.microsoft.com\/resources\/documentation\/windows\/xp\/all\/proddocs\/en-us\/eventquery.mspx?mfr=true\" target=\"_blank\"><b><span style=\"font-family: Verdana,Arial,Helvetica,sans-serif;\">here<\/span><\/b><\/a><\/span><span style=\"font-family: Verdana,Arial,Helvetica,sans-serif;\">.<\/span><\/p>\n<\/blockquote>\n<\/blockquote>\n<ul>\n<li>A typical security log with file deletion details will look something like this:<\/li>\n<\/ul>\n<blockquote dir=\"ltr\" style=\"margin-right: 0px;\">\n<blockquote dir=\"ltr\" style=\"margin-right: 0px;\">\n<p dir=\"ltr\" style=\"margin: 0px 0px 0.75em;\"><span style=\"font-family: courier new,courier,mono;\">Event Type: Success Audit<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\n<\/span><span style=\"font-family: courier new,courier,mono;\">Event Source: Security<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nEvent Category: Object Access<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nEvent ID: 560<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nUser: GKY\\Raj<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nComputer: GKY<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nDescription:<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nObject Open:<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nObject Server: Security<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nObject Type: File<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nObject Name:<span class=\"Apple-converted-space\">\u00a0<\/span><span style=\"color: #ff0000;\">D:\\Test\\testdoc.txt<\/span><span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nHandle ID: 1756<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nOperation ID: {0,3190200}<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nProcess ID: 
4040<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nImage File Name: C:\\WINDOWS\\explorer.exe<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nPrimary User Name: Raj<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nPrimary Domain: GKY<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nPrimary Logon ID: (0x0,0x40C41)<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nClient User Name: &#8211;<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nClient Domain: &#8211;<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nClient Logon ID: &#8211;<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nAccesses:<span class=\"Apple-converted-space\">\u00a0<\/span><span style=\"color: #ff0000;\">DELETE<span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nSYNCHRONIZE<\/span><span class=\"Apple-converted-space\">\u00a0<\/span><br \/>\nReadAttributes<\/span><\/p>\n<\/blockquote>\n<\/blockquote>\n<p dir=\"ltr\" style=\"margin: 0px 0px 0.75em;\">NOTE:<\/p>\n<ul>\n<li>Ensure that security log is set not to overwrite itself, and has sufficient size to hold logs spanning many days. 
You can configure these settings by right-clicking on<span class=\"Apple-converted-space\">\u00a0<\/span><b>Security<\/b><span class=\"Apple-converted-space\">\u00a0<\/span>subfolder inside Event Viewer.<\/li>\n<li>You might want to test these settings by deleting a few files yourself before assuming it&#8217;ll deliver what you expect!<\/li>\n<\/ul>\n<p style=\"margin: 0px 0px 0.75em;\"><b>Update:<\/b> Just found a better alternative to built-in Event Viewer &#8211; http:\/\/www.eventlogxp.com\/<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>How to audit and track file deletions Enable Audit Policy: On the machine where you want to track file deletion, go to\u00a0Administrative Tools-&gt;Local Security Policy-&gt;Audit Policy\u00a0, double click\u00a0&#8220;Audit Object Access&#8221;\u00a0on the right pane and switch on &#8220;Success&#8221; &amp; &#8220;Failure&#8221;. Enable auditing &#8230; <a class=\"more-link\" href=\"https:\/\/www.wildow.com\/blog\/?p=1364\">Read More 
&raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1364","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1364"}],"version-history":[{"count":1,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1364\/revisions"}],"predecessor-version":[{"id":1365,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1364\/revisions\/1365"}],"wp:attachment":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}