Windows Audit Part 3: Tracing file deletions | Michael Firsov

https://michaelfirsov.wordpress.com/windows-audit-part-3-tracing-file-de...

Windows Audit

There's a new version of this article available:
Windows Audit Part 4: Tracing file deletions in MS PowerShell (https://michaelfirsov.wordpress.com/windowsauditpart4tracingfiledeletionsinmspowershell/)
Windows Audit Part 1 (https://michaelfirsov.wordpress.com/windowsauditpart1tracingfileopenings/)
Windows Audit Part 2 (https://michaelfirsov.wordpress.com/windowsauditpart2gettingthetimeitervalinwhichthefilewasopen/)

Now it's time to answer the most important question: how can we trace file/folder deletions?
In this article I'd like to offer system administrators a pictorial guide with which they can easily and quickly find all the necessary information in the Windows Event Viewer Security log.

The task: to find out what was deleted, by whom, when and at what location.
(on the example of Windows Server 2008 R2)

Prerequisites: First of all we should enable Object Access auditing with the File System, File Share and Handle Manipulation subcategories (Win2008), or just the File System category for Win2003.

Let's consider this scheme (the upper event IDs are for Win2008, the lower ones for Win2003):

(https://michaelfirsov.files.wordpress.com/2012/03/filedeletion.jpg)
File Deletion Scheme
Thu 19 May 2016 12:46 AM

I. An object was deleted locally (Local deletion)
2.1) Open Handle ID, i.e. a file is opened.
(pay attention to the list(*) of user permissions for the object and to the Logon ID.)
2.2) Registration of the exercised DELETE permission** (0x10000)
(the Process/Image File Name field will show the application by which the object was deleted.)
2.3) Object deletion
(the name of the deleted object can be found from 2.2, or from 2.1 by its Handle ID).
2.4) Handle ID Close, i.e. the file is closed.
*: the permissions mentioned here mean what the user CAN do, but not necessarily WILL do!
**: this permission has really been exercised.

II. An object was deleted from a shared folder (Network deletion)
1.1) Network Logon (pay attention to the user name, workstation and Logon ID)
1.2) Share Folder Access (only for Win2008)
2.1) Open Handle ID, i.e. a file is opened.
(pay attention to the list(*) of user permissions for the object and to the Logon ID.)
2.2) Registration of the exercised DELETE permission** (0x10000)
(an empty Process/Image File Name field means a network deletion)
2.3) Object deletion
(the name of the deleted object can be found from 2.2, or from 2.1 by its Handle ID).
2.4) Handle ID Close, i.e. the file is closed.
3) Network logoff (with the same Logon ID as in 1.1).

Answer I

Note: For future use I prefer to save the LogParser output to a text file, for instance to H:\LogParser\.

a) We'll get started by finding out if there was any file deletion at all:

LogParser -o:csv -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings,1,'|') AS USER, Extract_Token(Strings,3,'|') AS LogonID, Extract_Token(Strings,5,'|') AS HandleID INTO H:\LogParser\Event4660.txt FROM Security WHERE EventID=4660 ORDER BY TimeGenerated DESC"

The output:
TimeGenerated,EventID,USER,LogonID,HandleID
2010-01-20 13:09:58,4660,hdesk1,0x138b8d8,0xe4c

We can see that user hdesk1 deleted some file on 20.01.2010 at 13:09:58.

b) Then we should find out what exactly was deleted, when and by whom (note that the LogonID and HandleID should be the same as in the previous output):

LogParser -o:csv -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings,1,'|') AS USER, Extract_Token(Strings,3,'|') AS LogonID, Extract_Token(Strings,6,'|') AS ObjectName, Extract_Token(Strings,7,'|') AS HandleID, Extract_Token(Strings,11,'|') AS ProcessName, Extract_Token(Strings,9,'|') AS AccessTYPE INTO H:\LogParser\Event4663.txt FROM Security WHERE EventID=4663 AND AccessTYPE LIKE '%0x10000%' ORDER BY TimeGenerated DESC"

The output:
TimeGenerated,EventID,USER,LogonID,ObjectName,HandleID,ProcessName,AccessTYPE
13:09:58,4663,hdesk1,0x138b8d8,H:\Test\Doc1.txt,0xe4c,C:\Windows\explorer.exe,0x10000
13:09:58,4663,hdesk1,0x138b8d8,H:\Test\Doc1.txt,0xe4c,C:\Windows\explorer.exe,0x10000

Attention! In the output above there are two simultaneous 4663 events for the given LogonID and HandleID. According to Microsoft's documentation this event should be generated on the first use of the permission only. The reason for this is unknown to me, so I prefer to count deletion events by ID 4660.
Judging by the field ProcessName = C:\Windows\explorer.exe, we know that the file was deleted locally.

The answer:
On 20.01.2010 at 13:09:58 user hdesk1 deleted the file H:\Test\Doc1.txt locally on server serv1.

Answer II

a) Once again we get started by finding out if there was any file deletion:

LogParser -o:csv -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings,1,'|') AS USER, Extract_Token(Strings,3,'|') AS LogonID, Extract_Token(Strings,5,'|') AS HandleID INTO H:\LogParser\Event4660.txt FROM Security WHERE EventID=4660 ORDER BY TimeGenerated DESC"

The output:
TimeGenerated,EventID,USER,LogonID,HandleID
2010-01-20 15:35:52,4660,jane,0x1605225,0x5414
We see that user jane deleted some file/folder on 20.01.2010 at 15:35:52.

b) And again we find out what exactly was deleted, when and by whom (noting that the LogonID and HandleID should be the same as in the previous output):

TimeGenerated,EventID,USER,LogonID,ObjectName,HandleID,ProcessName,AccessTYPE
15:35:52,4663,jane,0x1605225,H:\Test\DocNet.txt,0x5414,,0x10000

Here we see the name of the deleted object (H:\Test\DocNet.txt) and how it was deleted.
As the field ProcessName (or Image Name in Win2003) is empty, we know there was what I call a network deletion.
Look! This time there is no duplication of event 4663!

In both preceding examples we didn't use the event 4656 (Handle Open) because we already know what exactly has been deleted from the event 4663.

The next step is to try to find out from what workstation the deletion occurred.
At first we should search for the network logon event (4624) with the same LogonID (0x1605225) as in the events 4660 and 4663:

LogParser -o:csv -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings,3,'|') AS LogonID, Extract_Token(Strings,5,'|') AS USER, Extract_Token(Strings,8,'|') AS LogonTYPE INTO H:\LogParser\Event4624NetworkLogon.txt FROM Security WHERE EventID=4624 ORDER BY TimeGenerated DESC"

The output:
TimeGenerated,EventID,LogonID,USER,LogonTYPE,ClientAddress
2010-01-20 15:45:18,4624,0x161475c,SERV1$,3,127.0.0.1
2010-01-20 15:35:47,4624,0x1605225,jane,3,10.1.2.102
2010-01-20 15:35:45,4624,0x16051d5,jane,3,10.1.2.102

Note: If we add the expression [AND LogonID LIKE '%0x1605225%'] to the query above, we'll get an output with a single resulting row:

LogParser -o:csv -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings,3,'|') AS LogonID, Extract_Token(Strings,5,'|') AS USER, Extract_Token(Strings,8,'|') AS LogonTYPE INTO H:\LogParser\Event4624NetworkLogon.txt FROM Security WHERE EventID=4624 AND LogonID
LIKE '%0x1605225%' ORDER BY TimeGenerated DESC"

The output:
TimeGenerated,EventID,LogonID,USER,LogonTYPE,ClientAddress
2010-01-20 15:35:47,4624,0x1605225,jane,3,10.1.2.102

So, the answer is: On 20.01.2010 at 15:35:52 user jane deleted the file H:\Test\DocNet.txt on server SERV1 from the workstation with IP = 10.1.2.102.

Moreover, we can make use of the new Win2008 event 5140 to find out from what shared folder this file was deleted:

LogParser -fullText:OFF -o:csv -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings,1,'|') AS USER, Extract_Token(Strings,2,'|') AS DOMAIN, Extract_Token(Strings,5,'|') AS SourceIP, Extract_Token(Strings,7,'|') AS SHARE INTO H:\LogParser\SERV1FileShare5140.txt FROM SECURITY WHERE EventID=5140 AND SHARE NOT LIKE '%IPC%' ORDER BY TimeGenerated DESC"

The output:
TimeGenerated,EventID,USER,SourceIP,SHARE
2010-01-20 16:12:50,5140,secretary,10.1.2.49,\\*\DiskD
2010-01-20 15:35:47,5140,jane,10.1.2.102,\\*\Test

and to see when the given user logged off from the server Serv1 (i.e. at what time the network session (with LogonID = 0x1605225) of the user jane from IP = 10.1.2.102 to Serv1 ended):

TimeGenerated,EventID,USER,LogonID,LogonTYPE
2010-01-20 16:32:12,4634,jane,0x1605225,3
2010-01-20 16:16:24,4634,Consuser1,0x14d6257,3
2010-01-20 16:16:00,4634,OLGASR$,0x16708c3,3
2010-01-20 16:14:25,4634,secretary,0x166e3b3,3
2010-01-20 16:13:01,4634,ELENACHE$,0x166e3a1,3
2010-01-20 16:12:58,4634,jane,0x15d8694,3
2010-01-20 15:45:18,4634,SERV1$,0x161475c,3
2010-01-20 15:44:47,4634,manager,0x1469e11,3
2010-01-20 15:35:46,4634,jane,0x16051d5,3

So here it is, the final answer:
On 20.01.2010 at 15:35:47 user jane connected to the shared folder \\serv1\test from the workstation with IP = 10.1.2.102; at 15:35:52 she deleted the file H:\Test\DocNet.txt from \\serv1\test and closed the session at 16:32:12 (for example, by closing the \\serv1\test shared folder's window).
There's a new version of this article available:
Windows Audit Part 4: Tracing file deletions in MS PowerShell (https://michaelfirsov.wordpress.com/windowsauditpart4tracingfiledeletionsinmspowershell/)

DenialParl November 18, 2014 at 9:53 am | Reply

It's really an awesome and very informative blog post.
Though, due to not much technical awareness, I use an automated solution named Lepide auditor for file server (http://www.lepide.com/fileserveraudit/) that works great for me and audits all changes made in file server even at granular level. It provides the collected data in real time.
However, I am sure this blog could be a fantastic approach in future prospective.

Michael Firsov November 18, 2014 at 10:34 am | Reply

DenialParl, thank you so much, I'm happy my articles can be of some help!
And I'd like to thank you for the Lepide auditor, I did not know about it. It's always more pleasant to work with a graphical tool than to type commands into a console.
