https://michaelfirsov.wordpress.com/windows-audit-part-3-tracing-file-de...
Windows Audit

There's a new version of this article available:
Windows Audit Part 4: Tracing file deletions in MS PowerShell (https://michaelfirsov.wordpress.com/windows-audit-part-4-tracing-file-deletions-in-ms-powershell/)

Windows Audit Part 1 (https://michaelfirsov.wordpress.com/windows-audit-part-1-tracing-file-openings/)
Windows Audit Part 2 (https://michaelfirsov.wordpress.com/windows-audit-part-2-getting-the-time-iterval-in-which-the-file-was-open/)
Now it's time to answer the most important question: how can we trace file/folder deletions?

In this article I'd like to offer system administrators a pictorial guide with which they could easily and quickly find all the necessary information in the Windows Event Viewer security log.

The task:
To find out what, by whom, when and at what location was deleted.
(on the example of Windows Server 2008 R2)

Prerequisites: First of all we should enable Object Access audit with the File System, File Share and Handle Manipulation subcategories (Win2008), or just the File System category for Win2003.

Let's consider this scheme:
(upper event IDs are for Win2008, lower ones are for Win2003)
[Image: File Deletion Scheme] (https://michaelfirsov.files.wordpress.com/2012/03/filedeletion.jpg)
Thu 19 May 2016 12:46 AM
I. An object was deleted locally (Local deletion)

2.1) Open Handle ID, i.e. a file is opened.
(pay attention to the list (*) of user permissions for the object and to the Logon ID.)
2.2) Registration of the exercised DELETE permission** (0x10000)
(the Process/Image File Name field will show the application by which the object was deleted.)
2.3) Object deletion
(the name of the deleted object might be known from 2.2, or from 2.1 by its Handle ID.)
2.4) Handle ID close, i.e. the file is closed.

*: permissions mentioned here mean what the user CAN do, but not necessarily WILL do!
**: this permission has really been exercised.
II. An object was deleted from a shared folder (Network deletion)

1.1) Network logon (pay attention to the user name, workstation and Logon ID)
1.2) Share folder access (only for Win2008)
2.1) Open Handle ID, i.e. a file is opened.
(pay attention to the list (*) of user permissions for the object and to the Logon ID.)
2.2) Registration of the exercised DELETE permission** (0x10000)
(an empty Process/Image File Name field means a network deletion)
2.3) Object deletion
(the name of the deleted object might be known from 2.2, or from 2.1 by its Handle ID.)
2.4) Handle ID close, i.e. the file is closed.
3) Network logoff (with the same Logon ID as in 1.1).
Answer I

Note: For future use I prefer to save the LogParser output to a text file, for instance to H:\LogParser\.

a) We'll get started by finding out if there was any file deletion:

LogParser -o:CSV -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings,1,'|') AS USER, Extract_Token(Strings,3,'|') AS LogonID, Extract_Token(Strings,5,'|') AS HandleID INTO H:\LogParser\Event4660.txt FROM Security WHERE EventID=4660 ORDER BY TimeGenerated DESC"

The output:
TimeGenerated,EventID,USER,LogonID,HandleID
2010-01-20 13:09:58,4660,hdesk1,0x138b8d8,0xe4c

We can see that user hdesk1 deleted some file on 20.01.2010 at 13:09:58.

b) Then we should find out what exactly was deleted, when and by whom (note that the Logon ID and Handle ID should be the same as in the previous output):

LogParser -o:CSV -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings,1,'|') AS USER, Extract_Token(Strings,3,'|') AS LogonID, Extract_Token(Strings,6,'|') AS ObjectName, Extract_Token(Strings,7,'|') AS HandleID, Extract_Token(Strings,11,'|') AS ProcessName, Extract_Token(Strings,9,'|') AS AccessTYPE INTO H:\LogParser\Event4663.txt FROM Security WHERE EventID=4663 AND AccessTYPE LIKE '%0x10000%' ORDER BY TimeGenerated DESC"

The output:
TimeGenerated,EventID,USER,LogonID,ObjectName,HandleID,ProcessName,AccessTYPE
13:09:58,4663,hdesk1,0x138b8d8,H:\Test\Doc1.txt,0xe4c,C:\Windows\explorer.exe,0x10000
13:09:58,4663,hdesk1,0x138b8d8,H:\Test\Doc1.txt,0xe4c,C:\Windows\explorer.exe,0x10000

Attention! In the output above there are two simultaneous 4663 events for the given Logon ID and Handle ID. According to Microsoft's documentation this event should be generated on the first permission utilization only. The reason for this is unknown to me, so I prefer to count deletion events by ID 4660.

Judging by the field ProcessName = C:\Windows\explorer.exe, we know that the file was deleted locally.

The answer:
On 20.01.2010 at 13:09:58 user hdesk1 deleted the file H:\Test\Doc1.txt locally on server serv1.
Answer II

a) Once again we get started by finding out if there was any file deletion:

LogParser -o:CSV -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings,1,'|') AS USER, Extract_Token(Strings,3,'|') AS LogonID, Extract_Token(Strings,5,'|') AS HandleID INTO H:\LogParser\Event4660.txt FROM Security WHERE EventID=4660 ORDER BY TimeGenerated DESC"

The output:
TimeGenerated,EventID,USER,LogonID,HandleID
2010-01-20 15:35:52,4660,jane,0x1605225,0x5414
We see that user jane deleted some file/folder on 20.01.2010 at 15:35:52.

b) And again we find out what exactly was deleted, when and by whom (noting that the Logon ID and Handle ID should be the same as in the previous output):

TimeGenerated,EventID,USER,LogonID,ObjectName,HandleID,ProcessName,AccessTYPE
15:35:52,4663,jane,0x1605225,H:\Test\DocNet.txt,0x5414,,0x10000

Here we see the name of the deleted object (H:\Test\DocNet.txt) and how it was deleted.
As the field ProcessName (or Image Name in Win2003) is empty, we know there was what I call a network deletion.
Look! This time there's no 4663 event duplication!

In both preceding examples we didn't use event 4656 (Handle Open), because we already know what exactly has been deleted from event 4663.

The next step is to try to find out from what workstation the deletion occurred.
At first we should search for the network logon event (4624) with the same Logon ID (0x1605225) as in events 4660 and 4663 (in the 4624 event's Strings, token 7 is the Target Logon ID that the file events refer to; token 3 is the Subject Logon ID):

LogParser -o:CSV -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings,7,'|') AS LogonID, Extract_Token(Strings,5,'|') AS USER, Extract_Token(Strings,8,'|') AS LogonTYPE INTO H:\LogParser\Event4624NetworkLogon.txt FROM Security WHERE EventID=4624 ORDER BY TimeGenerated DESC"

The output:
TimeGenerated,EventID,LogonID,USER,LogonTYPE,ClientAddress
2010-01-20 15:45:18,4624,0x161475c,SERV1$,3,127.0.0.1
2010-01-20 15:35:47,4624,0x1605225,jane,3,10.1.2.102
2010-01-20 15:35:45,4624,0x16051d5,jane,3,10.1.2.102

Note: If we add the expression [AND LogonID LIKE '%0x1605225%'] to the query above, we'll get an output with a single resulting line:

LogParser -o:CSV -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings,7,'|') AS LogonID, Extract_Token(Strings,5,'|') AS USER, Extract_Token(Strings,8,'|') AS LogonTYPE INTO H:\LogParser\Event4624NetworkLogon.txt FROM Security WHERE EventID=4624 AND LogonID LIKE '%0x1605225%' ORDER BY TimeGenerated DESC"
The output:
TimeGenerated,EventID,LogonID,USER,LogonTYPE,ClientAddress
2010-01-20 15:35:47,4624,0x1605225,jane,3,10.1.2.102

So, the answer is: On 20.01.2010 at 15:35:52 user jane deleted the file H:\Test\DocNet.txt on server SERV1 from the workstation with IP = 10.1.2.102.

Moreover, we can make use of the new Win2008 event 5140 to find out from what shared folder this file was deleted:

LogParser -fullText:OFF -o:CSV -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings,1,'|') AS USER, Extract_Token(Strings,2,'|') AS DOMAIN, Extract_Token(Strings,5,'|') AS SourceIP, Extract_Token(Strings,7,'|') AS SHARE INTO H:\LogParser\SERV1FileShare5140.txt FROM Security WHERE EventID=5140 AND SHARE NOT LIKE '%IPC%' ORDER BY TimeGenerated DESC"

The output:
TimeGenerated,EventID,USER,SourceIP,SHARE
2010-01-20 16:12:50,5140,secretary,10.1.2.49,\\*\DiskD
2010-01-20 15:35:47,5140,jane,10.1.2.102,\\*\Test

and to see when the given user logged off from the server Serv1 (i.e. at what time the network session (with Logon ID = 0x1605225) of user jane from IP = 10.1.2.102 to Serv1 ended):

TimeGenerated,EventID,USER,LogonID,LogonTYPE
2010-01-20 16:32:12,4634,jane,0x1605225,3
2010-01-20 16:16:24,4634,Consuser1,0x14d6257,3
2010-01-20 16:16:00,4634,OLGASR$,0x16708c3,3
2010-01-20 16:14:25,4634,secretary,0x166e3b3,3
2010-01-20 16:13:01,4634,ELENACHE$,0x166e3a1,3
2010-01-20 16:12:58,4634,jane,0x15d8694,3
2010-01-20 15:45:18,4634,SERV1$,0x161475c,3
2010-01-20 15:44:47,4634,manager,0x1469e11,3
2010-01-20 15:35:46,4634,jane,0x16051d5,3

So here it is, the final answer:
On 20.01.2010 at 15:35:47 user jane connected to the shared folder \\serv1\test from the workstation with IP = 10.1.2.102; at 15:35:52 she deleted the file H:\Test\DocNet.txt from \\serv1\test and closed the session at 16:32:12 (for example, by closing the \\serv1\test shared folder's window).
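The correlation performed by hand in Answer I and Answer II (4660 joined to 4663 on Logon ID + Handle ID, the DELETE mask 0x10000 filter, local vs. network classification by ProcessName, then 4624, 5140 and 4634 for the network case) can be automated once the LogParser CSV files are on disk. The following Python script is an added example and not part of the article; its input is constructed sample data modelled on the article's output (the AccessMask column name and the extra read-only 4663 row with mask 0x1 are constructed to exercise the filter). It goes a little beyond the article in that it handles any number of deletions in one pass and collapses the doubled 4663 rows the author observed, so each deleted object is reported once.

```python
import csv
from collections import defaultdict
from io import StringIO

DELETE_MASK = 0x10000  # the DELETE access right; the 4663 query in the article filters on it

# Constructed sample input modelled on the LogParser CSV output shown in the article.
# One 4660 per deletion; the 4663 list repeats hdesk1's event (the duplication the
# article points out) and adds a constructed read-only 4663 (mask 0x1) for jane's handle.
EVENT_4660 = r"""TimeGenerated,EventID,USER,LogonID,HandleID
2010-01-20 13:09:58,4660,hdesk1,0x138b8d8,0xe4c
2010-01-20 15:35:52,4660,jane,0x1605225,0x5414
"""
EVENT_4663 = r"""TimeGenerated,EventID,USER,LogonID,ObjectName,HandleID,ProcessName,AccessMask
2010-01-20 13:09:58,4663,hdesk1,0x138b8d8,H:\Test\Doc1.txt,0xe4c,C:\Windows\explorer.exe,0x10000
2010-01-20 13:09:58,4663,hdesk1,0x138b8d8,H:\Test\Doc1.txt,0xe4c,C:\Windows\explorer.exe,0x10000
2010-01-20 15:35:52,4663,jane,0x1605225,H:\Test\DocNet.txt,0x5414,,0x10000
2010-01-20 15:35:50,4663,jane,0x1605225,H:\Test\DocNet.txt,0x5414,,0x1
"""
EVENT_4624 = r"""TimeGenerated,EventID,LogonID,USER,LogonType,ClientAddress
2010-01-20 15:45:18,4624,0x161475c,SERV1$,3,127.0.0.1
2010-01-20 15:35:47,4624,0x1605225,jane,3,10.1.2.102
2010-01-20 15:35:45,4624,0x16051d5,jane,3,10.1.2.102
"""
EVENT_5140 = r"""TimeGenerated,EventID,USER,SourceIP,SHARE
2010-01-20 16:12:50,5140,secretary,10.1.2.49,\\*\DiskD
2010-01-20 15:35:47,5140,jane,10.1.2.102,\\*\Test
"""
EVENT_4634 = r"""TimeGenerated,EventID,USER,LogonID,LogonType
2010-01-20 16:32:12,4634,jane,0x1605225,3
2010-01-20 15:35:46,4634,jane,0x16051d5,3
"""


def load(text):
    """Parse LogParser-style CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(StringIO(text)))


def index_by(rows, *keys):
    """Group rows by a tuple of column values, keeping the rows' original order."""
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[k] for k in keys)].append(row)
    return groups


def trace_deletions(e4660, e4663, e4624, e5140, e4634):
    """Build one record per 4660 (handle deleted), following the article's steps:
    4663 joined on Logon ID + Handle ID, then 4624/5140/4634 for network deletions."""
    by_handle = index_by(load(e4663), "LogonID", "HandleID")
    logons = index_by(load(e4624), "LogonID")
    logoffs = index_by(load(e4634), "LogonID")
    shares = load(e5140)
    records = []
    for d in load(e4660):
        accesses = by_handle.get((d["LogonID"], d["HandleID"]), [])
        # Keep only 4663 rows where DELETE was actually exercised, and collapse the
        # doubled 4663 rows by object name so each deleted object is listed once.
        objects = []
        for a in accesses:
            if int(a["AccessMask"], 16) & DELETE_MASK and a["ObjectName"] not in objects:
                objects.append(a["ObjectName"])
        # A filled ProcessName means a local deletion; an empty one means a network deletion.
        process = next((a["ProcessName"] for a in accesses if a["ProcessName"]), "")
        rec = {"time": d["TimeGenerated"], "user": d["USER"], "logon_id": d["LogonID"],
               "objects": objects, "process": process,
               "mode": "local" if process else "network"}
        if rec["mode"] == "network":
            logon = logons.get((d["LogonID"],), [])
            rec["client_ip"] = logon[0]["ClientAddress"] if logon else None
            rec["logon_time"] = logon[0]["TimeGenerated"] if logon else None
            # The article's 5140 query carries no Logon ID, so match the share access by
            # user and source IP at or before the deletion time (timestamps sort as text).
            rec["shares"] = sorted({s["SHARE"] for s in shares
                                    if s["USER"] == d["USER"]
                                    and s["SourceIP"] == rec["client_ip"]
                                    and s["TimeGenerated"] <= d["TimeGenerated"]})
            logoff = logoffs.get((d["LogonID"],), [])
            rec["logoff_time"] = logoff[0]["TimeGenerated"] if logoff else None
        records.append(rec)
    return records


def describe(rec):
    """Render a record as a one-line answer in the style of the article's conclusions."""
    base = f'{rec["time"]} user {rec["user"]} deleted {", ".join(rec["objects"]) or "<unknown object>"}'
    if rec["mode"] == "local":
        return f'{base} locally via {rec["process"]}'
    return (f'{base} from share(s) {", ".join(rec["shares"]) or "?"} via IP {rec["client_ip"]}; '
            f'network logon at {rec["logon_time"]}, logoff at {rec["logoff_time"]}')


if __name__ == "__main__":
    for rec in trace_deletions(EVENT_4660, EVENT_4663, EVENT_4624, EVENT_5140, EVENT_4634):
        print(describe(rec))
```

To run it against real exports, replace the five constructed strings with the contents of the files the LogParser queries write (the 4624 query must also extract the client address, and the 4634 export is the one shown above); the join keys stay the same. Counting deletions from 4660 rather than from 4663 follows the author's own advice and keeps the duplicated 4663 rows from inflating the count.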