In most companies there are departments like Project Managers, Accountants, Developers and other employee categories that collaborate and work together with groups of documents being stored in some shared folders on a file server or possibly workstations. Occasionally, someone deletes a particular important document or folder with a bunch of documents, resulting in a mission-critical data loss. Considering the described incident, few questions immediately arise:
In Windows OSs, there is an Auditing subsystem built-in, that is capable of logging data about file and folder deletion, as well as user name and executable name that was used to perform an action. The Auditing is not enabled by default because any monitoring you use consumes some part of system resources, so tracking down too much events may cause a considerable system slowdown. Even more, since not all user activity is of interest for logging, Auditing policies enable us capturing only event types that we consider being important.
The Auditing subsystem is built-in into all Microsoft Windows NT OSs: Windows XP/Vista/7, Windows Server 2000/2003/2008. Unfortunately, Windows Home versions lack Auditing
policy configuration interface, thus making it too hard to configure.
In order to enable Auditing, log on to a computer that keeps shared folder structure with administrative permissions, click Start → Run and launch gpedit.msc MMC console. In a Computer
Configuration node, open Windows Settings → Security Settings → Local Policies → Audit Policies folder:
Double-click Audit object access policy and select Success checkbox. This policy enables file, folder and Windows Registry access attempts that were ended in a success.
Actually, this is true, we are only interested in a successful file or folder deletion attempts. Only enable Auditing on computers that keep required documents on their local hard drives.
Simply enabling policy option is not enough. It is also required to designate what folders exactly are to be watched. Usually, we require auditing shared documents and business application data folders (accounting, warehouse databases and so on) – i.e., resources accessible for editing by multiple users.
Since it’s not possible to guess who has tampered with a data, we configure auditing for Everyone system group. Thus, information about any user having deleted a watched object is to be captured and stored to the event log. Open the required shared folder properties and switch to the Security tab. Click Advanced → Auditing and add Everyone to the list, then mark both Delete check boxes:
It is highly possible that there will be too much events listed, so it is a good idea to configure the Security event log settings. To do this, click Start → Run and launch eventvwr.msc MMC console. Right-click the Security event log, select Properties and set the following options:
Frankly, the log sizes recommended above are not calculated by any formula but are to be chosen depending on particular computer usage experience.
When the situation comes to the question, log on to the required computer, click Start → Run and launch eventvwr.msc MMC console. Open Security event log for viewing. It is
highly possible that not only the required events are logged. Right-click event log and select the View → Filtercommand. Consider the following events to be filtered:
Watch through the filtered event list taking into account the following information fields inside each record:
The issue is that when performing certain procedures programs usually request multiple access types simultaneously — for example, Delete+Synchronize or Delete+Read_Control. The only important for us access type is Delete.
When the situation comes to the question, log on to the required computer, click Start → Run and launch eventvwr.msc MMC console. Open Security event log for viewing. It is
highly possible that not only the required events are logged. Right-click event log and select the Filter Current Log command. Consider the following events to be filtered:
Do not consider all the Deletes to be done on purpose. This action is frequently used as a part of normal business application standard functionality. For instance, during Save command execution Microsoft Office suite software first creates a new temporary file, saves document to it, then deletes the original document from disk. This is also true for many database applications: a temporary lock file (.lck) is created on disk and is being deleted from disk later when exiting the program.
In my working experience, several companies have dealt with deletion on purpose. The typical scenario was: the employee disgruntled with a contract break decided to remove all his work results and deleted his/her home folder content as well as all the shared documents he/she was intended to work with. Such an activity is very likely to be noticed in event logs because it generates tens and even hundreds successful Object Access records in a second. In fact, it’s easy to recover the deleted stuff from Shadow Copies (Previous Versions) or daily backup. But basically, I was always able to answer questions ”Who did it?” and “When did it happen?”