How to detect who deleted a file with DataSecurity Plus


Why you need to know who deleted a file

Files containing sensitive information might be deleted accidentally or maliciously in an organization. In these cases, it's necessary to identify who deleted the files for further investigation, and to restore the lost data. Monitoring file deletion gives details such as what file was deleted, when, and from where to help make forensic analysis easier.

This page covers two ways to find out who deleted a file: using DataSecurity Plus, and using Windows native auditing.

Steps to configure DataSecurity Plus for file deletion auditing

  1. Download and install DataSecurity Plus.
  2. Open the DataSecurity Plus console.
  3. Navigate to Admin Console > Admin > Administrative Settings > Domain Settings, and click + Add Domain in the top-right corner to add a new domain.
  4. Provide the Domain Name along with its username and password. Add the required domain controllers, and click Save.
  5. To add file servers, navigate to File Audit > Configuration, and click the + Add Server button located in the top-right corner.
  6. Select your domain, and add the servers you want to audit.
  7. Choose the files and folders to be audited beside Select Objects to Monitor, and click Add.
  8. Click Install Agent and Finish. The agent is now installed on the selected servers.

Steps to find out who deleted files

  1. Go to the File Audit tab.
  2. Navigate to Access Audit > Deleted/Overwritten Files.
  3. Select the Server Name and Periods to display the report.
  4. Click on Filter in the top-right corner of the report window, and enter the following details:
    • Action: Delete
    • Current File Name: Name of the file to be monitored (for this example, we'll name the file Employee_Data)
  5. Click Apply.

Now the report to track who deleted the file is displayed below.

You can also use filters to view reports based on a file's location, creation, or deletion time; specific users who might have deleted files; and so on.

Steps to send instant alerts when a file is deleted

  1. Go to the File Audit tab.
  2. Navigate to Configuration > General Settings > Alert Configuration.
  3. Click the + Add Global Alert or + Add Server Alert button located in the top-right corner, depending on your objective.
  4. Provide a suitable name and description for the alert.
  5. Choose a Severity from the drop-down menu.
  6. You can define a Threshold Limit to send alerts based on the number of delete events that occur within a specific time.
Note: If no Threshold Limit is set, an alert email is sent for every monitored event that occurs on the file.
  7. To receive email alerts, go to Response > Email.
  8. Check Enable email notification and provide the necessary details. To add arguments to the Subject or Message, click Customize, and choose the argument from the drop-down menu.
  9. You can choose the number of email alerts you wish to receive at a particular time by entering the values in the Send a maximum of text box.
  10. Click Save.
  11. You can include or exclude entities in the Criteria menu. To monitor who deleted a particular file, enter the following details under Include:
    • User Object: All
    • Action: Delete
    • Local Path: C:\Employee data
  12. The default Exclude settings can be left unchanged. Now click Save.

An alert profile has been created to send an email when a user deletes the file Employee_Data.

Here's an example of an alert email.

Steps to set an audit policy

  1. Launch the Group Policy Management console by either:
    • Navigating to Server Manager > Tools > Group Policy Management Console, or
    • Pressing Win+R. In the Run dialog box that appears, type gpmc.msc and click OK.
  2. The Group Policy Management Console window will open. You can create a new Group Policy Object (GPO), or modify an existing one.
  3. If you want to add the policy to an existing GPO, go to step 6.
  4. To create a new GPO, right-click on the domain, site, or OU where you want to apply the policy, and click Create a GPO in this domain, and Link it here.
  5. Enter a name for the GPO in the New GPO dialog box, and click OK.
  6. Now right-click on that GPO, and choose Edit.
  7. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
  8. From the list of audit policies, double-click on Audit object access to open its Properties.
  9. Check the Define these policy settings box, and check both Success and Failure to audit all delete attempts.
  10. Click Apply and then OK to close the window.
  11. The GPO will be applied automatically at the next policy refresh. To apply it immediately, open Command Prompt, type gpupdate, and press Enter.

Steps to set the auditing properties for the required file

  1. Right-click the file (Employee_Data) you want to audit, and choose Properties.
  2. Go to the Security tab, and click Advanced to open the Advanced Security Settings window.
  3. Go to the Auditing tab, and click Add to create a new audit entry. The Auditing Entry window will appear.
  4. Click Select a Principal, and the Select User, Computer, Service Account, or Group dialog box will appear.
  5. Enter Everyone as the object name, and click Check Names.
  6. Click OK to close the dialog box.
  7. Choose the type of action you want to audit from the Type drop-down. If you want to audit all successful and failed events, choose All.
  8. In the Applies to field, This folder, subfolders and files is selected by default.
  9. Under the Basic permissions section, select the required permissions (Delete, at a minimum, to catch file deletion), and click OK.
  10. The new entry is now added. Click Apply and OK to close the window.
  11. Click OK in the Properties window.
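The same configuration (audit policy plus an audit entry on the file) can be scripted. This is an added example, not from the original page or from the product; it assumes a constructed file path under C:\Employee data and an elevated PowerShell session, since writing a SACL needs the Manage auditing and security log right.

```powershell
# Added example: enable file-deletion auditing for one file with PowerShell.
# Path is constructed for this example; adjust to the file you want to audit.
$FilePath = 'C:\Employee data\Employee_Data.xlsx'

# 1. Turn on the audit policy on this machine (the page does this through a GPO).
#    "File System" is the Object Access subcategory that covers files and folders.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit entry (SACL) on the file: audit Delete for Everyone, Success and Failure.
$acl = Get-Acl -Path $FilePath -Audit
$flags = [System.Security.AccessControl.AuditFlags]::Success -bor `
         [System.Security.AccessControl.AuditFlags]::Failure
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::Delete,
    $flags
)
$acl.AddAuditRule($rule)
Set-Acl -Path $FilePath -AclObject $acl

# 3. Verify both halves: the effective policy and the audit entries now on the file.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $FilePath -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags
```

Without both halves (the policy and the SACL) no 4660/4663 events are written for the file.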

Steps to view who has deleted the file using Event Viewer

  1. Open the Event Viewer.
  2. Navigate to Windows Logs > Security.
  3. Click the Filter Current Log option in the right pane to bring up the Filter Current Log window.
  4. Under the Task category option, enter the event ID for which you want to view logs. When a file is deleted, event ID 4660 is logged. Enter this event ID, and click OK.
  5. The logs for all delete events are displayed. Click on a log to view the details.
  6. Search for this log and view the object name.
  7. The object name is not displayed in the delete event ID 4660; it records only a Handle ID. To see which object was deleted, look at the event ID 4663 (object access) logged just before it for the same process and Handle ID: that event carries the object name and the DELETE access that preceded the deletion.

You can now find who deleted the file using native auditing.
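The manual 4660-to-4663 correlation described above can be automated. This is an added example, not code from the original page or the product; it assumes an elevated session that can read the Security log, and the one-day lookback window is a constructed value.

```powershell
# Added example: list who deleted which file by joining 4660 (object deleted, no name)
# with the preceding 4663 (object accessed) that shares its Process ID and Handle ID.
$start = (Get-Date).AddDays(-1)   # constructed lookback window
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4660, 4663; StartTime = $start
} -ErrorAction Stop

# Turn an event's EventData into a hashtable keyed by field name (HandleId, ObjectName, ...).
function Get-EventData($evt) {
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Walk the log oldest-first. A 4663 that requested DELETE (access mask bit 0x10000) is
# remembered per process/handle pair; the 4660 that follows for the same pair consumes it.
# Keying on ProcessId as well as HandleId matters because handle values are reused.
$pending = @{}
$results = foreach ($e in ($events | Sort-Object RecordId)) {
    $d   = Get-EventData $e
    $key = "$($d.ProcessId)|$($d.HandleId)"
    if ($e.Id -eq 4663) {
        if (([int]$d.AccessMask) -band 0x10000) { $pending[$key] = $d }
    }
    elseif ($pending.ContainsKey($key)) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ObjectName = $pending[$key].ObjectName
            Process    = $d.ProcessName
        }
        $pending.Remove($key)
    }
}

$results | Sort-Object Time -Descending | Format-Table -AutoSize
```

A 4660 with no matching 4663 (for example, when the SACL did not include Delete) is left out of the output, which is itself a sign the audit entry on that object is incomplete.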

Is there an easier alternative to native auditing?

Native auditing is cumbersome as it involves numerous steps. Logs contain excessive noise, and it's tedious to find critical information like the name of the deleted file, as it's not included in the delete event itself.

DataSecurity Plus solves this problem by providing in-depth information about the deleted files including the name, location, host name, etc. all from one central place. It can even send alerts about delete events.


Ensure data security and integrity with the help of ManageEngine DataSecurity Plus.
