Files containing sensitive information may be deleted accidentally or maliciously within an organization. In such cases it is necessary to identify who deleted the files, both to investigate further and to restore the lost data. Monitoring file deletion records which file was deleted, when, and from where, which makes forensic analysis easier.
Steps to set an audit policy
- Launch the Group Policy Management console by either:
  - Navigating to Server Manager > Tools > Group Policy Management Console, or
  - Pressing Win+R, typing gpmc.msc in the Run dialog box that appears, and clicking OK.
- The Group Policy Management Console window will open. You can create a new Group Policy Object (GPO), or modify an existing one.
- If you want to add the policy to an existing GPO, skip to step 6.
- To create a new GPO, right-click on the domain, site, or OU where you want to apply the policy, and click Create a new GPO in this domain and Link it here.
- Enter a name for the GPO in the New GPO dialog box, and click OK.
- Now right-click on that GPO, and choose Edit.
- In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
- From the list of audit policies, double-click Audit object access to open its Properties.
- Check the Define these policy settings box, then check both Success and Failure so that all delete attempts are audited.
- Click Apply and then OK to close the window.
- The GPO is applied automatically at the next Group Policy refresh. To apply it immediately, open Command Prompt, type gpupdate, and press Enter.
Steps to set the auditing properties for the required file
- Right-click the file (Employee_Data) you want to audit, and choose Properties.
- Go to the Security tab, and click Advanced to open the Advanced Security Settings window.
- Go to the Auditing tab, and click Add to create a new audit entry. The Auditing Entry window will appear.
- Click Select a Principal, and the Select User, Computer, Service Account, or Group dialog box will appear.
- Provide Everyone as the object name, and click Check Names.
- Click OK to close the dialog box.
- Choose the type of action you want to audit from the Type drop-down. To audit both successful and failed events, choose All.
- "This folder, subfolders and files" is selected by default in the Applies to field.
- Under the Basic permissions section, select the permissions you want to audit, and click OK.
- The new entry is now added. Click Apply and OK to close the window.
- Click OK in the Properties window.
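The same audit entry can be applied from PowerShell, which is useful when many shares have to be configured consistently. The script below is an added example and is not part of the original page: it first confirms that the object-access audit policy from the previous section actually took effect (the "File System" subcategory reported by auditpol), then adds a Success and Failure audit rule for Everyone covering the Delete permissions on the target. The path in $Target is an assumed placeholder, the script expects an elevated session, and the auditpol column names assume an English locale.

```powershell
# Added example: set a delete-audit SACL entry on a file or folder and verify
# that file-system auditing is enabled. Not code from the original page.
# $Target is an assumed placeholder; replace it with the real file or folder.
$Target = 'C:\Shares\Employee_Data'

# 1. Verify the audit policy is effective. On current Windows versions object
#    access auditing is governed by the "File System" subcategory; if it shows
#    "No Auditing", no 4660/4663 events are written regardless of the SACL.
$policy = auditpol /get /subcategory:"File System" /r |
          Where-Object { $_ -match '\S' } | ConvertFrom-Csv
$setting = $policy.'Inclusion Setting'
if ($setting -notmatch 'Success' -or $setting -notmatch 'Failure') {
    Write-Warning "File System auditing is '$setting'; delete events will not be recorded fully."
}

# 2. Build the audit rule. A folder gets inheritance so that files created
#    later are covered; a single file must use InheritanceFlags 'None'.
$isDir   = Test-Path -Path $Target -PathType Container
$rights  = if ($isDir) { 'Delete,DeleteSubdirectoriesAndFiles' } else { 'Delete' }
$inherit = if ($isDir) { 'ContainerInherit,ObjectInherit' }      else { 'None' }
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, 'None', 'Success,Failure')

# 3. Read the current SACL (-Audit requires SeSecurityPrivilege), append the
#    rule, and write it back. Existing audit entries are preserved.
$acl = Get-Acl -Path $Target -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# 4. Show the resulting audit entries for confirmation.
(Get-Acl -Path $Target -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Run the script once per share from an elevated PowerShell prompt; step 4 should list the Everyone entry with FileSystemRights containing Delete and AuditFlags of Success, Failure.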
Steps to view who has deleted the file using Event Viewer
- Open the Event Viewer.
- Navigate to Windows Logs > Security.
- Click the Filter Current Log option in the right pane to bring up the Filter Current Log window.
- Under the Task category option, enter the event ID whose logs you want to view. When a file is deleted, event ID 4660 is logged. Enter this event ID, and click OK.
- The logs for all delete events are displayed. Click a log to view its details.
- Note that event ID 4660 does not display the object name. To see which object was deleted, look at the preceding event ID 4663, which records the access to that object just before it was deleted.
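Because the 4660 event carries no object name, an analyst has to pair each 4660 with the 4663 that precedes it. The script below is an added example and not part of the original page: it reads both event IDs from the Security log and joins them on the Handle ID field that both events share, so each deletion is reported together with the object path, the user, the logon session and the deleting process. It assumes an elevated session on the file server (or the -ComputerName parameter pointing at it), and the -Hours and -PathFilter parameters are assumed conveniences.

```powershell
# Added example: correlate 4660 (handle deleted) with 4663 (object accessed)
# by Handle ID to recover the name of the deleted object. Not code from the
# original page; parameter names are assumptions.
function Get-FileDeletionEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,          # look-back window
        [string]$PathFilter = ''   # substring of the object name to keep; '' keeps all
    )

    $filter = @{ LogName = 'Security'; Id = 4660, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    # RecordId preserves write order even when two events share a timestamp.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
              Sort-Object RecordId

    # Flatten each event's EventData into a name->value hashtable.
    $parsed = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Data = $data }
    }

    # Keep the most recent 4663 per Handle ID (handle values are reused over
    # time, so only the latest open is a valid match for a later 4660).
    $opens = @{}
    foreach ($p in $parsed) {
        if ($p.Id -eq 4663) {
            $opens[$p.Data['HandleId']] = $p
        }
        elseif ($p.Id -eq 4660) {
            $open = $opens[$p.Data['HandleId']]
            $name = if ($open) { $open.Data['ObjectName'] } else { '<unknown: no matching 4663>' }
            if ($PathFilter -and $name -notlike "*$PathFilter*") { continue }
            [pscustomobject]@{
                Deleted    = $p.Time
                Object     = $name
                User       = "$($p.Data['SubjectDomainName'])\$($p.Data['SubjectUserName'])"
                LogonId    = $p.Data['SubjectLogonId']
                Process    = $p.Data['ProcessName']
                # 0x10000 in the access mask is the DELETE right on the handle.
                AccessMask = if ($open) { $open.Data['AccessMask'] } else { $null }
            }
        }
    }
}

# Usage: list deletions touching Employee_Data in the last two days.
Get-FileDeletionEvents -Hours 48 -PathFilter 'Employee_Data' | Format-Table -AutoSize
```

A 4660 with no matching 4663 usually means the handle was opened before the look-back window started or before the SACL was applied; widening -Hours or checking the audit entry from the previous section resolves most of those cases.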
You can now find who deleted the file using native auditing.
Is there an easier alternative to native auditing?
Native auditing is cumbersome because it involves numerous steps. The logs are noisy, and critical information such as the name of the deleted file is tedious to find because the delete event itself does not contain it.
DataSecurity Plus addresses this by providing in-depth information about deleted files, including the name, location, and host name, from one central place. It can also send alerts about delete events.