Someone Deleted My File. How Can I Find Out Who?

If you’ve ever been tasked with recovering a lost file or folder and had to explain exactly what happened (Who moved or deleted it? When did it happen? Why?), you...
Michael Buckbee
1 min read
Last updated June 9, 2023

If you’ve ever been tasked with recovering a lost file or folder and had to explain exactly what happened (Who moved or deleted it? When did it happen? Why?), you know how annoyingly time-consuming it can be. And sometimes you simply don’t have any good answers. All you can do is restore from backup.

How do we fix this?

Having an audit trail can help tremendously, but native auditing on Windows, UNIX, and many other platforms is resource intensive, provides too much data, eats up storage, and slows servers down. It’s easy to see why auditing is rarely enabled.

Performing Forensic Investigations the Hard Way

Let’s see what it really takes to perform forensic investigations on Windows using native auditing.

Windows auditing for file access first requires that successful object access attempts be enabled, via the local or domain security policy settings.

default domain security settings

Next, each folder’s auditing settings must be modified to include the users you wish to audit. The image below shows that “everyone” who accesses the finance folder will be audited.

finance

Once auditing is enabled, events will show up in the security event container:

Event Viewer

Get the Free PowerShell and Active Directory Essentials Video Course

The events must be opened up individually to inspect their contents.

4

There are some filtering abilities if you know which user you’re interested in, but not for directory name, file type, delete events. So, what can we do next?

5

Give Varonis’ DatAdvantage a try if you’re on the help desk, doing forensics for security, and auditing data use – you’ll be able to quickly answer these frequently asked questions:

  • Who has been accessing this folder?
  • What data has this user been accessing?
  • Who sent emails to whom?
  • Who deleted these files?
  • Where did those files go?

audit

To learn more: download our Whitepaper – Accelerating Audits with Automation

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

fighting-golden-ticket-attacks-with-privileged-attribute-certificate-(pac)
Fighting Golden Ticket Attacks with Privileged Attribute Certificate (PAC)
Learn how and why to control the Active Directory Environment state with PACRequestorEnforcement, the implications of doing so and how to detect Golden Ticket attacks happening in your network.
the-difference-between-ssl-and-tls
The Difference Between SSL and TLS
SSL and TLS are used interchangably in conversations as they are incredibly closely related. Knowing the subtle difference is key. 
is-a-ransomware-attack-a-data-breach?
Is a ransomware attack a data breach?
Understanding if ransomware is a data breach is vital to determining what response your IT and Legal department needs to take.
dns-over-https-as-a-covert-command-and-control-channel
DNS over HTTPS as a covert Command and Control channel
Learn how DNS over HTTPS (DoH) is being actively used as a Command and Control (C2) channel by threat actors.