Windows Audit Part 3: Tracing file deletions

There’s a new version of this article available:
Windows Audit Part 4: Tracing file deletions in MS PowerShell

Windows Audit Part 1
Windows Audit Part 2

Now it’s time to answer the most important question: how can we trace file/folder deletions?

In this article I’d like to offer system administrators a pictorial guide with which they can easily and quickly find all the necessary information in the Windows Event Viewer security log.

The task:

To find out “what, by whom, when and at what location” was deleted.

(on the example of Windows Server 2008 R2)

Prerequisites: First of all we should enable the “Object Access” audit policy with the “File System”, “File Share” and “Handle Manipulation” subcategories (Win2008), or just the “File System” category for Win2003.

Let’s consider this scheme:
(upper event id-s are for Win2008, lower ones are for Win2003)

File Deletion Scheme

I An object was deleted locally  (“Local deletion”)

2-1)    Open Handle ID – i.e. a file is opened.
(pay attention to the list (*) of user permissions for the object and to the Logon ID.)

2-2)    Registration of the exercised “DELETE” permission** (0x10000)
(the “Process/Image File Name” field will show the application by which the object was deleted.)

2-3)    Object deletion
(the name of the deleted object can be learned from 2-2,
or from 2-1 by its Handle ID).

2-4)    Handle ID Close – i.e. the file is closed.

*: the permissions listed here are what the user CAN do, not necessarily what they WILL do!

**: this permission has really been exercised.

II An object was deleted from the shared folder (“Network deletion”)

1-1)   Network Logon (pay attention to the user name, workstation and Logon ID)

1-2)   Share Folder Access (only for Win2008)

2-1)   Open Handle ID – i.e. a file is opened.
(pay attention to the list (*) of user permissions for the object and to the Logon ID.)

2-2)   Registration of the exercised “DELETE” permission** (0x10000)
(an empty “Process/Image File Name” field means a “network deletion”)

2-3)   Object deletion
(the name of the deleted object can be learned from 2-2, or from 2-1 by its Handle ID).

2-4)  Handle ID Close – i.e. the file is closed.

3)    Network logoff (with the same Logon ID as in 1-1).

Answer I

Note:    For future use I prefer to save the LogParser output to a text file,
for instance to H:\LogParser\.

a) We’ll get started by finding out if there was any file deletion:

LogParser -o:csv -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings, 1, '|') AS USER, Extract_Token(Strings, 3, '|') AS LogonID, Extract_Token(Strings, 5, '|') AS HandleID INTO H:\LogParser\Event4660.txt FROM Security WHERE EventID = 4660 ORDER BY TimeGenerated DESC"

The output:

TimeGenerated,        EventID,  USER,    LogonID,    HandleID
2010-01-20 13:09:58,  4660,     hdesk1,  0x138b8d8,  0xe4c

We can see that user hdesk1 deleted some file on 20.01.2010 at 13:09:58.

b) Then we should find out what exactly was deleted, when and by whom (note that LogonID and HandleID should be the same as in the previous output):

LogParser -o:csv -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings, 1, '|') AS USER, Extract_Token(Strings, 3, '|') AS LogonID, Extract_Token(Strings, 6, '|') AS ObjectName, Extract_Token(Strings, 7, '|') AS HandleID, Extract_Token(Strings, 11, '|') AS ProcessName, Extract_Token(Strings, 9, '|') AS AccessTYPE INTO H:\LogParser\Event4663.txt FROM Security WHERE EventID = 4663 AND AccessTYPE LIKE '%0x10000%' ORDER BY TimeGenerated DESC"

The output:

TimeGenerated,  EventID,  USER,    LogonID,    ObjectName,        HandleID,  ProcessName,              AccessTYPE
13:09:58,       4663,     hdesk1,  0x138b8d8,  H:\Test\Doc1.txt,  0xe4c,     C:\Windows\explorer.exe,  0x10000
13:09:58,       4663,     hdesk1,  0x138b8d8,  H:\Test\Doc1.txt,  0xe4c,     C:\Windows\explorer.exe,  0x10000

Attention! In the output above there are two simultaneous 4663 events for the given LogonID and HandleID. According to Microsoft’s documentation this event should be generated only the first time a permission is exercised on the handle. The reason for the duplicate is unknown to me, so I prefer to count deletion events by ID 4660.

Judging by the field ProcessName = C:\Windows\explorer.exe, we know that the file was deleted locally.


The answer:

On 20.01.2010 at 13:09:58 user hdesk1 deleted the file H:\Test\Doc1.txt locally on server serv1.

 

Answer II

a) Once again we get started by finding out if there was any file deletion:

LogParser -o:csv -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings, 1, '|') AS USER, Extract_Token(Strings, 3, '|') AS LogonID, Extract_Token(Strings, 5, '|') AS HandleID INTO H:\LogParser\Event4660.txt FROM Security WHERE EventID = 4660 ORDER BY TimeGenerated DESC"

The output:

TimeGenerated,        EventID,  USER,  LogonID,    HandleID
2010-01-20 15:35:52,  4660,     jane,  0x1605225,  0x5414

We see that user jane deleted some file/folder on 20.01.2010 at 15:35:52.

b) And again we find out what exactly was deleted, when and by whom (noting that LogonID and HandleID should be the same as in the previous output):

TimeGenerated,  EventID,  USER,  LogonID,    ObjectName,          HandleID,  ProcessName,  AccessTYPE
15:35:52,       4663,     jane,  0x1605225,  H:\Test\DocNet.txt,  0x5414,    ,             0x10000

Here we see the name of the deleted object (H:\Test\DocNet.txt) and how it was deleted.

As the field ProcessName (or ImageName in Win2003) is empty, we know there was what I call a “network deletion”.

Look! This time there’s no 4663 event duplication!

In both preceding examples we didn’t use event 4656 (Handle Open), because we already know from event 4663 exactly what has been deleted.

The next step is to try to find out from what workstation the deletion has occurred.

At first we should search for the network logon event (4624) with the same LogonID (0x1605225) as in the events 4660 and 4663 (the ClientAddress column is taken from token 18 of the Strings field, which is the IpAddress of the 4624 event on Win2008):

LogParser -o:csv -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings, 3, '|') AS LogonID, Extract_Token(Strings, 5, '|') AS USER, Extract_Token(Strings, 8, '|') AS LogonTYPE, Extract_Token(Strings, 18, '|') AS ClientAddress INTO H:\LogParser\Event4624-NetworkLogon.txt FROM Security WHERE EventID = 4624 ORDER BY TimeGenerated DESC"

The output:

TimeGenerated,        EventID,  LogonID,    USER,    LogonTYPE,  ClientAddress
2010-01-20 15:45:18,  4624,     0x161475c,  SERV1$,  3,          127.0.0.1
2010-01-20 15:35:47,  4624,     0x1605225,  jane,    3,          10.1.2.102
2010-01-20 15:35:45,  4624,     0x16051d5,  jane,    3,          10.1.2.102

Note: If we add the expression [AND LogonID LIKE '%0x1605225%'] to the command above,
we’ll get an output with a single resulting row:

LogParser -o:csv -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings, 3, '|') AS LogonID, Extract_Token(Strings, 5, '|') AS USER, Extract_Token(Strings, 8, '|') AS LogonTYPE, Extract_Token(Strings, 18, '|') AS ClientAddress INTO H:\LogParser\Event4624-NetworkLogon.txt FROM Security WHERE EventID = 4624 AND LogonID LIKE '%0x1605225%' ORDER BY TimeGenerated DESC"

The output:

TimeGenerated,        EventID,  LogonID,    USER,  LogonTYPE,  ClientAddress
2010-01-20 15:35:47,  4624,     0x1605225,  jane,  3,          10.1.2.102

So, the answer is: On 20.01.2010 at 15:35:52 user “jane” deleted the file
H:\Test\DocNet.txt on server SERV1 from the workstation
with ip = 10.1.2.102.

Moreover, we can make use of the new event in Win2008 – 5140 – to learn from which shared folder this file was deleted:

LogParser -fullText:OFF -o:csv -tabs:ON "SELECT TimeGenerated, EventID, Extract_Token(Strings, 1, '|') AS USER, Extract_Token(Strings, 2, '|') AS DOMAIN, Extract_Token(Strings, 5, '|') AS Source-IP, Extract_Token(Strings, 7, '|') AS SHARE INTO H:\LogParser\SERV1-FileShare-5140.txt FROM SECURITY WHERE EventID = 5140 AND SHARE NOT LIKE '%IPC%' ORDER BY TimeGenerated DESC"

The output:

TimeGenerated,        EventID,  USER,       Source-IP,   SHARE
2010-01-20 16:12:50,  5140,     secretary,  10.1.2.49,   \\*\DiskD
2010-01-20 15:35:47,  5140,     jane,       10.1.2.102,  \\*\Test

…and to see when the given user logged off from the server Serv1 (i.e. at what time the network session (with LogonID = 0x1605225) of the user “jane” from ip = 10.1.2.102 to Serv1 ended):

TimeGenerated,        EventID,  USER,        LogonID,    LogonTYPE
2010-01-20 16:32:12,  4634,     jane,        0x1605225,  3
2010-01-20 16:16:24,  4634,     Consuser1,   0x14d6257,  3
2010-01-20 16:16:00,  4634,     OLGA-SR$,    0x16708c3,  3
2010-01-20 16:14:25,  4634,     secretary,   0x166e3b3,  3
2010-01-20 16:13:01,  4634,     ELENA-CHE$,  0x166e3a1,  3
2010-01-20 16:12:58,  4634,     jane,        0x15d8694,  3
2010-01-20 15:45:18,  4634,     SERV1$,      0x161475c,  3
2010-01-20 15:44:47,  4634,     manager,     0x1469e11,  3
2010-01-20 15:35:46,  4634,     jane,        0x16051d5,  3

So here is the final answer:

On 20.01.2010 at 15:35:47 user jane connected to the shared folder \\serv1\test from the workstation with ip = 10.1.2.102,  at 15:35:52 she deleted the file H:\Test\DocNet.txt  from \\serv1\test and closed the session at 16:32:12 (for example, closed the \\serv1\test shared folder’s window).
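The correlation performed by hand in Answers I and II (and laid out in schemes I and II above) can be automated once the LogParser exports exist. The following script is an added example, not code from the original article: it reads CSV extracts in the column layout of the article’s LogParser commands, walks each 4660 event to its matching 4663 by LogonID and HandleID, classifies the deletion as local or network by the Process/Image File Name field, and for a network deletion pulls the client address from 4624, the share from 5140 and the end of the session from 4634. The sample rows are constructed to mirror the article’s tables; the function and column names are this example’s own. It goes slightly beyond the article in one respect: instead of matching the string “0x10000” it tests the DELETE bit, so a combined access mask such as 0x10080 is recognised as well.

```python
import csv
import io

# The DELETE access right (0x10000), the bit the article filters 4663 events on.
DELETE_MASK = 0x10000

# Constructed sample data (not real exports): CSV extracts in the column
# layout written by the article's LogParser commands with -o:csv. The values
# are modelled on the article's own tables.
CSV_4660 = r"""TimeGenerated,EventID,USER,LogonID,HandleID
2010-01-20 15:35:52,4660,jane,0x1605225,0x5414
2010-01-20 13:09:58,4660,hdesk1,0x138b8d8,0xe4c
"""
CSV_4663 = r"""TimeGenerated,EventID,USER,LogonID,ObjectName,HandleID,ProcessName,AccessTYPE
2010-01-20 15:35:52,4663,jane,0x1605225,H:\Test\DocNet.txt,0x5414,,0x10000
2010-01-20 13:09:58,4663,hdesk1,0x138b8d8,H:\Test\Doc1.txt,0xe4c,C:\Windows\explorer.exe,0x10000
2010-01-20 13:09:58,4663,hdesk1,0x138b8d8,H:\Test\Doc1.txt,0xe4c,C:\Windows\explorer.exe,0x10000
"""
CSV_4624 = r"""TimeGenerated,EventID,LogonID,USER,LogonTYPE,ClientAddress
2010-01-20 15:45:18,4624,0x161475c,SERV1$,3,127.0.0.1
2010-01-20 15:35:47,4624,0x1605225,jane,3,10.1.2.102
2010-01-20 15:35:45,4624,0x16051d5,jane,3,10.1.2.102
"""
CSV_4634 = r"""TimeGenerated,EventID,USER,LogonID,LogonTYPE
2010-01-20 16:32:12,4634,jane,0x1605225,3
2010-01-20 16:12:58,4634,jane,0x15d8694,3
2010-01-20 15:35:46,4634,jane,0x16051d5,3
"""
CSV_5140 = r"""TimeGenerated,EventID,USER,Source-IP,SHARE
2010-01-20 16:12:50,5140,secretary,10.1.2.49,\\*\DiskD
2010-01-20 15:35:47,5140,jane,10.1.2.102,\\*\Test
"""


def load_csv(text):
    """Parse one LogParser CSV export into a list of row dicts keyed by column."""
    return list(csv.DictReader(io.StringIO(text)))


def has_delete_access(access_field):
    """True if the AccessTYPE field carries the DELETE bit (also for combined masks)."""
    try:
        return (int(access_field.strip(), 16) & DELETE_MASK) == DELETE_MASK
    except ValueError:
        return False


def trace_deletions(rows_4660, rows_4663, rows_4624, rows_4634, rows_5140):
    """Follow the article's scheme for every 4660 (object deleted) event and return
    one record per deletion: what, by whom, when, local/network, client, share, logoff."""
    records = []
    for deleted in rows_4660:
        logon_id = deleted["LogonID"].lower()
        handle_id = deleted["HandleID"].lower()
        # Step 2-2: the first 4663 with the same LogonID/HandleID and the DELETE bit
        # names the object and the process. Taking only the first one makes the
        # duplicated 4663 the article observed for local deletions harmless.
        access = next((a for a in rows_4663
                       if a["LogonID"].lower() == logon_id
                       and a["HandleID"].lower() == handle_id
                       and has_delete_access(a["AccessTYPE"])), None)
        rec = {"time": deleted["TimeGenerated"], "user": deleted["USER"],
               "logon_id": deleted["LogonID"],
               "object": access["ObjectName"] if access else None,
               "process": access["ProcessName"].strip() if access else ""}
        if access is None:
            rec["kind"] = "unknown"   # no matching 4663: the object name is not recoverable
        elif rec["process"]:
            rec["kind"] = "local"     # Process/Image File Name filled in
        else:
            rec["kind"] = "network"   # empty process name: the access came over a share
        if rec["kind"] == "network":
            # Step 1-1: the network logon (type 3) with the same LogonID gives the client.
            logon = next((l for l in rows_4624
                          if l["LogonID"].lower() == logon_id and l["LogonTYPE"] == "3"), None)
            rec["client_ip"] = logon["ClientAddress"] if logon else None
            # Step 3: the logoff with the same LogonID ends the session.
            logoff = next((l for l in rows_4634 if l["LogonID"].lower() == logon_id), None)
            rec["logoff_time"] = logoff["TimeGenerated"] if logoff else None
            # Step 1-2 (Win2008 only): the most recent 5140 from the same user and
            # address, not later than the deletion, names the share that was used.
            shares = [s for s in rows_5140
                      if s["USER"] == deleted["USER"]
                      and s["Source-IP"] == rec["client_ip"]
                      and s["TimeGenerated"] <= deleted["TimeGenerated"]]
            rec["share"] = max(shares, key=lambda s: s["TimeGenerated"])["SHARE"] if shares else None
        records.append(rec)
    return records


def describe(rec):
    """Render one record as the kind of sentence the article ends each answer with."""
    if rec["kind"] == "network":
        return ("On {time} user {user} deleted {object} over the network from {client_ip} "
                "via share {share}; the session ended at {logoff_time}.").format(**rec)
    if rec["kind"] == "local":
        return "On {time} user {user} deleted {object} locally with {process}.".format(**rec)
    return "On {time} user {user} deleted an object (no matching 4663 found).".format(**rec)


if __name__ == "__main__":
    for rec in trace_deletions(load_csv(CSV_4660), load_csv(CSV_4663),
                               load_csv(CSV_4624), load_csv(CSV_4634), load_csv(CSV_5140)):
        print(describe(rec))
```

To use it on real exports, replace the embedded strings with the contents of the files the LogParser commands write to H:\LogParser\ (the 4624 export must include the ClientAddress column). Matching on LogonID plus HandleID rather than on time alone is what keeps two users deleting files in the same second from being confused with each other.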


2 responses

  1. It’s really an awesome and very informative blog-post.
    Though, due to not much technical awareness, I use an automated solution named Lepideauditor for file server (http://www.lepide.com/file-server-audit/ ) that works great for me and audits all changes made in file server even at granular level. It provides the collected data into real time.
    However, I am sure this blog could be a fantastic approach in future prospective.

    1. Denial Parl, thank you so much – I’m happy my articles can be of some help!
      And I’d like to thank you for the Lepideauditor – I did not know about it. It’s always more pleasant to work with a graphical tool than type commands into a console.
