﻿<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 564 - Object Deleted </title><generator>InstantForum.NET v4.1.4</generator><description>UltimateWindowsSecurity.com Forum</description><link>http://forum.ultimatewindowssecurity.com/</link><webMaster>noreply@ultimatewindowssecurity.com</webMaster><lastBuildDate>Tue, 07 Feb 2012 12:04:28 GMT</lastBuildDate><ttl>20</ttl><item><title>How to determine and correlate events that a file has been deleted?</title><link>http://forum.ultimatewindowssecurity.com/Topic550-40-1.aspx</link><description>Hi all,&lt;br&gt;I am trying to track a particular folder, where any deletion of files under that folder will be reported.&lt;br&gt;&lt;br&gt;I did a sample test and realized that a file deletion process consists of the events 560, 564 and then 562.&lt;br&gt;&lt;br&gt;So event 564 is straightforward and tells you that something has been deleted by a user, but it doesn't tell you what has been deleted!? Therefore I am trying to correlate and tie this event 564 to event 560 because it contains the details of the file. I'm trying to do this by looking at the handle ID and the User field.&lt;br&gt;&lt;br&gt;However, there can be scenarios where a user accesses a file now and generates event 560, then a few hours later the user decides to delete the file, which will generate event 564. In between this period there can be multiple 560 events generated by this user.&lt;br&gt;&lt;br&gt;So I would appreciate it if anyone can provide some advice on how to determine that a file has been deleted, and how I can accurately determine which file has been deleted and the user.&lt;br&gt;&lt;br&gt;I am trying to correlate and tie event 564 to the corresponding 560 but am not confident that it is correct...&lt;br&gt;&lt;br&gt;Thanks in advance.</description><pubDate>Fri, 14 Jan 2011 04:27:13 GMT</pubDate><dc:creator>Jer06</dc:creator></item><item><title>Logging for workstations in a Windows domain</title><link>http://forum.ultimatewindowssecurity.com/Topic478-40-1.aspx</link><description>We want to monitor access to secure files on workstations. We'll be looking for attempts to delete objects as well as attempts to open them. &lt;/P&gt;&lt;P&gt;If the file is on a workstation that is part of a domain, do the object access attempts and object deleted messages show up on the domain controller or will they only show up on the workstation? &lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Amy (altoflyer)</description><pubDate>Mon, 27 Sep 2010 14:07:44 GMT</pubDate><dc:creator>altoflyer</dc:creator></item><item><title>Object Created</title><link>http://forum.ultimatewindowssecurity.com/Topic397-40-1.aspx</link><description>Randy,&lt;br&gt;&lt;br&gt;Is there an Object Created EVID?&lt;br&gt;&lt;br&gt;Thx,&lt;br&gt;Jeff</description><pubDate>Mon, 28 Jun 2010 17:19:38 GMT</pubDate><dc:creator>jwalzer</dc:creator></item></channel></rss>
