Forum Newbie
Group: Forum Members
Hi all,
I am trying to track a particular folder, where any deletion of files under that folder will be reported.
I did a sample test and realized that a file deletion process consists of the events 560, 564 and then 562.
So event 564 is straightforward and tells you that something has been deleted by a user, but it doesn't tell you what has been deleted!? Therefore I am trying to correlate and tie this event 564 to event 560 because it contains the details of the file. I'm trying to do this by looking at the handle ID and the User field.
However, there can be scenarios where a user accesses a file now and generates event 560, and a few hours later the user decides to delete the file, which will generate event 564. In between this period there can be multiple events of 560 generated by this user.
So I would appreciate it if anyone can provide some advice on how to determine that a file has been deleted and how I can accurately determine what file has been deleted and by which user.
I am trying to correlate and tie event 564 to the corresponding 560 but am not confident that it is correct...
Thanks in advance.
Forum Newbie
Group: Forum Members
Hi,
I just did a few tests, and if I'm not wrong, event code 560 is generated together with event 564 whenever a file is being deleted. So if I see event 564, looking at the nearest event 560 (usually within the same timestamp) with the same handle ID tells me the object name that was deleted?
Please correct me if I'm wrong.. thanks.
Expert
Group: Administrators
You got it. You could also look first for the 560, filename, and DELETE and assume it was deleted because it would be very unusual that a program requested delete access and never used it. To confirm it was actually deleted go forward in the log looking for 564 with the same handle ID.
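The correlation described in this thread, as an added example that is not code from the original posts: it walks 560/562/564 records in log order, keeps the most recent 560 per handle ID (handle IDs are reused once closed, which is why the nearest preceding 560 is the right one), reports the object name and user when a 564 arrives for that handle, and also flags whether the 560 requested DELETE access. The record layout and the sample events are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    event_id: int             # 560 = Object Open, 562 = Handle Closed, 564 = Object Deleted
    time: str                 # log timestamp, kept as text for the report
    handle_id: str            # "Handle ID" field shared by 560/562/564 of one open
    fields: dict = field(default_factory=dict)   # remaining fields of a 560 record

def correlate_deletions(events, folder):
    """Return one report dict per 564 whose handle ID maps to the most recent
    open 560 on an object under `folder`. `events` must be in log order."""
    open_handles = {}   # handle_id -> the 560 Event that opened it
    reports = []
    for ev in events:
        if ev.event_id == 560:
            # A handle ID is reused after close, so a newer 560 replaces an older one
            open_handles[ev.handle_id] = ev
        elif ev.event_id == 564:
            opened = open_handles.get(ev.handle_id)
            if opened is None:
                continue   # 564 without a visible 560: nothing to name, skip it
            name = opened.fields["Object Name"]
            if name.lower().startswith(folder.lower()):
                reports.append({
                    "time": ev.time,
                    "user": f'{opened.fields["Primary Domain"]}\\{opened.fields["Primary User Name"]}',
                    "object": name,
                    # the Expert's heuristic: DELETE access was requested at open time
                    "delete_requested": "DELETE" in opened.fields["Accesses"].split(),
                })
        elif ev.event_id == 562:
            open_handles.pop(ev.handle_id, None)   # handle closed, ID free for reuse
    return reports

# Constructed sample log: alice reads a file, the handle closes, bob later reuses
# the same handle ID to open another file with DELETE access and deletes it.
SAMPLE_EVENTS = [
    Event(560, "09:00:00", "0x1A4", {"Object Name": r"C:\Share\report.docx", "Primary User Name": "alice",
                                     "Primary Domain": "CORP", "Accesses": "READ_CONTROL ReadData"}),
    Event(562, "09:00:01", "0x1A4"),
    Event(560, "11:30:00", "0x1A4", {"Object Name": r"C:\Share\old.txt", "Primary User Name": "bob",
                                     "Primary Domain": "CORP", "Accesses": "DELETE READ_CONTROL"}),
    Event(564, "11:30:00", "0x1A4"),
    Event(562, "11:30:00", "0x1A4"),
]

if __name__ == "__main__":
    for r in correlate_deletions(SAMPLE_EVENTS, r"C:\Share"):
        print(r)
```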