How to determine and correlate events that a...
Posted 1/14/2011 4:27:13 AM
Forum Newbie


Group: Forum Members
Last Login: 1/17/2011 10:35:44 PM
Posts: 5, Visits: 4
Hi all,
I am trying to track a particular folder, where any deletion of files under that folder will be reported.

I did a sample test and realized that a file deletion process consists of the events 560, 564 and then 562.

So event 564 is straightforward and tells you that something has been deleted by a user, but it doesn't tell you what has been deleted!? Therefore I am trying to correlate and tie this event 564 to event 560, because it contains the details of the file. I'm trying to do this by looking at the handle ID and the User field.

However, there can be scenarios where a user accesses a file now and generates event 560, and a few hours later the user decides to delete the file, which generates event 564. In between, there can be multiple 560 events generated by this user.

So I would appreciate it if anyone can give some advice on how to determine that a file has been deleted, and how I can accurately determine which file was deleted and by which user.

I am trying to correlate and tie event 564 to the corresponding 560, but I am not confident that it is correct...

Thanks in advance.
Post #550
Posted 1/17/2011 10:23:14 PM
Forum Newbie


Group: Forum Members
Last Login: 1/17/2011 10:35:44 PM
Posts: 5, Visits: 4
Hi,

I just did a few tests, and if I'm not wrong, event code 560 is generated together with event 564 whenever a file is deleted. So if I see event 564, looking at the nearest event 560 (usually with the same timestamp) with the same handle ID tells me the object name that was deleted?

Please correct me if I'm wrong... thanks.
Post #553
Posted 2/10/2011 10:15:16 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
You got it. You could also look first for the 560 with the filename and DELETE access, and assume it was deleted, because it would be very unusual for a program to request delete access and never use it. To confirm it was actually deleted, go forward in the log looking for a 564 with the same handle ID.
Post #585
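The correlation the thread settles on, as an added example that is not from any poster: each 564 is paired with the most recent 560 carrying the same Handle ID (handle values are reused once closed, so only the latest open counts), 560s that requested DELETE but never produced a 564 are reported separately, and 564s with no visible 560 are flagged as a log gap. The records are constructed and simplified to the fields the thread discusses; they are not real exported events.

```python
from dataclasses import dataclass

@dataclass
class Event:
    ts: int               # constructed timestamp (seconds)
    event_id: int         # 560 = handle opened, 562 = handle closed, 564 = object deleted
    handle_id: str        # Handle ID field shared by 560/562/564
    user: str = ""        # 560 Primary User Name; empty on 562/564
    object_name: str = "" # 560 Object Name
    accesses: tuple = ()  # 560 Accesses field, split into access names

def correlate_deletions(events):
    """Return (confirmed, unconfirmed, unmatched) lists.

    confirmed   - (ts, user, object_name) for a 564 matched to an open 560
    unconfirmed - (ts, user, object_name) for a 560 with DELETE access but no 564
    unmatched   - handle IDs of 564 events with no open 560 (gap or rotation)
    """
    open_handles = {}  # handle_id -> most recent 560; stable sort keeps ties in log order
    confirmed, unconfirmed, unmatched = [], [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == 560:
            open_handles[ev.handle_id] = ev   # a reused handle value replaces the old open
        elif ev.event_id == 564:
            opener = open_handles.pop(ev.handle_id, None)
            if opener is None:
                unmatched.append(ev.handle_id)
            else:
                confirmed.append((ev.ts, opener.user, opener.object_name))
        elif ev.event_id == 562:
            # 562 after a 564 finds nothing to pop; 562 without a 564 means the
            # handle was closed, so any DELETE access requested was never used
            opener = open_handles.pop(ev.handle_id, None)
            if opener is not None and "DELETE" in opener.accesses:
                unconfirmed.append((opener.ts, opener.user, opener.object_name))
    # handles still open at end of the window: delete requested, not yet confirmed
    for opener in open_handles.values():
        if "DELETE" in opener.accesses:
            unconfirmed.append((opener.ts, opener.user, opener.object_name))
    return confirmed, unconfirmed, unmatched

SAMPLE = [  # constructed records, not a real security log
    Event(100, 560, "0x1a4", "alice", r"C:\share\a.txt", ("READ_CONTROL", "SYNCHRONIZE")),
    Event(101, 562, "0x1a4"),                       # read-only open, closed, no delete
    Event(200, 560, "0x1a4", "alice", r"C:\share\b.txt", ("DELETE", "READ_CONTROL")),
    Event(200, 564, "0x1a4"),                       # same handle value reused, now deleted
    Event(200, 562, "0x1a4"),
    Event(300, 564, "0x2b0"),                       # no 560 in this window
    Event(400, 560, "0x3c0", "bob", r"C:\share\c.txt", ("DELETE",)),  # no 564 yet
]
```

Running `correlate_deletions(SAMPLE)` attributes only `b.txt` to alice as a confirmed deletion, lists bob's `c.txt` as requested-but-unconfirmed, and reports handle `0x2b0` as unmatched.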