November 23, 2010

Investigating deleted files on MS file servers

If you've dealt with issues related to users deleting (probably accidentally) shared files and not saying a word about it, then you've probably also dealt with another user wanting to restore these files and finding out who did the "bad thing".

You of course need to have object access auditing turned on for your share. If you do, you'll need to look for two events in your Security log, Event ID 560 and Event ID 564. Search the log for Event ID 560 and enter the filename (or part of it) in the "description" field.

This is what 560 looks like (long story short: it shows the file name and the user who modified the file in question):

Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        DD/MM/YYYY <===== Modification DATE
Time:        HH:MM:SS <===== Modification TIME
User:        YOURDOMAIN\USER <===== USER NAME of the user who made the change
Object Open:
     Object Server:    Security
     Object Type:    File
     Object Name:    D:\SiteShare\MyFolder\MyFile.docx <===== PATH and FILE NAME
     Handle ID:    666 <===== HANDLE ID
     Operation ID:    {0,2XXXXXXXXX}
     Process ID:    4
     Image File Name:    
     Primary User Name:    SERVER_HOSTNAME$
     Primary Domain:    YOURDOMAIN
     Primary Logon ID:    (0x0,0x2XX)
     Client User Name:    USER
     Client Domain:    YOURDOMAIN
     Client Logon ID:    (0x0,0xBXXXXXX)
     Accesses:    DELETE
     Privileges:    -
     Restricted Sid Count:    0
     Access Mask:    0x10080

And here is 564. It does not contain the file name, but it confirms the deletion of an object, which is why we'll usually need to search for 560 first:

Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    564
Date:        DD/MM/YYYY <===== Modification DATE
Time:        HH:MM:SS <===== Modification TIME
User:        YOURDOMAIN\USER <===== USER NAME of the user who made the change
Object Deleted:
     Object Server:    Security
     Handle ID:    666 <===== HANDLE ID
     Process ID:    4
     Image File Name:

Looking at these two events, you will notice that they have the same Handle ID and usually the same date and time, although in some cases 564 can be logged much later than 560.

Event ID 560 is logged whenever a program opens an object that has auditing enabled.

Event ID 564 is logged upon object deletion.
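The correlation described above (find the 560 that opened the file with DELETE access, then confirm it with the 564 carrying the same Handle ID and Process ID) is easy to automate once the Security log has been saved as text. The script below is an added example, not code from the original post; it runs over a constructed sample in the exported layout shown above (the records, the user names and the timestamps are made up), and it pairs each 564 with the most recent matching 560 because handle IDs are reused once a handle is closed. Opens that lack the DELETE bit in the Access Mask (such as the read-only open in the sample) are ignored, since they could not have deleted anything.

```python
from typing import Dict, List

# Constructed sample in the layout Event Viewer produces when a Security log is
# saved as text (2003-era 560/564 auditing). Not real records: one handle opened
# with DELETE and then deleted, plus an unrelated read-only open of the same file.
SAMPLE_LOG = """\
Event Type:    Success Audit
Event ID:    560
Date:        23/11/2010
Time:        10:15:02
User:        YOURDOMAIN\\alice
Object Open:
     Object Type:    File
     Object Name:    D:\\SiteShare\\MyFolder\\MyFile.docx
     Handle ID:    666
     Process ID:    4
     Accesses:    DELETE
     Access Mask:    0x10080

Event Type:    Success Audit
Event ID:    560
Date:        23/11/2010
Time:        10:15:05
User:        YOURDOMAIN\\bob
Object Open:
     Object Type:    File
     Object Name:    D:\\SiteShare\\MyFolder\\MyFile.docx
     Handle ID:    702
     Process ID:    4
     Accesses:    ReadData (or ListDirectory)
     Access Mask:    0x1

Event Type:    Success Audit
Event ID:    564
Date:        23/11/2010
Time:        10:15:02
User:        YOURDOMAIN\\alice
Object Deleted:
     Handle ID:    666
     Process ID:    4
"""

DELETE_BIT = 0x10000  # the DELETE right in the Access Mask (0x10080 on the page = DELETE | READ_ATTRIBUTES)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split exported event text into blank-line separated records of field -> value."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        # partition on the first colon only, so "D:\..." paths and "HH:MM:SS" times survive
        name, sep, value = line.strip().partition(":")
        if sep:  # section headers like "Object Open:" simply get an empty value
            current[name.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def find_deleters(text: str, filename_fragment: str) -> List[Dict[str, str]]:
    """Pair each 560 that opened a matching file with DELETE access with the 564
    (object deleted) that carries the same Handle ID and Process ID, in log order."""
    pending: Dict[tuple, Dict[str, str]] = {}
    results: List[Dict[str, str]] = []
    for rec in parse_records(text):
        key = (rec.get("Handle ID"), rec.get("Process ID"))
        if rec.get("Event ID") == "560":
            if filename_fragment.lower() not in rec.get("Object Name", "").lower():
                continue
            mask = int(rec.get("Access Mask", "0"), 16)
            if mask & DELETE_BIT:  # only opens that could delete are worth tracking
                pending[key] = rec  # a later open with a reused handle id replaces an older one
        elif rec.get("Event ID") == "564" and key in pending:
            opened = pending.pop(key)
            results.append({"user": opened["User"], "file": opened["Object Name"],
                            "handle": opened["Handle ID"],
                            "deleted_at": f'{rec["Date"]} {rec["Time"]}'})
    return results


if __name__ == "__main__":
    for hit in find_deleters(SAMPLE_LOG, "MyFile.docx"):
        print(f'{hit["user"]} deleted {hit["file"]} at {hit["deleted_at"]} (handle {hit["handle"]})')
```

A 560 that stays in `pending` at the end of the log is an open with DELETE access that was never confirmed by a 564 in the exported range; given that 564 can be logged much later than 560, that is the case to widen the export window for rather than a reason to name the user.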

Voila! You've found the guilty one :)