File System Auditing - Who Deleted My File (and Why)?

File System Auditing - Who Deleted My File (and Why)? | Security | Chicago IT | Equilibrium |

When IT admins receive a file restore request after an “accidental” file deletion, there may be no answer available as to who deleted the file. The file is typically restored from last night’s backup and the ticket is closed. The root cause of the issue is never found out: Who deleted the file (and Why)?

How do we fix this operational and security issue and prevent it from happening in the first place?

Windows servers have included built-in file system auditing features for years.

However, configuring, monitoring and maintaining these raw event logs is time consuming with minimal benefit, in practice.


Setting up Native File System Auditing in Windows

  1. Windows file system auditing first requires that auditing of object access attempts be enabled, via the local or domain security policy settings:

    1st file system audit

  2. Next, each folder's auditing settings must be modified to include the users you wish to audit. For example, the image below shows that "everyone" who accesses the finance folder will be audited.

    2nd file system audit

  3. Once auditing is enabled, events will appear in the security event container on that local server. 3rd file system audit

  4. The file system auditing events must be opened up individually to inspect their contents (the interface is a bit better in Server 2008 and 2012).

    4th file system audit


  5. There are some filtering capabilities available if you know which user you're interested in, but there is nothing for directory name, file type, and "delete" events. This shows the limited return on time invested.

    5th file system audit


For organizations that are serious about network security and file system auditing, a third party solution is a must. This will allow an organization to collect and manage the logs effectively as well as leverage intelligence, reports and altering.

Of the solutions available on the market, Varonis' DatAdvantage has been recognized by Gartner in the category of file system auditing category. This software helps in IT areas such as help desk troubleshooting, security forensics, recurring account reviews and annual formal audits.

With Varonis, you will be able to easily answer the following questions:

  • Who has been accessing this folder?
  • What data has this user been accessing?
  • Who sent emails to whom?
  • Who deleted these files?
  • Where did those files go?

Below is a screenshot of the interface with the tree of folders on the left (click to zoom):

screenshot of interface
Screenshot of Interface


To learn more about Varonis, download their whitepaper: Accelerating Audits with Automation.

To mature your overall security program, contact Equilibrium for a free consultation to discuss how a Security Assessment will help. Visit our Security Practice homepage and email us at .

Author: Todd Bey

Follow EQ:

EQ Linked-In | Security | Chicago IT | Equilibrium IT |  EQ Facebook | Security | Chicago IT | Equilibrium IT |  EQ Google+ | Security | Chicago IT | Equilibrium IT |  EQ Twitter | Security | Chicago IT | Equilibrium IT |


Questions?  Call us today in Chicago at 773-205-0200 | Email us at  | Request a FREE Consultation


Contact Us

Call today! 773.205.0200 or use the form below.