Solving The Mystery - Who Deleted That File

Have you ever experienced a scenario, where a file has been deleted from a machine and you are wondering who deleted the file and had no idea who was the culprit? Good luck! In this article, I will try to explain a technique available on the Windows machine to find out who deleted the file.

Motivation

The urge for writing this article comes from an issue in our production environment and it might be useful for readers if ever they encounter such an issue. Our problem started when one of our production servers went out of the load balancer. We had recently deployed an Asp.net core 2.x application, which was deployed as a Self-Contained Application. In a self-contained deployment, the complete .net core framework is bundled in a folder and it also includes your asp.net core Exe which is launched by the IIS server. In our scenario, the exe was being deleted, which was causing 502.5 process error as the Host Process couldn't be started. Since the production server has restricted access, it wasn't possible that a user was deleting the file. It was a sporadic delete operation and happened on some servers while others were working fine. This was the inspiration for identifying how the exe was getting deleted. If you are interested in more details, then refer the GitHub issue.

If you couldn't follow the above reasoning, you may be able to possibly relate to the following scenario where the need to find out who deleted the file is important.

• A Shared folder among the team has certain files deleted.
• The deployed application is missing certain files.

What does Windows OS offer?

Windows offers the built-in Audit feature using various policies which allow us to audit the access requests, audit login, process tracking, and more.

How to know who deleted the file?

The following 3 step process would help us in identifying who deleted the file.

1. Turn on the File Auditing Process on the System.
2. Configure the Audit process on the File/Folder to be monitored.
3. Verify the Audit Logs to get details of who deleted the file.

Note
You will require the Admin permissions on the machine where the File Auditing needs to be set up.

Let's dig into these steps further in detail.

Turn on the File Auditing Process on the System.

Operating Systems offers the functionality to track various file operations. These features are configurable and can be turned Off/On using Policies. Windows uses the concepts of Policies to manage various settings which influence what can be done on the machine.

Wikipedia defines the Group Policy as, "a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts."

There are Group Policies which apply to all computers in a domain and Local Policies which apply to the local computer only. Group Policies are configured by Network admins. In this instance, we are going to change the Local Policy. Please note that windows Policies wouldn't work for Windows Home edition. You need to have a professional or enterprise edition of Windows.

• Navigate to the System which needs monitoring and opens the Local Group Policy Editor by either entering gpedit.msc in the Run menu or typing in Group Policy in the Windows Search.

The Local Group Policy will appear as shown below.

• Select the Object Access Section on the left tree, by navigating to Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -Local Group Policy Object -> Object Access
  
  
• Select the Subcategory for Audit File System, and then right click or double click on the subcategory. Another window pops-up, Audit File System Properties. Check the Checkboxes for the Success and Failure conditions under the Condition the following event for checkbox as shown below.

With the above-mentioned steps, we have enabled the File System Auditing on the Operating System. Next, we will explore how to set up logging for the Folder which needs to be monitored.

Configure the Audit process on the File/Folder to be monitored.

Basically, in this step, we will define what kind of File System Access (Read/Write/Delete) needs to be monitored and what Users & Roles need to be tracked. 

• Select the folder in the Windows Explorer which needs to be monitored for the file deletion.
• Right click on the folder, go to properties, Navigate to Security Tab and then click on the Advanced button as shown below.

• A dialog named *Advanced Security Settings for * would open. Go to Auditing Tab, and then click Continue. Note: You must be an administrator to define the Auditing policy.

• Next, add the Audit entry by clicking the Add Button as shown below. This will open up another dialog for adding the Auditing entry.

• Define who or which user should be monitored by entering the information in the principal. Since we are trying to find out who deleted the file, we will add Everyone.

 

• Next, Select the Type drop-down. We may select "Success" only for a successful file deletion operation or "Select All" if we want to monitor Success along with the Failure operation.

Also, select what permissions need to be audited. Since we are looking for the Delete operation, we need to click on the "Show Advanced Permission" link and then select "Delete & Delete Subfolders and Files" checkbox and click OK button as shown below.

• Once we complete the above step, the Audit Entry should include an entry to audit an attempt to deleting a file by anyone on the machine. Click "Apply" and close the dialog.

Verify the Audit Logs to get details of who deleted the file.

We have set up the Audit Policy on the Operating System and the folders in the above steps. Now, it's the time for action. The File Audit Policy will monitor and once the file is deleted from the folder along with the entry being logged into the Event Viewer. The following steps would provide more details on how to find the entry in the Event Viewer.

For demonstration purposes, I will be deleting a few files under the folder D:\FileAudit\Demo.

• Open the Event Viewer.
  
  eventvwr.msc is the shortcut command for launching the Event Viewer from the Run menu.
  
  
• All the "File Audit" entries would be logged to the Security log. So, navigate to the Security log, as shown below.

• Since there are a lot of events in the Security log and we are only interested in file deletion, we will filter the event viewer log by the event ID. Right click on the "Security" log on the left tree and select filter log. A new dialog window would open as shown below. Enter the Event ID 4660 & 4663 to filter. This helps us narrow down the results in the event viewer and we can look for relevant information.

What are Event IDs 4660 and 4663

4660 - This event is generated when an object is deleted. 4663 - This event indicates that a specific operation was performed on an object.

• We can click on a Row in the event viewer and get the detail in the Preview pane as shown below. The below event shows the event 4663, which details who accessed the object. We can see user Abhinav tried to access the file. Additional details like time and access result (success/failure) are also mentioned.

We can also see the object name as shown in below screenshot which was accessed. The file at location D:\FileAudit\Demo\New Text Document.txt was accessed.

• Next, we will move to event 4060 which is the event we are actually interested in and is related to the deletion of the file. As can be seen in the below screenshot, the details of the Event describe that an object was deleted, and the Subject details provide who deleted the file. Account name and Account domain provide the relevant information and helps in identifying the culprit.

We can get more details of the event by double-clicking the event. In the following screenshot, we can see that the Windows explorer process was used to delete the File by User Abhinav Galodha.

 

So, finally, we tracked who deleted the file.

This article provides a technique to add the File Auditing on the machine and then steps to identify the user who deleted the file. This technique can be extended to a similar scenario like "Who has made an unsuccessful attempt to delete a file". Also, there are various other file permissions which can be audited. Additionally, we can attach the task to an event ID. As an example, we can add a task to send the email whenever we see the file has been deleted. The event viewer is a handy tool to gather information on the System.