How did the file get deleted and what to do about it.

  • General / background on file structures and identification of deleted files
  1. NIST - white paper describing 'Active File Identification & Deleted File Recovery'
  2. PC-based tools for file recovery (such as Recuva)
    1. Reviewed at
    2. Previous Files Recovery by NirSoft
  3. PC tools for secure file deletion approach the same issue from the other side (making sure a deleted file cannot be recovered). See the explanation provided by Mark Russinovich of Microsoft of how Secure Delete works at
  • Event Logs
  1. Create a Local Security Policy entry under Audit Policy to Audit Object Access - this writes the events to the Security Event Log
  2. Enable auditing for a User/Group, and enable it on the folder that you want to track
    1. An old (2006) but good overview of the process:
    2. Initial setup of Windows Security Auditing
      1. Advanced Security Audit Policy Settings
    3. Tracking down who removed files
    4. Steps in the process
      1. Create the auditing policy (Audit object access in Security Settings / Local Policies / Audit Policy)
      2. "Success" is what you will monitor, i.e. a successful deletion of a file or folder
      3. Auditing can be enabled for a specific User or Group (or just default to Everyone)
      4. On the top-level folder to track: Properties / Security / Advanced / Auditing (admin access?) / Add the events to audit ... and apply to sub-folders and files
      5. Use the Security Event Log to monitor (filtering the results will be important)
    5. Event Log Explorer (free for personal use)
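The steps above, carried through as an added PowerShell example (not from the original page or from any of the tools it links): enable the audit subcategory, put the audit entry on a folder, then pull the deletion events out of the Security log. The folder path and principal are assumptions; run it from an elevated prompt.

```powershell
# Added example: object-access auditing for file deletions.
$Folder    = 'C:\Shares\Projects'   # hypothetical folder to track (assumption)
$Principal = 'Everyone'             # or a specific user/group (assumption)

# Step 1: audit policy. "File System" is the advanced-policy subcategory behind
# "Audit object access"; only Success is needed to see completed deletions.
auditpol.exe /set /subcategory:"File System" /success:enable

# Step 2: audit entry (SACL) on the folder, inherited by sub-folders and files.
$rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $Folder -Audit      # -Audit is required to read/write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Step 3: filter the Security log. Object access is noisy, so keep only
# event 4663 ("an attempt was made to access an object") whose AccessMask
# carries the DELETE bit (0x10000) and whose object sits under the folder.
# Event 4660 ("an object was deleted") shares the HandleId if you need to confirm.
function Get-FileDeletionEvents {
    param([string]$PathPrefix = $Folder, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -like "$PathPrefix*" -and
            (([int]$d.AccessMask) -band 0x10000) -ne 0) {
          [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Process = $d.ProcessName
            Handle  = $d.HandleId
          }
        }
      }
}

Get-FileDeletionEvents | Format-Table -AutoSize
```

Note that 4663 is logged when a handle is opened with DELETE access, so the same event also covers renames and moves; correlate with 4660 on the HandleId when you need proof that the object was actually removed.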

    See also Computer Forensics Tools
