Track deleted

General discussion related to "Everything".
CrxtJ7tOs4Iq
Posts: 28
Joined: Wed Jan 14, 2015 2:19 pm

Track deleted

Post by CrxtJ7tOs4Iq »

I am trying to come up with a way to track deleted items. I have been looking around and coming up empty-handed. Is there a way to do this inside of Everything search, or am I going to have to use the command line to dump to file and compare?

This is something I would like to track over time.
Thank you.
NotNull
Posts: 5461
Joined: Wed May 24, 2017 9:22 pm

Re: Track deleted

Post by NotNull »

CrxtJ7tOs4Iq wrote: I have been looking around and coming up empty-handed.
Search for "parse USN journal" in your favourite search engine; quite a few tools pop up.
CrxtJ7tOs4Iq wrote: Is there a way to do this inside of Everything search
This is not possible with the current version of Everything, but ...
it *is* on the to-do list to show deleted files some time after they are deleted (can't find that thread right now).
CrxtJ7tOs4Iq wrote: This is something I would like to track over time.
Be careful what you wish for!
Run this script as administrator to get an idea how many files get deleted on your C: drive in a short period of time (every line is a deleted file):
EDIT: This script does not work on Win7 and lower (thanks to @Stamimail for pointing it out).

GetDeleted.cmd


@echo off
setlocal
rem Run elevated: reading the USN change journal needs administrator rights.
rem Work in the folder the script lives in, so the output lands next to it.
pushd "%~dp0"
set OUTPUT=DeletedItems.csv

rem Column header matching the csv output of "fsutil usn readjournal".
echo Usn,File name,File name length,Reason nr,Reason,Time stamp,File attributes #,File attributes,File ID,Parent file ID,Source info nr,Source info,Security ID,Major version,Minor version,Record length,Number of extents,Remaining extents,Extent,Offset,Length > "%OUTPUT%"

rem Dump the whole change journal of C: as csv and keep only the records
rem whose Reason column contains "File delete" (case-insensitive match).
fsutil usn readjournal c: csv | findstr /i /C:"file delete" >> "%OUTPUT%"

echo.
echo.
echo output is in "%CD%\%OUTPUT%"
echo.
pause

On my system it took about one minute for the script to complete.
CrxtJ7tOs4Iq
Posts: 28
Joined: Wed Jan 14, 2015 2:19 pm

Re: Track deleted

Post by CrxtJ7tOs4Iq »

Thank you.
You gave me a lot to think about and look into.

The drive that I am monitoring is a file server, so there is not near the traffic that we see on a Windows C: drive.
NotNull
Posts: 5461
Joined: Wed May 24, 2017 9:22 pm

Re: Track deleted

Post by NotNull »

CrxtJ7tOs4Iq wrote: Thank you.
You gave me a lot to think about and look into.
Another thought that just sprung (?) to mind: you could also enable and configure auditing on your file server and audit the selected files/folders for deletion:
[Attachment: 2018-08-22 18_08_53-Auditing Entry for Tools.png]
Files that are deleted will then show up in the Event Log of your server (including the user account that was responsible for it).
There are a lot of Event Log analyzers/filters out there that can narrow this down to what you want (PowerShell is surprisingly good at it).


This is an interesting question. Please keep us posted with your progress!
CrxtJ7tOs4Iq
Posts: 28
Joined: Wed Jan 14, 2015 2:19 pm

Re: Track deleted

Post by CrxtJ7tOs4Iq »

We actually already do this, and ship the event logs off to an event log forwarder server.
But the amount of data I collect is an annoying amount. I was hoping for a clean little way via the command line.
I have actually achieved this very easily at small scale (100,000+ files), but the problem arises when monitoring tens of millions of files: the ES files become too large at 1 GB+,
and at that point I have a hard time comparing two large files.
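The large-file comparison problem in the last post, as an added example that is not code from the thread or from voidtools: a Python merge join over two ES path dumps. It assumes one full path per line and that both dumps were sorted beforehand with the same tool and options; under that assumption it finds the deleted entries in a single pass, holding one line of each file in memory, so passing two open 1 GB+ files works the same as the small constructed lists at the bottom.

```python
"""Find deleted paths by merge-joining two sorted Everything (ES) dumps.
Added example, not from the thread. Assumes one full path per line and
both dumps sorted with the same tool and options; then both inputs are
read once, one line of each in memory, so 1 GB+ files are no problem.
"""
from typing import Iterable, Iterator


def _lines(src: Iterable[str]) -> Iterator[str]:
    """Strip line endings and skip blank lines."""
    for line in src:
        line = line.rstrip("\r\n")
        if line:
            yield line


def deleted_paths(old: Iterable[str], new: Iterable[str]) -> Iterator[str]:
    """Yield paths in `old` absent from `new`; inputs must be sorted by
    plain string comparison (an unsorted input raises instead of lying)."""
    old_it, new_it = _lines(old), _lines(new)
    o, n = next(old_it, None), next(new_it, None)
    last_o = last_n = ""
    while o is not None:
        if o < last_o:
            raise ValueError(f"old dump is not sorted near {o!r}")
        if n is not None and n < last_n:
            raise ValueError(f"new dump is not sorted near {n!r}")
        if n is None or o < n:           # no match in new: the path is gone
            yield o
            last_o, o = o, next(old_it, None)
        elif o == n:                     # unchanged: advance both
            last_o, o = o, next(old_it, None)
            last_n, n = n, next(new_it, None)
        else:                            # n < o: created since the old dump
            last_n, n = n, next(new_it, None)


# Constructed sample snapshots standing in for two ES dumps (sorted as required).
OLD_SNAPSHOT = sorted([
    r"D:\Share\Projects\alpha\design.docx",
    r"D:\Share\Projects\alpha\notes.txt",
    r"D:\Share\Projects\beta\budget.xlsx",
    r"D:\Share\Projects\beta\old_plan.pdf",
])
NEW_SNAPSHOT = sorted([
    r"D:\Share\Projects\alpha\design.docx",
    r"D:\Share\Projects\beta\budget.xlsx",
    r"D:\Share\Projects\gamma\kickoff.pptx",   # created since the old dump
])
```

For real dumps, call `deleted_paths(open(old_file), open(new_file))`; the same function run with the arguments swapped lists the files created between the two snapshots.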