{"id":220,"date":"2016-05-10T22:40:07","date_gmt":"2016-05-10T22:40:07","guid":{"rendered":"http:\/\/eventlogxp.com\/blog\/?p=220"},"modified":"2016-12-09T16:10:45","modified_gmt":"2016-12-09T16:10:45","slug":"tracking-down-who-removed-files","status":"publish","type":"post","link":"https:\/\/eventlogxp.com\/blog\/tracking-down-who-removed-files\/","title":{"rendered":"Tracking down who removed files"},"content":{"rendered":"<p>Let&#8217;s assume you have a shared folder on a server which is accessible by all employees in your company. The users commonly copy some documents into this folder to let the others to work with these shared documents. One day you discover that some files unexpectedly disappeared from the shared folder. Usually\u00a0this means that someone deleted these files (consciously or unconsciously). Now we need to detect the person who removed the files.<\/p>\n<p>First, you need to setup Windows security auditing to monitor file access (and optionally logon) events. Of course, you should do it right after creating a shared folder and granting access to it (post factum setup won&#8217;t help you) . <a href=\"http:\/\/eventlogxp.com\/essentials\/securityauditing.html\" target=\"_blank\">This\u00a0article<\/a> describes how to setup security auditing and audit file access and logon events.<\/p>\n<p>If you correctly setup file access auditing for your shared folder, &#8220;File system&#8221; events will appear in Security log on every attempt to open file inside the folder.<\/p>\n<p><a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/filesystemaudit.png\" rel=\"attachment wp-att-221\" data-rel=\"lightbox-gallery-DPFCKyqQ\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone wp-image-221 size-full\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/filesystemaudit.png\" alt=\"file system auditing\" width=\"944\" height=\"624\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/filesystemaudit.png 944w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/filesystemaudit-300x198.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/filesystemaudit-768x508.png 768w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/filesystemaudit-660x436.png 660w\" sizes=\"(max-width: 944px) 100vw, 944px\" \/><\/a><\/p>\n<p>So be sure that the maximum log size for Security log is set to a reasonable value (or you have a chance to lose old events). Microsoft recommends 4GB for most of Windows, but this depends on different factors \u2013 I prefer much smaller sizes with autobackup option.<\/p>\n<p>Event 4660 occurs when someone removes a file or a folder. But its event description doesn&#8217;t contain the file name:<\/p>\n<pre>An object was deleted.\r\n\r\nSubject:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Security ID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 S-1-5-21-3946697505-1589476648-2597793080-1114\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Account Name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0     mike\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Account Domain:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0FSPRO\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Logon ID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0084C195\r\n\r\nObject:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Object Server:\u00a0\u00a0 Security\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Handle ID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 00000AC8\r\n\r\nProcess Information:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Process ID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 00000004\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Process Name:\u00a0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Transaction ID: {00000000-0000-0000-0000-000000000000}<\/pre>\n<p>In fact, when a user deletes file, Windows registers several events: 4663 and then 4660. It can also register event 4656 before 4663).<\/p>\n<p>Here is a sample of 4663 event description:<\/p>\n<pre>An attempt was made to access an object.\r\n\r\nSubject:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Security ID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 S-1-5-21-3946697505-1589476648-2597793080-1114\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Account Name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0     mike\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Account Domain:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0FSPRO\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Logon ID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0084C195\r\n\r\nObject:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Object Server:\u00a0\u00a0 Security\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Object Type:\u00a0\u00a0\u00a0\u00a0 File\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Object Name:\u00a0\u00a0\u00a0  C:\\shared\\Data\\_DSC9978.JPG\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Handle ID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a000000AC8\r\n\r\nProcess Information:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Process ID:\u00a0\u00a0\u00a0\u00a0\u00a0 00000004\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Process Name:\u00a0\r\n\r\nAccess Request Information:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Accesses:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 DELETE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Access Mask:\u00a0\u00a0\u00a0  10000\r\n\r\n<\/pre>\n<p>You can notice that &#8220;Access Request Information&#8221; group contains Accesses: DELETE and Access Mask: 10000 parameters.<\/p>\n<p>So we can just filter security event log by Event ID = 4663 and Access Request Information\\Accesses = DELETE (and if you enabled auditing for several folders, but want to check a specific one, you should also add filter by Object\\Object Name):<\/p>\n<p><a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/filter-4663-deleted.png\" rel=\"attachment wp-att-222\" data-rel=\"lightbox-gallery-DPFCKyqQ\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone size-medium wp-image-222\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/filter-4663-deleted-300x101.png\" alt=\"event 4663 - filter deleted events\" width=\"300\" height=\"101\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/filter-4663-deleted-300x101.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/filter-4663-deleted-660x222.png 660w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/filter-4663-deleted.png 706w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Now we can see all &#8220;file delete&#8221; events with file names.<\/p>\n<p>This method works most of time, but I wouldn&#8217;t call it perfect. First, nobody guaranty that Accesses will be DELETE all the time (although you can try Access Request Information\\Accesses Contains DELETE). Second, 4663 event occurs on access attempt. In some cases, e.g. if your file is protected, event 4660 won&#8217;t appear. So to get more accurate picture, we should rely upon 4663 events and get details from the previous events. Event Log Explorer features Linked Filter, which allows you to link events in security log by description parameter. Look again at 4660 and 4663 event samples. You can link them by Object\\Handle ID parameter. Note that Linked Filter scans events from top to bottom, so make sure that you sorted events from new to old (our base event will be 4660).<\/p>\n<p><a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/linked-filter-4660-4663.png\" rel=\"attachment wp-att-223\" data-rel=\"lightbox-gallery-DPFCKyqQ\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone size-medium wp-image-223\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/linked-filter-4660-4663-300x168.png\" alt=\"linked filter - events 4660-4663\" width=\"300\" height=\"168\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/linked-filter-4660-4663-300x168.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/linked-filter-4660-4663-660x370.png 660w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/linked-filter-4660-4663.png 675w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Here I got the same result as before.<\/p>\n<p>Now you can just display who deleted files. Event description keeps these details in &#8220;subject&#8221; group. I will use custom columns to show these details in the list:<\/p>\n<p><a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/custom-columns-deleted-files.png\" rel=\"attachment wp-att-224\" data-rel=\"lightbox-gallery-DPFCKyqQ\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone size-medium wp-image-224\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/custom-columns-deleted-files-300x187.png\" alt=\"custom columns-deleted files\" width=\"300\" height=\"187\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/custom-columns-deleted-files-300x187.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/custom-columns-deleted-files.png 492w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Here is the result of adding custom columns:<\/p>\n<p><a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/showing-users-who-deleted-files.png\" rel=\"attachment wp-att-225\" data-rel=\"lightbox-gallery-DPFCKyqQ\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone size-medium wp-image-225\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/showing-users-who-deleted-files-300x182.png\" alt=\"showing-users who deleted files\" width=\"300\" height=\"182\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/showing-users-who-deleted-files-300x182.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/showing-users-who-deleted-files-768x465.png 768w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/showing-users-who-deleted-files-660x399.png 660w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/showing-users-who-deleted-files.png 907w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>You probably noticed that I added Logon ID along with User name. Using the Logon ID, we can detect from which machine user FSPRO\\mike deleted files.<\/p>\n<p>Just set a new filter for event id = 4624 (An account was successfully logged on):<\/p>\n<p><a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/looking-for-machine-4624.png\" rel=\"attachment wp-att-226\" data-rel=\"lightbox-gallery-DPFCKyqQ\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone size-medium wp-image-226\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/looking-for-machine-4624-300x47.png\" alt=\"looking for machine - filter by event 4624\" width=\"300\" height=\"47\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/looking-for-machine-4624-300x47.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/looking-for-machine-4624-660x102.png 660w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/looking-for-machine-4624.png 702w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>And we are getting the machine name and its IP address<\/p>\n<p><a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/workstationname.png\" rel=\"attachment wp-att-227\" data-rel=\"lightbox-gallery-DPFCKyqQ\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone size-medium wp-image-227\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/workstationname-300x57.png\" alt=\"workstation name and ip address\" width=\"300\" height=\"57\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/workstationname-300x57.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/workstationname-768x147.png 768w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/workstationname-660x126.png 660w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/05\/workstationname.png 936w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<a class=\"synved-social-button synved-social-button-share synved-social-size-24 synved-social-resolution-single synved-social-provider-facebook nolightbox\" data-provider=\"facebook\" target=\"_blank\" rel=\"nofollow\" title=\"Share on Facebook\" href=\"https:\/\/www.facebook.com\/sharer.php?u=https%3A%2F%2Feventlogxp.com%2Fblog%2Fwp-json%2Fwp%2Fv2%2Fposts%2F220&#038;t=Tracking%20down%20who%20removed%20files&#038;s=100&#038;p&#091;url&#093;=https%3A%2F%2Feventlogxp.com%2Fblog%2Fwp-json%2Fwp%2Fv2%2Fposts%2F220&#038;p&#091;images&#093;&#091;0&#093;=https%3A%2F%2Feventlogxp.com%2Fblog%2Fwp-content%2Fuploads%2F2016%2F05%2Fwho-removed-files.jpg&#038;p&#091;title&#093;=Tracking%20down%20who%20removed%20files\" style=\"font-size: 0px;width:24px;height:24px;margin:0;margin-bottom:5px;margin-right:5px\"><img alt=\"Facebook\" title=\"Share on Facebook\" class=\"synved-share-image synved-social-image synved-social-image-share\" width=\"24\" height=\"24\" style=\"display: inline;width:24px;height:24px;margin: 0;padding: 0;border: none\" src=\"https:\/\/eventlogxp.com\/blog\/wp-content\/plugins\/social-media-feather\/synved-social\/image\/social\/regular\/48x48\/facebook.png\" \/><\/a><a class=\"synved-social-button synved-social-button-share synved-social-size-24 synved-social-resolution-single synved-social-provider-twitter nolightbox\" data-provider=\"twitter\" target=\"_blank\" rel=\"nofollow\" title=\"Share on Twitter\" href=\"https:\/\/twitter.com\/intent\/tweet?url=https%3A%2F%2Feventlogxp.com%2Fblog%2Fwp-json%2Fwp%2Fv2%2Fposts%2F220&#038;text=Check%20this%20Event%20Log%20Explorer%20blog%20post\" style=\"font-size: 0px;width:24px;height:24px;margin:0;margin-bottom:5px;margin-right:5px\"><img alt=\"twitter\" title=\"Share on Twitter\" class=\"synved-share-image synved-social-image synved-social-image-share\" width=\"24\" height=\"24\" style=\"display: inline;width:24px;height:24px;margin: 0;padding: 0;border: none\" src=\"https:\/\/eventlogxp.com\/blog\/wp-content\/plugins\/social-media-feather\/synved-social\/image\/social\/regular\/48x48\/twitter.png\" \/><\/a><a class=\"synved-social-button synved-social-button-share synved-social-size-24 synved-social-resolution-single synved-social-provider-reddit nolightbox\" data-provider=\"reddit\" target=\"_blank\" rel=\"nofollow\" title=\"Share on Reddit\" href=\"https:\/\/www.reddit.com\/submit?url=https%3A%2F%2Feventlogxp.com%2Fblog%2Fwp-json%2Fwp%2Fv2%2Fposts%2F220&#038;title=Tracking%20down%20who%20removed%20files\" style=\"font-size: 0px;width:24px;height:24px;margin:0;margin-bottom:5px;margin-right:5px\"><img alt=\"reddit\" title=\"Share on Reddit\" class=\"synved-share-image synved-social-image synved-social-image-share\" width=\"24\" height=\"24\" style=\"display: inline;width:24px;height:24px;margin: 0;padding: 0;border: none\" src=\"https:\/\/eventlogxp.com\/blog\/wp-content\/plugins\/social-media-feather\/synved-social\/image\/social\/regular\/48x48\/reddit.png\" \/><\/a><a class=\"synved-social-button synved-social-button-share synved-social-size-24 synved-social-resolution-single synved-social-provider-pinterest nolightbox\" data-provider=\"pinterest\" target=\"_blank\" rel=\"nofollow\" title=\"Pin it with Pinterest\" href=\"https:\/\/pinterest.com\/pin\/create\/button\/?url=https%3A%2F%2Feventlogxp.com%2Fblog%2Fwp-json%2Fwp%2Fv2%2Fposts%2F220&#038;media=https%3A%2F%2Feventlogxp.com%2Fblog%2Fwp-content%2Fuploads%2F2016%2F05%2Fwho-removed-files.jpg&#038;description=Tracking%20down%20who%20removed%20files\" style=\"font-size: 0px;width:24px;height:24px;margin:0;margin-bottom:5px;margin-right:5px\"><img alt=\"pinterest\" title=\"Pin it with Pinterest\" class=\"synved-share-image synved-social-image synved-social-image-share\" width=\"24\" height=\"24\" style=\"display: inline;width:24px;height:24px;margin: 0;padding: 0;border: none\" src=\"https:\/\/eventlogxp.com\/blog\/wp-content\/plugins\/social-media-feather\/synved-social\/image\/social\/regular\/48x48\/pinterest.png\" \/><\/a><a class=\"synved-social-button synved-social-button-share synved-social-size-24 synved-social-resolution-single synved-social-provider-linkedin nolightbox\" data-provider=\"linkedin\" target=\"_blank\" rel=\"nofollow\" title=\"Share on Linkedin\" href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https%3A%2F%2Feventlogxp.com%2Fblog%2Fwp-json%2Fwp%2Fv2%2Fposts%2F220&#038;title=Tracking%20down%20who%20removed%20files\" style=\"font-size: 0px;width:24px;height:24px;margin:0;margin-bottom:5px;margin-right:5px\"><img alt=\"linkedin\" title=\"Share on Linkedin\" class=\"synved-share-image synved-social-image synved-social-image-share\" width=\"24\" height=\"24\" style=\"display: inline;width:24px;height:24px;margin: 0;padding: 0;border: none\" src=\"https:\/\/eventlogxp.com\/blog\/wp-content\/plugins\/social-media-feather\/synved-social\/image\/social\/regular\/48x48\/linkedin.png\" \/><\/a><a class=\"synved-social-button synved-social-button-share synved-social-size-24 synved-social-resolution-single synved-social-provider-mail nolightbox\" data-provider=\"mail\" rel=\"nofollow\" title=\"Share by email\" href=\"mailto:?subject=Tracking%20down%20who%20removed%20files&#038;body=Check%20this%20Event%20Log%20Explorer%20blog%20post:%20https%3A%2F%2Feventlogxp.com%2Fblog%2Fwp-json%2Fwp%2Fv2%2Fposts%2F220\" style=\"font-size: 0px;width:24px;height:24px;margin:0;margin-bottom:5px\"><img alt=\"mail\" title=\"Share by email\" class=\"synved-share-image synved-social-image synved-social-image-share\" width=\"24\" height=\"24\" style=\"display: inline;width:24px;height:24px;margin: 0;padding: 0;border: none\" src=\"https:\/\/eventlogxp.com\/blog\/wp-content\/plugins\/social-media-feather\/synved-social\/image\/social\/regular\/48x48\/mail.png\" \/><\/a>","protected":false},"excerpt":{"rendered":"<p>Let&#8217;s assume you have a shared folder on a server which is accessible by all employees in your company. The users commonly copy some documents into this folder to let the others to work with these shared documents. One day you discover that some files unexpectedly disappeared from the shared folder. Usually\u00a0this means that someone deleted these files (consciously or unconsciously). Now we need to\u2026 <span class=\"read-more\"><a href=\"https:\/\/eventlogxp.com\/blog\/tracking-down-who-removed-files\/\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":232,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[42],"tags":[5,51,21,49,4,15],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/220"}],"collection":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/comments?post=220"}],"version-history":[{"count":7,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/220\/revisions"}],"predecessor-version":[{"id":234,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/220\/revisions\/234"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media\/232"}],"wp:attachment":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media?parent=220"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/categories?post=220"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/tags?post=220"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}