Hi hack3rcon,
The logic for correlating file deletion events is very similar to folder deletions—you need to find a common field between the events that contain the file name and those that don’t.
For file deletions, Windows usually logs several related events: Event ID 4656 and/or Event ID 4663 will show details about the file access (including the file’s full path in the Object Name field) when a handle is requested or when an access attempt is made on the file. Meanwhile, Event ID 4660 records the deletion itself, but it omits the file name.
The key to linking these events is the Handle ID. Here’s how you can correlate them:
- In the events that show the file name (4656 and/or 4663), look at the Handle ID—this identifier is generated when a handle for the object (in this case, the file) is opened.
- When the file is deleted, Event ID 4660 logs the deletion action and includes the same Handle ID (even though it doesn’t include the file name).
- By matching the Handle ID in the deletion event (4660) with the one in either 4656 or 4663 (where the file name is recorded in the Object Name field), you can identify exactly which file was deleted.
Additionally, you may want to verify the consistency by checking fields like the SubjectUserSid or SubjectUserName across these events, which can help confirm that the events belong to the same audit trail from the same user session.
In summary, whether you’re tracking a file or folder deletion, the primary correlation is made via the Handle ID. For a file deletion, compare Event ID 4660 (deletion event) with Event ID 4656 and/or 4663 (which include the file name), using the Handle ID as your linking field.
Hope this helps clarify the process! If you have further questions, feel free to ask.
Regards,
ChatGPT
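The Handle ID correlation described in the reply above, as an added worked example that is not part of the thread: a small Python routine that walks Security-log events in record order, remembers the Object Name supplied by each 4656/4663 per (Handle ID, SubjectUserSid) pair, and resolves every 4660 to the file it deleted. The event records are constructed sample data whose keys mirror the EventData field names and EventRecordID of real audit events; the function name and the keying on user SID alongside Handle ID are this example's own choices (the SID key guards against Handle ID values being reused later by a different process or user).

```python
"""Correlate Windows file-deletion audit events (4656/4663 -> 4660) by Handle ID.

Added example, not from the forum thread. SAMPLE_EVENTS is constructed data;
each dict mimics one Security-log record with the EventData fields the
reply refers to (HandleId, ObjectName, SubjectUserSid, SubjectUserName)
plus the record's EventRecordID for ordering.
"""

# Constructed sample records in chronological (EventRecordID) order.
ALICE = "S-1-5-21-111-222-333-1001"   # constructed SID
BOB = "S-1-5-21-111-222-333-1002"     # constructed SID

SAMPLE_EVENTS = [
    # Handle 0x1a4 opened (4656) and accessed (4663) on report.docx, then deleted (4660).
    {"EventID": 4656, "EventRecordID": 101, "HandleId": "0x1a4",
     "ObjectName": r"C:\Data\report.docx", "SubjectUserSid": ALICE, "SubjectUserName": "alice"},
    {"EventID": 4663, "EventRecordID": 102, "HandleId": "0x1a4",
     "ObjectName": r"C:\Data\report.docx", "SubjectUserSid": ALICE, "SubjectUserName": "alice"},
    {"EventID": 4660, "EventRecordID": 103, "HandleId": "0x1a4",
     "SubjectUserSid": ALICE, "SubjectUserName": "alice"},          # no ObjectName on 4660
    # A handle on another file that was only read, never deleted: must not be reported.
    {"EventID": 4663, "EventRecordID": 104, "HandleId": "0x2c8",
     "ObjectName": r"C:\Data\notes.txt", "SubjectUserSid": ALICE, "SubjectUserName": "alice"},
    # A 4660 whose 4656/4663 was never captured (audit-policy gap): stays unresolved.
    {"EventID": 4660, "EventRecordID": 105, "HandleId": "0x3f0",
     "SubjectUserSid": ALICE, "SubjectUserName": "alice"},
    # Handle ID 0x1a4 reused later by a different user for a different file.
    {"EventID": 4656, "EventRecordID": 106, "HandleId": "0x1a4",
     "ObjectName": r"C:\Temp\scratch.tmp", "SubjectUserSid": BOB, "SubjectUserName": "bob"},
    {"EventID": 4660, "EventRecordID": 107, "HandleId": "0x1a4",
     "SubjectUserSid": BOB, "SubjectUserName": "bob"},
]


def correlate_deletions(events):
    """Resolve each 4660 to the file named by the latest 4656/4663 sharing its Handle ID.

    Returns a list (in record order) of dicts: one per 4660, with ObjectName and
    SourceRecordID set from the matching 4656/4663, or None when no match exists.
    """
    # (HandleId, SubjectUserSid) -> the most recent event that carried the object name.
    named_handles = {}
    deletions = []
    for ev in sorted(events, key=lambda e: e["EventRecordID"]):
        key = (ev["HandleId"], ev["SubjectUserSid"])
        if ev["EventID"] in (4656, 4663) and ev.get("ObjectName"):
            # Newer opens overwrite older ones, so a reused Handle ID maps to the new file.
            named_handles[key] = ev
        elif ev["EventID"] == 4660:
            # The handle is gone after deletion; pop so a later reuse cannot inherit the name.
            source = named_handles.pop(key, None)
            deletions.append({
                "EventRecordID": ev["EventRecordID"],
                "HandleId": ev["HandleId"],
                "SubjectUserName": ev["SubjectUserName"],
                "ObjectName": source["ObjectName"] if source else None,
                "SourceRecordID": source["EventRecordID"] if source else None,
            })
    return deletions


if __name__ == "__main__":
    for d in correlate_deletions(SAMPLE_EVENTS):
        name = d["ObjectName"] or "<unresolved: no 4656/4663 with this Handle ID>"
        print(f"4660 record {d['EventRecordID']} by {d['SubjectUserName']} "
              f"handle {d['HandleId']} -> {name}")
```

On a live system the same dicts can be built from `Get-WinEvent` XML output by reading `EventRecordID` from the `System` element and the `Data Name="..."` entries from `EventData`; the unresolved case in the sample is the one to watch for in practice, since it usually means object-access auditing (or the file's SACL) was not capturing the 4656/4663 side.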