In the first “Where did my file go?” post, we discussed locating files using StealthAUDIT’s Access Information Center. Now, with the STEALTHbits File Activity Monitor in place, this same question can be answered in real-time directly within the console.
Not only can we identify what happened to a file, we can even show you where it ended up. First, start a New Activity Search within the STEALTHbits File Activity Monitor by either pressing Ctrl+F or selecting the magnifying glass located in the top pane of the console:
Now, scope the search criteria to include only renames and deletes, the typical activities that result in a lost file or folder. Other parameters can help scope the query for meaningful results as well. Consider including the file/folder name or the known extension type within the File Path field like below:
We have now scoped our real-time activity search to include the typical lost-file operations on .pdf files. The data view allows you to filter and sort even further once the query is complete. Here, I’ve scoped our search further to only show rename operations:
Next time someone in your organization has a suspected drag-and-drop or deletion, you can simply search within STEALTHbits File Activity Monitor in real time, skipping any processing necessary for StealthAUDIT’s in-depth analysis.
Jeff is a Senior Engineer at STEALTHbits.