[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.24,0:00:02.16,Default,,0000,0000,0000,,in this video I want to show you how to
Dialogue: 0,0:00:02.16,0:00:04.32,Default,,0000,0000,0000,,find out who accessed your files and
Dialogue: 0,0:00:04.32,0:00:05.04,Default,,0000,0000,0000,,folders
Dialogue: 0,0:00:05.04,0:00:07.20,Default,,0000,0000,0000,,or even tried to access your files and
Dialogue: 0,0:00:07.20,0:00:08.88,Default,,0000,0000,0000,,folders in Windows 10
Dialogue: 0,0:00:08.88,0:00:11.76,Default,,0000,0000,0000,,by enabling object auditing on your
Dialogue: 0,0:00:11.76,0:00:16.08,Default,,0000,0000,0000,,files and folders
Dialogue: 0,0:00:16.08,0:00:18.16,Default,,0000,0000,0000,,before we begin please note that this
Dialogue: 0,0:00:18.16,0:00:20.00,Default,,0000,0000,0000,,applies only to Windows 10
Dialogue: 0,0:00:20.00,0:00:23.44,Default,,0000,0000,0000,,Pro, Enterprise and Education
Dialogue: 0,0:00:23.44,0:00:26.80,Default,,0000,0000,0000,,and the file system should be NTFS
Dialogue: 0,0:00:26.80,0:00:29.12,Default,,0000,0000,0000,,so if you have Windows 10 Home it
Dialogue: 0,0:00:29.12,0:00:30.96,Default,,0000,0000,0000,,doesn't work on Windows 10 Home
Dialogue: 0,0:00:30.96,0:00:33.60,Default,,0000,0000,0000,,now that being said and because what I'm
Dialogue: 0,0:00:33.60,0:00:35.52,Default,,0000,0000,0000,,going to show you uses group policy
Dialogue: 0,0:00:35.52,0:00:38.08,Default,,0000,0000,0000,,management or security policy management
Dialogue: 0,0:00:38.08,0:00:39.76,Default,,0000,0000,0000,,which is a subset of group policy
Dialogue: 0,0:00:39.76,0:00:42.24,Default,,0000,0000,0000,,management there are out there some
Dialogue: 0,0:00:42.24,0:00:44.16,Default,,0000,0000,0000,,batch files and some scripts
Dialogue: 0,0:00:44.16,0:00:46.88,Default,,0000,0000,0000,,that can enable this on Windows 10 Home
Dialogue: 0,0:00:46.88,0:00:48.80,Default,,0000,0000,0000,,but this is not officially supported by
Dialogue: 0,0:00:48.80,0:00:49.76,Default,,0000,0000,0000,,Microsoft
Dialogue: 0,0:00:49.76,0:00:51.68,Default,,0000,0000,0000,,so here I'm gonna show you only the
Dialogue: 0,0:00:51.68,0:00:53.20,Default,,0000,0000,0000,,supported method
Dialogue: 0,0:00:53.20,0:00:55.20,Default,,0000,0000,0000,,there are three easy steps to achieve
Dialogue: 0,0:00:55.20,0:00:56.40,Default,,0000,0000,0000,,this the first step
Dialogue: 0,0:00:56.40,0:00:59.28,Default,,0000,0000,0000,,is to enable object access auditing on
Dialogue: 0,0:00:59.28,0:01:00.80,Default,,0000,0000,0000,,your Windows 10 PC
Dialogue: 0,0:01:00.80,0:01:02.96,Default,,0000,0000,0000,,the second step is to configure auditing
Dialogue: 0,0:01:02.96,0:01:05.20,Default,,0000,0000,0000,,on the selected files and folders
Dialogue: 0,0:01:05.20,0:01:08.16,Default,,0000,0000,0000,,and the third step is simply viewing the
Dialogue: 0,0:01:08.16,0:01:09.36,Default,,0000,0000,0000,,audit log
Dialogue: 0,0:01:09.36,0:01:11.44,Default,,0000,0000,0000,,so let's start with step 1 which is
Dialogue: 0,0:01:11.44,0:01:13.84,Default,,0000,0000,0000,,enabling object access auditing in
Dialogue: 0,0:01:13.84,0:01:15.04,Default,,0000,0000,0000,,Windows 10
Dialogue: 0,0:01:15.04,0:01:17.36,Default,,0000,0000,0000,,so on your Windows 10 PC start group
Dialogue: 0,0:01:17.36,0:01:18.40,Default,,0000,0000,0000,,policy editor
Dialogue: 0,0:01:18.40,0:01:21.20,Default,,0000,0000,0000,,so click in your search box and type
Dialogue: 0,0:01:21.20,0:01:21.76,Default,,0000,0000,0000,,group
Dialogue: 0,0:01:21.76,0:01:26.88,Default,,0000,0000,0000,,space pol and here you see group policy
Dialogue: 0,0:01:26.88,0:01:28.56,Default,,0000,0000,0000,,alternatively you can start only
Dialogue: 0,0:01:28.56,0:01:30.48,Default,,0000,0000,0000,,security policy which leads
Dialogue: 0,0:01:30.48,0:01:32.16,Default,,0000,0000,0000,,only to the security settings of the
Dialogue: 0,0:01:32.16,0:01:34.40,Default,,0000,0000,0000,,computer but here I'm showing you group
Dialogue: 0,0:01:34.40,0:01:35.04,Default,,0000,0000,0000,,policy
Dialogue: 0,0:01:35.04,0:01:37.04,Default,,0000,0000,0000,,so let me enlarge this a little bit so
Dialogue: 0,0:01:37.04,0:01:39.44,Default,,0000,0000,0000,,that you can see
Dialogue: 0,0:01:39.44,0:01:42.08,Default,,0000,0000,0000,,and here under group policy you see that
Dialogue: 0,0:01:42.08,0:01:44.00,Default,,0000,0000,0000,,you have local computer policy which is
Dialogue: 0,0:01:44.00,0:01:45.12,Default,,0000,0000,0000,,your computer
Dialogue: 0,0:01:45.12,0:01:46.64,Default,,0000,0000,0000,,and you have two branches computer
Dialogue: 0,0:01:46.64,0:01:48.96,Default,,0000,0000,0000,,configuration and user configuration
Dialogue: 0,0:01:48.96,0:01:51.20,Default,,0000,0000,0000,,the one that is of interest to us is
Dialogue: 0,0:01:51.20,0:01:52.96,Default,,0000,0000,0000,,computer configuration
Dialogue: 0,0:01:52.96,0:01:54.80,Default,,0000,0000,0000,,and then under computer configuration
Dialogue: 0,0:01:54.80,0:01:56.40,Default,,0000,0000,0000,,you have Windows settings
Dialogue: 0,0:01:56.40,0:01:59.44,Default,,0000,0000,0000,,click on it to expand it and then you
Dialogue: 0,0:01:59.44,0:02:01.20,Default,,0000,0000,0000,,have security settings
Dialogue: 0,0:02:01.20,0:02:04.08,Default,,0000,0000,0000,,also click on it to expand it and you
Dialogue: 0,0:02:04.08,0:02:05.68,Default,,0000,0000,0000,,have under security settings
Dialogue: 0,0:02:05.68,0:02:07.92,Default,,0000,0000,0000,,something called advanced audit policy
Dialogue: 0,0:02:07.92,0:02:09.20,Default,,0000,0000,0000,,configuration
Dialogue: 0,0:02:09.20,0:02:12.56,Default,,0000,0000,0000,,so here also click on the small arrow
Dialogue: 0,0:02:12.56,0:02:15.68,Default,,0000,0000,0000,,next to it just to expand it
Dialogue: 0,0:02:15.68,0:02:19.28,Default,,0000,0000,0000,,and then click on system audit policies
Dialogue: 0,0:02:19.28,0:02:22.64,Default,,0000,0000,0000,,and you have a bunch of things here
Dialogue: 0,0:02:22.64,0:02:25.04,Default,,0000,0000,0000,,the one that is of interest to us is
Dialogue: 0,0:02:25.04,0:02:25.76,Default,,0000,0000,0000,,object
Dialogue: 0,0:02:25.76,0:02:30.72,Default,,0000,0000,0000,,access so double click object access
Dialogue: 0,0:02:32.00,0:02:34.16,Default,,0000,0000,0000,,and under object access we have to
Dialogue: 0,0:02:34.16,0:02:35.36,Default,,0000,0000,0000,,enable audit
Dialogue: 0,0:02:35.36,0:02:37.76,Default,,0000,0000,0000,,file system only so double click on it
Dialogue: 0,0:02:37.76,0:02:39.68,Default,,0000,0000,0000,,once again
Dialogue: 0,0:02:39.68,0:02:42.00,Default,,0000,0000,0000,,and here you see click on configure the
Dialogue: 0,0:02:42.00,0:02:44.64,Default,,0000,0000,0000,,following audit events
Dialogue: 0,0:02:44.64,0:02:47.84,Default,,0000,0000,0000,,and then select success and failure
Dialogue: 0,0:02:47.84,0:02:51.68,Default,,0000,0000,0000,,success means that if someone succeeds
Dialogue: 0,0:02:51.68,0:02:54.40,Default,,0000,0000,0000,,in accessing the file or the folder
Dialogue: 0,0:02:54.40,0:02:56.08,Default,,0000,0000,0000,,that you have audited
Dialogue: 0,0:02:56.08,0:02:59.44,Default,,0000,0000,0000,,it will show you and if someone tried to
Dialogue: 0,0:02:59.44,0:03:01.20,Default,,0000,0000,0000,,access but couldn't do it
Dialogue: 0,0:03:01.20,0:03:03.84,Default,,0000,0000,0000,,it will also show you this is a failure
Dialogue: 0,0:03:03.84,0:03:05.68,Default,,0000,0000,0000,,so click ok here
Dialogue: 0,0:03:05.68,0:03:07.60,Default,,0000,0000,0000,,and with the group policy we have
Dialogue: 0,0:03:07.60,0:03:10.08,Default,,0000,0000,0000,,finished so this was the first part
Dialogue: 0,0:03:10.08,0:03:13.20,Default,,0000,0000,0000,,the second part is to apply
Dialogue: 0,0:03:13.20,0:03:15.84,Default,,0000,0000,0000,,the security policy that we just enabled
Dialogue: 0,0:03:15.84,0:03:18.08,Default,,0000,0000,0000,,to a certain file or folder
Dialogue: 0,0:03:18.08,0:03:21.68,Default,,0000,0000,0000,,so here I'm gonna open documents
Dialogue: 0,0:03:21.76,0:03:24.00,Default,,0000,0000,0000,,and let's say under documents I have a
Dialogue: 0,0:03:24.00,0:03:25.68,Default,,0000,0000,0000,,folder called personal
Dialogue: 0,0:03:25.68,0:03:28.08,Default,,0000,0000,0000,,so let's say we have these under
Dialogue: 0,0:03:28.08,0:03:28.80,Default,,0000,0000,0000,,personal
Dialogue: 0,0:03:28.80,0:03:31.36,Default,,0000,0000,0000,,and I want to audit all accesses to
Dialogue: 0,0:03:31.36,0:03:32.24,Default,,0000,0000,0000,,personal
Dialogue: 0,0:03:32.24,0:03:36.48,Default,,0000,0000,0000,,so right click on it click properties
Dialogue: 0,0:03:36.48,0:03:39.60,Default,,0000,0000,0000,,and then click security
Dialogue: 0,0:03:39.60,0:03:43.20,Default,,0000,0000,0000,,under security click advanced
Dialogue: 0,0:03:43.20,0:03:46.64,Default,,0000,0000,0000,,under advanced click auditing
Dialogue: 0,0:03:46.64,0:03:50.00,Default,,0000,0000,0000,,click continue and then here you have to
Dialogue: 0,0:03:50.00,0:03:50.72,Default,,0000,0000,0000,,select
Dialogue: 0,0:03:50.72,0:03:53.76,Default,,0000,0000,0000,,the users you want to audit so
Dialogue: 0,0:03:53.76,0:03:57.68,Default,,0000,0000,0000,,click on add
Dialogue: 0,0:03:57.68,0:04:00.80,Default,,0000,0000,0000,,and then click on select a principal and
Dialogue: 0,0:04:00.80,0:04:02.56,Default,,0000,0000,0000,,if you have a user in mind that you want
Dialogue: 0,0:04:02.56,0:04:03.44,Default,,0000,0000,0000,,to audit
Dialogue: 0,0:04:03.44,0:04:05.84,Default,,0000,0000,0000,,you can select it here so let me click
Dialogue: 0,0:04:05.84,0:04:07.04,Default,,0000,0000,0000,,advanced
Dialogue: 0,0:04:07.04,0:04:10.08,Default,,0000,0000,0000,,and find now so you can select either a
Dialogue: 0,0:04:10.08,0:04:10.96,Default,,0000,0000,0000,,user
Dialogue: 0,0:04:10.96,0:04:14.32,Default,,0000,0000,0000,,or you can select a group so we have all
Dialogue: 0,0:04:14.32,0:04:15.36,Default,,0000,0000,0000,,these groups here
Dialogue: 0,0:04:15.36,0:04:17.76,Default,,0000,0000,0000,,and all the users let's say we want to
Dialogue: 0,0:04:17.76,0:04:18.96,Default,,0000,0000,0000,,audit everyone
Dialogue: 0,0:04:18.96,0:04:20.88,Default,,0000,0000,0000,,so if we want to audit everyone we have
Dialogue: 0,0:04:20.88,0:04:22.56,Default,,0000,0000,0000,,to select
Dialogue: 0,0:04:22.56,0:04:25.52,Default,,0000,0000,0000,,the built-in group Everyone and then
Dialogue: 0,0:04:25.52,0:04:27.12,Default,,0000,0000,0000,,click ok
Dialogue: 0,0:04:27.12,0:04:30.08,Default,,0000,0000,0000,,and then click ok again and then under
Dialogue: 0,0:04:30.08,0:04:31.04,Default,,0000,0000,0000,,type you notice
Dialogue: 0,0:04:31.04,0:04:33.92,Default,,0000,0000,0000,,that success was selected by default so
Dialogue: 0,0:04:33.92,0:04:34.32,Default,,0000,0000,0000,,click
Dialogue: 0,0:04:34.32,0:04:36.96,Default,,0000,0000,0000,,the drop down list and you see you have
Dialogue: 0,0:04:36.96,0:04:37.36,Default,,0000,0000,0000,,all
Dialogue: 0,0:04:37.36,0:04:40.48,Default,,0000,0000,0000,,fail and success so select all
Dialogue: 0,0:04:40.48,0:04:43.28,Default,,0000,0000,0000,,so this way you will audit the successful
Dialogue: 0,0:04:43.28,0:04:44.08,Default,,0000,0000,0000,,attempts
Dialogue: 0,0:04:44.08,0:04:46.72,Default,,0000,0000,0000,,on your files and folders and also the
Dialogue: 0,0:04:46.72,0:04:48.48,Default,,0000,0000,0000,,failed attempts in case
Dialogue: 0,0:04:48.48,0:04:51.04,Default,,0000,0000,0000,,someone who doesn't have access to this
Dialogue: 0,0:04:51.04,0:04:53.44,Default,,0000,0000,0000,,folder tries to access it or this file
Dialogue: 0,0:04:53.44,0:04:54.40,Default,,0000,0000,0000,,of course
Dialogue: 0,0:04:54.40,0:04:56.32,Default,,0000,0000,0000,,and then afterwards here click on full
Dialogue: 0,0:04:56.32,0:04:58.40,Default,,0000,0000,0000,,control
Dialogue: 0,0:04:58.40,0:05:01.36,Default,,0000,0000,0000,,and then click ok
Dialogue: 0,0:05:01.44,0:05:04.00,Default,,0000,0000,0000,,now if you select Everyone please note
Dialogue: 0,0:05:04.00,0:05:04.48,Default,,0000,0000,0000,,that
Dialogue: 0,0:05:04.48,0:05:07.36,Default,,0000,0000,0000,,also your user access will be audited so
Dialogue: 0,0:05:07.36,0:05:08.88,Default,,0000,0000,0000,,it's better to select
Dialogue: 0,0:05:08.88,0:05:11.36,Default,,0000,0000,0000,,a group that doesn't contain your user
Dialogue: 0,0:05:11.36,0:05:12.16,Default,,0000,0000,0000,,or select
Dialogue: 0,0:05:12.16,0:05:14.48,Default,,0000,0000,0000,,only one user but here for the purpose
Dialogue: 0,0:05:14.48,0:05:16.88,Default,,0000,0000,0000,,of this video I selected Everyone
Dialogue: 0,0:05:16.88,0:05:20.08,Default,,0000,0000,0000,,so here click ok and then
Dialogue: 0,0:05:20.08,0:05:23.44,Default,,0000,0000,0000,,ok again and now personal
Dialogue: 0,0:05:23.44,0:05:25.52,Default,,0000,0000,0000,,is being audited and everything under
Dialogue: 0,0:05:25.52,0:05:27.68,Default,,0000,0000,0000,,personal also is being audited
Dialogue: 0,0:05:27.68,0:05:29.92,Default,,0000,0000,0000,,so let's try to access something under
Dialogue: 0,0:05:29.92,0:05:31.12,Default,,0000,0000,0000,,personal
Dialogue: 0,0:05:31.12,0:05:33.84,Default,,0000,0000,0000,,so I just entered into personal so this
Dialogue: 0,0:05:33.84,0:05:34.72,Default,,0000,0000,0000,,should be
Dialogue: 0,0:05:34.72,0:05:36.56,Default,,0000,0000,0000,,logged into the event log so I'm gonna
Dialogue: 0,0:05:36.56,0:05:38.64,Default,,0000,0000,0000,,show you also how to see the event
Dialogue: 0,0:05:38.64,0:05:39.84,Default,,0000,0000,0000,,viewer log
Dialogue: 0,0:05:39.84,0:05:42.72,Default,,0000,0000,0000,,and let me create a new document so let
Dialogue: 0,0:05:42.72,0:05:45.20,Default,,0000,0000,0000,,me create a bitmap image
Dialogue: 0,0:05:45.20,0:05:48.48,Default,,0000,0000,0000,,and let me delete this new text document
Dialogue: 0,0:05:48.48,0:05:51.60,Default,,0000,0000,0000,,let me go into test and let me also
Dialogue: 0,0:05:51.60,0:05:53.28,Default,,0000,0000,0000,,create
Dialogue: 0,0:05:53.28,0:05:57.04,Default,,0000,0000,0000,,here a rich text document
Dialogue: 0,0:05:57.20,0:05:59.76,Default,,0000,0000,0000,,and let's see now if all these actions
Dialogue: 0,0:05:59.76,0:06:00.56,Default,,0000,0000,0000,,were logged
Dialogue: 0,0:06:00.56,0:06:02.88,Default,,0000,0000,0000,,so to see the actions you need to go
Dialogue: 0,0:06:02.88,0:06:04.00,Default,,0000,0000,0000,,into something called
Dialogue: 0,0:06:04.00,0:06:06.72,Default,,0000,0000,0000,,Event Viewer so Event Viewer you have
Dialogue: 0,0:06:06.72,0:06:07.84,Default,,0000,0000,0000,,many ways to
Dialogue: 0,0:06:07.84,0:06:09.60,Default,,0000,0000,0000,,launch it so either in the search box
Dialogue: 0,0:06:09.60,0:06:11.36,Default,,0000,0000,0000,,you can type event
Dialogue: 0,0:06:11.36,0:06:13.84,Default,,0000,0000,0000,,and it will show here you can also right
Dialogue: 0,0:06:13.84,0:06:15.44,Default,,0000,0000,0000,,click the Windows logo
Dialogue: 0,0:06:15.44,0:06:17.84,Default,,0000,0000,0000,,and here it is Event Viewer you can
Dialogue: 0,0:06:17.84,0:06:20.16,Default,,0000,0000,0000,,start computer management
Dialogue: 0,0:06:20.16,0:06:23.28,Default,,0000,0000,0000,,by typing computer
Dialogue: 0,0:06:23.28,0:06:27.04,Default,,0000,0000,0000,,management into the search box
Dialogue: 0,0:06:27.04,0:06:29.04,Default,,0000,0000,0000,,and selecting computer management it is
Dialogue: 0,0:06:29.04,0:06:30.80,Default,,0000,0000,0000,,also under computer management so let's
Dialogue: 0,0:06:30.80,0:06:34.72,Default,,0000,0000,0000,,go with computer management
Dialogue: 0,0:06:34.72,0:06:36.64,Default,,0000,0000,0000,,and here you have something called Event
Dialogue: 0,0:06:36.64,0:06:37.84,Default,,0000,0000,0000,,Viewer
Dialogue: 0,0:06:37.84,0:06:40.08,Default,,0000,0000,0000,,click on the arrow next to it to expand
Dialogue: 0,0:06:40.08,0:06:41.04,Default,,0000,0000,0000,,it
Dialogue: 0,0:06:41.04,0:06:44.16,Default,,0000,0000,0000,,and under Windows logs you have
Dialogue: 0,0:06:44.16,0:06:45.68,Default,,0000,0000,0000,,something called security
Dialogue: 0,0:06:45.68,0:06:48.24,Default,,0000,0000,0000,,and this is the security log where all
Dialogue: 0,0:06:48.24,0:06:50.00,Default,,0000,0000,0000,,accesses should be logged
Dialogue: 0,0:06:50.00,0:06:52.32,Default,,0000,0000,0000,,so let me click on it so here you have
Dialogue: 0,0:06:52.32,0:06:54.00,Default,,0000,0000,0000,,all the accesses that were done on the
Dialogue: 0,0:06:54.00,0:06:56.08,Default,,0000,0000,0000,,folder and the files in the folder
Dialogue: 0,0:06:56.08,0:06:58.24,Default,,0000,0000,0000,,so let's see them let me double click
Dialogue: 0,0:06:58.24,0:07:00.08,Default,,0000,0000,0000,,the first one
Dialogue: 0,0:07:00.08,0:07:02.40,Default,,0000,0000,0000,,you see here under subject you have
Dialogue: 0,0:07:02.40,0:07:03.76,Default,,0000,0000,0000,,first account name
Dialogue: 0,0:07:03.76,0:07:06.80,Default,,0000,0000,0000,,so this is the account that accessed the
Dialogue: 0,0:07:06.80,0:07:08.00,Default,,0000,0000,0000,,object
Dialogue: 0,0:07:08.00,0:07:10.88,Default,,0000,0000,0000,,if you scroll down a little bit here you
Dialogue: 0,0:07:10.88,0:07:12.24,Default,,0000,0000,0000,,see that
Dialogue: 0,0:07:12.24,0:07:14.48,Default,,0000,0000,0000,,the folder test was accessed and what
Dialogue: 0,0:07:14.48,0:07:18.48,Default,,0000,0000,0000,,the access type was keep on scrolling
Dialogue: 0,0:07:18.48,0:07:20.24,Default,,0000,0000,0000,,and you see that the access was reading
Dialogue: 0,0:07:20.24,0:07:22.48,Default,,0000,0000,0000,,the attributes so here you can click on
Dialogue: 0,0:07:22.48,0:07:23.92,Default,,0000,0000,0000,,the next arrow
Dialogue: 0,0:07:23.92,0:07:26.16,Default,,0000,0000,0000,,so here this is important this is an
Dialogue: 0,0:07:26.16,0:07:27.36,Default,,0000,0000,0000,,event saying that
Dialogue: 0,0:07:27.36,0:07:30.00,Default,,0000,0000,0000,,data was written or a file was added you
Dialogue: 0,0:07:30.00,0:07:32.00,Default,,0000,0000,0000,,can click on details to see further
Dialogue: 0,0:07:32.00,0:07:33.76,Default,,0000,0000,0000,,information here
Dialogue: 0,0:07:33.76,0:07:37.04,Default,,0000,0000,0000,,so we have everything here so this is
Dialogue: 0,0:07:37.04,0:07:39.12,Default,,0000,0000,0000,,here the new file that we created
Dialogue: 0,0:07:39.12,0:07:42.56,Default,,0000,0000,0000,,the new rich text document
Dialogue: 0,0:07:42.56,0:07:44.64,Default,,0000,0000,0000,,and this is also important here you see
Dialogue: 0,0:07:44.64,0:07:46.56,Default,,0000,0000,0000,,that we found the event
Dialogue: 0,0:07:46.56,0:07:49.36,Default,,0000,0000,0000,,that is the delete event and also if you
Dialogue: 0,0:07:49.36,0:07:51.04,Default,,0000,0000,0000,,click on details you see what was
Dialogue: 0,0:07:51.04,0:07:52.08,Default,,0000,0000,0000,,deleted
Dialogue: 0,0:07:52.08,0:07:54.80,Default,,0000,0000,0000,,so this is a text document that was deleted
Dialogue: 0,0:07:54.80,0:07:57.28,Default,,0000,0000,0000,,and by whom it was deleted also and this
Dialogue: 0,0:07:57.28,0:07:59.44,Default,,0000,0000,0000,,is the most important thing
Dialogue: 0,0:07:59.44,0:08:02.48,Default,,0000,0000,0000,,so you can see here who deleted the file
Dialogue: 0,0:08:02.48,0:08:06.16,Default,,0000,0000,0000,,if you scroll up it is this user
Dialogue: 0,0:08:06.16,0:08:08.40,Default,,0000,0000,0000,,and you have the time and you have the
Dialogue: 0,0:08:08.40,0:08:10.32,Default,,0000,0000,0000,,file and you have all the information
Dialogue: 0,0:08:10.32,0:08:11.20,Default,,0000,0000,0000,,you need
Dialogue: 0,0:08:11.20,0:08:13.68,Default,,0000,0000,0000,,but as you noticed it writes lots of
Dialogue: 0,0:08:13.68,0:08:14.40,Default,,0000,0000,0000,,events
Dialogue: 0,0:08:14.40,0:08:16.32,Default,,0000,0000,0000,,so now you have to make a compromise
Dialogue: 0,0:08:16.32,0:08:17.68,Default,,0000,0000,0000,,between selecting
Dialogue: 0,0:08:17.68,0:08:21.12,Default,,0000,0000,0000,,one user only to audit or a small group
Dialogue: 0,0:08:21.12,0:08:21.92,Default,,0000,0000,0000,,of users
Dialogue: 0,0:08:21.92,0:08:24.40,Default,,0000,0000,0000,,or Everyone so if you suspect that your
Dialogue: 0,0:08:24.40,0:08:26.00,Default,,0000,0000,0000,,system is under attack
Dialogue: 0,0:08:26.00,0:08:29.04,Default,,0000,0000,0000,,it's always better to audit the Everyone
Dialogue: 0,0:08:29.04,0:08:29.60,Default,,0000,0000,0000,,group
Dialogue: 0,0:08:29.60,0:08:31.92,Default,,0000,0000,0000,,for a short period of time and you can
Dialogue: 0,0:08:31.92,0:08:33.92,Default,,0000,0000,0000,,always increase the size of the security
Dialogue: 0,0:08:33.92,0:08:35.28,Default,,0000,0000,0000,,log in Event Viewer
Dialogue: 0,0:08:35.28,0:08:38.56,Default,,0000,0000,0000,,so that older entries don't get
Dialogue: 0,0:08:38.56,0:08:40.56,Default,,0000,0000,0000,,overwritten if you don't see them for a
Dialogue: 0,0:08:40.56,0:08:41.76,Default,,0000,0000,0000,,couple of days
Dialogue: 0,0:08:41.76,0:08:43.76,Default,,0000,0000,0000,,but I don't advise you to keep the
Dialogue: 0,0:08:43.76,0:08:44.88,Default,,0000,0000,0000,,Everyone group
Dialogue: 0,0:08:44.88,0:08:47.52,Default,,0000,0000,0000,,auditing all the time so let me show you
Dialogue: 0,0:08:47.52,0:08:49.12,Default,,0000,0000,0000,,a little bit how to increase
Dialogue: 0,0:08:49.12,0:08:51.52,Default,,0000,0000,0000,,the volume of the security log so here
Dialogue: 0,0:08:51.52,0:08:53.20,Default,,0000,0000,0000,,let me click on close
Dialogue: 0,0:08:53.20,0:08:56.08,Default,,0000,0000,0000,,right click the security log here and
Dialogue: 0,0:08:56.08,0:08:56.88,Default,,0000,0000,0000,,then
Dialogue: 0,0:08:56.88,0:09:00.00,Default,,0000,0000,0000,,click on properties
Dialogue: 0,0:09:00.00,0:09:01.92,Default,,0000,0000,0000,,and then under properties here you can
Dialogue: 0,0:09:01.92,0:09:04.40,Default,,0000,0000,0000,,see you have the maximum log size
Dialogue: 0,0:09:04.40,0:09:07.36,Default,,0000,0000,0000,,so here it's in kilobytes so this is 20
Dialogue: 0,0:09:07.36,0:09:09.92,Default,,0000,0000,0000,,megs so if you want to put it at
Dialogue: 0,0:09:09.92,0:09:13.68,Default,,0000,0000,0000,,200 max so just put it here
Dialogue: 0,0:09:13.68,0:09:15.92,Default,,0000,0000,0000,,200 megs so here you have also the
Dialogue: 0,0:09:15.92,0:09:18.40,Default,,0000,0000,0000,,option to overwrite events as needed
Dialogue: 0,0:09:18.40,0:09:21.60,Default,,0000,0000,0000,,meaning if you reach the maximum volume
Dialogue: 0,0:09:21.60,0:09:22.00,Default,,0000,0000,0000,,it will
Dialogue: 0,0:09:22.00,0:09:25.60,Default,,0000,0000,0000,,start overwriting older events and also
Dialogue: 0,0:09:25.60,0:09:27.84,Default,,0000,0000,0000,,you can archive the log when full
Dialogue: 0,0:09:27.84,0:09:30.08,Default,,0000,0000,0000,,or do not overwrite events but clear
Dialogue: 0,0:09:30.08,0:09:31.92,Default,,0000,0000,0000,,logs manually but this will block your
Dialogue: 0,0:09:31.92,0:09:33.20,Default,,0000,0000,0000,,system from working
Dialogue: 0,0:09:33.20,0:09:35.20,Default,,0000,0000,0000,,if the event log reaches the maximum
Dialogue: 0,0:09:35.20,0:09:37.84,Default,,0000,0000,0000,,value and you don't clear it
Dialogue: 0,0:09:37.84,0:09:40.00,Default,,0000,0000,0000,,so I advise you to keep it at overwrite
Dialogue: 0,0:09:40.00,0:09:43.60,Default,,0000,0000,0000,,events as needed and keep it like this
Dialogue: 0,0:09:43.60,0:09:46.88,Default,,0000,0000,0000,,and let's click ok here so it's only
Dialogue: 0,0:09:46.88,0:09:47.76,Default,,0000,0000,0000,,telling me that
Dialogue: 0,0:09:47.76,0:09:51.20,Default,,0000,0000,0000,,it will set the nearest multiple of 64k
Dialogue: 0,0:09:51.20,0:09:54.40,Default,,0000,0000,0000,,so I'm gonna click on ok so on top of
Dialogue: 0,0:09:54.40,0:09:55.84,Default,,0000,0000,0000,,accessing each event
Dialogue: 0,0:09:55.84,0:09:58.16,Default,,0000,0000,0000,,and then scrolling to see the next one
Dialogue: 0,0:09:58.16,0:09:59.44,Default,,0000,0000,0000,,you can also
Dialogue: 0,0:09:59.44,0:10:01.68,Default,,0000,0000,0000,,either find an event or filter the events
Dialogue: 0,0:10:01.68,0:10:02.80,Default,,0000,0000,0000,,so let me show you both
Dialogue: 0,0:10:02.80,0:10:05.12,Default,,0000,0000,0000,,very quickly so if you right click on
Dialogue: 0,0:10:05.12,0:10:06.40,Default,,0000,0000,0000,,security here
Dialogue: 0,0:10:06.40,0:10:09.04,Default,,0000,0000,0000,,and then select filter current log and
Dialogue: 0,0:10:09.04,0:10:10.96,Default,,0000,0000,0000,,here you have a bunch of options that
Dialogue: 0,0:10:10.96,0:10:12.80,Default,,0000,0000,0000,,you can choose to find the information
Dialogue: 0,0:10:12.80,0:10:14.24,Default,,0000,0000,0000,,you want
Dialogue: 0,0:10:14.24,0:10:17.12,Default,,0000,0000,0000,,and the second method is to right click
Dialogue: 0,0:10:17.12,0:10:19.44,Default,,0000,0000,0000,,security and then click on find
Dialogue: 0,0:10:19.44,0:10:21.60,Default,,0000,0000,0000,,and here also you can put a string and
Dialogue: 0,0:10:21.60,0:10:22.64,Default,,0000,0000,0000,,try to find it
Dialogue: 0,0:10:22.64,0:10:25.76,Default,,0000,0000,0000,,in the log so that was it I hope you
Dialogue: 0,0:10:25.76,0:10:27.52,Default,,0000,0000,0000,,enjoyed this video and found it useful
Dialogue: 0,0:10:27.52,0:10:28.24,Default,,0000,0000,0000,,if you did
Dialogue: 0,0:10:28.24,0:10:30.40,Default,,0000,0000,0000,,please share it subscribe to my channel
Dialogue: 0,0:10:30.40,0:10:32.00,Default,,0000,0000,0000,,and give this video a thumbs up
Dialogue: 0,0:10:32.00,0:10:36.16,Default,,0000,0000,0000,,until next time thank you for watching
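The three steps the video walks through in the GUI (enable the File System audit subcategory, put an audit entry on a folder, read the Security log, plus raising the log size) can be scripted. The block below is an added PowerShell example written for this page; it is not code from the video or its author. Assumptions not in the video: the folder path ($Folder), that the script runs in an elevated prompt (reading or writing a SACL needs SeSecurityPrivilege), and the Security event IDs it queries (4663 "an attempt was made to access an object" and 4656 "a handle to an object was requested"), which are the IDs Windows writes for file-system auditing but which the video never names. The access-mask decoding uses the documented NTFS access-right bit values.

```powershell
# Added example (not from the video). Run in an elevated PowerShell on
# Windows 10 Pro/Enterprise/Education with an NTFS volume.
$Folder = Join-Path $env:USERPROFILE 'Documents\personal'   # assumed path

# Step 1: Object Access > Audit File System, Success and Failure. This is the
# same setting the video enables under Advanced Audit Policy Configuration.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol.exe /get /subcategory:"File System"

# Step 2: add the SACL entry the Auditing tab creates: Everyone, Full Control,
# Success and Failure, inherited by subfolders and files. Use a narrower
# principal than Everyone if you do not want your own activity logged.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl
(Get-Acl -Path $Folder -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags

# Raise the Security log cap from the 20 MB default to 200 MB (the video's
# "Maximum log size"); the value is rounded to a multiple of 64 KB.
wevtutil.exe sl Security /ms:$(200MB)

# Step 3: decode what the video scrolls to by hand. AccessMask bit values are
# the NTFS file access rights; DELETE (0x10000) is the "delete event".
$AccessNames = [ordered]@{
    0x1     = 'ReadData/ListDirectory'; 0x2     = 'WriteData/AddFile'
    0x4     = 'AppendData/AddSubdir';   0x80    = 'ReadAttributes'
    0x100   = 'WriteAttributes';        0x10000 = 'DELETE'
    0x20000 = 'READ_CONTROL';           0x40000 = 'WRITE_DAC'
}
function ConvertTo-AccessNames([string]$Mask) {
    $m = [Convert]::ToInt64($Mask, 16)           # AccessMask arrives as "0x80"
    $names = foreach ($k in $AccessNames.Keys) { if ($m -band $k) { $AccessNames[$k] } }
    if ($names) { $names -join '|' } else { $Mask }
}

function Get-FolderAuditEvents {
    param([string]$PathPrefix, [int]$MaxEvents = 2000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Keep only events on the audited folder or anything beneath it.
        if ($d.ObjectName -and $d.ObjectName.StartsWith($PathPrefix, 'OrdinalIgnoreCase')) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Outcome = $(if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' })
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Access  = ConvertTo-AccessNames $d.AccessMask
                Process = $d.ProcessName
            }
        }
    }
}

# Who touched the folder, when, how, and whether they got in. Filter out your
# own account if you audited Everyone, as the video warns.
Get-FolderAuditEvents -PathPrefix $Folder |
    Where-Object { $_.User -ne "$env:USERDOMAIN\$env:USERNAME" } |
    Sort-Object Time | Format-Table -AutoSize
```

Failed attempts by a user without permission appear as 4656 records carrying the Audit Failure keyword; successful reads, writes and deletes appear as 4663 records, with the requested right decoded in the Access column. Removing the audit entry afterwards (the video advises not to leave Everyone audited permanently) is the same Get-Acl/Set-Acl sequence with RemoveAuditRule in place of AddAuditRule.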