Sysmon and File Deletion

Published: 2020-05-04. Last Updated: 2020-05-04 22:17:03 UTC
by Didier Stevens (Version: 1)
1 comment(s)

A new version of Sysmon was released, with a new major feature: detection of file deletion (with deleted file preservation).

Mark Russinovich explains this in detail in the following video:

So a new event is recorded (ID 23: FileDelete) whenever a file is deleted, and a copy of the deleted file can be preserved inside an archive directory (per volume).

Sysmon will also detect file shredding. I wanted to test this, and of course, I used Sysinternals' own sdelete.

I used the following basic configuration (don't use this on production systems, this will archive all deleted files):

<Sysmon schemaversion="4.30">
  <EventFiltering>
    <FileDelete onmatch="exclude">
    </FileDelete>
  </EventFiltering>
</Sysmon>

With this command: Sysmon.exe -i config.xml -a sysmondelete

Here is the event for the deletion of file.txt (a copy of notepad.exe):

So the file shredding and deletion was detected and reported, but unfortunately, Sysmon did not detect the shredding early enough to be able to preserve the original file. The shredded file contains only 0x00 bytes, and was therefor not archived.

As Mark mentioned in his video, there might be circumstances where deleted files can not be archived. He used a custom tool to show this, so I also made my custom tool do reproduce his examples.

When my custom tool shredded a file byte per byte, Sysmon could not preserve the file prior to shredding. But when my tool shredded file.txt (e.g. notepad.exe) in blocks of 1MB (or smaller if the file itself is smaller than 1MB), then it worked:

The file shredding was detected, and a copy of the intact file was made:

The file deletion was also detected, but since this is now a file filled solely with 0x00 bytes, an archival copy was not made:

Update: A reader experienced problems with removable storage & Sysmon's file deletion preservation (archive folder is created on removable storage too, and kept open -> can not be ejected safely). Mark will address this issue with next update.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

1 comment(s)

Comments

Thank you Didier

Diary Archives