KBI 311729 Issue Addressed: File Audit Report Does Not Show Entry For File Or Folder Renaming

Version

Argent Advanced Technology 5.1A-1810-B and below

Date

Thursday, 31 January 2019

Summary

Renaming an existing file creates a report entry stating that the original file name was deleted; the entry contains no reference to the new file name and no indication that the file was renamed

In this example, the file ‘COPIED_FILE.txt’ was renamed to ‘COPIED_FILED_RENAMED.txt’

The issue has been addressed in Argent Advanced Technology 5.1A-1901-A

Technical Background

File audit reports rely on the file audit Events in the Windows Security log

Windows generates audit Events based on Win32 API calls

The user’s file renaming operation is actually accomplished by deleting the original file entry from the NTFS Master File Table (MFT), then adding the new file name entry to the MFT

That is why there is one Event about file deletion and one Event about folder modification

Argent Advanced Technology 5.1A-1901-A has been enhanced to detect this Event sequence and replace it with a single file-renaming audit entry
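
The correlation described above can be sketched as follows. This is an added example, not Argent's code: the record layout, the two-second window and the same-user/same-process pairing rule are assumptions, the sample records are constructed, and only the two access-mask values (DELETE and WriteData, as carried by Security Event 4663) are standard Windows values. The new file name is not recovered here because the simplified records do not carry it.

```python
import ntpath
from datetime import datetime, timedelta

DELETE, WRITE_DATA = 0x10000, 0x2   # access-mask bits carried by Security Event 4663
WINDOW = timedelta(seconds=2)       # assumed pairing window, not a documented value

# Constructed sample records (simplified fields, not real log output).
SAMPLE = [
    {"time": "2019-01-31T10:00:00", "user": "alice", "pid": 1184,
     "path": r"C:\Share\COPIED_FILE.txt", "mask": DELETE},
    {"time": "2019-01-31T10:00:00", "user": "alice", "pid": 1184,
     "path": r"C:\Share", "mask": WRITE_DATA},
    {"time": "2019-01-31T10:05:00", "user": "bob", "pid": 2260,
     "path": r"C:\Share\old.log", "mask": DELETE},
    {"time": "2019-01-31T10:05:01", "user": "carol", "pid": 3012,
     "path": r"C:\Share", "mask": WRITE_DATA},
]

def _when(ev):
    return datetime.fromisoformat(ev["time"])

def collapse_renames(events, window=WINDOW):
    """Fold a file deletion plus a matching parent-folder write into one 'renamed' row."""
    evs = sorted(events, key=_when)
    paired, used = set(), set()   # delete indexes that matched / folder writes consumed
    for i, d in enumerate(evs):
        if not d["mask"] & DELETE:
            continue
        parent = ntpath.dirname(d["path"]).lower()
        for j, w in enumerate(evs):
            if (j != i and j not in used and w["mask"] & WRITE_DATA
                    and w["path"].lower() == parent
                    and (w["user"], w["pid"]) == (d["user"], d["pid"])
                    and abs(_when(w) - _when(d)) <= window):
                paired.add(i)
                used.add(j)
                break
    report = []
    for i, ev in enumerate(evs):
        if i in used:
            continue              # already represented by the rename row
        action = ("renamed" if i in paired
                  else "deleted" if ev["mask"] & DELETE else "folder modified")
        report.append((ev["time"], ev["user"], action, ev["path"]))
    return report

if __name__ == "__main__":
    for row in collapse_renames(SAMPLE):
        print(*row)
```

A deletion with no matching folder write stays a deletion, and a folder write by a different user is reported on its own rather than being absorbed into someone else's rename.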

Resolution

Upgrade to Argent Advanced Technology 5.1A-1901-A or above