I've enabled audit logs on several folders on windows server 2003 environment. It records the deleted action on folder and sub-folder.
The problem is I want to make sure, that when I see Delete in Accesses field, it is for certain the user deleted the folder/file.
When replicating the action, it only shows (delete), I'm not sure, what the rest if for.
I filtered the logs to Object Access, Event ID: 560
So My question is, how to determine that the folder/file is indeed was deleted by that user??
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)