Netwrix Auditor enables you to easily detect and investigate malicious or erroneous file deletions on your Windows file servers, EMC storage devices and NetApp filers. However, you must have already enabled auditing, and the process of searching through Windows event log for deleted files can be quite cumbersome: You’ll have to open each event in the list to find the details, such as the name of the person who deleted the file and the time of the event. Microsoft provides a native method to audit file deletions on Windows file servers.
Moreover, without proper file deletion auditing and access permission change auditing, it’s impossible to hold users accountable for their actions and prevent further unauthorized deletions. If a file on a server in your domain is deleted, either maliciously or by mistake, users may be unable access critical information they need, causing important business processes to come to a halt. The "Subject: Security ID" field will show who deleted each file.