We have run into a question when trying to find deleted files and the version of SMB the server is using. We can search for “delete” as the method on 2003. But on 2008 and 2012 it no longer comes across as this. Anyone have any thoughts on how to find deleted files? Looking at the raw SMB methods, we see that “SMB2_SET_INFO” comes across as an add, delete, or modify. Any direction on how to segregate them out would be helpful!
UPDATE: Thinking about it, is there any SMB flow data to extract?
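One way to tell the three apart is to look past the command and decode the SET_INFO request body: per MS-SMB2 the FileInfoClass byte says what is being set, and a delete is FileDispositionInformation (class 0x0D) with DeletePending = 1. The parser below is an added example, not code from the post or any product; it assumes the MS-SMB2 wire layout (64-byte header, 33-byte SET_INFO request) and builds its own constructed messages to classify.

```python
import struct

# Constants from MS-SMB2
SMB2_SET_INFO = 0x0011
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on responses
SMB2_0_INFO_FILE = 0x01
FILE_BASIC_INFORMATION = 0x04             # timestamps/attributes -> "modify"
FILE_RENAME_INFORMATION = 0x0A
FILE_DISPOSITION_INFORMATION = 0x0D       # Buffer = 1 byte DeletePending

def classify_set_info(msg: bytes) -> str:
    """Classify one SMB2 message as delete / undelete / rename / modify / other."""
    if msg[:4] != b"\xfeSMB" or len(msg) < 64 + 33:
        return "not-smb2-set-info"
    command = struct.unpack_from("<H", msg, 12)[0]
    flags = struct.unpack_from("<I", msg, 16)[0]
    if command != SMB2_SET_INFO:
        return "not-smb2-set-info"
    if flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return "response"                     # only the request carries the class
    # SET_INFO request: StructureSize, InfoType, FileInfoClass, BufferLength, BufferOffset
    struct_size, info_type, info_class, buf_len, buf_off = struct.unpack_from("<HBBIH", msg, 64)
    if struct_size != 33 or info_type != SMB2_0_INFO_FILE:
        return "other"
    if buf_off + buf_len > len(msg):
        return "truncated"
    if info_class == FILE_DISPOSITION_INFORMATION:
        # DeletePending set -> file removed when last handle closes
        return "delete" if buf_len >= 1 and msg[buf_off] != 0 else "undelete"
    if info_class == FILE_RENAME_INFORMATION:
        return "rename"
    if info_class == FILE_BASIC_INFORMATION:
        return "modify"
    return f"other-class-0x{info_class:02x}"

def build_set_info(info_class: int, payload: bytes) -> bytes:
    """Constructed SET_INFO request (hypothetical ids) for testing the classifier."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_SET_INFO,
                                       1, 0, 0, 7, 0, 1, 0x1234) + b"\x00" * 16
    body = struct.pack("<HBBIHHI", 33, SMB2_0_INFO_FILE, info_class,
                       len(payload), 64 + 32, 0, 0) + b"\x00" * 16  # 16-byte FileId
    return header + body + payload

if __name__ == "__main__":
    print(classify_set_info(build_set_info(FILE_DISPOSITION_INFORMATION, b"\x01")))  # delete
    print(classify_set_info(build_set_info(FILE_RENAME_INFORMATION, b"\x00" * 20)))  # rename
```

In a real capture the same logic applies to each SET_INFO request after TCP reassembly, and compounded (NextCommand != 0) messages need to be split first.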