How to Restore Deleted Files

Admins, did you know Google now lets you restore deleted files?

This really useful facility is now available under the Admin panel, Manage User Accounts section.

Here are the general rules …

  • You can restore files for one user at a time on each user’s page.
  • You can select a date range to restore files from up to 25 days ago.

  • If a user provides others with access to any Drive item, when you restore that item, the access is not restored. The user can re-enable access as needed.

Unfortunately, the restoration tool is a little broad, allowing you only to select a date range for each user.

GAT can help you locate the files you need, confirm that they were there in the first place and were not just a share, and greatly narrow the date range you might need to look at.

The metadata for deleted files can be found with a simple search in GAT+.

From the day you installed GAT, it has been tracking not only the files in ‘Trash’ but also all files removed from ‘Trash’. Until now, files removed from Trash were permanently deleted; however, GAT has always kept their metadata records for you to search.

When you click “Show stats for current filter”, the file count is shown as 0. Mind you, the count is only ‘0’ because by default the search is always on ‘Docs not deleted’, which means that in this positive search ‘files deleted’ is always zero.

Looking at all deleted files helps you identify who actually owned the missing files, something that is not always apparent to users of Google Drive. The Last Updated date helps you identify the date they were deleted.

How to Restrict the Audit Tool Use to a Select Few

Auditing for all Org Units (only affects domains with GAT in a sub-OU)

In the beginning, Google recommended that to restrict app use to a select few, you should create an OU for those chosen to run the app and then make the app available only to those in that OU. General Audit Tool followed this procedure and this was our recommended method of restricting GAT access. With the arrival of OAuth2, applications in sub-OUs only have authority for some audit features over the users in that sub-OU. This is impacting GAT’s ability to report domain-wide. To solve this problem we recommend you set the following.

For GAT+ to work properly and allow the Admin to audit their domain, we recommend that GAT be installed domain-wide and that full access be granted.

This will enable auditing of all users on the domain for details like Google+, Drive, Email etc.
The access to the tool can be restricted by following the steps below.

On the GAT homepage (Old UI), select the ‘Configure GAT’ option.

Then at the bottom of this configuration tick the box under ‘Restrict GAT users’ and ‘Save’.

GAT will now only be available to Super Admins, security officers and delegated auditors. If you had GAT in a sub-OU, then in Google Admin panel you should move GAT from the sub-OU (‘/auditors’ for example) to the root OU (i.e. ‘/’). See here for more details.

See here to learn about Delegated Audits to auditors who are not Admin staff.

How to silently copy or view files

We are going to use a powerful search feature inside the GAT+ Drive audit to identify the contents of documents we’re going to investigate. This feature is called the ‘File content text search’. It allows admins and delegated auditors to use a word or sentence to search through all of the files across the domain and to return the documents which contain it.

Step 1: Click on the ‘Apply custom filter’ button.

Step 2: Enter the word or sentence to return files which contain it. Select the user account you want to search through. You can leave this field blank to search your entire domain’s Drive, or enter a user, Google Group or Org Unit to search through them only.

You can also use multiple rules in the definition section of the Apply custom filter. I used the Updated search parameter. Once you click on the Apply button the search will begin.

It will take a few minutes depending on how many files you have across your domain.

Step 3: Select the files you are interested in. Remember that these files contain the sentence “private and confidential”.

Step 4: Click on the ‘Files operation’ button and then select ‘Access permissions granted’.

Step 5: Next we will select a date in the future; we will have access to these files until this date. You have the option to write to your Security Officer explaining why you need access to these files.

Send the request to the Security Officer(s) for approval.

The following email will be sent to the Security Officer.

The Security Officer can click on the link in the email and will be taken to the approval area (Grant) in GAT+.

When the Security Officer grants access, an email will be sent to the requesting Administrator/delegated auditor informing them. From the ‘Access permission granted’ menu, the Administrator can see the full list of their access requests along with the time left for each request to remain valid.

Once the request is selected, the requestor can download documents or view the contents silently without the owners’ awareness.

GAT Search Choices Explained

New Filters

One of the key features of GAT+ is its very powerful Drive audit search capability. Its power comes from its ability to use so many search operators and parameters to find files based on a multitude of different aspects of their metadata. Navigating through Drive audit you will notice how quickly the data loads.

We have even dedicated an entire post to talk about powerful things you can do from the Drive Audit list.

Let us examine the options in detail.

Title – Can be the file name or any part of the name.

Note: GAT remembers document name history, so if someone renames a document GAT will return matches against the new and old names.

File ID – Is the ID for the file in question.

All files have an ID which can be found in the URL of the file or in GAT+ you can click on the title which will display the full ID.

MimeType – MIME stands for Multi-purpose Internet Mail Extensions. MIME types form a standard way of classifying file types on the Internet.

Here are a few examples:

  • image/png
  • video/mp4
  • application/pdf
  • audio/wav
  • text/css

Flags – State conditions applied to files.

  • Restricted – Whenever the file is prevented from being downloaded, printed or copied.
  • Editors can’t share – This flag is self-explanatory and refers to files not being able to be shared by editors.
  • Team Drive Extra ACLs – Some files within Team Drives might have additional sharing settings, for example, a TD file can be shared out with a link.
  • ACLs Changed – ACLs Changed is set when a super admin makes some changes through GAT+ (e.g. remove editor/reader, change owner etc.)
  • Title Truncated – Some files have reaaaaaaaaaaaaaaaaally long file names and we’re forced to truncate them so that they can be indexed.
  • Incomplete data – When changes are made to some files using GAT Unlock the data in the database can be out of date.

Sharing Flags – This flag covers all of the scenarios in which a file can be exposed.

Anyone in Domain – Anyone within your domain (myOrganisation.com)

Quota Bytes – This parameter refers to the size of the files. Native Google files do not display any size details but all non-Google files do. This parameter takes bytes. For example:

1 Kilobyte = 1024 bytes

1 Megabyte = 1048576 bytes

1 Gigabyte = 1073741824 bytes

The below example will return all files greater than 1 Gigabyte:

Type – The most popular file type extensions are shown with this search parameter.

Users – Anyone who is an Owner, Editor or Reader of a file. Can also be entered as a regular expression.

Owner – Anyone who is the owner of a file. This can be a full email address or a partial address. For example, to find all files owned by joe@gmail.com, you can select the following:

Owner equal joe@gmail.com or Owner contains (case insensitive) joe

You can also use contains (case insensitive) to find all files owned by Gmail accounts, for example:

Owner contains (case insensitive) gmail.com

Editors – Anyone who is the editor of a file. Same search criteria as ‘Owners’.

Readers – Anyone who is the viewer of a file.

Created – When a file was created/uploaded into Google Drive.

Updated – The updated date field changes whenever certain actions are taken. Please see below:

  • File permission changes (adding/removing editors or readers, adding/removing an internal or public share)
  • A file has been edited
  • A file’s name has changed

Updated is NOT changed whenever:

  • A user is viewing a file.
  • A user is moving a file (surprisingly!).

Advanced Filters

Full Content Search

In the Advanced Filters, select ‘Full Content Search’ (by default ‘Simple Filter’ is ON). ‘Full Content Search’ allows you to find files which contain specific words or sentences, even in images and/or videos, using Google’s OCR (Optical Character Recognition) technology.

Examples:

“Credit Card” – This will return files which contain exactly this sentence.

Credit Card without the quotation marks will return files which contain the words Credit and/or Card. If you don’t specify a scope by entering a user, Google Group or Org Unit, it will by default return the files which contain the query for all non-deleted and non-suspended users.

Title / Description Search

Title / Description Search queries are performed using only file metadata, that is, only the text columns presented in the Drive result table. Contents are not considered. This is a very fast method of finding files using their title or description.

Example 1: The following example finds all file records containing ANY of the terms “java”, “shop” and “coffee” within a file’s title or description.

Example 2: You can also search for exact phrases by wrapping them in double quotes. For example, the following finds all records containing “java” or “coffee shop”:

Example 3: To exclude a word, you can prepend a hyphen “-” character. For example, to find all file records containing “java” or “shop” but not “coffee”, use the following:

Sorting by text score

GAT returns results in unsorted order by default. However, Title / Description queries compute a relevance score for each record that specifies how well a record matches a query.

Also, each text column has a weight which denotes the significance of this column relative to the other ones in terms of a text search score. The order of importance is:

title (10), description (5), owner (4), organizers (4), writers (3), readers (1)

For each column, GAT multiplies the number of matches by the weight and then sums the results. Using this sum, GAT then calculates a score for a record.
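The query rules from Examples 1 to 3 and the weighted sum described above can be sketched as follows. This is an added example, not GAT+ code: the tokenising, the whole-word matching, the query strings and the use of the weighted sum directly as the score are assumptions, since the page does not say how the final score is derived from the sum.

```python
import re

# Column weights as listed on this page.
WEIGHTS = {"title": 10, "description": 5, "owner": 4,
           "organizers": 4, "writers": 3, "readers": 1}

def parse_query(query):
    """Split a query into (included terms/phrases, excluded terms)."""
    include, exclude = [], []
    # A token is an optional '-', then a "quoted phrase" or a bare word.
    for neg, phrase, word in re.findall(r'(-?)(?:"([^"]+)"|(\S+))', query):
        (exclude if neg else include).append(phrase or word)
    return include, exclude

def count_matches(term, text, case_sensitive):
    """Count whole-word (or whole-phrase) occurrences of term in text."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return len(re.findall(r"(?<!\w)" + re.escape(term) + r"(?!\w)", text, flags))

def weighted_sum(record, query, case_sensitive=False):
    """Weighted match sum for one record, or None if it does not match."""
    include, exclude = parse_query(query)
    total = 0
    for column, weight in WEIGHTS.items():
        text = record.get(column, "")
        if any(count_matches(t, text, case_sensitive) for t in exclude):
            return None                       # an excluded word is present
        total += weight * sum(count_matches(t, text, case_sensitive)
                              for t in include)
    return total or None                      # ANY included term must match

def search(records, query, case_sensitive=False, sort_by_score=False):
    """Return (score, title) pairs; unsorted unless sort_by_score is set."""
    hits = [(weighted_sum(r, query, case_sensitive), r["title"]) for r in records]
    hits = [h for h in hits if h[0] is not None]
    if sort_by_score:
        hits.sort(key=lambda h: h[0], reverse=True)
    return hits

# Constructed sample records (not real GAT+ data).
RECORDS = [
    {"title": "Java notes", "description": "java basics", "owner": "ann@example.com"},
    {"title": "Coffee shop menu", "description": "prices", "owner": "bob@example.com"},
    {"title": "Shop rota", "description": "coffee break cover", "owner": "ann@example.com"},
]

if __name__ == "__main__":
    # Constructed queries in the style of Examples 1 to 3.
    for q in ('java shop coffee', 'java "coffee shop"', 'java shop -coffee'):
        print(q, "->", search(RECORDS, q, sort_by_score=True))
```

With the sample records, a title hit outweighs a description hit, so “Coffee shop menu” (two title matches) ranks above records that match once in the title and once in the description.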

To sort results in order of relevance score, you must enable the following option:

It’s disabled by default.

Case Sensitivity

Terms queries are case insensitive by default. You can make them case sensitive by enabling this option:

It’s disabled by default.

Note also that both the options (case sensitive and sort by text score) can be combined:


Additional Resources

‘Copy this Folder’ Feature

GAT+ has introduced a very powerful feature as part of its ‘Unlock’ feature set.

‘Copy this folder’ allows Admins, with the permission of a Security Officer, to make a copy of any folder which any user on the Admin’s domain owns or has edit access to. The folder can be any part of the folder tree. Even external folders, shared-in, can now be copied, as long as a local user has edit access rights.

Who Read What Document and When?

This question comes up from time to time and GAT makes it easy to find the detailed answer.

First, we find all the documents the person has read (or ‘viewed’).
To achieve this we navigate to the Drive audit in GAT+. We select the Event tab, then we apply a custom filter.
For the search we enter the email address of the person we’re interested in, then pick “View” as the event type (you can select different options such as download, upload, print, created).
You can select a date parameter to narrow down your search results (if you don’t set a date, it will scan by user and event type and find every document ever read by that person).

The example in the screenshot below will display all events (view) by the user in the past 29 days (since the start of month).

However, we can refine this further…

Let’s exclude files where this user is also the owner of those files because we are only interested in files this user viewed which are not his own.

To do this, export the results. This will create a spreadsheet where we can edit the owner tab to exclude the person you are currently searching for.

The result you get is all the documents visited by the subject, excluding the files he owns.
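The same refinement can be scripted against the exported sheet instead of editing it by hand. The following is an added example, not part of GAT+: the column names and the sample rows are hypothetical and constructed, so adjust them to match your own export.

```python
import csv
import io
from datetime import datetime

# Constructed export; the column names are hypothetical, adjust to your sheet.
SAMPLE_EXPORT = """\
Date,User,Event,Title,File ID,Owner
2019-03-04T09:15:00,joe@example.com,View,Payroll Q1,FILE-A,hr@example.com
2019-03-04T09:40:00,joe@example.com,View,My notes,FILE-B,Joe@example.com
2019-03-11T16:02:00,joe@example.com,View,Payroll Q1,FILE-A,hr@example.com
2019-03-12T11:30:00,joe@example.com,Download,Board pack,FILE-C,ceo@example.com
2019-03-13T08:05:00,joe@example.com,View,Board pack,FILE-C,ceo@example.com
2019-03-13T08:06:00,amy@example.com,View,Board pack,FILE-C,ceo@example.com
"""

def views_of_others_files(export_csv, subject, event="View", since=None):
    """Per file the subject does not own: title, owner, count, first/last event.

    `since` is an optional ISO date or datetime string (e.g. "2019-03-10").
    """
    subject = subject.strip().lower()
    cutoff = datetime.fromisoformat(since) if since else None
    files = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["User"].strip().lower() != subject or row["Event"] != event:
            continue
        # Addresses are compared case-insensitively so "Joe@" equals "joe@".
        if row["Owner"].strip().lower() == subject:
            continue                      # drop the subject's own files
        when = datetime.fromisoformat(row["Date"])
        if cutoff is not None and when < cutoff:
            continue
        entry = files.setdefault(row["File ID"], {
            "title": row["Title"], "owner": row["Owner"],
            "views": 0, "first": when, "last": when})
        entry["views"] += 1
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return files

if __name__ == "__main__":
    for file_id, info in views_of_others_files(SAMPLE_EXPORT, "joe@example.com").items():
        print(file_id, info["title"], info["owner"], info["views"],
              info["first"].isoformat(), info["last"].isoformat())
```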

A follow-on question from this is: how do we create daily/weekly reporting for all or some documents in our domain?

We have a post about how to schedule a daily/weekly report on event activities on files. You can read more about that here:

How to Track Visitors and Editors

First, we have to find the file we would like to check the events for.

Finding the file can be as easy as opening the Drive Audit and then using the “Apply Custom Filter” search option, which allows us to search using various search parameters.

For our example case here:
We select simple filter and just search for the File ID equals to: 1gOUqfrOmAQxULze

(Read this post to learn how to extract “File ID”)

After we find the file, extracting the historical actions performed on the document is as simple as selecting the file and showing its events.

The result will display all events (view, edit and changed-visibility actions) that occurred on the file.

You can also generate a report to show new events associated with the file. It can be scheduled weekly and managers can be notified via email notifications.

The screenshot below displays the view and edit events for a certain file; the report will be generated weekly based on the date parameter we set up.

In this example, a weekly report will be generated showing event types View and Edit for this particular file.

It will run every weekend and the date will be changed automatically to show us only the new information.

How to Find the Space Used on Google Drive

In this post, you will learn how to find used space on your Google Drive.

Using GAT, enter the User Audit, then select “Quota” from the top bar.

Select 'Users'

It will display Quota available for all the users in your domain

It shows all the users and their Google account usage.

  • Quota available for individual users
  • Quota used out of the availability
  • Quota used for Drive only
  • Quota used for Gmail only
  • Quota used for Photos only

Remember you can use “Apply custom filter” to narrow the search down to find individual users, groups, organizational units and so on. Reports can also be generated based on the usage by individual users/groups.

Create a daily report of files shared internally

As super admins, we are interested in what files are shared in or out of our domain, but it can also be quite interesting to see what documents are being shared internally. This is quite easy with GAT+.

In Drive Audit, click on the apply custom filters button.

Select the following search parameters in the filter selection area.

Select 'apply & schedule'

Note: We selected a time period since the files were last updated, in our case since yesterday. Then we schedule the report to run daily.
This report will show us data for all files shared internally within our domain on a daily basis for each previous day going forward.

The date will be changed automatically to run a new search for files shared internally on the next day and so on.

How to Find if the Contents of a Folder Changed

Here is a frequent question we get from our G Suite super admins who use GAT+.

‘I want to know when the contents of a folder change?’ In GAT+ we can automate and set up a scheduled report to give us this information.

Go to Drive Audit and search for the folder you are interested in using the Apply custom filters button.

Select the following search parameters:

  • Make the type of the search equal to a ‘Title / Description Search’
  • Enter the title of the folder into the Terms field.
  • In the Definition area, select the search parameter Type equal Folder and also Owner equal to user’s email address.

Once the folder appears in the Drive result table, click on the drop-down menu next to the title of the folder. Select the option to ‘Show contents of this folder and its subfolders’. Selecting this option will expand the folder completely and all files within its folder tree will be displayed.

Now a search will start. You can refresh the screen to see if the search is complete. Once it’s done, apply the filter.

Once we access the content of the folder we can make another search to find files which have been updated since yesterday. We look back a single day because we want to create a scheduled report which runs daily and shows us files which have been updated in this folder. This report will run automatically each day, and it will update the selected dates and increment them to reflect the new day.

Underneath the Long Search ID parameter, add another rule called Updated after or equal yesterday’s date. Then select the option ‘Scheduled’.

Select 'apply & schedule'

The report will be shared with you via email with a Google spreadsheet attached.

If the spreadsheet contains 0 results, it just means nothing changed in that folder since the previous day.