unorganized files

Detect File Movement Inside A Folder Tree

Using GAT+ you can see when and where files were moved inside a folder tree structure. This is useful for an investigation for a particular file inside a folder structure.

Launch GAT+, then navigate to Drive audit, Files tab.

Click on the Apply Custom filters button, select Simple filter and search by File ID equal “XXXXX”

When the result is displayed you can select “Show contents of this folder and its subfolders”.
This will take you inside the folder but simultaneously expand all of the subfolders open to be viewed.

There’s an alternative way of going inside a folder and showing the contents of its subfolders.
Click on the Apply Custom filter button and change the filter type from Simple filter to a Folder / Shared drive search, add the File ID and check the Recursive box before applying the filter.


NOTE: The methods of searching are different but the results are the same.

When the results are being displayed in the Files tab and you are successfully inside the folder tree and subfolders are recursively displayed.
Select the Events tab. The filtered search and criteria will be passed to the Events tab so that we can analyze the activity of events inside the folder.

Now that you’re in the Events tab, use the Apply custom filter button again, to set some additional conditions

Changed the Type of filter to Filtered File Search so the event scope is applied for the whole search from the Files tab. By default, it is set to Selected Page Search which will show you event scope activity of the first page from the Files tab which could be a fraction of the results.

In the Definition area, select the Event operator and equal it to Move, then Apply the filter.

When the result is displayed. You can select the “Columns visibility” and change it to show the Source and Destination location. 

The result will be displayed just as below.

And lastly, you can export the results to a Google Spreadsheet or CSV.

Now you have a report that shows you wherever and whenever files were moved to or from the folder tree we are investigating.