TrimIdeas / Audit changed or deleted files in Windows Server 2008 R2 or newer.ps1
Last active March 27, 2023 04:45
Audit changed and deleted files on Server 2008 R2, 2012, and 2012 R2
# Version 1.2 :: This script reads offline event logs, oldest to newest, bottom to top.
# See http://www.trimideas.com/2015/04/auditing-changed-deleted-files.html for instructions.
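# Offline logs live under $LogPath and reports are written to $ReportPath.
# Both must end in "\" because the file names below are appended by string concatenation.
$LogPath = "C:\Event_Logs\"
$ReportPath = "C:\Audit\File-Audit-Reports\"
# Date stamps used to build unique file names (weekday, month, day, 12-hour time with AM/PM).
$Formatted_Date = (Get-Date -UFormat "%A-%B-%d-at-%I-%M-%S%p")
$ZipName = "Security-Events-for-" + (Get-Date -UFormat "%A-%B-%d") + ".zip"
$Report_in_CSV = $ReportPath + "Audit of changed files on " + $Formatted_Date + ".csv"
$Truncated_Log_Path = $LogPath + "Archive-Security_on_" + $Formatted_Date + ".evtx"
# .Date gives exactly 00:00:00.000 today; -Hour 0 -Minute 0 -Second 0 would keep the current milliseconds.
$Today_Midnight = (Get-Date).Date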