also @ TechSpot: AMD Radeon HD 7770 & Radeon HD 7750 Review
Welcome to the TechSpot OpenBoards. Please read the FAQ if you have any questions. Sign up or Login to participate.
Go Back   TechSpot OpenBoards > Hardware > Storage and Networking
Reload this Page Anyway to discover who deleted a file?

Collaborate in the cloud with Office, Exchange, SharePoint, and Lync

Anyway to discover who deleted a file?
Thread Tools Search this Thread
  #1  
Old 02-05-2009
Newcomer, in training
  
Member since: Aug 2005, 25 posts
Anyway to discover who deleted a file?
Hi all

A collegue of mine had a file deleted from a shared network folder, an excel file, and we believe it was deleted on purpose by someone wanting to cause problems.

We have checked recycle bin and performed an extensive search - the file is gone, and she definitely did not delete it accidentally.

What I would like to know is, is there anyway of recovering the file without 3rd party software (unable to dl and install anything on the works system), and is there anyway to discover who deleted it...or at the least, which pc on the network it was accessed and deleted from? The file itself can be re-recreated, so its not recovering the data that is the main issue...mainly finding out who deleted it.

Any adivce appreciated, and apologies if this in the wrong section..it seemed like the best fit!

Thanks x
  #2  
Old 02-05-2009
TechSpot Evangelist
  
Location: Four Corners, US
Member since: Dec 2006, 10,622 posts
There are ways to recover it until that space is overwritten. And forensics experts can tell when it was done and who was online at the time, but you will likely be unable to do so.
If you have a good administrator for the system, that administrator can narrow it down to who was online... but that depends on your security system and administrator.
  #3  
Old 02-06-2009
jobeard's Avatar
TechSpot Ambassador
  
Location: Southern Calif.
Member since: Apr 2005, 10,836 posts
adding auditing
hum; your request to track WHO did what, is a setting in the AUDITing section
of the NTFS settings for the directory.

WARNING: This level can create MASSIVE log files and you need to review / post process
them to find what has occurred. Use Google to find tools to filter the logs for the events you want to see.

Adding detail Logging

using an ADMIN login, locate the directory to be audited and open the PARTENT;
\Documents and Settings\All Users\Shared Documents
open
\Documents and Settings\All Users
right-click on Shared Documents->Properties->click Security
Click the Security Tab and then the Advanced button at the bottom

Click the Auditing Tab
clear the check boxes at the bottom
click ADD button
enter EVERYONE and click Check Names; click ok

now set the following permissions
create Files/write data
create Folders / append data
delete subfolders and files
delete
change perms
take Ownership
click the box for Apply to objects & containers within
click ok
now click APPLY
click ok twice to close

Now you can see these events using
run->Eventvwr.msc
under the Security Events

an annotated sample is attached (it is in LIFO Order; oldest at the bottom)
Attached Files
File Type: txt SystemAudit.log.txt (6.9 KB, 7 views)
Last edited by jobeard; 02-06-2009 at 02:55 PM.. Reason: note log order
Closed Thread

Similar Topics
Topic Replies Forum
Startup file deleted 2 Windows OS
File still on computer after deleted from recycle bin 1 Windows OS
Deleted the PST file under outlook folder - help 2 Software Apps
File: rundll32.exe deleted - How do I get it back? 3 Windows OS
Deleted file recovery? 3 Storage and Networking

Thread Tools Search this Thread
Search this Thread:

Advanced Search
All times are GMT -4. The time now is 02:35 PM.