Any way to discover who deleted a file?

Status
Not open for further replies.

glitzyglamgirl

Hi all

A colleague of mine had a file deleted from a shared network folder, an Excel file, and we believe it was deleted on purpose by someone wanting to cause problems.

We have checked recycle bin and performed an extensive search - the file is gone, and she definitely did not delete it accidentally.

What I would like to know is, is there any way of recovering the file without 3rd party software (unable to dl and install anything on the work's system), and is there any way to discover who deleted it...or at the least, which PC on the network it was accessed and deleted from? The file itself can be re-created, so it's not recovering the data that is the main issue...mainly finding out who deleted it.

Any advice appreciated, and apologies if this is in the wrong section..it seemed like the best fit!

Thanks x
 
There are ways to recover it until that space is overwritten. And forensics experts can tell when it was done and who was online at the time, but you will likely be unable to do so.
If you have a good administrator for the system, that administrator can narrow it down to who was online... but that depends on your security system and administrator.
 
adding auditing

hum; your request to track WHO did what, is a setting in the AUDITing section
of the NTFS settings for the directory.

WARNING: This level can create MASSIVE log files and you need to review / post process
them to find what has occurred. Use Google to find tools to filter the logs for the events you want to see.


Adding detail Logging

using an ADMIN login, locate the directory to be audited and open the PARENT;
\Documents and Settings\All Users\Shared Documents
open
\Documents and Settings\All Users
right-click on Shared Documents->Properties->click Security
Click the Security Tab and then the Advanced button at the bottom

Click the Auditing Tab
clear the check boxes at the bottom
click ADD button
enter EVERYONE and click Check Names; click ok

now set the following permissions
create Files/write data
create Folders / append data
delete subfolders and files
delete
change perms
take Ownership
click the box for Apply to objects & containers within
click ok
now click APPLY
click ok twice to close

Now you can see these events using
run->Eventvwr.msc
under the Security Events

an annotated sample is attached (it is in LIFO Order; oldest at the bottom)
 

Attachments

  • SystemAudit.log.txt
    6.9 KB · Views: 7
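
The same audit entry applied from PowerShell, followed by a query of the Security log for deletions, as an added example that is not part of the original thread. It assumes Windows Vista / Server 2008 or later (event IDs 4663 and 4624), that "Audit object access" is enabled in the audit policy (without it the audit entry produces no events), and the folder from the post on an assumed C: drive; `Get-EventFields` is a helper name introduced here.

```powershell
# Added example; run from an elevated PowerShell session on the machine hosting the share.
# Assumptions: Windows Vista / Server 2008 or later (event IDs 4663 and 4624),
# "Audit object access" enabled in the audit policy, folder from the post on an assumed C: drive.
$folder = 'C:\Documents and Settings\All Users\Shared Documents'

# 1. Add the audit entry the post sets in the GUI: Everyone, the six listed rights,
#    applied to this folder, its subfolders and its files (successful accesses only).
$rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList 'Everyone', $rights, $inherit, $prop, $flags
$acl = Get-Acl -Path $folder -Audit      # -Audit loads the SACL in addition to the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Helper (name introduced here): turn an event's <EventData> into a name -> value hashtable.
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# 2. Index logon events (4624) by logon ID so an access can be tied to a source address.
$logons = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
    ForEach-Object { $f = Get-EventFields $_; $logons[$f.TargetLogonId] = $f.IpAddress }

# 3. Report object-access events (4663) under the folder whose access mask includes DELETE (0x10000).
#    DELETE access is also exercised by renames and moves, so check the file name and time.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        $mask = [Convert]::ToInt32($f.AccessMask, 16)
        if (($mask -band 0x10000) -and $f.ObjectName -like "$folder\*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
                File    = $f.ObjectName
                Source  = $logons[$f.SubjectLogonId]   # "-" or loopback for local logons
            }
        }
    }
```

Auditing only records accesses made after the entry is in place, so it cannot identify who deleted a file before it was enabled.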