Anyway to discover who deleted a file?

By glitzyglamgirl
Feb 5, 2009
  1. Hi all

    A collegue of mine had a file deleted from a shared network folder, an excel file, and we believe it was deleted on purpose by someone wanting to cause problems.

    We have checked recycle bin and performed an extensive search - the file is gone, and she definitely did not delete it accidentally.

    What I would like to know is, is there anyway of recovering the file without 3rd party software (unable to dl and install anything on the works system), and is there anyway to discover who deleted it...or at the least, which pc on the network it was accessed and deleted from? The file itself can be re-recreated, so its not recovering the data that is the main issue...mainly finding out who deleted it.

    Any adivce appreciated, and apologies if this in the wrong seemed like the best fit!

    Thanks x
  2. raybay

    raybay TS Evangelist Posts: 7,241   +10

    There are ways to recover it until that space is overwritten. And forensics experts can tell when it was done and who was online at the time, but you will likely be unable to do so.
    If you have a good administrator for the system, that administrator can narrow it down to who was online... but that depends on your security system and administrator.
  3. jobeard

    jobeard TS Ambassador Posts: 11,168   +986

    adding auditing

    hum; your request to track WHO did what, is a setting in the AUDITing section
    of the NTFS settings for the directory.

    WARNING: This level can create MASSIVE log files and you need to review / post process
    them to find what has occurred. Use Google to find tools to filter the logs for the events you want to see.

    Adding detail Logging

    using an ADMIN login, locate the directory to be audited and open the PARTENT;
    \Documents and Settings\All Users\Shared Documents​
    \Documents and Settings\All Users​
    right-click on Shared Documents->Properties->click Security
    Click the Security Tab and then the Advanced button at the bottom

    Click the Auditing Tab
    clear the check boxes at the bottom
    click ADD button
    enter EVERYONE and click Check Names; click ok

    now set the following permissions
    create Files/write data
    create Folders / append data
    delete subfolders and files
    change perms
    take Ownership​
    click the box for Apply to objects & containers within
    click ok
    now click APPLY
    click ok twice to close

    Now you can see these events using
    under the Security Events

    an annotated sample is attached (it is in LIFO Order; oldest at the bottom)

    Attached Files:

Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...