Recovering data and information on Win 2000 server.

I have a Windows 2000 server PDC network that one of my users quit and erased all of their files loaded on the server.  What kind of accounting information can I find to be able to tell when the files were deleted and by what user and what time?  The former employee did a lot of damage and we need to have this information.  Thanks.
oBdA Commented:
No way, sorry. As I said, if you have a daily backup, you can roughly determine the time of deletion by checking when the files started missing in the backups. Otherwise, without auditing enabled, Windows does not keep a record of who deleted what, where, and when. It's just an entry in the file table that gets removed.
I am not familiar with Win 2000, but I suspect there is a folder with log files somewhere.
If you haven't enabled auditing on the machine and the folder in question prior to the event, there's pretty much nothing you can do to find out who deleted what when. Windows by itself doesn't log deletion or creation of files unless told so.
The only option to find out which files were deleted is restoring a backup of the folder in question to another location, then compare the contents of the deleted folder with the restored folder.
Lee W, MVP, Technology and Business Process Advisor Commented:
I concur with oBdA - unless you previously enabled auditing for file access, there is no way I've ever heard of to get your data back.  You can, of course, yank the drive(s) from the system and send them to a data recovery service, like OnTrack - but that would be my only suggestion - and there's no guarantee they will be able to recover the data or give any information on who deleted the files and/or when.
johnpatbullock (Author) Commented:
I've recovered my data, my problem is I want to be able to tell when the files were deleted and by whom.  I checked and auditing was not turned on.  Is there any other way to tell?  Are there any third-party applications that I can use that will tell me?
kelo501 Commented:
The only way I can think of is to look at your backups and note when the files were no longer being backed up.  That will put you at 24 hours...  Then compare the users with full control/modify permissions on the directory/files in question.  By default logons are logged on the DC.

Now you can reference:
deletion date
users with permissions
users logged on during relevant time frame.

That in no way tells you who did it but would confirm if the person suspected was able to do it.  It will also help you correct your security policy to prevent it from happening again.


Did that help you sort it out at all?

If you need any help setting either the Default domain or local security policies for logging let me know.

In addition there is a product called spectorCNE by spector software that provides for some really great user watching.

thanks hewittg
Question has a verified solution.
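
The narrowing procedure from the thread (deletion date from the backups, users with permissions, users logged on during that time frame), as an added example that is not part of the original posts. The manifest, permission and logon-record structures, and every path, account name and timestamp, are constructed assumptions; real input would come from backup catalogs, the folder's ACL and exported logon records.

```python
from datetime import datetime

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def deletion_window(manifests, path):
    """manifests maps backup time -> set of paths in that backup.
    Returns (last backup containing path, first backup missing it), or None
    if the path never disappeared. A later restore does not hide the gap."""
    last_seen = None
    for taken in sorted(manifests):
        if path in manifests[taken]:
            last_seen = taken
        elif last_seen is not None:
            return last_seen, taken
    return None

def candidates(window, writers, sessions):
    """Accounts that held modify/full control AND had a logon session
    overlapping the window. A logoff of None means no logoff was recorded,
    so the session is treated as still open."""
    start, end = window
    return sorted({user for user, logon, logoff in sessions
                   if user in writers and logon < end
                   and (logoff is None or logoff > start)})

# Constructed sample data (not from the thread).
Q1 = r"D:\Shares\Sales\q1.xls"
PLAN = r"D:\Shares\Sales\plan.doc"
MANIFESTS = {
    ts("2004-03-01 23:00"): {Q1, PLAN},
    ts("2004-03-02 23:00"): {Q1, PLAN},
    ts("2004-03-03 23:00"): {PLAN},        # q1.xls gone from this backup
    ts("2004-03-04 23:00"): {Q1, PLAN},    # restored by the admin afterwards
}
WRITERS = {"jsmith", "mlee", "backupsvc"}  # modify/full control on the folder
SESSIONS = [
    ("jsmith", ts("2004-03-03 08:55"), ts("2004-03-03 17:10")),
    ("mlee", ts("2004-03-01 09:00"), ts("2004-03-01 17:00")),    # before window
    ("guest1", ts("2004-03-03 10:00"), ts("2004-03-03 11:00")),  # no write access
    ("backupsvc", ts("2004-03-01 22:00"), None),                 # never logged off
]

if __name__ == "__main__":
    window = deletion_window(MANIFESTS, Q1)
    print("deleted between", window[0], "and", window[1])
    print("accounts able to do it:", candidates(window, WRITERS, SESSIONS))
```

The result is a list of accounts that could have made the deletion, not proof of who did; service accounts with open sessions appear in it too and have to be ruled out separately.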
