Recovering data and information on Win 2000 server.

Posted on 2004-08-27
Last Modified: 2010-04-14
I have a Windows 2000 server PDC network that one of my users quit and erased all of their files loaded on the server.  What kind of accounting information can I find to be able to tell when the files were deleted and by what user and what time?  The former employee did a lot of damage and we need to have this information.  Thanks.
Question by:johnpatbullock

Expert Comment

ID: 11914104
I am not fimiliar with Win 2000, but I suspect there is a folder with log files somewhere.
LVL 83

Expert Comment

ID: 11914556
If you haven't enabled auditing on the machine and the folder in question prior to the event, there's pretty much nothing you can do to find out who deleted what when. Windows by itself doesn't log deletion or creation of files unless told so.
The only option to find out which files were deleted is restoring a backup of the folder in question to another location, then compare the contents of the of the deleted folder with the restored folder.
LVL 95

Expert Comment

by:Lee W, MVP
ID: 11918776
I concur with oBdA - unless you previously enabled auditing for file access, there list no way I've every heard of to get your data back.  You can, of course, yank the drive(s) from the system and send them to a data recovery service, like OnTrack - but that would be my only suggestion - and there's no guarentee they will be able to recover the data or give any information on who deleted the files and/or when.
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.


Author Comment

ID: 11923702
I've recovered my data, my problem is I want to be able to tell when the files were deleted and by whom.  I checked an auditing was not turned on.  Is their anyother way to tell?  Are their any third party applications that I can that will tell me.  
LVL 83

Accepted Solution

oBdA earned 250 total points
ID: 11925168
No way, sorry. As I said, if you have a daily backup, you can roughly determine the time of deletion by checking when the files started missing in the backups. Otherwise, without auditing enabled, Windows does not keep a record of who deleted what, where, and when. It's just an entry in the file table that gets removed.

Assisted Solution

kelo501 earned 250 total points
ID: 11998379
the only way I can think of is to look at your back ups and note when the files were no longer being backed up.  That will put you at 24 hours...  Then compare the users with, full control/modify permisions on the directory/files in question.  By defult logons are logged on the DC.

Now you can refrence:
deletion date
users with permisions
users logged on durring relavent time frame.

That in no way tells you who did it but would confirm if the person suspected was able to do it.  It will also help you correct your security policy to prevent it from happening again.


Expert Comment

ID: 12022496

Did that help you sort it out at all?

If you need anyhelp setting either the Defult domain or local security policys for logging let me know.

in addtion there is a product call spectorCNE by spector software that provides for so really great user watching.


Expert Comment

ID: 12396897
thanks hewittg

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
In a recent question ( here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question