How can I find info or a list of all files deleted from a workstation, including those on its network server?

Posted on 2005-04-20
Last Modified: 2010-04-03
Is there a way of finding out when an account user on a desktop workstation using XP deleted a file from a server using a Linux (squid?) fileserver? I have done a recovery of data deleted from the workstation but would like to prove that this workstation was the one used to do a malicious deletion of files and folders on the server.

Thought I would start this question since I am in the middle of sifting through the last 6 months of deleted files recovered on the workstation.

Or would it be the network guys who can tell which system or IP (all workstations have fixed IP) were to blame?

Any help to speed this up would be useful.

Question by: BeastOfBodmin
    LVL 13

    Expert Comment


    Unless file deletions were being logged by software -- which I don't think is a normal default -- I doubt if there is any way to find out who did it weeks or months after the fact.

    Your problems here are basically non-technical.  Maybe what you need is a security firm and, to the extent permitted by law, a polygraph screen of the employees.
    LVL 1

    Expert Comment

    When you delete things from the network, they are permanently deleted and not sent to the recycle bin.  If this is a server with lots of disk activity, the file might be really permanently deleted.  If there isn't much activity, then you might be able to recover the file using software like Executive Software's Network Undelete - which you have to buy.  There may be other free software out there, but in a circumstance like this, I would say getting it recovered needs to be done right away - if it can still be recovered at all.  Otherwise, shut down the server and wait until you get working undelete software.


    Author Comment

    Thanks for your input, but what I would like is a path to any usage logs on the workstation that might give up when and if the file was deleted using a particular workstation.

    I have already found usage tracks that show the files were downloaded to a floppy.

    And would the server > workstation > floppy download leave a copy of the file in any temp folders, even ones that have been deleted?

    I am not unfamiliar with retrieving deleted files using recovery software, just need the pointer to where the time stamp/log could be found and if a temp copy may be lingering around from the download to floppy.


    LVL 22

    Accepted Solution

    If you have logging enabled at the server then you can check network access and track usage; most file servers leave this off by default because of the I/O overhead if there's heavy usage. If your network people are really good about logging they might be able to track it through other means; router logs, for example, would be a good place to start, or DNS logs to check access times. Or in a Windows system you might check the AD logs. You'll find a number of different logs in the system32\logfiles directory (c:\winnt\system32\logfiles or c:\windows\system32\logfiles) but they are mostly service related and not network related.

    Unless the deletions were very recent or you keep very good logs it'll be hard to pin down, because most temp files are deleted regularly on heavily trafficked machines. It's unlikely that the download will be lingering in some temporary location that's easily accessible. You might be able to recover it, as it will still physically reside on the disk until it is overwritten, but it's unlikely to have been anywhere except RAM or a pagefile on the local machine, so a copy is difficult to recover.

    If you are using Linux Squid (the question mark, I presume, means you're unsure), you can check the logs there, as it will track per user as well as by a number of different means. The only catch is that it's written in Squid's own format; look around in etc/squid/squid.conf to see your configuration, then check the appropriate log files.
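
Added example, not part of the original answer: a small parser for Squid's default "native" access.log layout that converts the epoch timestamps to UTC and groups requests by client IP, which maps to a workstation when IPs are fixed as in the question. The sample lines, hostnames and addresses are constructed, and the code assumes the default native format rather than a custom logformat from squid.conf.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (not from the thread) in Squid's default "native"
# access.log layout:
# epoch.ms elapsed_ms client_ip result/status bytes method URL ident peer mime
SAMPLE_LOG = """\
1113984000.123    250 192.168.1.23 TCP_MISS/200 4512 GET http://files.example.internal/docs/report.doc - DIRECT/192.168.1.5 application/msword
1113984060.500     12 192.168.1.40 TCP_HIT/200 1024 GET http://files.example.internal/index.html - NONE/- text/html
this line is truncated
1113984125.750     90 192.168.1.23 TCP_MISS/200 0 DELETE http://files.example.internal/docs/report.doc - DIRECT/192.168.1.5 -
"""

def parse_line(line):
    """Parse one native-format line; return None if it is malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        epoch = float(parts[0])
        when = datetime.fromtimestamp(epoch, tz=timezone.utc)
        size = int(parts[4])
    except (ValueError, OverflowError, OSError):
        return None
    result, _, status = parts[3].partition("/")
    return {"epoch": epoch, "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
            "client": parts[2], "result": result, "status": status,
            "bytes": size, "method": parts[5], "url": parts[6], "user": parts[7]}

def timeline_by_client(log_text):
    """Group requests by client IP in time order; count unparsable lines."""
    timeline, skipped = defaultdict(list), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1
        else:
            timeline[entry["client"]].append(entry)
    for events in timeline.values():
        events.sort(key=lambda e: e["epoch"])
    return dict(timeline), skipped

if __name__ == "__main__":
    timeline, skipped = timeline_by_client(SAMPLE_LOG)
    for client, events in sorted(timeline.items()):
        for e in events:
            print(client, e["utc"], e["method"], e["status"], e["url"])
    print("unparsable lines:", skipped)
```

Squid records only requests that pass through the proxy, so the resulting timeline is something to correlate with file-server and workstation evidence rather than a record of file-share deletions.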

    Author Comment


    Thanks for your input. Using the email logs from the server and the retrieved deleted email from the workstation, we were able to confirm the date of the downloads to floppy and other incriminating evidence sufficient for the eagles to chew on.

    Whilst I am not familiar with squid and do not need to go any further with this question, I felt that you were the one who picked up on the fact that this was part of the question and so award you the marks.

    Thanks to all.

    Author Comment

    For anyone else, I used this as part of my research.


    Alas, the middle section is cryptic as hell to me. The beginning and the end may have useful information for you.


    The config section looks like the file that will be of best use (section 6.6).
