• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 267
  • Last Modified:

how can I find info or list of all files deleted from a workstation , including those on its network server ?

is there a way of finding out when an account user on a desktop workstation using XP deleted a file from a server using a linux (squid?) fileserver, I have done a recovery of data deleted from the workstation but would like to prove that  this workstation was the one used to do a malicious deletion of files and folders  on the server.

thought i would start this question since I am in the middle of sifting through the last 6 month's of deleted files recovered on the workstation.

or would it be the network guys who can tell which system or IP (all workstations have fixed IP) were to blame ?

any help to speed this up would be useful ,

1 Solution

Unless filedeletions were being logged by software -- which I don't think is a normal default -- I doubt if there is any way to find out who did it. weeks or months after the fact.

Your problems here are basically non-technical.  Maybe what you need is a security firm and, to the extent permitted by law, a polygraph screen of the employees.
When you delete things from the network, they are permanently deleted and not sent to the recycle bin.  If this is a server with lots of disk activity, the file might be really permanently deleted.  If there isn't much activity, then you might be able to recover the file using software like Executive Software's Network Undelete - which you have to buy.  There may be other free software out there, but in a circumstance like this, I would say getting it recovered needs to be done right away - if it can still be recovered at all.  Otherwise, shut down the server and wait until you get working undelete software.


BeastOfBodminAuthor Commented:
thanks for your imput, but what I would like is a path to any usage logs on the workstation that might give up when and if the file was deleted using a particular workstation.

I have already found usage tracks that show the files were downloaded to a floppy

and would the server > workstation>floppy download leave a copy of the file in any temp folders, even ones that have been deleted.

i am not unfamiliar with retrieving deleted files using recovery software , just need the pointer to where the time stamp/log could be found and if a temp copy may be lingering around from the dsownload to floppy


Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Reid PalmeiraTelecom EngineerCommented:
if you have logging enabled at the server then you can check network access and track usage, most file servers leave this off by default because of the I/O overhead if there's heavy usage. if your network people are really good about logging they might be able to track it through other means; router logs for example would be a good place to start, or DNS logs to check access times. Or in a windows system you might check the AD logs.  You'll find a number of different logs in the system32\logfiles directory c:\winnt\system32\logfiles or c:\windows\system32\logfiles but they are mostly service related and not network related.

Unless the deletions were very recent or you keep very good logs it'll be hard to pin down because most temp files are deleted regularly on heavily trafficked machines. it's unlikely that the download will be lingering in some temporary location that's easily accessible. You might be able to recover it as it will still physically reside on the disk until it is overwritten but it's unlikely to have been anywhere except RAM or a pagefile on the local machine so a copy is difficult to recover

If you are using linux squid...the question mark i presume mens you're unsure, you can check the logs there as it will track per user as well as by a number of different means. the only catch is that it's written in squids on format look around in etc/squid/squid.conf to see your configuration then check the appropriate log files
BeastOfBodminAuthor Commented:

thanks for your imput, using the email logs from the server and the retrieved deleted email from the workstation we were able to confirm the date of the downloads to floppy and other incriminating evidence sufficient for the eagles to chew on.

whilst I am not familiar with squid and do not need to go any further with this question but I felt that you were the one who picked up on the fact that this was part of the question and so award you the marks

thanks to all  
BeastOfBodminAuthor Commented:
for anyone else I used this as part of my research



Alas the middle section is cryptic as hell to me . The beginning and the end may have useful information for you.


The config section looks like the file that will be of best use(section 6.6)

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now