BeastOfBodmin
asked on
How can I find info or a list of all files deleted from a workstation, including those on its network server?
Is there a way of finding out when an account user on a desktop workstation using XP deleted a file from a server using a Linux (squid?) fileserver? I have done a recovery of data deleted from the workstation but would like to prove that this workstation was the one used to do a malicious deletion of files and folders on the server.
Thought I would start this question since I am in the middle of sifting through the last 6 months of deleted files recovered on the workstation.
Or would it be the network guys who can tell which system or IP (all workstations have fixed IP) were to blame?
Any help to speed this up would be useful.
When you delete things from the network, they are permanently deleted and not sent to the recycle bin. If this is a server with lots of disk activity, the file might be really permanently deleted. If there isn't much activity, then you might be able to recover the file using software like Executive Software's Network Undelete - which you have to buy. There may be other free software out there, but in a circumstance like this, I would say getting it recovered needs to be done right away - if it can still be recovered at all. Otherwise, shut down the server and wait until you get working undelete software.
http://www.executive.com/file-recovery/file-recovery.asp
Regards
Ranganathan.gp
ASKER
Thanks for your input, but what I would like is a path to any usage logs on the workstation that might give up when and if the file was deleted using a particular workstation.
I have already found usage tracks that show the files were downloaded to a floppy.
And would the server > workstation > floppy download leave a copy of the file in any temp folders, even ones that have been deleted?
I am not unfamiliar with retrieving deleted files using recovery software, just need the pointer to where the time stamp/log could be found and if a temp copy may be lingering around from the download to floppy.
Cheers
ASKER
rpalmeira22
Thanks for your input. Using the email logs from the server and the retrieved deleted email from the workstation, we were able to confirm the date of the downloads to floppy and other incriminating evidence sufficient for the eagles to chew on.
Whilst I am not familiar with squid and do not need to go any further with this question, I felt that you were the one who picked up on the fact that this was part of the question, and so award you the marks.
Thanks to all
ASKER
For anyone else, I used this as part of my research:
http://www.squid-cache.org/Doc/FAQ/FAQ-6.html
Alas, the middle section is cryptic as hell to me. The beginning and the end may have useful information for you.
The config section looks like the file that will be of best use (section 6.6).
Unless file deletions were being logged by software -- which I don't think is a normal default -- I doubt if there is any way to find out who did it weeks or months after the fact.
Your problems here are basically non-technical. Maybe what you need is a security firm and, to the extent permitted by law, a polygraph screen of the employees.