Help us find an in-house bad guy deleting server files
Posted on 2008-01-25
I have a customer (an international hotel chain) with an unusual problem. They have multiple workstations on property but the server is located in another state. Consequently, they do not have an in-house IT person. Instead they depend on their remote IT staff for support in almost every case.
The complaint is that one of forty local users online at the time of the incident purposely deleted some very sensitive files from the remote server. These files were contained in a folder that held twenty-five other folders and fourteen other files. The person had to select the files that were deleted from amongst the other files and folders.
They use MS Server 2000 and each user has a unique user name, password, and user level. They have a suspect, but they would like to be able to prove that that person, or whoever it was, actually was the one that deleted the files.
How can we help find out for sure who did it? Their own IT Department reports that they cannot be of any help. Still, I would think that there would at least be some login files and user files we can look at. Also, what user level would be required to delete files in another user's folder?
There was a backup so the owner did get their data back. We have helped them move the files into a protected and encrypted folder to prevent a repeat.