
Help us find an in-house bad guy deleting server files

Hello Experts,

I have a customer (an international hotel chain) with an unusual problem. They have multiple workstations on property but the server is located in another state. Consequently they do not have an in house IT person. Instead they depend on their remote IT staff for support in almost every case.

The complaint is that one of forty local users online at the time of the incident purposely deleted some very sensitive files from the remote server. These files were contained in a folder that held twenty five other folders and fourteen other files. The person had to select the files that were deleted from amongst the other files and folders.

They use MS Server 2000 and each user has a unique user name, password, and user level. They have a suspect, but they would like to be able to prove that that person, or whoever it was, actually was the one that deleted the files.

How can we help find out for sure who did it? Their own IT Department reports that they cannot be of any help. Still, I would think that there would at least be some login files and user files we can look at. Also, what user level would be required to delete files in another user's folder?

There was a backup so the owner did get their data back. We have helped them move the files into a protected and encrypted folder to prevent a repeat.

Thank you!

Turn on the auditing feature for the folder.  

Right click on the folder --> Properties --> Security Tab --> Advanced --> Auditing tab -->

Then select the appropriate items you want to log.  The log will be found in Event Viewer.
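The same folder-level auditing, scripted rather than clicked through, as an added example that is not from this thread. It assumes a current Windows file server (Server 2008 R2 or later, with PowerShell and auditpol.exe) and an elevated prompt; Windows 2000 has neither tool, so there the GUI path above is the way to do it. The folder path is a placeholder.

```powershell
# Added example, not from the original thread. Assumes Windows Server 2008 R2+
# with PowerShell 3 or later, run from an elevated prompt on the file server.
# Windows 2000 has neither PowerShell nor auditpol; use the GUI path there.
$Folder = 'D:\Shares\Sensitive'   # placeholder: the folder holding the sensitive files

# 1. Turn on the system-wide object-access audit policy. Without it, per-folder
#    audit entries (SACLs) are ignored and nothing reaches the Security log.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry on the folder: record every successful Delete by anyone,
#    inherited by all subfolders and files (the equivalent of the Auditing tab).
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Later, pull the trail out of Event Viewer's Security log. Event 4663
#    ("An attempt was made to access an object") carries the account, the object
#    path and the access mask; 0x10000 in the mask is DELETE. Property indices
#    follow the 4663 schema: 1 = SubjectUserName, 2 = SubjectDomainName,
#    6 = ObjectName, 9 = AccessMask, 11 = ProcessName.
function Get-DeleteTrail {
    param(
        [string]$PathPrefix = $Folder,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Properties[6].Value -like "$PathPrefix*" -and
            ([int64]$_.Properties[9].Value -band 0x10000) -ne 0
        } |
        Select-Object TimeCreated,
            @{ n = 'User';    e = { "$($_.Properties[2].Value)\$($_.Properties[1].Value)" } },
            @{ n = 'Object';  e = { $_.Properties[6].Value } },
            @{ n = 'Process'; e = { $_.Properties[11].Value } }
}

Get-DeleteTrail | Format-Table -AutoSize
```

Writing the SACL needs the "Manage auditing and security log" right, which local administrators have by default, so whoever runs this has to be an admin on the server. As the other replies point out, only deletions that happen after the audit entry is in place produce events; nothing here recovers who deleted a file before auditing was turned on.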
Tas is right on the $
Regarding "Who did it": I am afraid you are out of luck on the server unless you had implemented auditing before the fact. When a user logs in an event is generated, but that does not tell you what the person did while logged in. How do you know the files were only deleted instead of copied to the person's local hard drive and then deleted from the server? If that is possible, there are forensic tools you can use to find the files on the local PC even if they were later deleted. If it is important enough, there are pros you can hire to do that job. I would be concerned about the person's outbound email too. Did he send the files to someone?

You can audit just about anything: users, computers, shares, etc. Maybe your best bet is to expect that if the person did it once, he will do it again. Then you can devise an audit plan so the person will leave a trail you can follow. Just don't go crazy and audit too much because then it will be too hard to interpret the audit logs. And don't forget to disable it when you are through. Computer audits don't get tired and they stay vigilant. All you need to do is wait long enough.
Hope this helps,
Erik Bjers, Principal Systems Administrator
I agree with the others: turn on auditing to help in the future, and there is no way to determine who did it after the fact if auditing was not turned on.

I would also recommend that you tighten security on the server in order to prevent files from being deleted:
Folders that contain sensitive files should not be shared, or if shared should have auditing on and only limited user access allowed
Remove all hidden shares (C$, D$); these shares can give someone full access to the server hard drives
BACKUP BACKUP BACKUP so if it happens again you can recover

I need to add something. If their IT department cannot be of any help, does that mean they will not configure auditing either? I guess you don't have admin access to their server, so without their cooperation you are out of luck doing anything requiring admin privileges, an unlikely scenario if they have an internal IT department.

You can't set share permissions as a creator/owner of new folders under a share, but you do have enough control over security permissions to effectively protect the folders you create. Encryption is good, but in a domain you need to be extra careful. Be sure you turned off inherited permissions from the parent folder if they exist.

But, to get back to your original question: you can't unless you already had auditing implemented. Your best bet is to see if the person left a trail on his local PC. And my caution to you is be sure you don't inadvertently get dragged into a mess, legal or otherwise, that you didn't see coming.


Thank you all for both the preventative and the anecdotal information. I will inform my customer to be more careful from now on. We will now ghost the workstation drive and attack it forensically with EnCase to see what we can discover.
