Help us find an in-house bad guy deleteing server files

Posted on 2008-01-25
Medium Priority
Last Modified: 2010-04-21
Hello Experts,

I have a customer (an international hotel chain) with an unusual problem. They have multiple workstations on property but the server is located in another state. Consequently they do not have an in house IT person. Instead they depend on their remote IT staff for support in almost every case.

The complaint is that one of forty local users on line at the time of the incident purposely deleted some very sensitive files from the remote server. These files were contained in a folder that held twenty five other folders and fourteen other files. The person had to select the files that were deleted from amongst the other files and folders.

They use MS Server 2000 and each user has a unique user name, password, and user level. They have a suspect, but they would like to be able to prove that that person, or whoever it was, actually was the one that deleted the files.

How can we help find out for sure who did it? Their own IT Department reports that they cannot be of any help.  Still, I would think that there would at least be some log in files and user files we can look at. Also, what user level would be required to delete files in another users folder?

There was a backup so the owner did get their data back. We have helped them move the files into a protected and encrypted folder to prevent a repeat.

Thank you!
Question by:Savemypc

Assisted Solution

tastas earned 200 total points
ID: 20747456
Turn on the auditing feature for the folder.  

Right click on the folder --> Properties --> Security Tab --> Advanced --> Auditing tab -->

Then select the appropriate items you want to log.  The log will be found in Event Viewer.
LVL 24

Assisted Solution

ryansoto earned 100 total points
ID: 20747464
Tas is right on the $

Accepted Solution

karmadave earned 1600 total points
ID: 20747587
Regarding, "Who did it" I am afraid you are out of luck on the server unless you had implemented auditing before the fact. When a user logs in an event is generated, but that does not tell you what the person did while logged in. How do you know the files were only deleted instead of copied to the person's local hard drive and then deleted from the server? If that is possible, there are forensic tools you can use to find the files on the local PC even if they were later deleted. If it is important enough, there are pros you can hire to do that job. I would be concerned about the person's outbound email too. Did he send the files to someone? You can audit just about anything: users, computers, shares, etc. Maybe your best bet is to expect that if the person did it once, he will do it again. Then you can devise an audit plan so the person will leave a trail you can follow. Just don't go crazy and audit too much because then it will be too hard to interpret the audit logs. And don't forget to disable it when you are through. Computer audits don't get tired and they stay vigilant. All you need to do is wait long enough.
Hope this helps,
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

LVL 23

Assisted Solution

by:Erik Bjers
Erik Bjers earned 100 total points
ID: 20747719
I agree with the others, turn auditing to help in the future and there is no way to determin who done it after the fact if auditing was not turned on.

I would also recomend that you tighten security on the server in order to prevent files from being deleted:
Folders that contain sensative files should not be shared, or if shared should have auditing on and only limited user access allowed
Remove all hidden shares (C$, D$) these shares can give someone full access to the server hard drives
BACKUP BACKUP BACKUP so if it happens again you can recover


Assisted Solution

karmadave earned 1600 total points
ID: 20748021
I need to add something. If their IT department cannot be of any help does that mean they will not configure auditing either? I guess you don't have admin access to their server, so without their cooperation you are out of luck doing anything requiring admin privileges, an unlikely scenario if they have an internal IT department. You can't set share permissions as a creator/owner of new folders under a share, but you do have enough control over security permissions to effectively protect the folders you create. Encryption is good, but in a domain you need to be extra careful. Be sure you turned off inherited permissions from the parent folder if they exist. But, to get back to your original question: you can't unless you already had auditing implemented. Your best bet is to see if the person left a trail on his local PC. And my caution to you is be sure you don't inadvertantly get dragged into a mess, legal or otherwise, that you didn't see coming.

Author Closing Comment

ID: 31425172
Thank you all for both the prevenataive and the antidotal information. I will inform my customer to be more careful from now on. We will now ghost the workstation drive and attack it forensiclly with EnCase to see what we can discover.

Featured Post

The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
Check out the easy way to Export Thunderbird to MS Outlook. It can be done effectively by using manual method and if you are not much into coding then you can definitely try the third party tool for the conversion.
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

593 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question