[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 138
  • Last Modified:

file deletion

hi there

a member of a dept deleted files that were very very confidential. i dont have auditing on, is there any way i can find out who do it. they were moved to a different location and the folder says it was created on a certain date but not by who
0
mikeleahy
Asked:
mikeleahy
  • 4
  • 3
1 Solution
 
oBdACommented:
If this folder was created by the user who moved the files, then you can check the ownership of the folder.
Otherwise, without auditing, there's no way to retrieve that information after the fact.
0
 
mikeleahyAuthor Commented:
i have a name on the owner alright. does this mean that that person moved them?
0
 
oBdACommented:
Careful: it just means that this user created the folder; it does not necessarily mean that this user moved the files in there.
You might check the ownership of the files as well; if they were *moved*, this doesn't mean too much, the original ownership will have been kept. But if the files have been copied (or "moved" to another partition), then the ownership will have changed to the user who copied the files. In this case, the owner is the one who actually moved them. In the former case, you can't tell for sure; moves can happen if you drag a folder in Explorer by accident.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
mikeleahyAuthor Commented:
administrator is owner of the folders in their correction location.

where they were moved to, the persons name shows up as owner, and also the sub folder. within the sub folder different names show up as owners of files etc but i presume thats cos they created them folders.

the user in question shows up as the owner in the new location so i think its safe to assume that they moved the files to there by mistake.
0
 
oBdACommented:
If the files in question are still there, just in another folder, then it's very likely that they were moved by mistake; pretty much nobody would be stupid enough to move confidential files which he shouldn't access into another folder on purpose.
You might want to check why this user had permissions to those files in the first place, and enable auditing for confidential files (don't get carried away with auditing, though, it can have a serious perormance  impact on a file server).
0
 
mikeleahyAuthor Commented:
yeah, thanks for that .great stuff. any links on auditing? would it drag down a server to audit one or two folders
0
 
oBdACommented:
Auditing two folders shouldn't drag down a server (unless the auditing is inherited deep down the folder tree ...), or theses folders are really heavily used by a lot of users. Note that auditing events will be written to the server's security event log, so you might have to increase its size to keep a sufficient auditing time span available.
This still applies to W2k3, the basics haven't changed:
How to enable and apply security auditing in Windows 2000
http://support.microsoft.com/kb/300549
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now