• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 384
  • Last Modified:

Who and When files on Mapped drive were deleted?

hi experts,
I have mapped drives on windows xp, someone deleted some files from one of them, mainly I want to know who (windows user) and when the files were deleted?
note:  when the files where deleted the audit policy for dletetion was not activated.
the mapped Drive based on Avid ISIS Connection for multimedia files based on Raid tech. is there any way to recover these files, the only solution I found is in http://www.werecoverdata.com/raid-data-recovery/
please any ideas?
Thank you.
0
LeDaouk
Asked:
LeDaouk
  • 2
  • 2
  • 2
  • +1
1 Solution
 
lnkevinCommented:
You should pay them (above site) to recover your data if there is no back up existed. The recovery process is quite simple with their tool, if you have proper tools. I don't think we have a lot of options here. In regarding to the audit, you have to activate it before the incident. This feature won't work if not activated. Here is the guide to set up audit, just in case you don't have it:
http://support.microsoft.com/kb/325898

K
0
 
PowerITCommented:
Indeed, auditing policy must be active before the facts.
DIY recovery can be done through software. Have a look at Recuva: http://www.piriform.com/recuva
But to make recovery as successful as possible, you need to minimize the use of that PC/disk/array.
Even installing Recuva can impede the recovery process. So I recommend you boot from another disk (you can add one) and then scan the impacted storage.

kr, J.
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
LeDaoukAuthor Commented:
thx
but I told you before :
(note:  when the files where deleted the audit policy for deletion was not activated.)
so I need something out of audit policy
0
 
PowerITCommented:
I'll try to rephrase this: if the audit policy is not activated then there is nothing to get.
If with 'out of' you actually mean 'next to' then the answer is the same. If no audit policy then there is nothing logged. Even a forensic analysis can not find who, if nothing is logged. You can only find traces of the delete itself. That's why it is so important - and usually overlooked - to define the MS audit policy logging settings AND the SACLs BEFORE putting any system in production.

kr, J.
0
 
LeDaoukAuthor Commented:
there is no soltion!?!?!
0
 
lnkevinCommented:
What do you mean no solution? Your solution is paying for raid recovery. Like I said, you did not set up audit so no logging audit. It's simple as you don't work then you don't get paid. Make sense?

K
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now