Security Breach SBS 2003

One of my clients has recently let go an employee. A week later all of their QuickBooks data has been deleted including all BU copies.  This data was on a Windows SBS 2003 shared with only 4 people having permission to it. I am in the process of trying to recover the lost data now but I have a few questions. These seem simple enough, but I do not have the answers.

1. Is there a way to see who deletes a file either logged into a server or from a share on the network?
2. Looking through the Event Viewer, in the Systems section, there are print warnings for terminal server printers that are being purged from machine names that do not exist on the network and in the Security section, there are tons of successes around the time we think this happened. Is there a way to tell who logs in and out both terminally and locally?

3. (I had it now I can't remember it) I will have to ask it when I remember sorry!

Lee W, MVP, Technology and Business Process Advisor, commented:
1. *IF* auditing is enabled, you can see that information in the security log.  Auditing is TYPICALLY NOT enabled because historically it can cause performance issues if left on.
2.  Again, if auditing is enabled - but if your users typically share passwords and are not forced to change passwords on a regular basis, then even if you find the user ID that did this, you can't be certain it was that user.  

Some tips/ideas:
1.  Disable the user's account (should have been done BEFORE the user was notified of his termination).
2.  Force ALL USERS to immediately change their passwords.
3.  If you have a business class firewall (as opposed to a cheap Linksys or similar) you may be able to review logs and get the source IP (which is more definitive and also more difficult to identify - but would hold up better in my OPINION than a user ID entry in a log).
4.  Was the data stored on a drive with Volume Shadow Copy enabled?  If so, try to recover it through volume shadow copy
5.  What about your regular backups?
6.  Assuming you didn't have a good backup plan to begin with, create one NOW.
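To show what the security log can answer once auditing is on, here is an added example (not from the thread or from any participant) that correlates file-deletion audit entries with logon sessions. It assumes the Security log has been exported into a simplified comma-separated layout, constructed below for illustration; a real Event Viewer export has more fields and a different format, so the field names are an assumption. The event IDs are the Windows Server 2003 ones: 528/540 successful logon, 538 logoff, 560 object open with the requested accesses listed.

```python
"""Correlate file-deletion audit events with logon sessions (added example).

Assumes a simplified export format (constructed here):
    time,event_id,user,logon_id,workstation,object,accesses
Event IDs follow Windows Server 2003: 528/540 = successful logon,
538 = logoff, 560 = object open with the requested accesses.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export; domain, users, workstations and paths are made up.
SAMPLE_LOG = """\
time,event_id,user,logon_id,workstation,object,accesses
2011-03-14 07:55:02,540,ACME\\jsmith,0x1A2B,WS-ACCT01,,
2011-03-14 08:10:44,560,ACME\\jsmith,0x1A2B,,D:\\QuickBooks\\company.qbw,READ_CONTROL
2011-03-14 17:42:10,540,ACME\\jsmith,0x3C4D,WS-FRONT02,,
2011-03-14 17:43:05,560,ACME\\jsmith,0x3C4D,,D:\\QuickBooks\\company.qbw,DELETE
2011-03-14 17:43:06,560,ACME\\jsmith,0x3C4D,,D:\\QuickBooks\\Backup\\company.qbb,DELETE
2011-03-14 17:50:00,538,ACME\\jsmith,0x3C4D,,,
2011-03-14 18:02:13,560,ACME\\mlee,0x5E6F,,D:\\QuickBooks\\notes.txt,WRITE_DATA
"""


def parse_log(text):
    """Return the export as a list of dict rows keyed by the header names."""
    return list(csv.DictReader(StringIO(text)))


def logon_sessions(rows):
    """Map logon_id -> (user, workstation) from successful logon events."""
    sessions = {}
    for r in rows:
        if r["event_id"] in ("528", "540"):
            sessions[r["logon_id"]] = (r["user"], r["workstation"])
    return sessions


def deletions(rows):
    """Return (time, user, workstation, object) for each object open that
    requested DELETE access, resolving the workstation via the logon ID."""
    sessions = logon_sessions(rows)
    out = []
    for r in rows:
        if r["event_id"] == "560" and "DELETE" in r["accesses"].split("|"):
            user, ws = sessions.get(r["logon_id"], (r["user"], "<unknown>"))
            out.append((r["time"], user, ws, r["object"]))
    return out


def multi_workstation_accounts(rows):
    """Accounts that logged on from more than one workstation in the export.
    That is a hint the password is shared or a session was left unattended,
    so the user ID alone does not prove who was at the keyboard."""
    seen = defaultdict(set)
    for _logon_id, (user, ws) in logon_sessions(rows).items():
        seen[user].add(ws)
    return {u: sorted(w) for u, w in seen.items() if len(w) > 1}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for entry in deletions(rows):
        print("DELETE %s by %s from %s on %s" % (entry[3], entry[1], entry[2], entry[0]))
    print("accounts seen on several workstations:", multi_workstation_accounts(rows))
```

The point Lee W makes in answer 2 is visible in the sample: both deletions are attributed to one account, but that account had sessions from two different workstations that day, so the log names an account, not a person.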

Luuker (Author) commented:
Auditing is disabled I guess as expected.
1. The account is disabled. Regardless, this user did not have permissions to the files in question.  We are starting to think one of the allowed users might have left their machine logged in and left it that way when they left for the day. Getting a straight answer at this point is getting tougher. We are going through video tape now to see what we can find.
2. Didn't think of that, I will set it for tonight.
3. The firewall in place is an entry level business class firewall, but it doesn't keep very good logs.  And to make matters worse, the logs it can keep were disabled (by default) so I wouldn't have anything from that anyway.
4. Have never done that.  I think it is on, but I'm not sure.  I will look into that as well.
5. They ran out of space on their tape drives and they didn't want to purchase a larger drive with new tapes so there is no BU in place. (yeah yeah, I know, I have preached too! But at the end of the day, it is their money and I work for them. All I can do is suggest course of actions, I cannot force them).
6. I agree! Maybe they will reconsider the importance of this now.

We have called in another company to help with data recovery. They said they have software they can use to try to recover the data as well.  I installed and used Recuva but it didn't find the deleted files. I installed it to the C: drive and the missing data is on D:. He said he can boot the server with a crossover cable hooked to it, and might be able to recover it that way.  Does anyone know the software he might be using? He will not tell me. I am thinking this could be a good thing to know and be good with.
Lee W, MVP, Technology and Business Process Advisor, commented:
1.  In addition to the forced password reset, if you suspect a user left the machine logged on, enable a group policy forcing the screen saver to activate and lock the machine.  When there is no history of problems, people get annoyed with this... when you can say it was possible someone did that and now look what happened, the users will usually quiet down.
4.  From a workstation with a mapped drive to the server, right click on the folder the accounting data was in and look for a Previous Versions tab.  Cross fingers.  If it was enabled, then the data may be recoverable to noon the day of the incident - or 7am (the standard snapshot times).  If the user who is suspected didn't have admin rights on the server AND shadow copies were enabled, then this SHOULD be there.  Otherwise, if the user did have or gained domain admin rights, it's POSSIBLE, if they remembered to, that they disabled shadow copy and blew away all hope of recovery with that method.
5 & 6.  As I've heard said in regards to the healthcare plan... don't let the great (full backup every night) be the enemy of the good (critical files backed up only).  Certain things are critical.  Back them up ALWAYS.  Other things are less critical.  They can be skipped or periodically backed up.  You don't HAVE to get new backup hardware... maybe you back up the accounting data and a few key files EVERY NIGHT, but the rest of the system is backed up every other night or on weekends only.  Also consider an online backup service.  Carbonite's old server for home users works on servers... I wouldn't want to back up the ENTIRE server, but you could have it back up some of the critical files and the old service is unlimited for $55/year.
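As an added example of the "back up the critical files every night" approach (not code from the thread or from any participant), the script below copies a short list of files into a dated folder and writes a SHA-256 manifest beside them, so a later restore can be checked against what was actually backed up. The paths in CRITICAL_FILES and BACKUP_ROOT are placeholders; demo() runs the same functions against constructed files in a temporary directory, deliberately damages one copy, and returns the verification result.

```python
"""Nightly backup of a few critical files with an integrity manifest (added example).

CRITICAL_FILES and BACKUP_ROOT are placeholders to be replaced with the real
accounting data and backup target; demo() exercises the code offline in a
temporary directory with constructed files.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime

# Placeholders: point these at the real accounting data and backup target.
CRITICAL_FILES = [r"D:\QuickBooks\company.qbw", r"D:\QuickBooks\Backup\company.qbb"]
BACKUP_ROOT = r"E:\Backups\Critical"


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_files(files, root, stamp=None):
    """Copy each file into root/<stamp>/ and write manifest.txt there.
    Returns {filename: sha256} for the copies just made."""
    stamp = stamp or datetime.now().strftime("%Y-%m-%d")
    dest_dir = os.path.join(root, stamp)
    os.makedirs(dest_dir, exist_ok=True)
    manifest = {}
    for src in files:
        name = os.path.basename(src)
        dst = os.path.join(dest_dir, name)
        shutil.copy2(src, dst)          # copy2 keeps timestamps
        manifest[name] = sha256_of(dst)
    with open(os.path.join(dest_dir, "manifest.txt"), "w") as f:
        for name, digest in sorted(manifest.items()):
            f.write(f"{digest}  {name}\n")
    return manifest


def verify_backup(dest_dir):
    """Re-hash every file named in manifest.txt; return {filename: ok_bool}.
    A missing, truncated or altered copy shows up as False."""
    results = {}
    with open(os.path.join(dest_dir, "manifest.txt")) as f:
        for line in f:
            digest, name = line.rstrip("\n").split("  ", 1)
            path = os.path.join(dest_dir, name)
            results[name] = os.path.exists(path) and sha256_of(path) == digest
    return results


def demo():
    """Constructed run: back up two sample files, tamper with one copy, verify."""
    tmp = tempfile.mkdtemp()
    src_dir = os.path.join(tmp, "src")
    os.makedirs(src_dir)
    files = []
    for name, data in (("company.qbw", b"ledger-data"), ("company.qbb", b"backup-data")):
        p = os.path.join(src_dir, name)
        with open(p, "wb") as f:
            f.write(data)
        files.append(p)
    root = os.path.join(tmp, "backups")
    backup_files(files, root, stamp="2011-03-14")
    dest = os.path.join(root, "2011-03-14")
    with open(os.path.join(dest, "company.qbb"), "ab") as f:
        f.write(b"tampered")            # simulate a damaged copy
    return verify_backup(dest)


if __name__ == "__main__":
    print(demo())
```

Scheduling this nightly (Task Scheduler on the server) and keeping the dated folders on a drive or share that the accounting users cannot write to addresses the failure in the thread: the backups were deleted along with the data because they sat in the same place with the same permissions.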
btan, Exec Consultant, commented:
As for the network crossover cable boot, I suspect they are attempting "live" network forensics.

Take a look at the link on some possibilities

There are more in the link - just see the first two

There is also a portable device doing such a scheme, see details in the PDF

Hope it helps