Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Finding recently deleted files in Windows SBS 2011 Standard

Posted on 2013-01-10
6
Medium Priority
?
2,362 Views
Last Modified: 2013-01-12
Hi.

The company I work for just let a couple of people go. I’ve disabled their network accounts per normal procedure, but since the relationship had evidently been contentious for about the last month, I’ve been asked to determine if either of these individuals may have recently deleted any files/folders from the network before their access was cut off.

We have no special tracking or forensic software installed on the server (SBS 2011 Standard), so I don’t know how I would go about providing this kind of detailed information, or whether it’s even possible after the fact.

I do have twice-daily backups going back nearly a year, so the only thing I can think to do is to restore our data folders from a point 4-6 weeks ago and do a file compare with their current versions to see what files and folders, if any, might be missing.

Is this my only option, or is their an alternate/batter approach? If anyone has any suggestions, I would greatly appreciate it.


Joe
0
Comment
Question by:Joe2009
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 96

Accepted Solution

by:
Lee W, MVP earned 1600 total points
ID: 38764467
Now, your daily backups (or the Windows equivalent if it was enabled - Volume Shadow Copy) is your only option UNLESS you had PREVIOUSLY enabled Object Access Auditing.  It's not enabled by default and it obviously cannot audit things that have already happened.
0
 

Author Comment

by:Joe2009
ID: 38764721
Yeah, that's kinda what I figured. I've already begun doing some data restores and I'll see what they show.

I'm going to leave this question open for a bit to see if anyone else weighs in with an opinion.

Thanks.

Joe
0
 
LVL 96

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 1600 total points
ID: 38765705
You can then grab a program called beyond compare and compare the contents of the two locations and see what's different - but warning - all your legitimately changed and deleted files will be "flagged" as changed - but at least it should highlight all the differences.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Joe2009
ID: 38765808
Yup. BC is what I'm using. I know I'm going to be coming across a fair number of legit changes and deletions, but at least seeing the differences laid out should give me a good indication of whether any wholesale deletions occurred.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 400 total points
ID: 38766910
if auditing is enable, maybe can help also but typically man few enabled this beforehand and is afterthought since business does not demand or no need to review the massive "noisy" log . Else is other network traffic log if SMB payload is stored ...but can only trail to PC IP address which can be even confusing if there is DHCP etc...best effort

http://blogs.technet.com/b/askds/archive/2009/08/04/tracking-a-remote-file-deletion-back-to-the-source.aspx
0
 

Author Comment

by:Joe2009
ID: 38770366
if auditing is enable, maybe can help also but typically man few enabled this beforehand and is afterthought since business does not demand or no need to review the massive "noisy" log . Else is other network traffic log if SMB payload is stored ...but can only trail to PC IP address which can be even confusing if there is DHCP etc...best effort

http://blogs.technet.com/b/askds/archive/2009/08/04/tracking-a-remote-file-deletion-back-to-the-source.aspx 

Thanks for the link-- it might prove useful going forward.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you looking to recover an email message or a contact you just deleted mistakenly? Or you are searching for a contact that you erased from your MS Outlook ‘Contacts’ folder and now realized that it was important.
Microsoft will be releasing the Windows 10 Creators Update in just a matter of weeks. Are you prepared? Follow these steps to ensure everything goes smoothly and you don't lose valuable data on your PC.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question