The company I work for just let a couple of people go. I’ve disabled their network accounts per normal procedure, but since the relationship had evidently been contentious for about the last month, I’ve been asked to determine if either of these individuals may have recently deleted any files/folders from the network before their access was cut off.
We have no special tracking or forensic software installed on the server (SBS 2011 Standard), so I don’t know how I would go about providing this kind of detailed information, or whether it’s even possible after the fact.
I do have twice-daily backups going back nearly a year, so the only thing I can think to do is to restore our data folders from a point 4-6 weeks ago and do a file compare with their current versions to see what files and folders, if any, might be missing.
Is this my only option, or is their an alternate/batter approach? If anyone has any suggestions, I would greatly appreciate it.