Finding recently deleted files in Windows SBS 2011 Standard

Hi.

The company I work for just let a couple of people go. I’ve disabled their network accounts per normal procedure, but since the relationship had evidently been contentious for about the last month, I’ve been asked to determine if either of these individuals may have recently deleted any files/folders from the network before their access was cut off.

We have no special tracking or forensic software installed on the server (SBS 2011 Standard), so I don’t know how I would go about providing this kind of detailed information, or whether it’s even possible after the fact.

I do have twice-daily backups going back nearly a year, so the only thing I can think to do is to restore our data folders from a point 4-6 weeks ago and do a file compare with their current versions to see what files and folders, if any, might be missing.

Is this my only option, or is their an alternate/batter approach? If anyone has any suggestions, I would greatly appreciate it.


Joe
Joe2009Asked:
Who is Participating?
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
Now, your daily backups (or the Windows equivalent if it was enabled - Volume Shadow Copy) is your only option UNLESS you had PREVIOUSLY enabled Object Access Auditing.  It's not enabled by default and it obviously cannot audit things that have already happened.
0
 
Joe2009Author Commented:
Yeah, that's kinda what I figured. I've already begun doing some data restores and I'll see what they show.

I'm going to leave this question open for a bit to see if anyone else weighs in with an opinion.

Thanks.

Joe
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
You can then grab a program called beyond compare and compare the contents of the two locations and see what's different - but warning - all your legitimately changed and deleted files will be "flagged" as changed - but at least it should highlight all the differences.
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
Joe2009Author Commented:
Yup. BC is what I'm using. I know I'm going to be coming across a fair number of legit changes and deletions, but at least seeing the differences laid out should give me a good indication of whether any wholesale deletions occurred.
0
 
btanExec ConsultantCommented:
if auditing is enable, maybe can help also but typically man few enabled this beforehand and is afterthought since business does not demand or no need to review the massive "noisy" log . Else is other network traffic log if SMB payload is stored ...but can only trail to PC IP address which can be even confusing if there is DHCP etc...best effort

http://blogs.technet.com/b/askds/archive/2009/08/04/tracking-a-remote-file-deletion-back-to-the-source.aspx
0
 
Joe2009Author Commented:
if auditing is enable, maybe can help also but typically man few enabled this beforehand and is afterthought since business does not demand or no need to review the massive "noisy" log . Else is other network traffic log if SMB payload is stored ...but can only trail to PC IP address which can be even confusing if there is DHCP etc...best effort

http://blogs.technet.com/b/askds/archive/2009/08/04/tracking-a-remote-file-deletion-back-to-the-source.aspx 

Thanks for the link-- it might prove useful going forward.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.