?
Solved

Finding recently deleted files in Windows SBS 2011 Standard

Posted on 2013-01-10
6
Medium Priority
?
2,309 Views
Last Modified: 2013-01-12
Hi.

The company I work for just let a couple of people go. I’ve disabled their network accounts per normal procedure, but since the relationship had evidently been contentious for about the last month, I’ve been asked to determine if either of these individuals may have recently deleted any files/folders from the network before their access was cut off.

We have no special tracking or forensic software installed on the server (SBS 2011 Standard), so I don’t know how I would go about providing this kind of detailed information, or whether it’s even possible after the fact.

I do have twice-daily backups going back nearly a year, so the only thing I can think to do is to restore our data folders from a point 4-6 weeks ago and do a file compare with their current versions to see what files and folders, if any, might be missing.

Is this my only option, or is their an alternate/batter approach? If anyone has any suggestions, I would greatly appreciate it.


Joe
0
Comment
Question by:Joe2009
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 96

Accepted Solution

by:
Lee W, MVP earned 1600 total points
ID: 38764467
Now, your daily backups (or the Windows equivalent if it was enabled - Volume Shadow Copy) is your only option UNLESS you had PREVIOUSLY enabled Object Access Auditing.  It's not enabled by default and it obviously cannot audit things that have already happened.
0
 

Author Comment

by:Joe2009
ID: 38764721
Yeah, that's kinda what I figured. I've already begun doing some data restores and I'll see what they show.

I'm going to leave this question open for a bit to see if anyone else weighs in with an opinion.

Thanks.

Joe
0
 
LVL 96

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 1600 total points
ID: 38765705
You can then grab a program called beyond compare and compare the contents of the two locations and see what's different - but warning - all your legitimately changed and deleted files will be "flagged" as changed - but at least it should highlight all the differences.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Author Comment

by:Joe2009
ID: 38765808
Yup. BC is what I'm using. I know I'm going to be coming across a fair number of legit changes and deletions, but at least seeing the differences laid out should give me a good indication of whether any wholesale deletions occurred.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 400 total points
ID: 38766910
if auditing is enable, maybe can help also but typically man few enabled this beforehand and is afterthought since business does not demand or no need to review the massive "noisy" log . Else is other network traffic log if SMB payload is stored ...but can only trail to PC IP address which can be even confusing if there is DHCP etc...best effort

http://blogs.technet.com/b/askds/archive/2009/08/04/tracking-a-remote-file-deletion-back-to-the-source.aspx
0
 

Author Comment

by:Joe2009
ID: 38770366
if auditing is enable, maybe can help also but typically man few enabled this beforehand and is afterthought since business does not demand or no need to review the massive "noisy" log . Else is other network traffic log if SMB payload is stored ...but can only trail to PC IP address which can be even confusing if there is DHCP etc...best effort

http://blogs.technet.com/b/askds/archive/2009/08/04/tracking-a-remote-file-deletion-back-to-the-source.aspx 

Thanks for the link-- it might prove useful going forward.
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
The Delta outage: 650 cancelled flights, more than 1200 delayed flights, thousands of frustrated customers, tens of millions of dollars in damages – plus untold reputational damage to one of the world’s most trusted airlines. All due to a catastroph…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question