Solved

Finding recently deleted files in Windows SBS 2011 Standard

Posted on 2013-01-10
6
2,142 Views
Last Modified: 2013-01-12
Hi.

The company I work for just let a couple of people go. I’ve disabled their network accounts per normal procedure, but since the relationship had evidently been contentious for about the last month, I’ve been asked to determine if either of these individuals may have recently deleted any files/folders from the network before their access was cut off.

We have no special tracking or forensic software installed on the server (SBS 2011 Standard), so I don’t know how I would go about providing this kind of detailed information, or whether it’s even possible after the fact.

I do have twice-daily backups going back nearly a year, so the only thing I can think to do is to restore our data folders from a point 4-6 weeks ago and do a file compare with their current versions to see what files and folders, if any, might be missing.

Is this my only option, or is their an alternate/batter approach? If anyone has any suggestions, I would greatly appreciate it.


Joe
0
Comment
Question by:Joe2009
  • 3
  • 2
6 Comments
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 400 total points
ID: 38764467
Now, your daily backups (or the Windows equivalent if it was enabled - Volume Shadow Copy) is your only option UNLESS you had PREVIOUSLY enabled Object Access Auditing.  It's not enabled by default and it obviously cannot audit things that have already happened.
0
 

Author Comment

by:Joe2009
ID: 38764721
Yeah, that's kinda what I figured. I've already begun doing some data restores and I'll see what they show.

I'm going to leave this question open for a bit to see if anyone else weighs in with an opinion.

Thanks.

Joe
0
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 400 total points
ID: 38765705
You can then grab a program called beyond compare and compare the contents of the two locations and see what's different - but warning - all your legitimately changed and deleted files will be "flagged" as changed - but at least it should highlight all the differences.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:Joe2009
ID: 38765808
Yup. BC is what I'm using. I know I'm going to be coming across a fair number of legit changes and deletions, but at least seeing the differences laid out should give me a good indication of whether any wholesale deletions occurred.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 100 total points
ID: 38766910
if auditing is enable, maybe can help also but typically man few enabled this beforehand and is afterthought since business does not demand or no need to review the massive "noisy" log . Else is other network traffic log if SMB payload is stored ...but can only trail to PC IP address which can be even confusing if there is DHCP etc...best effort

http://blogs.technet.com/b/askds/archive/2009/08/04/tracking-a-remote-file-deletion-back-to-the-source.aspx
0
 

Author Comment

by:Joe2009
ID: 38770366
if auditing is enable, maybe can help also but typically man few enabled this beforehand and is afterthought since business does not demand or no need to review the massive "noisy" log . Else is other network traffic log if SMB payload is stored ...but can only trail to PC IP address which can be even confusing if there is DHCP etc...best effort

http://blogs.technet.com/b/askds/archive/2009/08/04/tracking-a-remote-file-deletion-back-to-the-source.aspx

Thanks for the link-- it might prove useful going forward.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

How to fix error ""Failed to validate the vCentre certificate. Either install or verify the certificate by using the vSphere Data Protection Configuration utility" when you are trying to connect to VDP instance from Vcenter.
Are you looking to recover an email message or a contact you just deleted mistakenly? Or you are searching for a contact that you erased from your MS Outlook ‘Contacts’ folder and now realized that it was important.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now