Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Finding recently deleted files in Windows SBS 2011 Standard

Posted on 2013-01-10
6
Medium Priority
?
2,408 Views
Last Modified: 2013-01-12
Hi.

The company I work for just let a couple of people go. I’ve disabled their network accounts per normal procedure, but since the relationship had evidently been contentious for about the last month, I’ve been asked to determine if either of these individuals may have recently deleted any files/folders from the network before their access was cut off.

We have no special tracking or forensic software installed on the server (SBS 2011 Standard), so I don’t know how I would go about providing this kind of detailed information, or whether it’s even possible after the fact.

I do have twice-daily backups going back nearly a year, so the only thing I can think to do is to restore our data folders from a point 4-6 weeks ago and do a file compare with their current versions to see what files and folders, if any, might be missing.

Is this my only option, or is their an alternate/batter approach? If anyone has any suggestions, I would greatly appreciate it.


Joe
0
Comment
Question by:Joe2009
  • 3
  • 2
6 Comments
 
LVL 97

Accepted Solution

by:
Lee W, MVP earned 1600 total points
ID: 38764467
Now, your daily backups (or the Windows equivalent if it was enabled - Volume Shadow Copy) is your only option UNLESS you had PREVIOUSLY enabled Object Access Auditing.  It's not enabled by default and it obviously cannot audit things that have already happened.
0
 

Author Comment

by:Joe2009
ID: 38764721
Yeah, that's kinda what I figured. I've already begun doing some data restores and I'll see what they show.

I'm going to leave this question open for a bit to see if anyone else weighs in with an opinion.

Thanks.

Joe
0
 
LVL 97

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 1600 total points
ID: 38765705
You can then grab a program called beyond compare and compare the contents of the two locations and see what's different - but warning - all your legitimately changed and deleted files will be "flagged" as changed - but at least it should highlight all the differences.
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 

Author Comment

by:Joe2009
ID: 38765808
Yup. BC is what I'm using. I know I'm going to be coming across a fair number of legit changes and deletions, but at least seeing the differences laid out should give me a good indication of whether any wholesale deletions occurred.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 400 total points
ID: 38766910
if auditing is enable, maybe can help also but typically man few enabled this beforehand and is afterthought since business does not demand or no need to review the massive "noisy" log . Else is other network traffic log if SMB payload is stored ...but can only trail to PC IP address which can be even confusing if there is DHCP etc...best effort

http://blogs.technet.com/b/askds/archive/2009/08/04/tracking-a-remote-file-deletion-back-to-the-source.aspx
0
 

Author Comment

by:Joe2009
ID: 38770366
if auditing is enable, maybe can help also but typically man few enabled this beforehand and is afterthought since business does not demand or no need to review the massive "noisy" log . Else is other network traffic log if SMB payload is stored ...but can only trail to PC IP address which can be even confusing if there is DHCP etc...best effort

http://blogs.technet.com/b/askds/archive/2009/08/04/tracking-a-remote-file-deletion-back-to-the-source.aspx 

Thanks for the link-- it might prove useful going forward.
0

Featured Post

Free recovery tool for Microsoft Active Directory

Veeam Explorer for Microsoft Active Directory provides fast and reliable object-level recovery for Active Directory from a single-pass, agentless backup or storage snapshot — without the need to restore an entire virtual machine or use third-party tools.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you looking to recover an email message or a contact you just deleted mistakenly? Or you are searching for a contact that you erased from your MS Outlook ‘Contacts’ folder and now realized that it was important.
This article shows how to use a free utility called 'Parkdale' to easily test the performance and benchmark any Hard Drive(s) installed in your computer. We also look at RAM Disks and their speed comparisons.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Suggested Courses

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question