How do I determine who copied a folder to the server?

I am trying to determine who access a user's desktop and copied a folder with confidential information to the general file server.  Unfortunately, when the user whose desktop it came from found it, and the confidential information in the folder, on the file server the user deleted it.  Is there any way to determine who accessed the user's desktop and copied the folder?

Desktop - Windows 7
Server - 03 r2
Jeremy TyreSystem Project AnalystAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

If auditing is turned on.  Also if you are in a domain.  You should be able to look in the audit events to see which user did things with the file system.  If not, how did they access files on that local PC? Is there a share? Is the user in question an Admin?
Paul StruikSr. System EngineerCommented:

Maybe you can restore the folder with Volume Shadow Copy if enabled to check the file information. I assume that someone else logged on the desktop using their own credentials, so if you have a time frame you could check the security log. Futhermore i don't think you have file-access auditing enabled on the Windows Server.

Thats all i can think of, maybe someone else has a briliant idea.
Jeremy TyreSystem Project AnalystAuthor Commented:
I am on a domain.  Shadow copy was never configured on the server.  The files were transfered and deleted between backups.  The user was on the computer during the estimated time that the files were transfered.  File access auditing does not appear to be on, only login attempts.

I am looking through the security logs on the local computer to see if I can find any successful logins other then the normal user during that time frame.
The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

Paul StruikSr. System EngineerCommented:
I think that's your only bet or maybe the user did it accidently, wouldn't be the first doing that :P.. sorry I couldn't be more of a help.
btanExec ConsultantCommented:
Audit has to be enable to trace back user and object activities, you can see if there are any trails (assuming audit is on)  in Finding the IP may not necessary state is that user per se but at least we can drill into the start of such anomalous activities have been carried out. Actually if the deletion is not the secure erasure type it can still be able to trace if the suspected user machine has traces of that  and correlate the time of those file created and deletion with the file server, but can be pretty tedious too..
Well, are these files something they user would have opened in a app that keeps track of MRU? Most recently used items? If so there may be history there or in the registry to show it. Also if they opened certain files (which they could only do if they copied them, I assume), they may create temp files or such in %temp%.  

If I knew a user should have access, says they didn't open files or do anything with them and a word doc or whatever temp file was found from that set of files, I'd know they had lied if it was in their temp folder.

If there are files they would have opened with a browser maybe the browser cache might have something.
There are also undelete programs that might help recover deleted files if not too much has been done after the fact. Check out digital forensic software.

Undelete, Uneraser, WinUndelete,SoftPerfect
btanExec ConsultantCommented:
there are also other tools such as LastActivityView (isplays a log of actions made by the user and events occurred on this computer executed)
..and WinLogOnView, FolderTimeUpdate
...and if there is sight of anti-forensic tool (timestomp etc) on the suspect amchine , it does ring the bell as well

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jeremy TyreSystem Project AnalystAuthor Commented:
Unfortunately, this has been taken out of my hands and pasted to people who specialize in this.  Thanks everyone for the help though.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Digital Forensics

From novice to tech pro — start learning today.