Hi Guys,
Please help me. We have network shares on a file server and we had an incident where someone deleted files/folders in our network shares, and unfortunately the Windows audit policy is not working.
Is there any forensic tool or way to find the culprit who deleted the said files/folders?
Thank you and more power..
Please provide more information about the server OS, workstation OS, etc.
Before Windows Server 2008 there were no specific events for file shares.
Build a timeline of the network activity from your server logs, figure out the connected workstations and the logged-in users at the deletion time, and filter for who had access to the shared resources.
When you have potential targets, check the workstation logs as well; you might find artifacts about accessing network shares.
I just hope you had backups and you are asking for help in doing a post-event audit only to figure out what happened?!
The server is Windows 2008 and the workstations are Windows 7/8/10. Yes, there are no specific events in the security log because the audit policy is not "enabled". Can we do an undelete on the server to see the deleted files/folders?
If we do laptop or desktop auditing it will take too much time to check the artifacts about accessing network shares.
Thanks for helping me.
No logs, no backups, sounds like trouble (
You should create a binary image for work and start your data recovery as soon as possible. Don't try doing recovery on the live running system, it can lead to even more trouble (overwriting your valuable deleted data)!
Actually we have a backup. Is there a way to find the culprit even though there is no auditing enabled in the Windows policy?
Any help, guys?
Good to hear that you had backups!
Your server event logs have information for building a login/logout timeline for users. This way you can narrow down who was online when the deletion could have happened.
If you have no logs at all, well, bad luck!
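Added example for the timeline approach suggested in the two replies above (not code posted by anyone in this thread): a PowerShell script run on the Windows Server 2008 file server that builds a network-logon timeline from the Security log and lists the users and workstations whose SMB sessions overlapped the deletion time. It assumes logon/logoff auditing (events 4624/4634/4647) is present even though object-access auditing is not, and the deletion time is a constructed placeholder.

```powershell
# Added example, not from any poster. Assumes 4624/4634/4647 exist in the
# Security log; $DeletionTime is a placeholder to be replaced with the real one.
param(
    [datetime]$DeletionTime = (Get-Date '2016-01-15 14:32:00'),
    [int]$WindowHours = 4
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4634, 4647
    StartTime = $DeletionTime.AddHours(-$WindowHours)
    EndTime   = $DeletionTime.AddHours($WindowHours)
}

# Pull a named field out of the event's EventData XML.
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$sessions = @{}   # keyed by TargetLogonId so logoffs can be matched to logons

foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    $id = Get-EventField $ev 'TargetLogonId'
    if ($ev.Id -eq 4624) {
        # Logon type 3 = network logon, which is what an SMB share connection produces
        if ((Get-EventField $ev 'LogonType') -ne '3') { continue }
        $sessions[$id] = New-Object PSObject -Property @{
            User        = Get-EventField $ev 'TargetUserName'
            Workstation = Get-EventField $ev 'WorkstationName'
            SourceIp    = Get-EventField $ev 'IpAddress'
            LogonTime   = $ev.TimeCreated
            LogoffTime  = $null
        }
    } elseif ($sessions.ContainsKey($id)) {
        # 4634 / 4647: close the matching session
        $sessions[$id].LogoffTime = $ev.TimeCreated
    }
}

# Keep only sessions that were open at the deletion time (no logoff seen counts as still open)
$suspects = $sessions.Values | Where-Object {
    $_.LogonTime -le $DeletionTime -and
    ($_.LogoffTime -eq $null -or $_.LogoffTime -ge $DeletionTime)
}
$suspects | Sort-Object LogonTime |
    Format-Table User, Workstation, SourceIp, LogonTime, LogoffTime -AutoSize
```

The output narrows the list to accounts and source hosts that had a live share session at the deletion time; it is a lead for checking workstation-side artifacts, not proof of who issued the delete.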
Specific domain users have access to that specific folder; however, checking the logs based on logons alone is not sufficient to have hard evidence of who actually deleted the folders/files. That's why I need your help: is there a way, with or without forensic tools, to find the person who deleted the folders/files on the file server/network shares?
Thanks!
Maybe you should look through NTFS artifacts. In my opinion, NTFS artifacts can help you.
Hi Igor,
NTFS artifacts on the file server, or on the laptop/desktop that accessed the file server?
Please enlighten me.
Guys,
Any forensic tools or any help for this?
Thank you very much.