hi all,
One of the employees' personal folders got deleted on a Windows 7 system. He says someone accessed it over the LAN and deleted his folder with the help of a LAN administrator.
I need to find out who deleted it (there are multiple LAN admin IDs) or whether he deleted it by mistake.
How do I find this out? I will image the hard disk. We have EnCase and FTK forensics software.
Please advise: is there any methodology to find this out?
regards
Michelle
Hopefully you have adequate logging in your Security.evtx event log. This will contain the authentication that occurred around the time of the alleged remote folder deletion.
I'd suggest starting by determining what shares may have been available, and what version of Windows was running on the system. Knowing the version of Windows will tell you what artifacts you can expect to be available…or not.
If you know about what time this action occurred, I'd recommend starting with a timeline of system activity, looking specifically for type 3 logins from remote systems.
I agree with pbobby and keydet89. You need the Security Event logs. If the computer is a member of a domain, the event logs may be on the domain controller. Windows does not track who deleted what files, unless they're in somebody's recycle bin, which will not be the case if it was done remotely. You have to show that somebody was logged in at the suspected time of deletion.
If they feel that a LAN admin is responsible, good luck getting the domain event logs without a court order placing all related data on hold. Time is an issue because event logs roll over. Look for other clues during the suspected time of deletion like access to USB devices, Dropbox, email, RDP, etc. Also, ask for backups!
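As an added illustration (not code from any of the posters) of the approach pbobby, keydet89 and the reply above describe, the script below filters Security.evtx records exported as XML for successful network (type 3) logons, event ID 4624 on Windows 7, inside the suspected deletion window. The XML records, account names, IPs and times are constructed samples, not real log data; in a case you would feed it the XML that your evtx parser exports from the imaged Security.evtx.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample export (not from a real system): three successful logons.
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2013-04-02T08:15:02Z"/></System>
<EventData><Data Name="TargetUserName">jsmith</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">2</Data><Data Name="IpAddress">-</Data>
<Data Name="WorkstationName">WS-JSMITH</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2013-04-02T09:58:11Z"/></System>
<EventData><Data Name="TargetUserName">lanadmin1</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.25</Data>
<Data Name="WorkstationName">ADMIN-PC1</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2013-04-02T14:02:40Z"/></System>
<EventData><Data Name="TargetUserName">lanadmin2</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.40</Data>
<Data Name="WorkstationName">ADMIN-PC2</Data></EventData></Event>
</Events>"""

def parse_time(s):
    # TimeCreated is recorded in UTC; convert your local suspected window accordingly.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_events(xml_text):
    """Yield one dict per <Event>: EventID, time, and every EventData field."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {"EventID": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
               "time": parse_time(ev.find("e:System/e:TimeCreated", NS).get("SystemTime"))}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text
        yield rec

def network_logons(xml_text, start, end):
    """Successful network (type 3) logons within [start, end], oldest first."""
    hits = [r for r in parse_events(xml_text)
            if r["EventID"] == 4624 and r.get("LogonType") == "3"
            and start <= r["time"] <= end]
    hits.sort(key=lambda r: r["time"])
    return [(r["time"].isoformat(), f'{r["TargetDomainName"]}\\{r["TargetUserName"]}',
             r.get("IpAddress"), r.get("WorkstationName")) for r in hits]

if __name__ == "__main__":
    win = (parse_time("2013-04-02T09:30:00Z"), parse_time("2013-04-02T10:30:00Z"))
    for row in network_logons(SAMPLE_XML, *win):
        print(*row)
```

The interactive (type 2) logon is dropped and only the network logon inside the window is reported; widening the window to the whole day also surfaces the second admin logon, which is why the timeline should be anchored as tightly as the employee's account of the deletion allows.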