computer Forensics

+
0 Votes
Locked

jitendragautam15
There is one problem in my company: someone deleted an important file which is shared on the network today. I recovered that file, but I want that system's IP and MAC address to identify the person who deleted the file at a particular time interval.
Client = Win7 and data server = XP
  • +
    0 Votes
    robo_dev

    IF you were using Active Directory and IF auditing were enabled, you could determine who was logged in and even see the file deletion in the logs, IF that were enabled and IF you were running AD on a Windows server.

    For a Windows XP share, the only remote possibility would be if the user made a change to the document, then deleted it: the file would appear on their local workstation as a 'recent file' and potentially the properties of the restored file would show that username as the owner.

    Further, if this were a Word document, for example, and the user changed it then deleted it, there would be metadata in the file showing that, plus there would be traces on their local PC (recent files, Word temp files, Word auto-recover files, etc).

    +
    0 Votes
    gechurch

    Robo_dev is absolutely right in everything he says. I can't think of any other way of finding this info without having systems in place first.

    To track this stuff in the future I can recommend http://www.greyware.com/software/systemchangelog/3x/index.asp. I use it on a few servers. It's much easier to read than AD Auditing (and it tracks renames properly). It also runs fine on Windows XP, and is free for personal use ($30 after the trial runs out if you use it commercially).
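
The log lookup robo_dev describes, as an added example that is not part of the thread: it lists who deleted files under a shared folder in a time window and, by matching logon IDs, the client IP each deletion came from. It assumes a file server running Windows Server 2008 or later (not the XP server in the question) with "Audit File System" and "Audit Logon" enabled and a Delete auditing entry set on the folder before the deletion happened; the folder path and times are constructed placeholders.

```powershell
# Added example, not from the thread. Run in an elevated session on the file server.
$Folder = 'D:\Shares\Projects'            # hypothetical share path
$Start  = Get-Date '2024-01-15 09:00'     # constructed time window
$End    = Get-Date '2024-01-15 17:00'
$DELETE = 0x10000                         # DELETE access right in AccessMask

# Turn an event's <EventData> into a hashtable keyed by field name.
function Get-EventFields($Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# 4624 = successful logon; type 3 (network) records the client's address.
# The window is widened because the session may predate the deletion.
$logons = @{}
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624
        StartTime=$Start.AddHours(-12); EndTime=$End} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.LogonType -eq '3') { $logons[$f.TargetLogonId] = $f }
    }

# 4663 = an attempt was made to access an object; keep DELETE requests under $Folder.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663
        StartTime=$Start; EndTime=$End} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        $mask = [Convert]::ToInt32($f.AccessMask, 16)
        if (($mask -band $DELETE) -and $f.ObjectName -like "$Folder\*") {
            $src = $logons[$f.SubjectLogonId]
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
                File     = $f.ObjectName
                SourceIP = if ($src) { $src.IpAddress } else { 'logon event not in log' }
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

The Security log records the client's IP address, not its MAC address; tying that IP to a physical machine depends on DHCP lease records covering the same time.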
