Answer for:

computer Forensics

Message 2 of 3

View entire thread
0 Votes
Collapse -

IF you were using active directory and IF auditing were enabled, you could determine who was logged in and even see the file deletion in the logs, IF that were enabled and IF you were running AD on a Windows server.

For a Windows XP share, the only remote possibility would be if the user made a change to the document, then deleted it, the file would appear on their local workstation as a 'recent file' and potentially the properties of the restored file would show that username as the owner.

Further, if this were a Word document, for example, and the user changed it then deleted, there would be metadata in the file showing that, plus there would be traces on their local PC (recent files, Word temp files, word auto-recover files, etc).