Computer Forensics

By jitendragautam15
There is one problem in my company: someone deleted an important file which is shared on the network today. I recovered that file, but I want that system's IP and MAC address to identify the person who deleted the file at a particular time interval.
Client = Win7 and data server = XP


All Answers


That info may possibly only exist on the client workstation that deleted it

by robo_dev In reply to Computer Forensics

IF you were using Active Directory and IF auditing were enabled, you could determine who was logged in and even see the file deletion in the logs, IF that were enabled and IF you were running AD on a Windows server.

For a Windows XP share, the only remote possibility would be if the user made a change to the document, then deleted it, the file would appear on their local workstation as a 'recent file' and potentially the properties of the restored file would show that username as the owner.

Further, if this were a Word document, for example, and the user changed it then deleted it, there would be metadata in the file showing that, plus there would be traces on their local PC (recent files, Word temp files, Word auto-recover files, etc).
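What the audit trail described in the answer above makes possible, as an added example that is not part of the original thread: it joins DELETE accesses on a file (Security event 4663) to the network logon that carried them (event 4624, logon type 3) to get the source IP. It assumes a file server running Windows Vista/Server 2008 or later (not the XP server in the question) with object access auditing enabled and events exported to records; the records, path, function name and addresses are constructed.

```python
from datetime import datetime

DELETE = 0x10000  # DELETE access right as it appears in the 4663 AccessMask

# Constructed sample export of the file server's Security log (not real data).
EVENTS = [
    {"id": 4624, "time": "2012-03-05T09:01:12", "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1", "LogonType": 3, "IpAddress": "192.0.2.21"},
    {"id": 4624, "time": "2012-03-05T09:14:40", "TargetUserName": "bob",
     "TargetLogonId": "0x4b2c9", "LogonType": 3, "IpAddress": "192.0.2.34"},
    {"id": 4663, "time": "2012-03-05T09:15:02", "SubjectUserName": "alice",
     "SubjectLogonId": "0x3e7a1", "ObjectName": r"D:\Shared\budget.xls",
     "AccessMask": "0x1"},      # read access only, must be ignored
    {"id": 4663, "time": "2012-03-05T09:20:31", "SubjectUserName": "bob",
     "SubjectLogonId": "0x4b2c9", "ObjectName": r"D:\Shared\budget.xls",
     "AccessMask": "0x10000"},  # delete over the network session above
    {"id": 4663, "time": "2012-03-05T09:41:07", "SubjectUserName": "carol",
     "SubjectLogonId": "0x51d02", "ObjectName": r"D:\Shared\budget.xls",
     "AccessMask": "0x10000"},  # delete with no network logon in the export
    {"id": 4663, "time": "2012-03-02T16:45:10", "SubjectUserName": "alice",
     "SubjectLogonId": "0x1f00d", "ObjectName": r"D:\Shared\budget.xls",
     "AccessMask": "0x10000"},  # delete outside the time window of interest
]

def find_deleters(events, path, start, end):
    """Return (time, user, source_ip) for DELETE accesses to path in [start, end]."""
    # Index network logons (type 3) by logon ID so each 4663 can be joined to one.
    logons = {e["TargetLogonId"]: e for e in events
              if e["id"] == 4624 and e["LogonType"] == 3}
    hits = []
    for e in events:
        # Windows paths are case-insensitive, so compare in lower case.
        if e["id"] != 4663 or e["ObjectName"].lower() != path.lower():
            continue
        if not int(e["AccessMask"], 16) & DELETE:
            continue
        when = datetime.fromisoformat(e["time"])
        if not (start <= when <= end):
            continue
        logon = logons.get(e["SubjectLogonId"])
        # None means no matching network logon: a local session or a rotated log.
        ip = logon["IpAddress"] if logon else None
        hits.append((e["time"], e["SubjectUserName"], ip))
    return hits
```

These events carry no MAC address; mapping the source IP to a MAC needs a separate record from the same period, such as DHCP leases.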


A Recommendation

by gechurch In reply to Computer Forensics

Robo_dev is absolutely right in everything he says. I can't think of any other way of finding this info without having systems in place first.

To track this stuff in the future I can recommend I use it on a few servers. It's much easier to read than AD Auditing (and it tracks renames properly). It also runs fine on Windows XP, and is free for personal use ($30 after the trial runs out if you use it commercially).
