Find file on Server using log

Status
Not open for further replies.

joebloggs2

Technical User
Jan 21, 2007
2
IE
Our network guru left their job a month ago and I'm after being put in charge of the server in our small office. One of the users loaded an important file onto the server and someone else "cut" it off. The person who "cut" it off had their laptop stolen and with it the file. The person who loaded it can't seem to find it on their machine either. The person who got the laptop stolen knows what day and roughly what time they cut the file off the server. We're using Microsoft Windows 2003 Server. Is there a log kept of all "transactions" by users on the server? Can I use this in some way to retrieve the file, as it's probably not overwritten on the disk as we've a lot of room and very few users? I hate to be a pain, but could someone give me fairly detailed instructions on how to get to the user log and retrieve the file?

Thanks,
John
 
By default, these types of user transactions are not logged anywhere. Most likely your previous administrator did not configure logging to this level, as it's not necessarily prudent to do so. This level of monitoring, or logging, would usually be configured as a security measure to mitigate malicious actions or for evidential purposes.

With that being said...when was this file moved from the server to the user's laptop? Possibly it is still in an archived backup rotation? Maybe can be restored? If it's not still in a backup archive somewhere, I'm afraid you'd have lost the file for good. What makes it more difficult is, you don't even know where the file originally resided.

Going forward, it would be a good idea to configure your systems so that your users are keeping their files in a centralized share, or redirect My Documents and/or Desktop files.

If the file is important enough, you could send the disk to a forensics specialist to attempt retrieval of the lost data. However, most likely this would surely be like killing an ant with a hand grenade. [neutral]

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
thanks Jonathan

I do know what folder on the server the file was stored.
Where would I look to find if the previous administrator was keeping a log on transactions? Where would I find the individual user logs or server logs? The file can be re-done in that it's a presentation. Just going to take the person involved a couple of days to redo it.

thanks again
John
 
The problem here is not when the file was accessed or who accessed it...right? You know who moved the file, and approximately when. This information will help you in retrieving the file from a backup rotation, but that's about it.

One way to find out quickly if there is auditing configured on the directory where the file existed is to take a look at the advanced NTFS security, auditing tab on the directory in which the file once resided. If object access is not being audited, then no logging will be kept in the event viewer.

Again, this information will not help much in retrieving the file other than searching your backup archives for a specific date/time.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
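
The check described in the reply above, as an added example that is not part of the original thread: it reads the audit entries on the folder and, if any cover deletes, searches the Security log for that folder in the time window. Assumptions: Windows PowerShell 2.0 or later (`Get-EventLog` is not available in PowerShell 7), an elevated session, and a hypothetical function name, folder path and time window. Any events found show who touched the file and when; they do not bring the file back.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell
# (2.0 or later) session; reading audit entries needs the "Manage auditing
# and security log" right that Administrators hold by default.
function Test-FolderAudit {
    param(
        [string]$Folder,      # folder the file used to live in
        [datetime]$From,      # start of the window in which the file was cut
        [datetime]$To         # end of that window
    )

    # 1. Audit entries (SACL) on the folder: the same data shown on the
    #    Advanced > Auditing tab of the folder's Security properties.
    $acl   = Get-Acl -Path $Folder -Audit
    $rules = @($acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]))
    if ($rules.Count -eq 0) {
        Write-Output "No audit entries on $Folder; nothing was logged for it."
        return
    }
    $rules | Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize | Out-Host

    # 2. A move off the server ends in a delete, so look for entries that
    #    audit successful use of a delete right.
    $delete = [int][System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
    $ok     = [int][System.Security.AccessControl.AuditFlags]::Success
    $hits   = @($rules | Where-Object {
        (([int]$_.AuditFlags -band $ok) -ne 0) -and
        (([int]$_.FileSystemRights -band $delete) -ne 0)
    })
    if ($hits.Count -eq 0) {
        Write-Output 'Audit entries exist, but none record successful deletes.'
        return
    }

    # 3. Entries only produce events while the "Audit object access" policy
    #    is on, so search the Security log itself. These event IDs carry the
    #    object name: 560 on Server 2003, 4656/4663 on Server 2008 and later.
    Get-EventLog -LogName Security -After $From -Before $To `
            -InstanceId 560, 4656, 4663 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -and
            $_.Message.IndexOf($Folder, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
        Select-Object TimeGenerated, InstanceId, Message
}

# Constructed placeholder values; substitute the real folder and time window.
Test-FolderAudit -Folder 'D:\Shares\Example' -From '2007-01-01 13:00' -To '2007-01-01 17:00'
```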
 