Is there anyway to find out who deleted a folder on a shared drive?
I am suspecting that there is some professional sabotage where I work. A folder which held weeks worth of work was on a shared drive. The drive is accessible to everyone in the company. Yesterday it vanished. I’ve searched everywhere and cannot find it. I did not delete it, I checked with our IT guy and he didn’t move it… he’s looking into the back up to retrieve it, but half the work since the last tape back up will be gone.
Is there any way that they (or I) can determine who removed the folder from the drive?
Observing members:
0
Composing members:
0
8 Answers
It all depends on what those shares are hosted on and in some cases a level of auditing is turned on or not.
Simple Windows File Share with Mapped Drives will not get you what you are looking for.
Anyone who has permissions to do this could have moved it anywhere. Sadly many IT shops do not put proper things in place to manage this. They could search on all shares for specific folder or file name to see if it was accidentely dropped somewhere.
You also may be dealing with simple users who fall into the ID 10 T category (Idiot).
Suggest to IT that they establish snapshots or a technology that tracks and saves off recent versions to be able to revert to.
Good luck.
Use recuva to try to recover it, its free, and works great. I’d use thwe portable version for this, since its faster.
@XOIIO recuva works great if you find the machine that did the dirty deed and it didnt bypass the recyle bin
@blueiiznh It might work on the network drive itself too.
Recuva doesn’t seem to work on the network drive… it’ll only scan the local disk and the recovery disk
:-(
(In addition to gettng the work back, I’d really LOVE to figure out who did this)
Whether you can see the history or not depends on what kind of logging is enabled on the machine where the shared folder was stored.
Also, any recovery would have to be done on that server, not the desktop clients.
@christine215 Yeah, the shared folder is on the server, computers just have access to it.
This is why multiple mirroring is essential for work-critical drives.
I would hazard a guess that you’re working in a small company, with maybe 5 – 20 users of the network. I might suggest that if you’re working for a larger organisation, the IT department should take the heat for this, unless you can demonstrate that the folder was deleted with malicious intent (but they should still take the majority of the heat – they are in the business of data integrity and security, after all).
Permissions, permissions, permissions.
You might get more joy from recuva if you remove the NAS from its box (potentially invalidating its warranty) and attaching it via USB, or directly through the S-ATA pports internal to the computer.
Answer this question
This question is in the General Section. Responses must be helpful and on-topic.