General Question

christine215's avatar

Is there anyway to find out who deleted a folder on a shared drive?

Asked by christine215 (3173points) July 27th, 2011

I am suspecting that there is some professional sabotage where I work. A folder which held weeks worth of work was on a shared drive. The drive is accessible to everyone in the company. Yesterday it vanished. I’ve searched everywhere and cannot find it. I did not delete it, I checked with our IT guy and he didn’t move it… he’s looking into the back up to retrieve it, but half the work since the last tape back up will be gone.

Is there any way that they (or I) can determine who removed the folder from the drive?

Observing members: 0 Composing members: 0

8 Answers

blueiiznh's avatar

It all depends on what those shares are hosted on and in some cases a level of auditing is turned on or not.
Simple Windows File Share with Mapped Drives will not get you what you are looking for.

Anyone who has permissions to do this could have moved it anywhere. Sadly many IT shops do not put proper things in place to manage this. They could search on all shares for specific folder or file name to see if it was accidentely dropped somewhere.
You also may be dealing with simple users who fall into the ID 10 T category (Idiot).

Suggest to IT that they establish snapshots or a technology that tracks and saves off recent versions to be able to revert to.

Good luck.

XOIIO's avatar

Use recuva to try to recover it, its free, and works great. I’d use thwe portable version for this, since its faster.

blueiiznh's avatar

@XOIIO recuva works great if you find the machine that did the dirty deed and it didnt bypass the recyle bin

XOIIO's avatar

@blueiiznh It might work on the network drive itself too.

christine215's avatar

Recuva doesn’t seem to work on the network drive… it’ll only scan the local disk and the recovery disk
:-(
(In addition to gettng the work back, I’d really LOVE to figure out who did this)

jaytkay's avatar

Whether you can see the history or not depends on what kind of logging is enabled on the machine where the shared folder was stored.

Also, any recovery would have to be done on that server, not the desktop clients.

XOIIO's avatar

@christine215 Yeah, the shared folder is on the server, computers just have access to it.

the100thmonkey's avatar

This is why multiple mirroring is essential for work-critical drives.

I would hazard a guess that you’re working in a small company, with maybe 5 – 20 users of the network. I might suggest that if you’re working for a larger organisation, the IT department should take the heat for this, unless you can demonstrate that the folder was deleted with malicious intent (but they should still take the majority of the heat – they are in the business of data integrity and security, after all).

Permissions, permissions, permissions.

You might get more joy from recuva if you remove the NAS from its box (potentially invalidating its warranty) and attaching it via USB, or directly through the S-ATA pports internal to the computer.

Answer this question

Login

or

Join

to answer.

This question is in the General Section. Responses must be helpful and on-topic.

Your answer will be saved while you login or join.

Have a question? Ask Fluther!

What do you know more about?
or
Knowledge Networking @ Fluther