Re: Tool Question
- From: "/kj" <kj@xxxxxxxxxxx>
- Date: Fri, 13 Jan 2006 09:20:33 -0700
If you need only find the fragments for your proof then you might be
successful, however your probabilities diminish every day the raid array
remains in production.
If you also need to attribute the action to this specific user, then I know
of no built-in mechanism (besides audit, which you say was not enabled) that
will unequivocally attribute the action to the user.
/kj
"cjobes" <cjobes@xxxxxxxxxxxxx> wrote in message
news:uL2TTmFGGHA.3200@xxxxxxxxxxxxxxxxxxxxxxx
> Thanks Susan,
>
> I got some price quotes ($5000+) and the client has to decide whether he
> wants to do this.
>
> Claus
>
> "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
> wrote in message news:%23lhXrMFGGHA.4036@xxxxxxxxxxxxxxxxxxxxxxx
>> All that's going to do is show the file deleted though and may not [I'm
>> just thinking of my Guidance software tools that I have] I don't think it
>> will tell you who did it.
>>
>> You'll have to forensically image a RAID on a server which is not a
>> trivial thing to do and one that I haven't even done.
>>
>> Kroll On Track is an organization that would be able to do this.
>>
>> cjobes wrote:
>>> Susan, Russ and Jeff,
>>>
>>> Thanks for your answers. Audit was not turned on mainly for the reasons
>>> that Jeff pointed out. This client normally does not have the need for
>>> this level of auditing and also doesn't have the resources. I'm aware
>>> that some forensic work would be needed for this. I'm trying to do the
>>> research to give the client an idea what this would cost him.
>>>
>>> Claus
>>>
>>> "cjobes" <cjobes@xxxxxxxxxxxxx> wrote in message
>>> news:OxojBs$FGHA.1628@xxxxxxxxxxxxxxxxxxxxxxx
>>>
>>>>Hi all,
>>>>
>>>>A user at a client deleted some files from a shared network drive. We
>>>>need to find proof of that action by recovering files or fragments on a
>>>>Raid 5 of an SBS2000 server. Does anybody know a good tool for this?
>>>>This is not about recovering the files (there are backups) but to proof
>>>>the delete itself.
>>>>
>>>>Thanks,
>>>>Claus
>>>>
>>>
>>>
>
.
- References:
- Tool Question
- From: cjobes
- Re: Tool Question
- From: cjobes
- Re: Tool Question
- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
- Re: Tool Question
- From: cjobes
- Tool Question
- Prev by Date: Re: transcaction files not commited to the database
- Next by Date: Re: SMTP configuration
- Previous by thread: Re: Tool Question
- Next by thread: Re: Tool Question
- Index(es):
