Forensics say the files were deleted intentionally

[gdangerfield]

I am running Windows 2000 as a domain server with mirrored hard drives. A forensic expert said that thousands of files were intentionally deleted from the server and I know they were not deleted intentionally.

These are all word documents from one user's document folder. All of the file names which were "deleted" have an added bracket on them (e.g. sample.doc shows it was deleted as sample[1034].doc--Object Pool[1036]). The user's document folder still has those files in them with the original name.

(I don't know if the recovery tool he used added the additional characters to the name or not)

Anyone have any idea if Server 2000 automatically does anything that would explain this?

TIA

 

[eyec]

depending on the forensic software used it could have given the alternate file name with a Bates number.

Bates numbers are used to catalog files for evidenciary presentation.

 

[chiph]

The only thing I know that might do this is Windows has a feature that allows you to move seldom-used files to secondary storage (tape library, optical drive, etc.) Otherwise, someone had to have done it.

If you have a problem with this regularly happening, you'll want to turn the auditing feature on. Be aware that it uses up a lot of disk space, recording who did what, when.

Chip H.


____________________________________________________________________
Click here to learn Ways to help with Tsunami Relief
If you want to get the best response to a question, please read FAQ222-2244 first