On Windows Server 2003, is there a way to see if and when a file was deleted?
It's a web server with IIS; our web application lets our users load Word documents onto the server. However, we found that one Word file is missing, and would like to know if it was deleted or never existed (the web app couldn't load it).
EDIT:
I tried to follow this:
Enable auditing the folder you want to keep track of. Just right click on the folder, go to “sharing and security”, then “security” tab, at the bottom click on “advanced”. Select the auditing tab, click add, select the group or users to track, then pick what actions you want to track.
To track file deletion you would enable:
- Create files / Write data: Success/Fail
- Create folders / Append data: Success/Fail
- Delete Subfolders/Files: Success/Fail
- Delete: Success/Fail
This will apply from now on; past actions wouldn't be trackable?
Usually, this kind of question can be answered by looking into your backup history. If you have shadow copies enabled and these are reaching back far enough, they could serve the same purpose.
Other than that, you can get some indication on whether anything was changed in a directory's contents by looking at the directory modification time.
If you suspect it has been a recent change and no other means are available to you, consider using an NTFS journal viewer utility (there are even open source / free ones like this here) to inspect your NTFS journal's contents. If the delete operation has not yet been overwritten by the journal wrap, you would find it in there (although not the name of the user for the delete operation's security context).
This will produce tons of logs which are not easily readable / searchable with the default set of tools provided with Windows Server. I would not recommend using it unless you have some kind of event log collection / auditing system offering the necessary feature set.
Normally when people load a file, they check to make sure that they can see it. So check your server logs to see if it was ever accessed. If it was accessed, you have proof that it existed at one point.
As for deleted, how good is your logging? Do you have any kind of a retention policy?
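The server-log check suggested above, as an added example that is not part of the original answers: it scans IIS W3C extended log lines for requests to one document and reports the first time it was served and the first later 404, which bounds when the file disappeared. The sample log lines and the path `/docs/Report.doc` are constructed, and it assumes the uploaded documents are served directly from a URL path that IIS logs.

```python
# Constructed sample in IIS W3C extended log format (not from the original page).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-03-01 08:00:00
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2010-03-01 08:01:10 POST /app/upload.aspx - alice 10.0.0.5 200
2010-03-01 08:01:12 GET /docs/Report.doc - alice 10.0.0.5 200
2010-03-02 09:15:40 GET /docs/other.doc - bob 10.0.0.6 200
#Fields: date time cs-method cs-uri-stem sc-status
2010-03-05 14:22:03 GET /docs/report.doc 404
"""

def find_requests(lines, uri_stem):
    """Yield one dict per request whose cs-uri-stem matches uri_stem.

    W3C logs name their columns in a '#Fields:' directive, which can
    reappear with a different column set after a logging change, so the
    column map is rebuilt each time one is seen.
    """
    fields = []
    wanted = uri_stem.lower()  # Windows paths are case-insensitive
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        entry = dict(zip(fields, values))
        if entry.get("cs-uri-stem", "").lower() == wanted:
            yield entry

def summarize(lines, uri_stem):
    """Return (first successful hit, first later 404); None where absent."""
    served = missing = None
    for e in find_requests(lines, uri_stem):
        stamp = f"{e.get('date', '?')} {e.get('time', '?')}"
        status = e.get("sc-status")
        if status in ("200", "206", "304") and served is None:
            served = stamp
        elif status == "404" and served is not None and missing is None:
            missing = stamp
    return served, missing

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines(), "/docs/Report.doc"))
```

A result of `(None, None)` means the logs on hand never recorded a request for that path, which is consistent with the file never having existed but also with the logs not reaching back far enough.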