MacOS – How does one determine which user deleted a shared file on OS X Mountain Lion Server

file-sharing, filesystem, logs, macos, server.app

My girlfriend is a lab technician at a small pharmaceutical startup. She created a very important Excel file and placed it in a shared folder on a server that the "IT" guy set up. The server runs Mountain Lion (OS X 10.8.2).

Last week, this important file went missing from this particular folder. There were several other files in this folder, but they didn't go missing.

She has since been able to recover the file from Time Machine, but wants to know how that file went missing. She assures me that no one in her department is careless enough to delete the file, but perhaps a higher-up with access to the shared file either accidentally moved/deleted the file (or did so deliberately due to the file's contents).

The issue here is that, due to a power struggle within the company, she suspects that someone may have attempted to sabotage (delete or move) this critical file, which had data that could move the company forward faster in a particular direction than certain saboteurs would like.

The "IT" guy doesn't know much about server logs, etc., and I'm not a Mac expert. My question is this:

Is there a way to find out who deleted or moved this critical file? Are there file change logs located somewhere on the server that could "prove" this action?

Best Answer

Yes - by default, file deletions are logged along with many other important file sharing events.

Install the Server app on any Mac (or log into the server to run the app there or inspect the log file locally).


Select logs on the left, select AFP Access Log on the bottom and search for the word Delete. Once you've found the file deletion you care about, note the IP address and timestamp. Then search backwards in this log to see what user logged in using that IP immediately prior to that delete event.

You might also seek professional help if you want a forensic analysis rather than performing it yourself. Anyone that can look at the logs can change the logs and how you use this knowledge is more of a social problem than a technical problem. There should be Time Machine or better backups of the server shares, so you should be able to trivially determine the times files are deleted there as well with tools like Backup Loupe and hopefully you find that someone was careless rather than deliberate. Either way, OS X server has sufficient logging to determine a file access oddity if it came from a user that connected to the share as opposed to logging in directly to the server and deleting the file. That event would need additional auditing and logging, but I would start with analyzing the AFP access log since that's normally how files are accessed from a server.
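The correlation the answer describes (find the Delete, note its client IP and timestamp, then look back for the Login from that IP) can be done mechanically against the raw log file instead of by scrolling in Server.app. The script below is an added example and is not part of the original answer or of Apple's tooling. It assumes the line format of the OS X Server AFP access log is `IP <client> - - [dd/Mon/yyyy:HH:MM:SS zzzz] "<Operation> <argument>" 0 0 0` and that the file lives at the default path `/Library/Logs/AppleFileService/AppleFileServiceAccess.log`; check both against your own server before relying on the output. The log lines embedded in it are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Assumed default location of the AFP access log on OS X Server (verify on your machine).
AFP_ACCESS_LOG = "/Library/Logs/AppleFileService/AppleFileServiceAccess.log"

# Assumed line format:
#   IP <client-ip> - - [dd/Mon/yyyy:HH:MM:SS zzzz] "<Operation> <argument>" 0 0 0
LINE_RE = re.compile(
    r'^IP\s+(?P<ip>\S+)\s+-\s+-\s+\[(?P<ts>[^\]]+)\]\s+"(?P<op>\w+)(?:\s+(?P<arg>.*?))?"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: alice works from 10.0.1.21, bob from 10.0.1.34, and a
# delete arrives from 10.0.1.50 without any Login earlier in this log window.
SAMPLE_LOG = """
IP 10.0.1.21 - - [04/Mar/2013:09:02:11 -0500] "Login alice" 0 0 0
IP 10.0.1.34 - - [04/Mar/2013:09:05:40 -0500] "Login bob" 0 0 0
IP 10.0.1.21 - - [04/Mar/2013:09:06:02 -0500] "OpenFork Lab Share/Results/assay_q1.xlsx" 0 0 0
IP 10.0.1.34 - - [04/Mar/2013:09:07:15 -0500] "Delete Lab Share/Results/old_notes.txt" 0 0 0
IP 10.0.1.21 - - [04/Mar/2013:09:30:00 -0500] "Logout alice" 0 0 0
IP 10.0.1.21 - - [04/Mar/2013:09:31:12 -0500] "Delete Lab Share/Results/scratch.tmp" 0 0 0
IP 10.0.1.34 - - [04/Mar/2013:09:41:27 -0500] "Delete Lab Share/Results/assay_q1.xlsx" 0 0 0
IP 10.0.1.50 - - [04/Mar/2013:09:45:00 -0500] "Delete Lab Share/Results/assay_q1_copy.xlsx" 0 0 0
""".strip().splitlines()


@dataclass
class Event:
    ip: str
    when: datetime
    op: str
    arg: str


@dataclass
class Attribution:
    path: str
    when: datetime
    ip: str
    user: Optional[str]  # None: no Login from that IP precedes the Delete in this log


def parse_afp_log(lines) -> List[Event]:
    """Parse access-log lines into events, skipping anything that is not a request line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, rotation headers, lines in another format
        events.append(Event(m["ip"], datetime.strptime(m["ts"], TS_FORMAT), m["op"], m["arg"] or ""))
    return events


def attribute_deletes(lines, filename: str) -> List[Attribution]:
    """Replay the log once, tracking which user is logged in from each client IP,
    and attribute every Delete of `filename` (basename or full share path).

    A Logout clears the IP's session, so a Delete after it is reported with
    user=None rather than blamed on the previous user. A Delete from an IP that
    never logged in inside this log window is also reported with user=None:
    look in the rotated log before this one, or consider a local deletion on
    the server itself, which the AFP log does not record."""
    sessions = {}  # ip -> user currently logged in from that address
    results = []
    for ev in parse_afp_log(lines):
        if ev.op == "Login":
            sessions[ev.ip] = ev.arg
        elif ev.op == "Logout":
            sessions.pop(ev.ip, None)
        elif ev.op == "Delete" and (ev.arg == filename or ev.arg.endswith("/" + filename)):
            results.append(Attribution(ev.arg, ev.when, ev.ip, sessions.get(ev.ip)))
    return results


if __name__ == "__main__":
    import sys
    # Usage: python afp_who_deleted.py <filename> [logfile]; defaults to the sample log.
    target = sys.argv[1] if len(sys.argv) > 1 else "assay_q1.xlsx"
    if len(sys.argv) > 2:
        with open(sys.argv[2], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG
    for a in attribute_deletes(lines, target):
        who = a.user if a.user else "<no Login from this IP in log window>"
        print(f"{a.when.isoformat()}  {a.ip:<15} {who:<12} Delete {a.path}")
```

Two caveats the answer already hints at apply to the output: several people behind one NAT address show up as the same IP, so the attribution is only as good as the Login/Logout pairing for that address, and a deletion performed while logged in to the server itself (Finder or `rm` on the console) never appears in the AFP access log at all.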