A server administrator is investigating a security incident where a shared folder containing sensitive project data was unexpectedly deleted from a file server. To comply with the company's data handling policy, the administrator must identify which user account was responsible for the deletion. Which of the following is the MOST direct method to find this information?
Perform a full anti-malware scan on all workstations that had access to the shared folder.
Restore the deleted folder from the most recent backup and analyze the restored file metadata.
Analyze the security event logs on the file server, filtering for object deletion events.
Review the datacenter's physical access logs for the time frame when the deletion occurred.
The correct answer is to analyze the security event logs. Server operating systems can be configured to audit object access, which creates a log entry when files or folders are accessed, modified, or deleted. These security logs, often found in the Event Viewer on Windows, will contain events that record the specific action (e.g., delete), the resource that was affected, the timestamp, and most importantly, the security ID of the user account that performed the action. This is the most direct and reliable method for identifying the responsible party.
Restoring from a backup is a data recovery step, not an investigative one; it will bring the data back but will not identify who deleted it.
Reviewing datacenter physical access logs is only useful if the deletion was performed from a physical console session within the datacenter and is not effective for actions performed remotely over the network.
Performing a malware scan is a valid incident response step to identify a potential root cause, but it does not directly identify the user account under which the deletion occurred; the security logs would still be the primary source for that information.
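A worked example of the method the answer describes, added here and not part of the original question or its rationale: a PowerShell query over the file server's Security log that pulls object-deletion audit events and resolves them to the responsible account. It assumes Windows Server, that "Audit File System" object-access auditing was already enabled on the server before the incident, and that the shared folder carried an auditing entry (SACL) covering Delete; without both of those preconditions no deletion events exist to find. The event IDs 4663 (access attempt, with the object name) and 4660 (object deleted, with only the handle ID) are the standard Windows Security log IDs; the share path and the seven-day window are constructed placeholders.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell on the
# file server. Preconditions, set BEFORE the incident:
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
#   plus an auditing entry (SACL) on the folder that audits "Delete" for Everyone.
$SharePath = 'D:\Shares\ProjectData'        # constructed placeholder
$Start     = (Get-Date).AddDays(-7)          # constructed time window

# 4663 = "An attempt was made to access an object" (has ObjectName + AccessMask)
# 4660 = "An object was deleted" (has HandleId, but no ObjectName)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4660, 4663
    StartTime = $Start
} -ErrorAction Stop

# Flatten each event's EventData into a hashtable keyed by field name.
function Get-EventFields([System.Diagnostics.Eventing.Reader.EventRecord]$Record) {
    $x = [xml]$Record.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

$DELETE = 0x10000   # DELETE bit of the NTFS access mask

# Index 4663 events that requested DELETE on the share, keyed by HandleId,
# so the later 4660 (which names no object) can be joined back to a path.
$deleteAttempts = @{}
foreach ($e in $events | Where-Object Id -eq 4663) {
    $d = Get-EventFields $e
    if ($d.ObjectName -notlike "$SharePath*") { continue }
    $mask = [convert]::ToInt32($d.AccessMask, 16)
    if (($mask -band $DELETE) -eq 0) { continue }
    $deleteAttempts[$d.HandleId] = $d
}

# Confirmed deletions: 4660 whose HandleId matches a DELETE attempt on the share.
$results = foreach ($e in $events | Where-Object Id -eq 4660) {
    $d = Get-EventFields $e
    $attempt = $deleteAttempts[$d.HandleId]
    if (-not $attempt) { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        UserSid = $d.SubjectUserSid
        Object  = $attempt.ObjectName
        Process = $d.ProcessName
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

The join on HandleId matters in practice: the 4660 "object deleted" record alone tells you who and when, but not what; the matching 4663 supplies the path. Filtering on the DELETE bit of the access mask rather than on the whole mask value keeps deletions whose mask also carries other bits (for example READ_ATTRIBUTES). If the query returns nothing for the incident window, the usual cause is that auditing or the folder SACL was not in place beforehand, which is the gap to close before the next incident.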