Security/Forensic Question



We use owncloud community edition for some things with a company I work with and it appears someone may have deleted a number of files that were not theirs and were shared with people or that were shared with them before this person left the company. I'm trying to see if we can:

(a) recover the files that were deleted (the storage is on a SAN array and content wasn't backed up like it is for other things)
(b) see a log or some kind of tracking of who logged in when and what was changed

In regards to (b), I have started going through owncloud logs and also our apache logs, which has garnered a little information but not enough that I've been able to piece together how the files disappeared.

Does anyone have any data on (or can point me to) how I might be able to either see what files where where in the past or how to interpret the log files more thoroughly? Also, I'd be happy to bring someone in who's highly familiar with owncloud to help us with this.



ownCloud does not provide such logging per default, it can be activated in the ownCloud Enterprise Edition.
However you should check the trashbin of the owner of the original file as usally you can restore such deleted files.