Question : Problem: EXT3 Data recovery and activity Audit

Hi

We have a production/testing server (Ubuntu 606) which is open to all our developers and they have unrestricted access to certain directories on the server. These directories they usually mount into a location on there Worstations (ubuntu).
Some one has gone and deleted a few very important files and directories out of these directories and we need those files back - urgently (the backups are to old and useless) We believe they were deleted through one of the users mounts on their local machine and we are unable to see who or when these files were deleted as history and other logs only show the commands ran from the shell and locally on the server only.

Is there some way I can trace/audit/check what has happened with the files (if is is not possible, how can I configure something to monitor/audit the activity on the servers files and directories?)

Then also is there a way to easily recover the deleted files? (Raid 0; ext 3) We have tried tools like TestDisk and PhotoRec, but it dumps out way to many files making it close to impossible to find the right stuff.

Answer : Problem: EXT3 Data recovery and activity Audit

Without process auditing or accounting configured on your system I'm afraid finding out what happened will be near impossible.

Check out;
   http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
and also the link lower on the page for process accounting;
   http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html

Before you do this you should have a backup policy in place, auditing is fine but it wont stop it from happening again.