Hi
   I am facing a challenge of recovering a deleted files. Is there any tools which can trace the users who had accessed and deleted the files of remote machine.
Kindly suggest if any

Thanks

There are a number of free and commercial tools out there that can help you extract and correlate bits and pieces of information from the system being investigated that eventually will point you to the user that deleted the files. I'm not sure if there is one that can automatically tell you the user who didn't.

However, the most important thing is that you extract the hidden INFO2 files from the subject host, using Helix Live CD for example. Every user in the system will have this file created the first time the Recycle Bin used. The purpose of this file is to track deleted files and folders original location, as well as file size and deletion time. This makes it possible to relate the deleted files with specific users.

Yeah... but I'm not an expert yet. Just little things I know.

Hack_80, I forgot to mention that the INFO2 file is useful if the deleted files are automatically moved to the Recycle Bin. If the user deleted the files from a remote command prompt or the Recycle Bin is configured to remove files immediately when they are deleted then the INFO2 it will be of no use. There other methods as well to prevent from sending it to the Recycle Bin.

Now since this user accessed the host remotely via shares or whatever, I wonder if there's an entry to the INFO2 file if files/folders are deleted. Hmmm...

Hack_80, can you provide any additional information about the platforms involved and the access method used?  Did the user have access to that file via: remote desktop, shared drives, remote shell, citrix, etc, etc, etc...?  Were these windows/UNIX/etc boxes?  Your answers to those questions are going to dictate where you'd go to get the relevant data. 

first things first, have you made am image of the drive?  If you're primary concern is to recover the file then you need to get the drive imaged ASAP if that system is still in use.  Otherwise you'll just write over parts of it at some point.  Do you have access to some UNIX/Linux/BSD system that will let you do a simple dd?  As long as nobody has played with the drive too much then you should be able to pull the file right back off.