

Use SQL Query to check who deleted the documents

Recently, a customer of mine ran into an issue in which a large number of documents were removed from a library. Data is the most valuable asset for customers, so losing data from a library is a critical issue.

Since my customer is responsible for SharePoint management and maintenance, as soon as end users reported the issue he did his best to check the audit logs to find out who had removed the documents. Unfortunately, there were too many logs on every SharePoint web front-end server to pick out the entries that mattered.

Having run out of options, he contacted me to discuss two points: the first was to find out who removed the documents, because he needed to report the issue to his lead; the second was to restore the lost documents to their original location.

For Point 1, I proposed that he use SQL queries to check who removed the documents. The steps are below for reference.

1. Execute a SQL query to get the relevant List ID from the alldocs table, like this:

2. Execute the following query to get the event type and the modified-by information from the eventcache table, like this:

3. Event type = 16388 means 'A list item is deleted' + 'A generic delete event', according to this link: https://sebmatthews.net/microsoft/from-the-database-sharepoint-eventcache-eventtype-codes/

4. Based on the information above, we can identify who deleted the documents from the library.
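
The four steps above combined into one T-SQL script, as an added example that is not the query from the original post. The table names and the event type 16388 come from the steps; the column names (DirName, ListId, EventTime, ItemFullUrl, ModifiedBy) are assumptions based on the SharePoint content database schema, and the library path and start date are constructed placeholders.

```sql
-- Added example, not from the original post. AllDocs and EventCache are the
-- tables named in the steps; column names are assumed from the SharePoint
-- content database schema and should be checked against your version.
DECLARE @LibraryDir nvarchar(256) = N'sites/team/Shared Documents'; -- constructed placeholder
DECLARE @Since      datetime      = '20240101';                     -- constructed placeholder

-- Step 1: resolve the library's ListId from any row stored under its folder.
DECLARE @ListId uniqueidentifier;

SELECT TOP (1) @ListId = d.ListId
FROM dbo.AllDocs AS d WITH (NOLOCK)
WHERE d.DirName = @LibraryDir
  AND d.ListId IS NOT NULL;

-- Steps 2 and 3: every delete event (EventType 16388) recorded for that list,
-- oldest first, with the account stored in ModifiedBy.
SELECT e.EventTime,
       e.ItemFullUrl,
       e.EventType,
       e.ModifiedBy
FROM dbo.EventCache AS e WITH (NOLOCK)
WHERE e.ListId    = @ListId
  AND e.EventType = 16388
  AND e.EventTime >= @Since
ORDER BY e.EventTime;

-- Step 4: one row per account, so a bulk deletion stands out immediately.
SELECT e.ModifiedBy,
       COUNT(*)         AS DeletedItems,
       MIN(e.EventTime) AS FirstDelete,
       MAX(e.EventTime) AS LastDelete
FROM dbo.EventCache AS e WITH (NOLOCK)
WHERE e.ListId    = @ListId
  AND e.EventType = 16388
  AND e.EventTime >= @Since
GROUP BY e.ModifiedBy
ORDER BY DeletedItems DESC;
```

If the first query leaves @ListId NULL, the path does not match how the library is stored in DirName, and the two event queries will return no rows.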

For Point 2, I proposed restoring the Content Database in the UAT environment and syncing the specified library to the Production environment.

I hope this helps.