We help IT Professionals succeed at work.

forensics for inapprpriate files stored on a pc

net-geek asked
Last Modified: 2010-04-11
i need to know if we can perform any kind of forensic analaysis on a windows pc which has some inappropritae files saved on the hard disk.  are there are any tools or can i use the even viewer in any manner to find out who may have saved the files or any other useful information regarding these files. Are there any FREE forensics tools available?

I dont knwo where to satrt but managment wants to get as much information as possible.  Please help.
Watch Question

If this is for legal purposes, I would hire somebody to take the image and research what it contains.  Be very careful about documenting the chain of evidence, (see http://www.securityfocus.com/infocus/1244)  when you hand it off to them, who has possession of the box, etc.  If you are looking to satisfy an internal inquiry, you need to image the original disk first, and perform any forensic work on the imaged disk, not on the original.  Never directly access the original disk for forensic work, as your work may destroy the details of what the disk holds.  Instead work on a replicated image, as you can always set back to where you began.  As for forensic tools, a google search will turn up lots to choose from.

one of the best free forensics software collections would be Helix Live CD distribution. Live CD also goes with the philosophy of the forensics to manipulate with the evidence the least amount possible.

Also, use third-party/unbiased bystanders or "the Management" will be hard pressed to show the evidence wasn't planted.
Rich RumbleSecurity Samurai
Top Expert 2006

If possible, work with the original storage media as little as possible as mentioned above, make a copy or an image of the data and inspect that. If you need to do any "undeleting" you will have to work with the original drive, do not install the retrieval software on the original drive/media your recovering the data from.
There are plenty of trial software app's out there... if your looking for things like IE's histroy files, they are saved in each users profile, document and settings\username\local settings I think.

If there is any likelihood that this will result in legal action then you really need to get a specialist in. The chain of custody is critical here (the way the evidence is collected, stored and presented) and will simply be thrown out of court if the correct methodology has not been followed from the beginning.

That said there are several good apps. Encase is great and is Windows based, but not free (www.guidancesoftware.com). For free stuff there is a price to pay in terms of steep learning curve and less documentation. The Coroners Toolkit (TCT) is pretty good, is free and open source but is Unix only (both host and target). I would recommend looking at the Sleuth Kit & Autopsy Browser - this is also Unix/Linux however does allow you to examine non-unix file systems - this is free and the documentation is possibly the best of the free tools. It can be found at www.sleuthkit.org

In order to carry out this type of work with any tools, free or otherwise, you are looking at alot of work to learn the techniques required. This is a tremendously complex subject which requires much technical expertise and an in-depth knowledge of file systems and operating systems..

This one is on us!
(Get your first solution completely free - no credit card required)
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.