Solved

Forensics for inappropriate files stored on a PC

Posted on 2006-07-20
5
395 Views
Last Modified: 2010-04-11
I need to know if we can perform any kind of forensic analysis on a Windows PC which has some inappropriate files saved on the hard disk. Are there any tools, or can I use the Event Viewer in any manner, to find out who may have saved the files, or any other useful information regarding these files? Are there any FREE forensics tools available?

I don't know where to start, but management wants to get as much information as possible. Please help.
Question by:net-geek
5 Comments
 
LVL 10

Expert Comment

by:Sorenson
ID: 17146863
If this is for legal purposes, I would hire somebody to take the image and research what it contains. Be very careful about documenting the chain of evidence (see http://www.securityfocus.com/infocus/1244) when you hand it off to them, who has possession of the box, etc. If you are looking to satisfy an internal inquiry, you need to image the original disk first, and perform any forensic work on the imaged disk, not on the original. Never directly access the original disk for forensic work, as your work may destroy the details of what the disk holds. Instead work on a replicated image, as you can always set back to where you began. As for forensic tools, a Google search will turn up lots to choose from.
0
 
LVL 8

Expert Comment

by:jako
ID: 17147066
One of the best free forensics software collections would be the Helix Live CD distribution. A Live CD also goes with the forensics philosophy of manipulating the evidence as little as possible.

Also, use third-party/unbiased bystanders or "the Management" will be hard pressed to show the evidence wasn't planted.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17150134
If possible, work with the original storage media as little as possible, as mentioned above; make a copy or an image of the data and inspect that. If you need to do any "undeleting" you will have to work with the original drive; do not install the retrieval software on the original drive/media you're recovering the data from.
There are plenty of trial software apps out there... if you're looking for things like IE's history files, they are saved in each user's profile, Documents and Settings\username\Local Settings I think.
-rich
0
 
LVL 1

Expert Comment

by:isyseurope
ID: 17167459
OK,

If there is any likelihood that this will result in legal action then you really need to get a specialist in. The chain of custody is critical here (the way the evidence is collected, stored and presented), and the evidence will simply be thrown out of court if the correct methodology has not been followed from the beginning.

That said, there are several good apps. EnCase is great and is Windows based, but not free (www.guidancesoftware.com). For free stuff there is a price to pay in terms of a steep learning curve and less documentation. The Coroner's Toolkit (TCT) is pretty good, is free and open source, but is Unix only (both host and target). I would recommend looking at The Sleuth Kit & Autopsy Browser - this is also Unix/Linux, however it does allow you to examine non-Unix file systems - this is free and the documentation is possibly the best of the free tools. It can be found at www.sleuthkit.org

In order to carry out this type of work with any tools, free or otherwise, you are looking at a lot of work to learn the techniques required. This is a tremendously complex subject which requires much technical expertise and an in-depth knowledge of file systems and operating systems.

Jon
0
 
LVL 2

Accepted Solution

by:
tellkeeper earned 50 total points
ID: 17178633
I think everyone pretty much agrees on a few things.

1. Don't touch the original media, except for making a copy.
2. Make multiple copies or images so that you don't have to touch the original again.
3. If it is for legal purposes, don't try it. Get a professional involved in the matter so that it is on them.
4. If you are going to have someone else work on it with you, what I do is I tape a shotgun folder to the side of it (a folder with holes in it and signature and date blocks on the front and back). This way you can have each person who handles the PC sign and date. Any info they may find can be put in the folder.
5. Helix is a great freeware to use for such projects, as I believe someone mentioned before.
6. If you are willing to spend some money, NTI (www.forensics-intl.com/tools.html) has some great utilities.
7. Once your image is made, one thing you can do to help yourself out is check the properties on said files for the date created and the time. Sometimes, although this is not the most accurate form of forensics, it can give you an idea of the culprit (forgive the spelling).
8. If this is going to be for legal purposes, as mentioned before, understand that everything you do will be magnified by the defense in a trial. This is why pros should be called in if you think it will go this far.
9. Document everything, and be unbiased.
Good luck
Chris
0
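As an added example, not code from any of the posters, here is a small Python script covering points 1, 2 and 7 above on a working copy: it copies the source file read-only, proves the copy is bit-identical by SHA-256 so the original never needs to be touched again, and lists the created/modified/accessed times of every file under a directory as a rough timeline. The `demo()` helper and the file names are my own assumptions; it runs on a constructed empty file standing in for the suspect media.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_of(path, chunk=1 << 20):
    """Hash a file in fixed-size chunks so a multi-GB image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def copy_and_verify(original, image):
    """Copy `original` (opened read-only) to `image` and prove the copy matches.
    Returns (match, original_hash, image_hash); write both hashes into the
    custody log so anyone can later show the working copy was never altered."""
    shutil.copyfile(original, image)
    src_hash, img_hash = sha256_of(original), sha256_of(image)
    return src_hash == img_hash, src_hash, img_hash

def file_timeline(root):
    """List (utc_time, kind, path) for every file under `root`, oldest first,
    from the created/modified/accessed stamps the file-properties dialog shows.
    These stamps are easy to alter, so treat them as a lead, not as proof."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            # st_birthtime is the true creation time where the OS exposes it;
            # on Linux st_ctime is the inode-change time, not creation.
            created = getattr(st, "st_birthtime", st.st_ctime)
            for kind, ts in (("created", created), ("modified", st.st_mtime),
                             ("accessed", st.st_atime)):
                entries.append((datetime.fromtimestamp(ts, timezone.utc), kind, path))
    entries.sort()
    return entries

def demo():
    """Constructed sample: an empty 'evidence' file stands in for the suspect disk."""
    work = tempfile.mkdtemp(prefix="forensics-demo-")
    original = os.path.join(work, "evidence.bin")
    open(original, "wb").close()  # constructed, empty input file
    match, src_hash, img_hash = copy_and_verify(original, os.path.join(work, "evidence.img"))
    return {"match": match, "hash": src_hash, "timeline": file_timeline(work)}
```

Call `demo()` to run it end to end; for a real disk image you would point `copy_and_verify` at the image file produced by your imaging tool and `file_timeline` at the mounted copy.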
