

Forensics for inappropriate files stored on a PC

Posted on 2006-07-20
Medium Priority
Last Modified: 2010-04-11
I need to know if we can perform any kind of forensic analysis on a Windows PC which has some inappropriate files saved on the hard disk. Are there any tools, or can I use the Event Viewer in any manner, to find out who may have saved the files or any other useful information regarding these files? Are there any FREE forensics tools available?

I don't know where to start, but management wants to get as much information as possible. Please help.
Question by:net-geek

Expert Comment

ID: 17146863
If this is for legal purposes, I would hire somebody to take the image and research what it contains. Be very careful about documenting the chain of evidence (see http://www.securityfocus.com/infocus/1244) when you hand it off to them, who has possession of the box, etc. If you are looking to satisfy an internal inquiry, you need to image the original disk first, and perform any forensic work on the imaged disk, not on the original. Never directly access the original disk for forensic work, as your work may destroy the details of what the disk holds. Instead work on a replicated image, as you can always set back to where you began. As for forensic tools, a Google search will turn up lots to choose from.

Expert Comment

ID: 17147066
One of the best free forensics software collections would be the Helix Live CD distribution. A Live CD also goes with the forensics philosophy of manipulating the evidence as little as possible.

Also, use third-party/unbiased bystanders or "the Management" will be hard pressed to show the evidence wasn't planted.

Expert Comment

by:Rich Rumble
ID: 17150134
If possible, work with the original storage media as little as possible, as mentioned above; make a copy or an image of the data and inspect that. If you need to do any "undeleting" you will have to work with the original drive; do not install the retrieval software on the original drive/media you're recovering the data from.
There are plenty of trial software apps out there... if you're looking for things like IE's history files, they are saved in each user's profile, Documents and Settings\username\Local Settings I think.

Expert Comment

ID: 17167459

If there is any likelihood that this will result in legal action then you really need to get a specialist in. The chain of custody is critical here (the way the evidence is collected, stored and presented), and the evidence will simply be thrown out of court if the correct methodology has not been followed from the beginning.

That said, there are several good apps. EnCase is great and is Windows based, but not free (www.guidancesoftware.com). For free stuff there is a price to pay in terms of a steep learning curve and less documentation. The Coroner's Toolkit (TCT) is pretty good, is free and open source, but is Unix only (both host and target). I would recommend looking at The Sleuth Kit & Autopsy Browser - this is also Unix/Linux, however it does allow you to examine non-Unix file systems - this is free and the documentation is possibly the best of the free tools. It can be found at www.sleuthkit.org

In order to carry out this type of work with any tools, free or otherwise, you are looking at a lot of work to learn the techniques required. This is a tremendously complex subject which requires much technical expertise and an in-depth knowledge of file systems and operating systems.


Accepted Solution

tellkeeper earned 200 total points
ID: 17178633
I think everyone pretty much agrees on a few things.

1. Don't touch the original media, except for making a copy.
2. Make multiple copies or images so that you don't have to touch the original again.
3. If it is for legal purposes, don't try it. Get a professional involved in the matter so that it is on them.
4. If you are going to have someone else work on it with you, what I do is I tape a shotgun folder to the side of it (a folder with holes in it and signature and date blocks on the front and back). This way you can have each person who handles the PC sign and date. Any info they may find can be put in the folder.
5. Helix is a great freeware to use for such projects as I believe someone mentioned before.
6. If you are willing to spend some money NTI www.forensics-intl.com/tools.html  has some great utilities.
7. Once your image is made, one thing you can do to help yourself out is check the properties on said files for the date created and the time. Sometimes, although this is not the most accurate form of forensics, it can give you an idea of the culprit (forgive the spelling).
8. If this is going to be for legal purposes, as mentioned before, understand that everything you do will be magnified by the defense in a trial. This is why pros should be called in if you think it will go this far.
9. Document everything, and be unbiased.
Good luck
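The accepted answer's points 2, 7 and 9 (verify you are working from copies, read the file dates from the copy rather than the original, and document everything) can be scripted. The block below is an added example written for this page; it is not code from the thread or from any of the tools named in it. It assumes a master image or file copy already exists on separate media, and it demonstrates two things: proving that each working copy is byte-identical to the master by SHA-256, and producing an inventory (size, hash, timestamps) of the files in the working copy together with an examiner record whose own hash can be written into the "shotgun folder". The `demo()` function builds a constructed sample in a temporary directory so the script runs offline.

```python
"""Verify working copies of evidence and inventory their file metadata.

Added example, not from the original thread. Assumes the original media
has already been imaged and that every path given here points at a copy,
never at the original disk.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copies(master, copies):
    """Return {copy_path: bool}: True if the copy hashes identically to the master."""
    master_hash = sha256_file(master)
    return {c: sha256_file(c) == master_hash for c in copies}


def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def inventory(root):
    """Record size, hash and timestamps for every file under a working copy.

    Note: st_ctime is creation time on Windows but inode change time on
    Unix; st_birthtime (creation) exists only on some platforms.
    """
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            entries.append({
                "path": os.path.relpath(p, root).replace(os.sep, "/"),
                "size": st.st_size,
                "sha256": sha256_file(p),
                "modified": _iso(st.st_mtime),
                "accessed": _iso(st.st_atime),
                "ctime": _iso(st.st_ctime),
                "created": _iso(st.st_birthtime) if hasattr(st, "st_birthtime") else None,
            })
    return entries


def write_record(entries, out_path, examiner):
    """Write the inventory plus examiner/time stamp as JSON; return the record's hash.

    The returned hash is what you would write on the sign-off sheet so a
    later reader can confirm the record itself was not altered.
    """
    record = {
        "examiner": examiner,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2, sort_keys=True)
    return sha256_file(out_path)


def demo():
    """Constructed sample: a master file, a faithful copy and a tampered copy."""
    work = tempfile.mkdtemp(prefix="evidence_demo_")
    master = os.path.join(work, "master.img")
    with open(master, "wb") as f:
        f.write(b"hello")                     # constructed stand-in for an image
    good = os.path.join(work, "copy_good.img")
    bad = os.path.join(work, "copy_bad.img")
    shutil.copy2(master, good)                # copy2 preserves the modified time
    with open(bad, "wb") as f:
        f.write(b"hellO")                     # one byte differs: must fail verification
    results = verify_copies(master, [good, bad])
    entries = inventory(work)
    record_hash = write_record(entries, os.path.join(work, "record.json"), "examiner A")
    return results, entries, record_hash, work


if __name__ == "__main__":
    results, entries, record_hash, work = demo()
    for path, ok in results.items():
        print(("MATCH   " if ok else "MISMATCH") + " " + path)
    print("record hash:", record_hash)
    print("working dir:", work)
```

Run the checks against the master image right after imaging and again whenever a copy changes hands; the record file and its hash go into the folder alongside the signatures.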
