forensics for inapprpriate files stored on a pc

i need to know if we can perform any kind of forensic analaysis on a windows pc which has some inappropritae files saved on the hard disk.  are there are any tools or can i use the even viewer in any manner to find out who may have saved the files or any other useful information regarding these files. Are there any FREE forensics tools available?

I dont knwo where to satrt but managment wants to get as much information as possible.  Please help.
Who is Participating?
tellkeeperConnect With a Mentor Commented:
I think everyone pretty much agrees on a few things.

1. Don't touch the original media, except for making a copy.
2. Make multiple copies or images so that you don't have to touch the original again.
3. If it is for legal purposes, don't try it. Get a professional involved in the matter so that it is on them.
4. If you are going to have someone else work on it with you, what I do is I tape a shotgun folder to the side of it
(a folder with holes in it and signature and date blocks on the front and back. This way you can have each person who handles the pc sign and date. Any any info they may find can be put in the folder.
5. Helix is a great freeware to use for such projects as I believe someone mentioned before.
6. If you are willing to spend some money NTI  has some great utilities.
7. Once your image is made one thing you can do to help yourself out is check the properties on said files for the date created and the time. Sometimes, although this is not the most accurate for of forensics, it can give you an idea of the culperate (forgive the spelling).
8. If this is going to be for legal purposes as mentioned before, understand that everything you do will be magnified by the defense in a trial. This is why pro's should be called in if you think it will go this far.
9. Document everything, and be unbias.
Good luck
If this is for legal purposes, I would hire somebody to take the image and research what it contains.  Be very careful about documenting the chain of evidence, (see  when you hand it off to them, who has possession of the box, etc.  If you are looking to satisfy an internal inquiry, you need to image the original disk first, and perform any forensic work on the imaged disk, not on the original.  Never directly access the original disk for forensic work, as your work may destroy the details of what the disk holds.  Instead work on a replicated image, as you can always set back to where you began.  As for forensic tools, a google search will turn up lots to choose from.
one of the best free forensics software collections would be Helix Live CD distribution. Live CD also goes with the philosophy of the forensics to manipulate with the evidence the least amount possible.

Also, use third-party/unbiased bystanders or "the Management" will be hard pressed to show the evidence wasn't planted.
Rich RumbleSecurity SamuraiCommented:
If possible, work with the original storage media as little as possible as mentioned above, make a copy or an image of the data and inspect that. If you need to do any "undeleting" you will have to work with the original drive, do not install the retrieval software on the original drive/media your recovering the data from.
There are plenty of trial software app's out there... if your looking for things like IE's histroy files, they are saved in each users profile, document and settings\username\local settings I think.

If there is any likelihood that this will result in legal action then you really need to get a specialist in. The chain of custody is critical here (the way the evidence is collected, stored and presented) and will simply be thrown out of court if the correct methodology has not been followed from the beginning.

That said there are several good apps. Encase is great and is Windows based, but not free ( For free stuff there is a price to pay in terms of steep learning curve and less documentation. The Coroners Toolkit (TCT) is pretty good, is free and open source but is Unix only (both host and target). I would recommend looking at the Sleuth Kit & Autopsy Browser - this is also Unix/Linux however does allow you to examine non-unix file systems - this is free and the documentation is possibly the best of the free tools. It can be found at

In order to carry out this type of work with any tools, free or otherwise, you are looking at alot of work to learn the techniques required. This is a tremendously complex subject which requires much technical expertise and an in-depth knowledge of file systems and operating systems..

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.