Analysing what a sales rep had done to his laptop!

odd request perhaps but we have had a situation where a sales rep has attempted to steal coompany data to a business competitor of ours.  The guy has been using his own personal webmail to email out documents and databases to himself and this other company.  As malicious as this is we cant see a way of being able to track what he has done with any real conviction.  The laptop runs Windows 7 and yes we have had a look at his internet history but what we really need is something that can prove that he has attempted to steal company files. Hindsight is a wonderful thing as we would have installed spy software to record such activities but is there anything that can be used to do something similar retrospectively..???

Any help here would be greatly appreciated.

Who is Participating?

Improve company productivity with a Business Account.Sign Up

DavidConnect With a Mentor PresidentCommented:
First, if you plan legal action then stop everything and call in a certified computer forensic pro.  But realistically, at this point you've tainted everything so it is certainly too late to be able to defend somebody that you set him up. As breadtan said there are just so many articles out there then you might as well be asking how to write a computer program.

So i'll think outside of the box and address a few things that are more vital ...

Take a binary image if the disk drive. then you can work on copies and preserve the original in case you need it later. (or what is left of the original). Make several copies.

You can't just boot an operating system and poke around to the booted drive.  In linux, for example, you can mount the entire disk read-only which will prevent you from mucking things up.

I'm thinking outside of the box, so I would contact a judge to get him/her get a warrant so you can take it to the ISP to get his email logs.  

Get a binary editor that can read the entire raw disk, and then search for strings such as some likely email addresses.   This will find files, bits of files, deleted files, and everything that is still on the HDD.  From there just look at it.  
btanExec ConsultantCommented:
ideally you are looking at data loss prevention solution. there are many when you start googling this term, some include endpoint, server and network control and checks for such leakage. there can be content filtering at network not endpoint only for keyword to identify sensitive data and control the surfing, some are from blucoat k9, etc.

for your retrospective case, it is to establish chain of evidence. area to check out are minimally

a) window event log for audit (if enabled) to check who login, and file access.

b) establish browser history, site accessed

some ref on using tool to sieve out more info
btanConnect With a Mentor Exec ConsultantCommented:
Establishing timeline will be useful for the trails too. Check out these two links

The second link  highlights the key parameters to look for out in the browsing activities. I see that if the browsing activities and the hash of the leaked files has close proximity to its access time and visit to particular website, there may be some correlation to be done. Though it does not mean that it is uploaded but it would be possible that each time user access a file through web browser, the browser caches or stores it. This normally makes it easier for the browser to retrieve data for a smoother experience while surfing the web.

See this (starting form slide 33)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.