Solved

Vista: I have a system that an unsavory user has deleted all restore points and deleted all their documentation.  How can I bring this system back to search for illicit acts?

Posted on 2011-09-20
7
353 Views
Last Modified: 2012-05-12
I have a user who has left the comany for  having done some illegal things.  Before leaving the user cleaned their mailbox and deleted all their files along will all restore points.  I am working on a resore of the users mailbox.  I am seeking suggestions on how to best bring back the computer itself.  

Thanks,
Peskie
0
Comment
Question by:peskie
7 Comments
 
LVL 3

Accepted Solution

by:
weedhell earned 500 total points
ID: 36571215
first of all do not boot your system again... Since every time we boot the system files are being written in our disk...
To keep the recover probabilities higher we should not write in the disk again...
 take the disk out and plug it in another pc with an SO installed
install some of these recover software and remember never write anything in hdd always save the recovery files in another hdd...

pc Inspector -FREE -
FREE  -  Recuva
FREE  -  Stellar
GetDataBack
Ontrack

I would try DiskGenius 3.2 or Smart Partition Recovery too
0
 
LVL 92

Expert Comment

by:nobus
ID: 36572006
>>   I am seeking suggestions on how to best bring back the computer itself  <<   what do you want?  is it not running?
for the recovery - be sure NOT to install the recovery soft or anything on that drive- best connect it to a working PC to do the recovery (otherwise the installed progerams can overwrite your data)
0
 
LVL 10

Expert Comment

by:Jim-R
ID: 36576027
Yes to what weedhell said.  To clarify

Do not run that user's computer again.  Remove the hard drive from the ex employee's computer.  Do READ ONLY operations from that drive and save any recovered data on a totally different hard drive.

Install your data recovery programs on a DIFFERENT computer's hard drive and use its Operating System (OS) to examine the ex employee's hard drive.

I am no lawyer, but I suspect you could hold this person responsible for the costs of recovering the data if it involves any work product the employee was paid to do and then subsequently maliciously destroyed in the deletion of that data.  If they are owed wages, I would let them explain to a judge why they should collect any.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 38

Expert Comment

by:BillDL
ID: 36712992
May I suggest that you also add the "Digital Forensics" Zone to your question in addition to having it as a tag:
http://www.experts-exchange.com/Security/Digital_Forensics/
Experts that frequent this Zone are qualified in preserving what they call the "chain of custody" so that any evidence gathered from the computer can be considered reliable in a court or other formal hearing.

They use tools that extract an "image" of the hard drive while not interfering with the hard drive in any way, and they then use other tools to search for and view the data.  Each step has to be documented, and the utility suites they use allow you to make your evidence notes as you go.

" I am working on a resore of the users mailbox."
You may already have invalidated your opportunity to present any evidence you find as being credible.

Even connecting the hard drive as a slave to another computer writes data to it, and although you cold probably show by dates that this is new data, it has the potential to overwrite areas of the drive where data has been deleted but from where that data can usually still be recovered.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 36713026
Of course, the user's mailbox will be on a server, in which case you would really need to make an image of the server and then try and work with the image of it.

It all depends how much is resting on your evidence in determining whether this is something that should be done by a professional in Digital Forensics.

It could be seen that you are biassed in favour of your company, and that you may have deliberately (or subconsciously) ignored information that could potentially exonerate the individual or mitigate the original accusation.  A forensic data recovery expert is not normally interested in the guilt or innocence of an individual, and should present all evidence regardless of who it favours.
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 37052251
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
XP as a dual boot with Windows 10 10 100
Dell PC - retrieve files from hard drive - pc not bootable 10 88
Mouse goes crazy when flash drive is inserted 7 68
Windows Mail question 15 76
Basic computer tune-up with little or no hardware upgrades. Giving an old computer a tune-up usually results in a minimal performance gain, but a gain nonetheless. Several times a week, I’m faced with users at work who ask to make their computers…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question