peskie
asked on
Vista: I have a system that an unsavory user has deleted all restore points and deleted all their documentation. How can I bring this system back to search for illicit acts?
I have a user who has left the comany for having done some illegal things. Before leaving the user cleaned their mailbox and deleted all their files along will all restore points. I am working on a resore of the users mailbox. I am seeking suggestions on how to best bring back the computer itself.
Thanks,
Peskie
Thanks,
Peskie
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Yes to what weedhell said. To clarify
Do not run that user's computer again. Remove the hard drive from the ex employee's computer. Do READ ONLY operations from that drive and save any recovered data on a totally different hard drive.
Install your data recovery programs on a DIFFERENT computer's hard drive and use its Operating System (OS) to examine the ex employee's hard drive.
I am no lawyer, but I suspect you could hold this person responsible for the costs of recovering the data if it involves any work product the employee was paid to do and then subsequently maliciously destroyed in the deletion of that data. If they are owed wages, I would let them explain to a judge why they should collect any.
Do not run that user's computer again. Remove the hard drive from the ex employee's computer. Do READ ONLY operations from that drive and save any recovered data on a totally different hard drive.
Install your data recovery programs on a DIFFERENT computer's hard drive and use its Operating System (OS) to examine the ex employee's hard drive.
I am no lawyer, but I suspect you could hold this person responsible for the costs of recovering the data if it involves any work product the employee was paid to do and then subsequently maliciously destroyed in the deletion of that data. If they are owed wages, I would let them explain to a judge why they should collect any.
May I suggest that you also add the "Digital Forensics" Zone to your question in addition to having it as a tag:
https://www.experts-exchange.com/Security/Digital_Forensics/
Experts that frequent this Zone are qualified in preserving what they call the "chain of custody" so that any evidence gathered from the computer can be considered reliable in a court or other formal hearing.
They use tools that extract an "image" of the hard drive while not interfering with the hard drive in any way, and they then use other tools to search for and view the data. Each step has to be documented, and the utility suites they use allow you to make your evidence notes as you go.
" I am working on a resore of the users mailbox."
You may already have invalidated your opportunity to present any evidence you find as being credible.
Even connecting the hard drive as a slave to another computer writes data to it, and although you cold probably show by dates that this is new data, it has the potential to overwrite areas of the drive where data has been deleted but from where that data can usually still be recovered.
https://www.experts-exchange.com/Security/Digital_Forensics/
Experts that frequent this Zone are qualified in preserving what they call the "chain of custody" so that any evidence gathered from the computer can be considered reliable in a court or other formal hearing.
They use tools that extract an "image" of the hard drive while not interfering with the hard drive in any way, and they then use other tools to search for and view the data. Each step has to be documented, and the utility suites they use allow you to make your evidence notes as you go.
" I am working on a resore of the users mailbox."
You may already have invalidated your opportunity to present any evidence you find as being credible.
Even connecting the hard drive as a slave to another computer writes data to it, and although you cold probably show by dates that this is new data, it has the potential to overwrite areas of the drive where data has been deleted but from where that data can usually still be recovered.
Of course, the user's mailbox will be on a server, in which case you would really need to make an image of the server and then try and work with the image of it.
It all depends how much is resting on your evidence in determining whether this is something that should be done by a professional in Digital Forensics.
It could be seen that you are biassed in favour of your company, and that you may have deliberately (or subconsciously) ignored information that could potentially exonerate the individual or mitigate the original accusation. A forensic data recovery expert is not normally interested in the guilt or innocence of an individual, and should present all evidence regardless of who it favours.
It all depends how much is resting on your evidence in determining whether this is something that should be done by a professional in Digital Forensics.
It could be seen that you are biassed in favour of your company, and that you may have deliberately (or subconsciously) ignored information that could potentially exonerate the individual or mitigate the original accusation. A forensic data recovery expert is not normally interested in the guilt or innocence of an individual, and should present all evidence regardless of who it favours.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
for the recovery - be sure NOT to install the recovery soft or anything on that drive- best connect it to a working PC to do the recovery (otherwise the installed progerams can overwrite your data)