Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Vista: I have a system that an unsavory user has deleted all restore points and deleted all their documentation.  How can I bring this system back to search for illicit acts?

Posted on 2011-09-20
7
Medium Priority
?
357 Views
Last Modified: 2012-05-12
I have a user who has left the comany for  having done some illegal things.  Before leaving the user cleaned their mailbox and deleted all their files along will all restore points.  I am working on a resore of the users mailbox.  I am seeking suggestions on how to best bring back the computer itself.  

Thanks,
Peskie
0
Comment
Question by:peskie
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 3

Accepted Solution

by:
weedhell earned 2000 total points
ID: 36571215
first of all do not boot your system again... Since every time we boot the system files are being written in our disk...
To keep the recover probabilities higher we should not write in the disk again...
 take the disk out and plug it in another pc with an SO installed
install some of these recover software and remember never write anything in hdd always save the recovery files in another hdd...

pc Inspector -FREE -
FREE  -  Recuva
FREE  -  Stellar
GetDataBack
Ontrack

I would try DiskGenius 3.2 or Smart Partition Recovery too
0
 
LVL 93

Expert Comment

by:nobus
ID: 36572006
>>   I am seeking suggestions on how to best bring back the computer itself  <<   what do you want?  is it not running?
for the recovery - be sure NOT to install the recovery soft or anything on that drive- best connect it to a working PC to do the recovery (otherwise the installed progerams can overwrite your data)
0
 
LVL 10

Expert Comment

by:Jim-R
ID: 36576027
Yes to what weedhell said.  To clarify

Do not run that user's computer again.  Remove the hard drive from the ex employee's computer.  Do READ ONLY operations from that drive and save any recovered data on a totally different hard drive.

Install your data recovery programs on a DIFFERENT computer's hard drive and use its Operating System (OS) to examine the ex employee's hard drive.

I am no lawyer, but I suspect you could hold this person responsible for the costs of recovering the data if it involves any work product the employee was paid to do and then subsequently maliciously destroyed in the deletion of that data.  If they are owed wages, I would let them explain to a judge why they should collect any.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 38

Expert Comment

by:BillDL
ID: 36712992
May I suggest that you also add the "Digital Forensics" Zone to your question in addition to having it as a tag:
http://www.experts-exchange.com/Security/Digital_Forensics/
Experts that frequent this Zone are qualified in preserving what they call the "chain of custody" so that any evidence gathered from the computer can be considered reliable in a court or other formal hearing.

They use tools that extract an "image" of the hard drive while not interfering with the hard drive in any way, and they then use other tools to search for and view the data.  Each step has to be documented, and the utility suites they use allow you to make your evidence notes as you go.

" I am working on a resore of the users mailbox."
You may already have invalidated your opportunity to present any evidence you find as being credible.

Even connecting the hard drive as a slave to another computer writes data to it, and although you cold probably show by dates that this is new data, it has the potential to overwrite areas of the drive where data has been deleted but from where that data can usually still be recovered.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 36713026
Of course, the user's mailbox will be on a server, in which case you would really need to make an image of the server and then try and work with the image of it.

It all depends how much is resting on your evidence in determining whether this is something that should be done by a professional in Digital Forensics.

It could be seen that you are biassed in favour of your company, and that you may have deliberately (or subconsciously) ignored information that could potentially exonerate the individual or mitigate the original accusation.  A forensic data recovery expert is not normally interested in the guilt or innocence of an individual, and should present all evidence regardless of who it favours.
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 37052251
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Like many organizations, your foray into cloud computing may have started with an ancillary or security service, like email spam and virus protection. For some, the first or second step into the cloud was moving email off-premise. For others, a clou…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question