Solved

Vista: I have a system that an unsavory user has deleted all restore points and deleted all their documentation.  How can I bring this system back to search for illicit acts?

Posted on 2011-09-20
7
350 Views
Last Modified: 2012-05-12
I have a user who has left the company for having done some illegal things. Before leaving, the user cleaned their mailbox and deleted all their files along with all restore points. I am working on a restore of the user's mailbox. I am seeking suggestions on how to best bring back the computer itself.

Thanks,
Peskie
0
Comment
Question by:peskie
7 Comments
 
LVL 3

Accepted Solution

by:
weedhell earned 500 total points
ID: 36571215
First of all, do not boot your system again, since every time we boot the system, files are being written to our disk.
To keep the recovery probabilities higher, we should not write to the disk again.
Take the disk out and plug it into another PC with an OS installed.
Install some of these recovery programs and remember never to write anything to the HDD; always save the recovery files to another HDD.

pc Inspector -FREE -
FREE  -  Recuva
FREE  -  Stellar
GetDataBack
Ontrack

I would try DiskGenius 3.2 or Smart Partition Recovery too
0
 
LVL 91

Expert Comment

by:nobus
ID: 36572006
>> I am seeking suggestions on how to best bring back the computer itself << What do you want? Is it not running?
For the recovery, be sure NOT to install the recovery software or anything on that drive; best connect it to a working PC to do the recovery (otherwise the installed programs can overwrite your data).
0
 
LVL 10

Expert Comment

by:Jim-R
ID: 36576027
Yes to what weedhell said.  To clarify

Do not run that user's computer again.  Remove the hard drive from the ex employee's computer.  Do READ ONLY operations from that drive and save any recovered data on a totally different hard drive.

Install your data recovery programs on a DIFFERENT computer's hard drive and use its Operating System (OS) to examine the ex employee's hard drive.

I am no lawyer, but I suspect you could hold this person responsible for the costs of recovering the data if it involves any work product the employee was paid to do and then subsequently maliciously destroyed in the deletion of that data.  If they are owed wages, I would let them explain to a judge why they should collect any.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 36712992
May I suggest that you also add the "Digital Forensics" Zone to your question in addition to having it as a tag:
http://www.experts-exchange.com/Security/Digital_Forensics/
Experts that frequent this Zone are qualified in preserving what they call the "chain of custody" so that any evidence gathered from the computer can be considered reliable in a court or other formal hearing.

They use tools that extract an "image" of the hard drive while not interfering with the hard drive in any way, and they then use other tools to search for and view the data.  Each step has to be documented, and the utility suites they use allow you to make your evidence notes as you go.

"I am working on a restore of the user's mailbox."
You may already have invalidated your opportunity to present any evidence you find as being credible.

Even connecting the hard drive as a slave to another computer writes data to it, and although you could probably show by dates that this is new data, it has the potential to overwrite areas of the drive where data has been deleted but from where that data can usually still be recovered.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 36713026
Of course, the user's mailbox will be on a server, in which case you would really need to make an image of the server and then try and work with the image of it.

It all depends how much is resting on your evidence in determining whether this is something that should be done by a professional in Digital Forensics.

It could be seen that you are biassed in favour of your company, and that you may have deliberately (or subconsciously) ignored information that could potentially exonerate the individual or mitigate the original accusation.  A forensic data recovery expert is not normally interested in the guilt or innocence of an individual, and should present all evidence regardless of who it favours.
0
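An added example, not part of the original thread and not taken from any forensic suite: a minimal sketch of the "work from an image and document each step" practice described in the comments above. It hashes the image at every step and keeps an append-only log in which each entry chains to the previous one. The file names, the examiner label and the tiny stand-in "image" are constructed for illustration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file opened read-only, in chunks so large images need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def log_step(log_path, examiner, action, image_path):
    """Append one custody entry: image hash now, plus a hash of the previous entry."""
    prev = "0" * 64  # value used for the first entry
    if os.path.exists(log_path) and os.path.getsize(log_path):
        with open(log_path, "rb") as f:
            prev = hashlib.sha256(f.read().splitlines()[-1]).hexdigest()
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "action": action,
             "image_sha256": sha256_file(image_path), "prev_entry_sha256": prev}
    with open(log_path, "ab") as f:
        f.write(json.dumps(entry, sort_keys=True).encode() + b"\n")
    return entry

def verify_log(log_path):
    """True only if no entry was altered and the image hash is identical at every step."""
    prev, acquired = "0" * 64, None
    with open(log_path, "rb") as f:
        for line in f.read().splitlines():
            entry = json.loads(line)
            acquired = acquired or entry["image_sha256"]
            if entry["prev_entry_sha256"] != prev or entry["image_sha256"] != acquired:
                return False
            prev = hashlib.sha256(line).hexdigest()
    return True

def demo():
    """Constructed sample: two clean steps, then a stray write to the image."""
    d = tempfile.mkdtemp()
    img, log = os.path.join(d, "disk.img"), os.path.join(d, "custody.jsonl")
    with open(img, "wb") as f:
        f.write(b"constructed sample sectors " * 4096)
    log_step(log, "examiner-1", "image acquired from source drive", img)
    log_step(log, "examiner-1", "image opened read-only for file recovery", img)
    clean = verify_log(log)
    with open(img, "ab") as f:  # simulate a tool writing to the evidence
        f.write(b"x")
    log_step(log, "examiner-1", "second recovery pass", img)
    return clean, verify_log(log)
```

`demo()` returns `(True, False)`: the log verifies while the image is untouched and fails once a single byte has been written to it.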
 
LVL 59

Expert Comment

by:LeeTutor
ID: 37052251
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0