Solved

Vista: I have a system that an unsavory user has deleted all restore points and deleted all their documentation.  How can I bring this system back to search for illicit acts?

Posted on 2011-09-20
Last Modified: 2012-05-12
I have a user who has left the company for having done some illegal things.  Before leaving, the user cleaned their mailbox and deleted all their files along with all restore points.  I am working on a restore of the user's mailbox.  I am seeking suggestions on how to best bring back the computer itself.

Thanks,
Peskie
Question by:peskie
7 Comments
 
LVL 3

Accepted Solution

by:
weedhell earned 500 total points
First of all, do not boot your system again, since every time we boot the system, files are written to the disk.
To keep the chances of recovery higher, we should not write to the disk again.
Take the disk out and plug it into another PC with an OS installed.
Install some of this recovery software, and remember never to write anything to that HDD; always save the recovered files to another HDD.

pc Inspector -FREE -
FREE  -  Recuva
FREE  -  Stellar
GetDataBack
Ontrack

I would try DiskGenius 3.2 or Smart Partition Recovery too
0
 
LVL 91

Expert Comment

by:nobus
>> I am seeking suggestions on how to best bring back the computer itself <<
What do you want?  Is it not running?
For the recovery, be sure NOT to install the recovery software or anything else on that drive. It is best to connect it to a working PC to do the recovery (otherwise the installed programs can overwrite your data).
0
 
LVL 10

Expert Comment

by:Jim-R
Yes to what weedhell said.  To clarify:

Do not run that user's computer again.  Remove the hard drive from the ex employee's computer.  Do READ ONLY operations from that drive and save any recovered data on a totally different hard drive.

Install your data recovery programs on a DIFFERENT computer's hard drive and use its Operating System (OS) to examine the ex employee's hard drive.

I am no lawyer, but I suspect you could hold this person responsible for the costs of recovering the data if it involves any work product the employee was paid to do and then subsequently maliciously destroyed in the deletion of that data.  If they are owed wages, I would let them explain to a judge why they should collect any.
 
LVL 38

Expert Comment

by:Insignificant Volunteer
May I suggest that you also add the "Digital Forensics" Zone to your question in addition to having it as a tag:
http://www.experts-exchange.com/Security/Digital_Forensics/
Experts that frequent this Zone are qualified in preserving what they call the "chain of custody" so that any evidence gathered from the computer can be considered reliable in a court or other formal hearing.

They use tools that extract an "image" of the hard drive while not interfering with the hard drive in any way, and they then use other tools to search for and view the data.  Each step has to be documented, and the utility suites they use allow you to make your evidence notes as you go.

"I am working on a restore of the user's mailbox."
You may already have invalidated your opportunity to present any evidence you find as being credible.

Even connecting the hard drive as a slave to another computer writes data to it, and although you could probably show by dates that this is new data, it has the potential to overwrite areas of the drive where data has been deleted but from where that data can usually still be recovered.
0
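The image-first, document-every-step workflow described in the comment above, as an added example that is not part of the original thread or any expert's own tooling: it copies a source read-only to an image on other storage, verifies the copy by SHA-256, and appends a custody record. The function names, file names and the small temp file standing in for the drive are assumptions made here; a real acquisition would read a device attached behind a hardware write blocker.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time

def sha256_file(path):
    """Hash a file (or raw device node) opened strictly read-only."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image_path, log_path, examiner):
    """Copy source to image_path, verify the copy, append a custody record."""
    started = datetime.now(timezone.utc).isoformat()
    h = hashlib.sha256()
    # "xb" raises FileExistsError instead of overwriting an earlier image.
    with open(source, "rb") as src, open(image_path, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)      # hash exactly the bytes read from the source
            dst.write(block)
    source_hash = h.hexdigest()
    image_hash = sha256_file(image_path)  # re-read what actually reached storage
    os.chmod(image_path, 0o444)           # analyse copies, never this master image
    record = {
        "examiner": examiner, "source": source, "image": image_path,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": os.path.getsize(image_path),
        "source_sha256": source_hash, "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }
    with open(log_path, "a") as log:      # append-only notes, one JSON record per line
        log.write(json.dumps(record) + "\n")
    return record

def demo():
    """Constructed stand-in for the suspect drive, so the example runs offline."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "evidence_disk.bin")
    with open(src, "wb") as f:
        f.write(b"deleted-but-recoverable " * 4096)
    return acquire(src, os.path.join(work, "evidence.img"),
                   os.path.join(work, "custody.jsonl"), "examiner-1")

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Recovery tools are then pointed at a working copy of the image, and the recorded hash lets anyone later confirm the image still matches what was read from the drive.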
 
LVL 38

Expert Comment

by:Insignificant Volunteer
Of course, the user's mailbox will be on a server, in which case you would really need to make an image of the server and then try and work with the image of it.

It all depends how much is resting on your evidence in determining whether this is something that should be done by a professional in Digital Forensics.

It could be seen that you are biassed in favour of your company, and that you may have deliberately (or subconsciously) ignored information that could potentially exonerate the individual or mitigate the original accusation.  A forensic data recovery expert is not normally interested in the guilt or innocence of an individual, and should present all evidence regardless of who it favours.
0
 
LVL 59

Expert Comment

by:LeeTutor
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.