digital forensics

Posted on 2013-08-28
Medium Priority
Last Modified: 2013-10-15
We have a Windows 7 laptop (the user left the company), but we feel he may have taken valuable information with him over the past month or so (contacts, data, etc.).

Is there free/cheap digital forensics software that anyone can recommend using?

I need to mainly track and see if anything was downloaded, deleted,
Question by:seven45

Expert Comment

ID: 39447159
You want what is called a DLP solution (Data Loss Prevention). I use McAfee DLP and it works really well, but here is an article with a few suggestions so you can do some research and pick the best one for you.


Symantec also offers a solution:


Let us know which worked best for you!

Author Comment

ID: 39447179
Hi, please correct me if I'm wrong, but aren't they meant to capture events that happen once the solution is in place? I'm looking for software that can look at logs, etc. on the existing laptop that was already used to extract data, contacts, etc. when there was no such prevention software in place.

Expert Comment

ID: 39447216
Unfortunately, this is the kind of thing you need to enable. Because of the increased processing required to monitor and store these kinds of logs, it is disabled by default. You can use this to see if it is enabled in your environment:


Third-party tools allow for better reporting, however, and can even alert you via email if someone tries to put stuff on a thumb drive or something. Your best bet aside from this is just to keep users out of the stuff they don't need and keep regular backups.

Expert Comment

ID: 39447511
I see it more as monitoring his personal laptop as well as the server he has access to: turn on object access auditing for the Windows server, especially if he has administrator privileges. Also likely in this case is the use of a portable device and sending chunks of information out to his web email or personal email, which is indicative of data leakage. Even attempts at installing software such as Eraser, TrueCrypt, Tor Browser (or the like) are something to alert on.

See below for some items of interest.

Employee monitoring (catch: the license agreement requires that you inform anyone you may monitor with SpectorSoft products)

- http://www.spectorsoft.com/products/SpectorPro_Windows/faqs.asp
- http://www.refog.com/employee-computer-monitoring-software.html

Forensic trails - http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots
File inspector - http://www.pcinspector.de/?language=1
Browser forensics - http://digitoktavianto.web.id/analysis-web-browser-forensic-using-browser-forensic-tools.html

Expert Comment

ID: 39450133
You'll want a forensic image first, before you start investigating. Otherwise, you may be overwriting the evidence you're looking for. Just booting the laptop can change the data. If you intend litigation, it will reduce the risk of failure if you have a forensic company do the acquisition and analysis. Evidence collection must be done properly in order to use the results in court. This article explains the pitfalls: http://apps.americanbar.org/lpm/lpt/articles/tch11071.shtml

If you want to hire a forensic company, it helps to have a list:

After you've consulted with your legal advisor and/or higher-ups, and assuming the organization is still willing to take the risks involved in a DIY operation, sign up for a SANS account (https://www.sans.org/account/login) and download the SIFT ISO, then burn it to a DVD: http://computer-forensics.sans.org/community/downloads
There is documentation on the disc and the website. Use the SANS poster (http://computer-forensics.sans.org/blog/2012/06/18/sans-digital-forensics-and-incident-response-poster-released) to narrow down what you're looking for and find the evidence. The Windows artifact section of the poster is broken into categories: File Download, Program Execution, File Opening/Creation, Deleted File or File Knowledge, Physical Location, USB or Drive Usage, Account Usage and Browser Usage. Each category has artifacts that can help you identify what was done (or not).
In addition, if you're operating in a domain environment, the account login/logoff info will be on the domain controller. Don't forget about email in case anything was mailed to a personal account, since that is an easy way to transfer a contact list.


Expert Comment

ID: 39451002
One useful quick registry reference for sieving the treasured trails on the target machine is the check referenced below (see the various application entries; MRU entries include mapped drives, recently opened/saved/copied files, nickname/contact lists of ICQ/Messenger, file sharing, the temp email attachment directory, and UserAssist program execution counts).


Expert Comment

by:Rich Rumble
ID: 39451347
If you don't have anything but the default event items enabled, then you can't catch anything he or she may have done. Files and folders aren't monitored by default in Windows, and firewall and router logs would not tell you what he or she did other than give you IP addresses or maybe sites they visited. Forensics is for when you have something preserved and need a deep dive on all evidence. If you are not preserving logs or auditing file events, even the LT itself doesn't store that much data about what he/she did. You can look at the MRU list (most recently used) in the registry, look at event logs, search through IE and Firefox browser history... There are things you can do, but you should have a professional do it. If you can contact one, they can instruct you on making an image of the LT and sending that to them; there is no physical need for the LT in most cases. The more you mess with that LT without an image, the harder it is for them to do their forensics. There is no point-and-click software for it, because rule #1 is don't use the real LT, use an image of it. #2 is don't install anything further on the image; boot it up if you have to, but do all you can offline first.
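As an added example (not code from this thread or from any tool it mentions): decoding the Windows 7 UserAssist registry values that the two comments above point at for program execution counts and last-run times. The 72-byte value layout and ROT13 name encoding are the documented Windows 7 format; the GUID-prefixed paths, counters and timestamps below are constructed sample data, and the watchlist reuses the Eraser/TrueCrypt/Tor names from the earlier comment.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7 UserAssist value layout (72 bytes per executed program):
#   offset  4: run count (DWORD)         offset  8: focus count (DWORD)
#   offset 12: focus time in ms (DWORD)  offset 60: last run (FILETIME, QWORD)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means never recorded."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of the above, used here only to build the constructed sample."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def decode_userassist(name, data):
    """Decode one UserAssist value: ROT13 program path plus its usage counters."""
    if len(data) < 68:
        raise ValueError("value too short for a Windows 7 UserAssist record")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": codecs.decode(name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run": filetime_to_datetime(last_run),
    }

def build_record(run_count, focus_count, focus_ms, last_run):
    """Constructed 72-byte record for testing; not taken from a real hive."""
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return bytes(data)

# Constructed sample values. Windows stores each path behind a known-folder GUID
# and ROT13-encodes the whole value name; ROT13 is its own inverse.
PF64 = r"{6D809377-6AF0-444B-8957-A3773F02200E}"
SAMPLE_VALUES = {
    codecs.encode(PF64 + r"\Mozilla Firefox\firefox.exe", "rot_13"):
        build_record(42, 40, 3_600_000, datetime(2013, 8, 15, 14, 30, tzinfo=timezone.utc)),
    codecs.encode(PF64 + r"\Eraser\Eraser.exe", "rot_13"):
        build_record(3, 3, 120_000, datetime(2013, 8, 27, 17, 5, tzinfo=timezone.utc)),
}

def executed_since(values, since, watchlist=("eraser", "truecrypt", "tor browser")):
    """Return decoded entries last run on/after `since`, flagging watchlisted tools."""
    hits = []
    for name, data in values.items():
        entry = decode_userassist(name, data)
        if entry["last_run"] and entry["last_run"] >= since:
            entry["flagged"] = any(w in entry["program"].lower() for w in watchlist)
            hits.append(entry)
    return sorted(hits, key=lambda e: e["last_run"])
```

On a real case, feed the name/data pairs exported from the NTUSER.DAT UserAssist key of the forensic image rather than the constructed `SAMPLE_VALUES`.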

Accepted Solution

aleghart earned 2000 total points
ID: 39514302
It sounds like the OP wants forensic analysis, post-event. Not preventative with DLP, and not monitoring/alerting with software like SpectorSoft (which I do like).

If you're on a zero budget, and you don't care about pursuing legal/criminal processes, you might be able to gather some data with your own forensic analysis. Since you have no experience, and you won't have a valid chain of custody, don't expect that you can use the information for much more than your own edification. If you want legal action or criminal prosecution, you need to turn it over to a professional.

Passmark has a free version of their analysis product OSForensics. The paid version allows you to manage more cases, but you should start with the free version before spending money.

For better preservation of untainted data, consider:

If it's still running:
- disconnect its network connections (LAN, wireless, Bluetooth)
- don't let the screen lock; use a mouse jiggler to keep the screensaver from kicking in
- don't alter or use the computer in any way
- don't boot the device

If it's not running:
- don't boot it
- disconnect all network connections & USB devices
- remove the hard drive
- use a write-blocking device to keep the data 100% original

Author Closing Comment

ID: 39574168
Thx. OSForensics did the trick for me.
