digital forensics

we have a windows 7 laptop (the user left the company) but we feel he may have taken valuable information with him over the past month or so. (contacts, data, etc).

Is there a free/cheap digital forensics software that anyone can recommend using.

need to mainly track and see if anything was downloaded, deleted,
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You want what is called a DLP Solution (Data Loss Prevention).  I use McAfee DLP and it works really good, but here is an article with a few suggestions so you can do some research and pick the best one for you.

Symantec also offers a solution:

Let us know which worked best for you!
seven45Author Commented:
Hi,  please correct me if im wrong--but aren't they to capture events that happen once the solution is in place.   I'm looking for software that can look at logs, etc on the existing laptop that was already used to extract data, contacts, etc when there was no so prevention software in place.
Unfortunately, this is the kind of thing you need to enable.  Because of the increased processing required to monitor and store these kinds of logs, it is disabled by default.  You can use this to see if it is enabled in your environment:

Third party tools allow for better reporting, however, and can even alert you via email if someone tries to put stuff on a thumb drive or something.  Your best bet aside from this is just to keep users out of the stuff they don't need and keep regular backups.
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

btanExec ConsultantCommented:
I see it more of monitoring his personnel laptop as well as the server he has access too, turn on the object access audit for the windows server especially he is of administrator privileged. And likely the case for use of portable device and sending chunks of information out to his web email or personnel email is indicative of data leakage. Even attempt of installing software such as eraser, truecrypt, tor browser (or like) are soemthing to alert.

See below for some interest

Employee monitoring (catch - license agreement would requires that you inform anyone you may monitor with SpectorSoft products)


Forensic trails -
File inspector -
Browser Forensic  -
You'll want a forensic image first. Before you start investigating. Otherwise, you may be overwriting the evidence you're looking for. Just booting the laptop can change the data. If you intend litigation, it will reduce the risk of failure if you have a forensic company do the acquisition and analysis. Evidence collection must be done properly in order to use the results in court. This article expains the pitfalls: 

If you want to hire a forensic company, it helps to have a list:

After you've consulted with your legal advisor and/or higher-ups, and assuming the organization is still willing to take the risks involved in a DIY operation, sign up for a SANS account ( and download the SIFT iso, then burn it to a DVD.
There is documentation on the disc and the website. Use the SANS poster ( to narrow down what you're looking for and find the evidence. The windows artifact section of the poster is broken into categories: File Download, Program Execution, File Opening/Creation, Deleted File or File Knowledge, Physical location, USB or Drive usage, Account Usage and Browser Usage. Each category has artifacts that can help you identify what was done (or not).
In addition, if you're operating in a domain environment, the account login/logoff info will be on the domain controller. Don't forget about email in case anything was mailed to a personal account, since that is an easy way to transfer a contact list.

btanExec ConsultantCommented:
One use quick registry references of interest to sieve the treasured trails on the target machine include this useful check referencing this below (see the various appl entries, MRU entries include mapped drive/recent open files/saved/copied, nickname/contact list of icq/messenger, file sharing, temp email attachment directory, userassist on program execution counts)
Rich RumbleSecurity SamuraiCommented:
If you don't have anything but the default event items enabled, then you can't catch anything he or she may have done. Files and folders aren't monitored by default in windows, and firewall and router logs would not tell you what he or she did other than give you IP address's or maybe sites they visited. Forensics is for when you have something preserved and need a deep dive on all evidence. If you are not preserving logs, or auditing file events. Even the LT itself doesn't store that much data about what he/she did. You can look at the MRU list (most recently used) in the registry, look at event logs, search through IE and FireFox browser history... There are things you can do, but you should have a professional do it. If you can contact one, they can instruct you on making an image of the LT and sending that to them, no physical need for the LT in most cases. The more you mess with that LT without an image the harder it is for them to do their forensics, there is no point-and-click software for it, because rule#1 is don't use the real LT, use an image of it. #2 is don't install anything further on the image, boot it up if you have to, but do all you can offline first.
It sounds like the OP wants forensic  Not preventative with DLP, and not monitoring/alerting with software like SpectorSoft (which I do like).

If you're on a zero budget, and you don't care about pursuing legal/criminal processes, you might be able to gather some data with your own forensic analysis.  Since you have no experience, and you won't have a valid chain-of-custody, don't expect that you can use the information for much more than your own edification.  If you want legal action or criminal prosecution, you need to turn it over to a professional.

Passmark has a free version of their analysis product osForensics.  The paid version allows you to manage more cases, but you should start with the free version before spending money.

For better preservation of untainted data, consider:

if it's still running
disconnect it's network connections (LAN, wireless, bluetooth)
don't let the screen lock. Use a mouse jiggler to keep the screensaver from kicking in
don't alter or use the computer in any way
don't boot the device

if it's not running
don't boot it
disconnect all network connection & USB devices
remove hard drive
use a write-blocking device to keep data 100% original

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
seven45Author Commented:
Thx.  OS Forensics did the trick for me.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Digital Forensics

From novice to tech pro — start learning today.