Solved

forensic review

Posted on 2014-03-04
6
313 Views
Last Modified: 2014-04-10
Hi all,

I have a client where one of the employees left and he feels the employee stole some data.

I was wondering if there is any program that would allow me to do a forensic review, for example determine if any data was copied to a USB drive.

The computer is not connected to a  domain, it's a Windows 7 standalone

Any help is greatly appreciated.

RudyM
0
Comment
Question by:rudym88
6 Comments
 
LVL 5

Expert Comment

by:ChopOMatic
Comment Utility
Rudy, you seriously need to hire a digital forensic professional to do this. I've been doing it full time for 11 years, and at least 80% of all my work is data theft by employees. I can't fathom being able to cover all the bases without a ton of training and experience. You do not want to tackle this, and if you do, you will almost certainly trample and invalidate any evidence that exists. Pull the plug on the machine, put it on a shelf, and don't touch it until you're handing it over to a pro.
0
 
LVL 69

Assisted Solution

by:Merete
Merete earned 250 total points
Comment Utility
determine if any data was copied to a USB drive
No.
Windows may tell you the recently used files or recently accessed files.
But there is noway to know if someone recently copied any files to a USB device
 as no logs could report that user's activity not even forensics, forensics usually look for deleted files on a drive, and only when that drive is removed from the computer ie write blocked hard drive.
The software is installed on a separate computer that will analyse the drive.
Stuff that has been removed or so you think but is actually still there.
if the drive has not been written to since. I stress that the drive must not have been used since then.
To see deleted files on a drive not on windows, the drive must be outside of windows
You can use Get Data Back from Runtime
data-recovery-software.htm
You need to take the drive out and place it either in a USB external enclosure or slot it in to second position then you can use Get Data Back
Get Data Back has a fully functioning trial, so you can test it, choose which type of recovery example  formated drive or deleted files  and it will scan the drive for the deleted files,
There is lot of different data recovery products.
https://www.runtime.org/data-recovery-products.htm
Virtual Forensic Computing (VFC)GetData
http://www.fulcrum.net.au/product_disp.php?prod_id=216&man_id=124
0
 
LVL 37

Accepted Solution

by:
Bing CISM / CISSP earned 250 total points
Comment Utility
> if any data was copied to a USB drive
> if the drive has not been written to since.

as Merete mentioned, the short answer is NO as there is no way to determine if any file was copied to the USB drive.

> no logs could report that user's activity not even forensics

not that really. there is still plenty information you could dig out from the Windows registry. for example, from a technical point of view, although it is not possible to know any COPY action ever occurred but from certain registry items it is still possible to determine:

1. if any USB drive was ACCESSED.
2. if ever accessed, the unique ID of USB drive that was accessed.
3. the time of last access to the system.

however, as ChopOMatic mentioned, you need to have the required experience and skills to touch the digital evidence especially if you are serious and going to bring the evidence to the court. hiring a forensics professional is a proper way though it might be expensive.

basically, if any hesitation, simply don't touch the computer at all. at least, remove and keep the HD at a safe place until further legal action is required.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 4

Expert Comment

by:michaelalphi
Comment Utility
Hi Rudy,
Probably the similar concern I see here http://community.spiceworks.com/topic/452624-server-software-that-shows-file-activity?page=1#entry-3052734.
I hope, it can help you.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
Comment Utility
FYI - Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/

again, be aware that a skiled professional is however required for using these tools.
0
 
LVL 38

Expert Comment

by:BillDL
Comment Utility
Rudy

Find out from the client what he or she would do if it could ever be proved that the employee had stolen data.

Somehow I doubt that the intention would be to have an argument over Facebook with the employee and do a bit of name calling.

Assuming that legal steps would be taken, then don't get in between the computer and a digital forensic scientist.  If you do, any and all evidence retrieved, no matter how damning it might be to the client's employee, would be completely invalidated.  Regardless of your prowess with forensic utilities and how many IT qualifications you may have earned, you are still not qualified to stand up in a court or even provide a statement about your findings unless you are a certified professional in forensic analysis.  You wouldn't be asking this if you were, so take heed of what ChopOMatic stated.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Many admins will agree: WSUS is is a nice invention but using it on the client side when updating a newly installed computer is still time consuming as you have to do several reboots and furthermore, the procedure of installing updates, rebooting an…
Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now