  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 348

forensic review

Hi all,

I have a client where one of the employees left and he feels the employee stole some data.

I was wondering if there is any program that would allow me to do a forensic review, for example determine if any data was copied to a USB drive.

The computer is not connected to a domain, it's a Windows 7 standalone.

Any help is greatly appreciated.

RudyM
0
Asked by: rudym88
2 Solutions
 
ChopOMatic Commented:
Rudy, you seriously need to hire a digital forensic professional to do this. I've been doing it full time for 11 years, and at least 80% of all my work is data theft by employees. I can't fathom being able to cover all the bases without a ton of training and experience. You do not want to tackle this, and if you do, you will almost certainly trample and invalidate any evidence that exists. Pull the plug on the machine, put it on a shelf, and don't touch it until you're handing it over to a pro.
0
 
Merete Commented:
> determine if any data was copied to a USB drive

No.
Windows may tell you the recently used files or recently accessed files.
But there is no way to know if someone recently copied any files to a USB device, as no logs could report that user's activity, not even forensics. Forensics usually look for deleted files on a drive, and only when that drive is removed from the computer, i.e. a write-blocked hard drive.
The software is installed on a separate computer that will analyse the drive.
Stuff that has been removed, or so you think, but is actually still there, if the drive has not been written to since. I stress that the drive must not have been used since then.
To see deleted files on a drive not on Windows, the drive must be outside of Windows.
You can use Get Data Back from Runtime
data-recovery-software.htm
You need to take the drive out and place it either in a USB external enclosure or slot it into second position, then you can use Get Data Back.
Get Data Back has a fully functioning trial, so you can test it. Choose which type of recovery, for example formatted drive or deleted files, and it will scan the drive for the deleted files.
There are a lot of different data recovery products.
https://www.runtime.org/data-recovery-products.htm
Virtual Forensic Computing (VFC) GetData
http://www.fulcrum.net.au/product_disp.php?prod_id=216&man_id=124
0
 
bbao (IT Consultant) Commented:
> if any data was copied to a USB drive
> if the drive has not been written to since.

as Merete mentioned, the short answer is NO as there is no way to determine if any file was copied to the USB drive.

> no logs could report that user's activity not even forensics

not that really. there is still plenty of information you could dig out from the Windows registry. for example, from a technical point of view, although it is not possible to know any COPY action ever occurred but from certain registry items it is still possible to determine:

1. if any USB drive was ACCESSED.
2. if ever accessed, the unique ID of USB drive that was accessed.
3. the time of last access to the system.

however, as ChopOMatic mentioned, you need to have the required experience and skills to touch the digital evidence especially if you are serious and going to bring the evidence to the court. hiring a forensics professional is a proper way though it might be expensive.

basically, if any hesitation, simply don't touch the computer at all. at least, remove and keep the HD at a safe place until further legal action is required.
0
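As an added illustration of the registry point in bbao's answer (not part of the original thread and not code from any poster): a parser for USB storage entries in a text export of the SYSTEM hive, taken from a forensic image rather than the live machine. The `Enum\USBSTOR` key layout is standard Windows; the sample export, device names and serials below are constructed.

```python
import re

# Constructed sample: text export of the Enum\USBSTOR subtree from a SYSTEM
# hive that was extracted from a forensic image (never the live machine).
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_Flash_Drive&Rev_1.00]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_Flash_Drive&Rev_1.00\AA00000000001234&0]
"FriendlyName"="ExampleCo Flash Drive USB Device"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_Flash_Drive&Rev_1.00\AA00000000001234&0\Device Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Mass_Storage&Rev_2.10\6&1a2b3c4d&0]
"FriendlyName"="Generic Mass Storage USB Device"
"""

# Matches only the per-device instance key: ...\USBSTOR\<device id>\<instance id>
KEY_RE = re.compile(
    r"^\[.*\\Enum\\USBSTOR\\"
    r"(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)"
    r"&Prod_(?P<product>[^&\\]*)&Rev_(?P<rev>[^&\\]*)"
    r"\\(?P<instance>[^\\\]]+)\]$"
)

def parse_usbstor(export_text):
    """Return one dict per USB storage device instance found in the export."""
    devices, current = [], None
    for raw in export_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            inst = m.group("instance")
            current = {
                "vendor": m.group("vendor"),
                "product": m.group("product"),
                "revision": m.group("rev"),
                # Instance ID is "<serial>&<n>"; drop the trailing "&<n>".
                "serial": inst.rsplit("&", 1)[0],
                # '&' as second character: Windows generated the ID because
                # the device reported no unique serial, so it cannot be tied
                # to one physical drive.
                "serial_from_device": not (len(inst) > 1 and inst[1] == "&"),
                "friendly_name": None,
            }
            devices.append(current)
        elif line.startswith("["):
            current = None  # some other key (parent or subkey)
        elif current is not None and line.startswith('"FriendlyName"='):
            current["friendly_name"] = line.split("=", 1)[1].strip('"')
    return devices

if __name__ == "__main__":
    for dev in parse_usbstor(SAMPLE_EXPORT):
        print(dev)
```

A text export carries no key last-write times; those are stored in the hive file itself and have to be read with a registry parser that works on the raw hive.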
 
michaelalphi Commented:
Hi Rudy,
Probably the similar concern I see here http://community.spiceworks.com/topic/452624-server-software-that-shows-file-activity?page=1#entry-3052734.
I hope it can help you.
0
 
bbao (IT Consultant) Commented:
FYI - Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/

again, be aware that a skilled professional is however required for using these tools.
0
 
BillDL Commented:
Rudy

Find out from the client what he or she would do if it could ever be proved that the employee had stolen data.

Somehow I doubt that the intention would be to have an argument over Facebook with the employee and do a bit of name calling.

Assuming that legal steps would be taken, then don't get in between the computer and a digital forensic scientist.  If you do, any and all evidence retrieved, no matter how damning it might be to the client's employee, would be completely invalidated.  Regardless of your prowess with forensic utilities and how many IT qualifications you may have earned, you are still not qualified to stand up in a court or even provide a statement about your findings unless you are a certified professional in forensic analysis.  You wouldn't be asking this if you were, so take heed of what ChopOMatic stated.
0
Question has a verified solution.