Solved

forensic review

Posted on 2014-03-04
Last Modified: 2014-04-10
Hi all,

I have a client where one of the employees left and he feels the employee stole some data.

I was wondering if there is any program that would allow me to do a forensic review, for example determine if any data was copied to a USB drive.

The computer is not connected to a domain; it's a Windows 7 standalone.

Any help is greatly appreciated.

RudyM
0
Question by:rudym88
6 Comments
 
LVL 5

Expert Comment

by:ChopOMatic
ID: 39905381
Rudy, you seriously need to hire a digital forensic professional to do this. I've been doing it full time for 11 years, and at least 80% of all my work is data theft by employees. I can't fathom being able to cover all the bases without a ton of training and experience. You do not want to tackle this, and if you do, you will almost certainly trample and invalidate any evidence that exists. Pull the plug on the machine, put it on a shelf, and don't touch it until you're handing it over to a pro.
0
 
LVL 70

Assisted Solution

by:Merete
Merete earned 1000 total points
ID: 39905433
> determine if any data was copied to a USB drive

No.
Windows may tell you the recently used files or recently accessed files.
But there is no way to know if someone recently copied any files to a USB device, as no logs could report that user's activity, not even forensics. Forensics usually look for deleted files on a drive, and only when that drive is removed from the computer, i.e. a write-blocked hard drive.
The software is installed on a separate computer that will analyse the drive.
Stuff that has been removed, or so you think, but is actually still there if the drive has not been written to since. I stress that the drive must not have been used since then.
To see deleted files on a drive not on Windows, the drive must be outside of Windows.
You can use Get Data Back from Runtime
data-recovery-software.htm
You need to take the drive out and place it either in a USB external enclosure or slot it into second position, then you can use Get Data Back.
Get Data Back has a fully functioning trial, so you can test it. Choose which type of recovery, for example formatted drive or deleted files, and it will scan the drive for the deleted files.
There are a lot of different data recovery products.
https://www.runtime.org/data-recovery-products.htm
Virtual Forensic Computing (VFC) GetData
http://www.fulcrum.net.au/product_disp.php?prod_id=216&man_id=124
0
 
LVL 37

Accepted Solution

by:
bbao earned 1000 total points
ID: 39905650
> if any data was copied to a USB drive
> if the drive has not been written to since.

as Merete mentioned, the short answer is NO as there is no way to determine if any file was copied to the USB drive.

> no logs could report that user's activity not even forensics

not really. there is still plenty of information you could dig out from the Windows registry. for example, from a technical point of view, although it is not possible to know whether any COPY action ever occurred, from certain registry items it is still possible to determine:

1. if any USB drive was ACCESSED.
2. if ever accessed, the unique ID of USB drive that was accessed.
3. the time of last access to the system.

however, as ChopOMatic mentioned, you need to have the required experience and skills to touch the digital evidence especially if you are serious and going to bring the evidence to the court. hiring a forensics professional is a proper way though it might be expensive.

basically, if any hesitation, simply don't touch the computer at all. at least, remove and keep the HD at a safe place until further legal action is required.
0
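The registry check described in points 1 and 2 above, as an added example that is not part of the original thread: it lists the USB storage devices recorded under `Enum\USBSTOR` and whether each instance ID is a device-reported serial. It assumes a `.reg` text export of that subtree, taken on a separate analysis machine from a SYSTEM hive on a forensic image copy; the mount name `OFFLINE_SYSTEM` and all sample values are constructed.

```python
import re

# Constructed sample: .reg text export of Enum\USBSTOR from a SYSTEM hive that was
# loaded offline from a forensic image copy (mount name OFFLINE_SYSTEM is hypothetical).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\OFFLINE_SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26]

[HKEY_LOCAL_MACHINE\OFFLINE_SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"
"Service"="disk"

[HKEY_LOCAL_MACHINE\OFFLINE_SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2f3a1b7c&0]
"FriendlyName"="Generic Flash Disk USB Device"
'''

KEY_RE = re.compile(r'^\[.*\\Enum\\USBSTOR\\([^\\\]]+)\\([^\\\]]+)\]$')
DEV_RE = re.compile(r'^(\w+)&Ven_(.*?)&Prod_(.*?)&Rev_(.*)$')
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_usbstor(export_text):
    """Return one record per USBSTOR device instance key found in the export."""
    devices, current = [], None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            dev = DEV_RE.match(key.group(1))
            instance = key.group(2)
            # '&' as the second character means Windows generated the ID because the
            # device reported no serial number, so it does not identify one drive.
            unique = len(instance) > 1 and instance[1] != "&"
            current = {
                "vendor": dev.group(2) if dev else None,
                "product": dev.group(3) if dev else None,
                "revision": dev.group(4) if dev else None,
                "instance_id": instance,
                "unique_serial": unique,
                "serial": instance.rsplit("&", 1)[0] if unique else None,
                "friendly_name": None,
            }
            devices.append(current)
        elif line.startswith("["):
            current = None  # parent key or subkey: stop attaching values
        elif current is not None:
            val = VAL_RE.match(line)
            if val and val.group(1) == "FriendlyName":
                current["friendly_name"] = val.group(2)
    return devices
```

A text export carries no key timestamps, so this covers only which devices were seen and their IDs, not the time in point 3.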
LVL 4

Expert Comment

by:michaelalphi
ID: 39905667
Hi Rudy,
Probably a similar concern I see here: http://community.spiceworks.com/topic/452624-server-software-that-shows-file-activity?page=1#entry-3052734
I hope it can help you.
0
 
LVL 37

Expert Comment

by:bbao
ID: 39905673
FYI - Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/

again, be aware that a skilled professional is however required for using these tools.
0
 
LVL 39

Expert Comment

by:BillDL
ID: 39920350
Rudy

Find out from the client what he or she would do if it could ever be proved that the employee had stolen data.

Somehow I doubt that the intention would be to have an argument over Facebook with the employee and do a bit of name calling.

Assuming that legal steps would be taken, then don't get in between the computer and a digital forensic scientist.  If you do, any and all evidence retrieved, no matter how damning it might be to the client's employee, would be completely invalidated.  Regardless of your prowess with forensic utilities and how many IT qualifications you may have earned, you are still not qualified to stand up in a court or even provide a statement about your findings unless you are a certified professional in forensic analysis.  You wouldn't be asking this if you were, so take heed of what ChopOMatic stated.
0
