Link to home
Start Free TrialLog in
Avatar of rudym88
rudym88

asked on

forensic review

Hi all,

I have a client where one of the employees left and he feels the employee stole some data.

I was wondering if there is any program that would allow me to do a forensic review, for example determine if any data was copied to a USB drive.

The computer is not connected to a  domain, it's a Windows 7 standalone

Any help is greatly appreciated.

RudyM
Avatar of ChopOMatic
ChopOMatic
Flag of United States of America image

Rudy, you seriously need to hire a digital forensic professional to do this. I've been doing it full time for 11 years, and at least 80% of all my work is data theft by employees. I can't fathom being able to cover all the bases without a ton of training and experience. You do not want to tackle this, and if you do, you will almost certainly trample and invalidate any evidence that exists. Pull the plug on the machine, put it on a shelf, and don't touch it until you're handing it over to a pro.
SOLUTION
Avatar of Merete
Merete
Flag of Australia image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of michaelalphi
michaelalphi

Hi Rudy,
Probably the similar concern I see here http://community.spiceworks.com/topic/452624-server-software-that-shows-file-activity?page=1#entry-3052734.
I hope, it can help you.
FYI - Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/

again, be aware that a skiled professional is however required for using these tools.
Rudy

Find out from the client what he or she would do if it could ever be proved that the employee had stolen data.

Somehow I doubt that the intention would be to have an argument over Facebook with the employee and do a bit of name calling.

Assuming that legal steps would be taken, then don't get in between the computer and a digital forensic scientist.  If you do, any and all evidence retrieved, no matter how damning it might be to the client's employee, would be completely invalidated.  Regardless of your prowess with forensic utilities and how many IT qualifications you may have earned, you are still not qualified to stand up in a court or even provide a statement about your findings unless you are a certified professional in forensic analysis.  You wouldn't be asking this if you were, so take heed of what ChopOMatic stated.