Solved

forensic review

Posted on 2014-03-04
Last Modified: 2014-04-10
Hi all,

I have a client where one of the employees left and he feels the employee stole some data.

I was wondering if there is any program that would allow me to do a forensic review, for example determine if any data was copied to a USB drive.

The computer is not connected to a domain; it's a Windows 7 standalone.

Any help is greatly appreciated.

RudyM
0
Question by:rudym88
6 Comments
 
LVL 5

Expert Comment

by:ChopOMatic
ID: 39905381
Rudy, you seriously need to hire a digital forensic professional to do this. I've been doing it full time for 11 years, and at least 80% of all my work is data theft by employees. I can't fathom being able to cover all the bases without a ton of training and experience. You do not want to tackle this, and if you do, you will almost certainly trample and invalidate any evidence that exists. Pull the plug on the machine, put it on a shelf, and don't touch it until you're handing it over to a pro.
0
 
LVL 70

Assisted Solution

by:Merete
Merete earned 250 total points
ID: 39905433
> determine if any data was copied to a USB drive

No.
Windows may tell you the recently used files or recently accessed files.
But there is no way to know if someone recently copied any files to a USB device, as no logs could report that user's activity, not even forensics. Forensics usually look for deleted files on a drive, and only when that drive is removed from the computer, i.e. a write-blocked hard drive.
The software is installed on a separate computer that will analyse the drive.
Stuff that has been removed, or so you think, but is actually still there, if the drive has not been written to since. I stress that the drive must not have been used since then.
To see deleted files on a drive not on Windows, the drive must be outside of Windows.
You can use Get Data Back from Runtime
data-recovery-software.htm
You need to take the drive out and place it either in a USB external enclosure or slot it into second position; then you can use Get Data Back.
Get Data Back has a fully functioning trial, so you can test it: choose which type of recovery, for example formatted drive or deleted files, and it will scan the drive for the deleted files.
There are a lot of different data recovery products.
https://www.runtime.org/data-recovery-products.htm
Virtual Forensic Computing (VFC) GetData
http://www.fulcrum.net.au/product_disp.php?prod_id=216&man_id=124
0
 
LVL 37

Accepted Solution

by:bbao
bbao earned 250 total points
ID: 39905650
> if any data was copied to a USB drive
> if the drive has not been written to since.

as Merete mentioned, the short answer is NO as there is no way to determine if any file was copied to the USB drive.

> no logs could report that user's activity not even forensics

not really. there is still plenty of information you could dig out from the Windows registry. for example, from a technical point of view, although it is not possible to know whether any COPY action ever occurred, from certain registry items it is still possible to determine:

1. if any USB drive was ACCESSED.
2. if ever accessed, the unique ID of USB drive that was accessed.
3. the time of last access to the system.

however, as ChopOMatic mentioned, you need to have the required experience and skills to touch the digital evidence especially if you are serious and going to bring the evidence to the court. hiring a forensics professional is a proper way though it might be expensive.

basically, if any hesitation, simply don't touch the computer at all. at least, remove and keep the HD at a safe place until further legal action is required.
0
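The registry check described in the answer above, as an added example that is not part of the original thread: a parser for a `.reg` text export of the `Enum\USBSTOR` key, listing each USB storage device Windows has recorded and its instance ID. The choice of key, the `OFFLINE_SYSTEM` mount name and every sample value are assumptions constructed for illustration; a `.reg` export carries no timestamps, so access times have to be read from the hive's key last-write times instead.

```python
import re

# Constructed sample: text of a .reg export of the Enum\USBSTOR key taken from a
# working copy of the SYSTEM hive (loaded as OFFLINE_SYSTEM). Not real evidence.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\OFFLINE_SYSTEM\ControlSet001\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\OFFLINE_SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26]

[HKEY_LOCAL_MACHINE\OFFLINE_SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001230101115123&0]
"FriendlyName"="SanDisk Cruzer USB Device"

[HKEY_LOCAL_MACHINE\OFFLINE_SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001230101115123&0\Device Parameters]

[HKEY_LOCAL_MACHINE\OFFLINE_SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2b1f4a7c&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

# A device-instance key sits exactly two levels below USBSTOR: <device class>\<instance id>
KEY_RE = re.compile(r"^\[.*\\Enum\\USBSTOR\\([^\\\]]+)\\([^\\\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"FriendlyName"="(.*)"$')

def parse_usbstor(reg_text):
    devices, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            dev_class, instance = key.groups()
            fields = dict(p.split("_", 1) for p in dev_class.split("&")[1:] if "_" in p)
            current = {
                "vendor": fields.get("Ven", ""),
                "product": fields.get("Prod", ""),
                "revision": fields.get("Rev", ""),
                "instance_id": instance,
                # '&' as second character: Windows generated the ID because the
                # device reported no serial number, so it is not unique to the stick.
                "has_serial": len(instance) < 2 or instance[1] != "&",
                "friendly_name": None,
            }
            devices.append(current)
        elif line.startswith("["):
            current = None  # parent key or subkey: stop attaching values to a device
        elif current and (val := VALUE_RE.match(line)):
            current["friendly_name"] = val.group(1)
    return devices
```

Matching on `\Enum\USBSTOR\` rather than a fixed path lets the same parser handle `CurrentControlSet` exports and `ControlSet00x` paths from a loaded offline hive.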
 
LVL 4

Expert Comment

by:michaelalphi
ID: 39905667
Hi Rudy,
Probably a similar concern to the one I see here: http://community.spiceworks.com/topic/452624-server-software-that-shows-file-activity?page=1#entry-3052734
I hope it can help you.
0
 
LVL 37

Expert Comment

by:bbao
ID: 39905673
FYI - Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/

again, be aware that a skilled professional is, however, required for using these tools.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 39920350
Rudy

Find out from the client what he or she would do if it could ever be proved that the employee had stolen data.

Somehow I doubt that the intention would be to have an argument over Facebook with the employee and do a bit of name calling.

Assuming that legal steps would be taken, then don't get in between the computer and a digital forensic scientist.  If you do, any and all evidence retrieved, no matter how damning it might be to the client's employee, would be completely invalidated.  Regardless of your prowess with forensic utilities and how many IT qualifications you may have earned, you are still not qualified to stand up in a court or even provide a statement about your findings unless you are a certified professional in forensic analysis.  You wouldn't be asking this if you were, so take heed of what ChopOMatic stated.
0

Question has a verified solution.
