Solved

forensic review

Posted on 2014-03-04
Last Modified: 2014-04-10
Hi all,

I have a client where one of the employees left and he feels the employee stole some data.

I was wondering if there is any program that would allow me to do a forensic review, for example determine if any data was copied to a USB drive.

The computer is not connected to a domain; it's a Windows 7 standalone.

Any help is greatly appreciated.

RudyM
0
Question by:rudym88
6 Comments
 
LVL 5

Expert Comment

by:ChopOMatic
ID: 39905381
Rudy, you seriously need to hire a digital forensic professional to do this. I've been doing it full time for 11 years, and at least 80% of all my work is data theft by employees. I can't fathom being able to cover all the bases without a ton of training and experience. You do not want to tackle this, and if you do, you will almost certainly trample and invalidate any evidence that exists. Pull the plug on the machine, put it on a shelf, and don't touch it until you're handing it over to a pro.
0
 
LVL 70

Assisted Solution

by:Merete
Merete earned 250 total points
ID: 39905433
> determine if any data was copied to a USB drive

No.
Windows may tell you the recently used files or recently accessed files.
But there is no way to know if someone recently copied any files to a USB device, as no logs could report that user's activity, not even forensics. Forensics usually look for deleted files on a drive, and only when that drive is removed from the computer, i.e. a write-blocked hard drive.
The software is installed on a separate computer that will analyse the drive.
Stuff that has been removed, or so you think, but is actually still there, if the drive has not been written to since. I stress that the drive must not have been used since then.
To see deleted files on a drive not on Windows, the drive must be outside of Windows.
You can use Get Data Back from Runtime
data-recovery-software.htm
You need to take the drive out and place it either in a USB external enclosure or slot it into second position; then you can use Get Data Back.
Get Data Back has a fully functioning trial, so you can test it: choose which type of recovery, for example formatted drive or deleted files, and it will scan the drive for the deleted files.
There are a lot of different data recovery products.
https://www.runtime.org/data-recovery-products.htm
Virtual Forensic Computing (VFC) GetData
http://www.fulcrum.net.au/product_disp.php?prod_id=216&man_id=124
0
 
LVL 37

Accepted Solution

by:
bbao earned 250 total points
ID: 39905650
> if any data was copied to a USB drive
> if the drive has not been written to since.

as Merete mentioned, the short answer is NO as there is no way to determine if any file was copied to the USB drive.

> no logs could report that user's activity not even forensics

not that really. there is still plenty of information you could dig out from the Windows registry. for example, from a technical point of view, although it is not possible to know whether any COPY action ever occurred, from certain registry items it is still possible to determine:

1. if any USB drive was ACCESSED.
2. if ever accessed, the unique ID of USB drive that was accessed.
3. the time of last access to the system.

however, as ChopOMatic mentioned, you need to have the required experience and skills to touch the digital evidence especially if you are serious and going to bring the evidence to the court. hiring a forensics professional is a proper way though it might be expensive.

basically, if any hesitation, simply don't touch the computer at all. at least, remove and keep the HD at a safe place until further legal action is required.
0
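Added example, not part of bbao's answer or any poster's code: one way to pull the three items listed above out of the registry is to parse a regedit text export of the `Enum\USBSTOR` key, taken from a working copy of the SYSTEM hive. The key path is named here, not in the thread; the sample export, its vendor and serial values, and the function name are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample (made-up vendor/serial) in regedit's text-export layout; US date format assumed.
SAMPLE_EXPORT = r"""
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00
Class Name:        <NO CLASS>
Last Write Time:   2/27/2014 - 4:41 PM

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00\AA00000000000123&0
Class Name:        <NO CLASS>
Last Write Time:   2/27/2014 - 4:42 PM
Value 0
  Name:            FriendlyName
  Type:            REG_SZ
  Data:            ExampleCo FlashDrive USB Device

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Storage&Rev_0.01\6&1a2b3c4d&0
Class Name:        <NO CLASS>
Last Write Time:   1/15/2014 - 9:05 AM
"""

# <device class>\<instance id> directly under USBSTOR; deeper sub-keys do not match.
INSTANCE_RE = re.compile(r"\\Enum\\USBSTOR\\([^\\]+)\\([^\\]+)$")
DEVICE_RE = re.compile(r"Ven_([^&]*)&Prod_([^&]*)")

def usb_storage_history(export_text):
    """Return one record per USB storage device instance, oldest write time first."""
    devices = []
    for block in export_text.split("Key Name:")[1:]:
        lines = [line.strip() for line in block.strip().splitlines()]
        key = INSTANCE_RE.search(lines[0])
        if not key:  # parent keys and sub-keys carry no instance ID
            continue
        dev = DEVICE_RE.search(key.group(1))
        instance = key.group(2)
        stamp = next((l.split(":", 1)[1].strip() for l in lines
                      if l.startswith("Last Write Time:")), None)
        devices.append({
            "vendor": dev.group(1) if dev else None,
            "product": dev.group(2) if dev else None,
            "serial": instance.rsplit("&", 1)[0],
            # '&' as second character: Windows generated this ID, so it is not a device serial.
            "unique_serial": not (len(instance) > 1 and instance[1] == "&"),
            "last_write": datetime.strptime(stamp, "%m/%d/%Y - %I:%M %p") if stamp else None,
        })
    return sorted(devices, key=lambda d: d["last_write"] or datetime.min)
```

The timestamp is when the registry key was last modified, so an examiner corroborates it against other artifacts before treating it as a connection time. A record here shows that a device was attached, not that any file was copied to it.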
LVL 4

Expert Comment

by:michaelalphi
ID: 39905667
Hi Rudy,
Probably the similar concern I see here http://community.spiceworks.com/topic/452624-server-software-that-shows-file-activity?page=1#entry-3052734.
I hope it can help you.
0
 
LVL 37

Expert Comment

by:bbao
ID: 39905673
FYI - Top 20 Free Digital Forensic Investigation Tools for SysAdmins
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/

again, be aware that a skilled professional is however required for using these tools.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 39920350
Rudy

Find out from the client what he or she would do if it could ever be proved that the employee had stolen data.

Somehow I doubt that the intention would be to have an argument over Facebook with the employee and do a bit of name calling.

Assuming that legal steps would be taken, then don't get in between the computer and a digital forensic scientist.  If you do, any and all evidence retrieved, no matter how damning it might be to the client's employee, would be completely invalidated.  Regardless of your prowess with forensic utilities and how many IT qualifications you may have earned, you are still not qualified to stand up in a court or even provide a statement about your findings unless you are a certified professional in forensic analysis.  You wouldn't be asking this if you were, so take heed of what ChopOMatic stated.
0
