Solved

Trace Documents being moved from Pc to Flashdrive

Posted on 2014-12-11
6
152 Views
Last Modified: 2014-12-17
I have a new client that just terminated an employee. Right after that event, they checked the employee's Pc and found company documents missing from his stand alone peer to peer Pc. They never took any backups.

I installed Recuva and ran a full system scan for deleted files. The only files found were from a few months ago and there were only a few files per day deleted at that time. Nothing that would point to a mass deletion which is what I was looking for.
https://www.piriform.com/recuva
 
I suspect he moved all documents to a USB flash drive and took it with him.

Is there any way to track this down in Windows Logs?
0
Comment
Question by:Tony Giangreco
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 54

Accepted Solution

by:
McKnife earned 167 total points
ID: 40495073
No, there isn't. This would require settings for file auditing in place already before the copying.
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 40495090
That's what I expected. No surprise. Just another instance if the customer not being proactive!
0
 
LVL 20

Assisted Solution

by:marsilies
marsilies earned 167 total points
ID: 40495152
"Moving" a file to a different drive is basically just a copy + delete function. First the OS copies the file to the destination, then deletes it from the source location. So undelete programs will recover "moved" files, assuming they haven't been overwritten.

You may want to try "Previous Versions" built into Windows 7 to recover the files. See instructions here:
http://www.howtogeek.com/56891/use-windows-7s-previous-versions-to-go-back-in-time-and-save-your-files/

Another possibility is that they were moved elsewhere on the same drive and/or hidden. They wouldn't show up as deleted then. You can use this tool to look for hidden files:
http://securityxploded.com/hidden-file-finder.php

For moved files, search the whole drive:
http://www.ehow.com/how_5880516_file-moved.html


Other possibilities are that the files were never saved on the PC's drive: the user may have created and kept everything on a USB drive in order to work on the files at home.  Or, if the user was malicious, used a file wiping program to "shred" or overwrite the files on the disk, making undelete impossible.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 81

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 166 total points
ID: 40495308
Good reasoning for using a domain.. during the termination interview the user account is disabled in AD
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 40495313
I agree with the comments. I'll try those tools Saturday morning when I'm there.
0
 
LVL 25

Author Closing Comment

by:Tony Giangreco
ID: 40505924
Thanks for confirming my expectations on this one.
0

Featured Post

Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn how the use of a bunch of disparate tools requiring a lot of manual attention led to a series of unfortunate backup events for one company.
In this article we will learn how to backup a VMware farm using Nakivo Backup & Replication. In this tutorial we will install the software on a Windows 2012 R2 Server.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question