?
Solved

Trace Documents being moved from Pc to Flashdrive

Posted on 2014-12-11
6
Medium Priority
?
160 Views
Last Modified: 2014-12-17
I have a new client that just terminated an employee. Right after that event, they checked the employee's Pc and found company documents missing from his stand alone peer to peer Pc. They never took any backups.

I installed Recuva and ran a full system scan for deleted files. The only files found were from a few months ago and there were only a few files per day deleted at that time. Nothing that would point to a mass deletion which is what I was looking for.
https://www.piriform.com/recuva
 
I suspect he moved all documents to a USB flash drive and took it with him.

Is there any way to track this down in Windows Logs?
0
Comment
Question by:Tony Giangreco
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 56

Accepted Solution

by:
McKnife earned 668 total points
ID: 40495073
No, there isn't. This would require settings for file auditing in place already before the copying.
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 40495090
That's what I expected. No surprise. Just another instance if the customer not being proactive!
0
 
LVL 20

Assisted Solution

by:marsilies
marsilies earned 668 total points
ID: 40495152
"Moving" a file to a different drive is basically just a copy + delete function. First the OS copies the file to the destination, then deletes it from the source location. So undelete programs will recover "moved" files, assuming they haven't been overwritten.

You may want to try "Previous Versions" built into Windows 7 to recover the files. See instructions here:
http://www.howtogeek.com/56891/use-windows-7s-previous-versions-to-go-back-in-time-and-save-your-files/

Another possibility is that they were moved elsewhere on the same drive and/or hidden. They wouldn't show up as deleted then. You can use this tool to look for hidden files:
http://securityxploded.com/hidden-file-finder.php

For moved files, search the whole drive:
http://www.ehow.com/how_5880516_file-moved.html


Other possibilities are that the files were never saved on the PC's drive: the user may have created and kept everything on a USB drive in order to work on the files at home.  Or, if the user was malicious, used a file wiping program to "shred" or overwrite the files on the disk, making undelete impossible.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 82

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 664 total points
ID: 40495308
Good reasoning for using a domain.. during the termination interview the user account is disabled in AD
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 40495313
I agree with the comments. I'll try those tools Saturday morning when I'm there.
0
 
LVL 25

Author Closing Comment

by:Tony Giangreco
ID: 40505924
Thanks for confirming my expectations on this one.
0

Featured Post

Percona Live Europe 2017 | Sep 25 - 27, 2017

The Percona Live Open Source Database Conference Europe 2017 is the premier event for the diverse and active European open source database community, as well as businesses that develop and use open source database software.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
A quick guide on how to use Group Policy to create a custom power plan and set it active on Windows 7.
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operating…
This Micro Tutorial will teach you how to the overview of Microsoft Security Essentials. This is a free anti-virus software that guards your PC against viruses, spyware, worms, and other malicious software. This will be demonstrated using Windows…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question