Trace Documents being moved from Pc to Flashdrive

I have a new client that just terminated an employee. Right after that event, they checked the employee's Pc and found company documents missing from his stand alone peer to peer Pc. They never took any backups.

I installed Recuva and ran a full system scan for deleted files. The only files found were from a few months ago and there were only a few files per day deleted at that time. Nothing that would point to a mass deletion which is what I was looking for.
https://www.piriform.com/recuva
 
I suspect he moved all documents to a USB flash drive and took it with him.

Is there any way to track this down in Windows Logs?
LVL 25
Tony GiangrecoAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

McKnifeCommented:
No, there isn't. This would require settings for file auditing in place already before the copying.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Tony GiangrecoAuthor Commented:
That's what I expected. No surprise. Just another instance if the customer not being proactive!
0
marsiliesCommented:
"Moving" a file to a different drive is basically just a copy + delete function. First the OS copies the file to the destination, then deletes it from the source location. So undelete programs will recover "moved" files, assuming they haven't been overwritten.

You may want to try "Previous Versions" built into Windows 7 to recover the files. See instructions here:
http://www.howtogeek.com/56891/use-windows-7s-previous-versions-to-go-back-in-time-and-save-your-files/

Another possibility is that they were moved elsewhere on the same drive and/or hidden. They wouldn't show up as deleted then. You can use this tool to look for hidden files:
http://securityxploded.com/hidden-file-finder.php

For moved files, search the whole drive:
http://www.ehow.com/how_5880516_file-moved.html


Other possibilities are that the files were never saved on the PC's drive: the user may have created and kept everything on a USB drive in order to work on the files at home.  Or, if the user was malicious, used a file wiping program to "shred" or overwrite the files on the disk, making undelete impossible.
0
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

David Johnson, CD, MVPOwnerCommented:
Good reasoning for using a domain.. during the termination interview the user account is disabled in AD
0
Tony GiangrecoAuthor Commented:
I agree with the comments. I'll try those tools Saturday morning when I'm there.
0
Tony GiangrecoAuthor Commented:
Thanks for confirming my expectations on this one.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.