Avatar of yballan
yballan
Flag for United States of America asked on

Forensic work for Exchange 2010

Dear experts,

We recently had an employee leave our company, and are strongly suspecting that she has taken some of our company data and went to a competitor, since we lost our large account with one of our clients, and found out that the account followed her.
I have been instructed to restore any deleted file and emails on her laptop.
I used GetDataBack for files, and PST Walker to find hard deleted mails, but that is about all I could do.
She had a habit of always emptying out her Deleted Item box, even if I go back on our Exchange backup, I cannot seem to find anything else.
Is there another way for us to recover deleted messages from the Exchange?  I was also asked if there is any way we can find out if she copied files off of our network folders to an external source, but since we don't have any network monitoring tools currently running, I am assuming that we cannot find such info.  In the future, what should be our practice to avoid this type of situations?

Please advise.
Digital ForensicsExchangeNetwork Architecture

Avatar of undefined
Last Comment
btan

8/22/2022 - Mon
paarun

As you say that the employee left recently, could you restore her mailbox from one of the recent backups and check dumpster data? Also, going further I would strongly suggest that you use a Data Leakage Prevention solution to monitor sensitive data in your environment.
ASKER CERTIFIED SOLUTION
Amit

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
SOLUTION
btan

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
yballan

ASKER
Dear paarun,

Thank you for your response, but she had a habit of hard deleting mail messages every day, so none of the backups have any items in deleted item folder.
yballan

ASKER
Thank you, Amit and btan.

I will use your information to form a policy for the future for my company, but it does look l do not have much to go on as of now.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
btan

thanks that is right steps to ensure top down approach for governance and ensure user acceptance and policy cover such aspect, but importantly create that "deterring" effect by enabling audit trails, login splash screen on the use of company property and regular asset and audit check will be good as well...activities to be verified and validated on the ground always with strict regime is always better as it "walk the talk" and not "paper play" per se...