yballan

Forensic work for Exchange 2010

Dear experts,

We recently had an employee leave our company, and we strongly suspect that she has taken some of our company data and gone to a competitor, since we lost our large account with one of our clients and found out that the account followed her.
I have been instructed to restore any deleted files and emails on her laptop.
I used GetDataBack for files, and PST Walker to find hard deleted mails, but that is about all I could do.
She had a habit of always emptying out her Deleted Item box; even if I go back to our Exchange backup, I cannot seem to find anything else.
Is there another way for us to recover deleted messages from Exchange? I was also asked if there is any way we can find out if she copied files off of our network folders to an external source, but since we don't have any network monitoring tools currently running, I am assuming that we cannot find such info. In the future, what should be our practice to avoid this type of situation?

Please advise.
paarun

As you say that the employee left recently, could you restore her mailbox from one of the recent backups and check dumpster data? Also, going further I would strongly suggest that you use a Data Leakage Prevention solution to monitor sensitive data in your environment.
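
The dumpster check suggested above, as an added example that is not part of paarun's post: in Exchange 2010 the dumpster is the Recoverable Items folder, which is kept separately from Deleted Items for the deleted item retention period. The sketch assumes the Exchange Management Shell on Exchange 2010 SP1 or later and an account holding the Mailbox Search and Mailbox Import Export roles; the mailbox and folder names are placeholders.

```powershell
# Added example; every name below is a placeholder, not a value from this thread.
$Mailbox = 'departed.user'        # mailbox under review (live, or restored from backup)
$Target  = 'DiscoveryMailbox01'   # mailbox that receives the copied items
$Folder  = 'Dumpster-Review'      # folder created in the target mailbox

# 1. Retention settings: how long hard-deleted items are kept, and whether
#    single item recovery or litigation hold was enabled for this mailbox.
$mbx = Get-Mailbox -Identity $Mailbox
$mbx | Format-List Database, UseDatabaseRetentionDefaults, RetainDeletedItemsFor,
                   SingleItemRecoveryEnabled, LitigationHoldEnabled
Get-MailboxDatabase -Identity $mbx.Database | Format-List Name, DeletedItemRetention

# 2. Item counts in the Recoverable Items subfolders (Deletions, Purges, Versions).
$stats = Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems
$stats | Format-Table Name, ItemsInFolder, FolderSize -AutoSize

# 3. Copy whatever is still in the dumpster to the review mailbox.
#    The source mailbox is not modified because -DeleteContent is not used.
$total = ($stats | Measure-Object -Property ItemsInFolder -Sum).Sum
if ($total -gt 0) {
    Search-Mailbox -Identity $Mailbox -SearchDumpsterOnly `
        -TargetMailbox $Target -TargetFolder $Folder -LogLevel Full
} else {
    Write-Warning "Recoverable Items is empty for $Mailbox; the retention window may have passed."
}
```

If step 2 shows zero items on the live mailbox, the same commands can be run against a copy of the mailbox restored from a backup taken inside the retention window.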
ASKER CERTIFIED SOLUTION
Amit
yballan

ASKER

Dear paarun,

Thank you for your response, but she had a habit of hard deleting mail messages every day, so none of the backups have any items in deleted item folder.
yballan

ASKER

Thank you, Amit and btan.

I will use your information to form a policy for the future for my company, but it does look like I do not have much to go on as of now.

Thanks, those are the right steps to ensure a top-down approach for governance and ensure user acceptance and that policy covers such aspects, but importantly, create that "deterring" effect by enabling audit trails and a login splash screen on the use of company property; regular asset and audit checks will be good as well... Having activities verified and validated on the ground, always with a strict regime, is always better as it "walks the talk" and is not "paper play" per se...