Forensic work for Exchange 2010

Dear experts,

We recently had an employee leave our company, and we strongly suspect that she has taken some of our company data and gone to a competitor, since we lost our large account with one of our clients and found out that the account followed her.
I have been instructed to restore any deleted file and emails on her laptop.
I used GetDataBack for files, and PST Walker to find hard deleted mails, but that is about all I could do.
She had a habit of always emptying out her Deleted Items box; even if I go back to our Exchange backup, I cannot seem to find anything else.
Is there another way for us to recover deleted messages from Exchange? I was also asked if there is any way we can find out whether she copied files off our network folders to an external source, but since we don't have any network monitoring tools currently running, I am assuming that we cannot find such info. In the future, what should our practice be to avoid this type of situation?

Please advise.
yballan asked:

paarun commented:
As you say the employee left recently, could you restore her mailbox from one of the recent backups and check the dumpster data? Also, going further, I would strongly suggest that you use a Data Leakage Prevention solution to monitor sensitive data in your environment.
Amit (IT Architect) commented:
It is too late. For the future, it is best to keep such accounts on litigation hold and also enable the mailbox-level auditing feature provided in Exchange 2010. Both solutions will help you track down user actions. This is free from Microsoft and you don't need to spend money on any other tool. Let me know if you have any doubts.

https://technet.microsoft.com/en-in/library/ee861123(v=exchg.141).aspx
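As an added example (not part of Amit's post), the Exchange Management Shell commands that put one mailbox on litigation hold and enable owner-side mailbox audit logging as described above, followed by the audit-log search an investigator would run later; the mailbox identity and date range are placeholders.

```powershell
# Added example: litigation hold + mailbox audit logging on one mailbox
# (Exchange 2010 SP1 Exchange Management Shell), then an audit-log query.
# The mailbox identity and dates below are placeholders, not real values.
$mbx = 'user.name@contoso.example'   # placeholder mailbox identity

# Litigation hold: items the owner deletes or edits are kept in the
# Recoverable Items folder regardless of the deleted-item retention window.
Set-Mailbox -Identity $mbx -LitigationHoldEnabled $true

# Mailbox audit logging: record the owner's own move/delete actions and
# keep the log for 180 days (the default is 90). Only actions performed
# AFTER this is enabled are recorded, which is why it must be set in advance.
Set-Mailbox -Identity $mbx -AuditEnabled $true `
    -AuditOwner MoveToDeletedItems,SoftDelete,HardDelete `
    -AuditLogAgeLimit 180.00:00:00

# Confirm the settings took effect.
Get-Mailbox -Identity $mbx |
    Format-List LitigationHoldEnabled,LitigationHoldDate,AuditEnabled,AuditOwner,AuditLogAgeLimit

# Later, during an investigation: list the owner's soft/hard deletes in a
# date range. -ShowDetails returns one row per event with subject and folder.
Search-MailboxAuditLog -Identity $mbx -LogonTypes Owner `
    -StartDate '01/01/2015' -EndDate '01/31/2015' -ShowDetails |
    Where-Object { 'SoftDelete','HardDelete' -contains $_.Operation } |
    Select-Object LastAccessed,Operation,FolderPathName,ItemSubject,ClientIPAddress,ClientInfoString |
    Sort-Object LastAccessed |
    Format-Table -AutoSize
```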

btan (Exec Consultant) commented:
Pretty tough for recovery, especially as time passes and new mail arrives, or after the PST is compacted; the ability to recover deleted messages goes down dramatically. Compacting the data file after emptying the Deleted Items folder will eliminate the ability to recover deleted items. Also, deleted items may be covered by a Deleted Item Retention policy in Exchange, preventing the user from deleting the messages from Recover Deleted Items. If the organization archives messages as they arrive, they could be somewhere on the network.

There are schemes shared in enterprises whereby Exchange is configured with Litigation Hold or Single Item Recovery enabled. This is to "event trap" when an e-mail was changed: the Exchange administrator (or authorised party) can export her mailbox to a PST file without excluding the Recoverable Items folder, and when the engaged forensics investigator (or designated party) accesses the PST file, it will contain this folder with the original versions of every altered or deleted e-mail. However, even in that case, if she has done a "clean" job, by hard deleting in this case, it makes it quite impossible even when delving into her mailbox and the PST on the machine.
http://www.msexchange.org/articles-tutorials/exchange-server-2013/compliance-policies-archiving/e-mail-forensics-corporate-exchange-environment-part2.html

There can be an evidence search for her attempts to install unofficial or unsanctioned s/w such as CCleaner or encryption s/w like TrueCrypt as part of her scheme, but it is not enough to bring to the case shared to pinpoint that she has leaked the info. Her online assets or file sharing, if the organisation used Google Apps or Office 365, may leave trails, but likely not all are using cloud services, and her intent was likely not to deposit any such transaction there and then. She definitely needs means to leak; if her email is supposed to be one of her leak channels, she would have sent out attachments to a web email. But it is unlikely that the rights are granted to search her web email. If there is a central web gateway guarding all internet access in the company, it may drop some hint of her daily or anomalous activities. Likely another slim chance, as most do not lock down, or she may just have had the HTTP traffic encrypted; most web email is SSL based already.

So there is a high chance she also tapped external portable storage for such intent to exfiltrate the documents. You can check out USBDeview, which views all installed/connected USB devices on your system.

Also, looking at her web activities via the browser cache and wireless hotspots (SSIDs joined) may be useful too. Here is a list of forensic tools for info: http://www.holger-spreen.de/forensik/index.php/beispiele/68-top-10-free-forensic-tools

As a whole, even proof of any act of removal at a given time/date can also become a weak assertion if the trail and activities of her PC can still be subjected to denial and debate without the mentioned hard PC trails and acknowledgment from her part to reveal more to stay in an innocent state. There is a need to establish reliable, legally acceptable proof of chain of custody if possible. Even a Digital Rights Managed (RMS) capable system that can prove that the target could only access the file in the way governed by a system that does not allow copying and provides a cryptographic receipt for deletion may still fall under weak assertion without joining other "possible dots", such as her past activities and any of her work ethics issues reported...
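As an added example illustrating the Single Item Recovery and PST export that btan's post describes (not btan's own commands), in the Exchange 2010 SP1 Management Shell; the mailbox identity, export share and admin account are placeholders, and the share must be writable by the Exchange Trusted Subsystem group.

```powershell
# Added example: keep purged items recoverable and export the mailbox with
# its Recoverable Items folder intact (Exchange 2010 SP1 Management Shell).
# All identities and paths below are placeholders, not real values.
$mbx     = 'user.name@contoso.example'               # placeholder mailbox
$pstPath = '\\fileserver\forensics$\user.name.pst'   # placeholder UNC path

# Single Item Recovery keeps items the user purges from Recoverable Items
# (hard deletes included) for the deleted-item retention window, here 30 days.
Set-Mailbox -Identity $mbx -SingleItemRecoveryEnabled $true `
    -RetainDeletedItemsFor 30.00:00:00

# Before exporting, see what is still held in the Recoverable Items
# subfolders (Deletions, Versions, Purges) rather than the visible folders.
Get-MailboxFolderStatistics -Identity $mbx -FolderScope RecoverableItems |
    Select-Object Name,ItemsInFolder,FolderSize |
    Format-Table -AutoSize

# Exporting requires the Mailbox Import Export role, which no admin holds
# by default; the assignment takes effect in a new shell session.
New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User 'forensics.admin'

# Export the whole mailbox. Recoverable Items is included unless
# -ExcludeDumpster is given, so the original versions of altered or deleted
# mail travel with the PST for the investigator.
New-MailboxExportRequest -Mailbox $mbx -FilePath $pstPath -Name 'forensic-export'

# Track progress; the PST is usable once Status reports Completed.
Get-MailboxExportRequest -Name 'forensic-export' |
    Get-MailboxExportRequestStatistics |
    Format-List Status,PercentComplete,ItemsTransferred,FilePath
```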
yballan (Author) commented:
Dear paarun,

Thank you for your response, but she had a habit of hard deleting mail messages every day, so none of the backups have any items in the Deleted Items folder.
yballan (Author) commented:
Thank you, Amit and btan.

I will use your information to form a policy for the future for my company, but it does look like I do not have much to go on as of now.
btan (Exec Consultant) commented:
Thanks, that is the right step to ensure a top-down approach for governance and to ensure user acceptance and policy cover such aspects, but importantly it creates that "deterring" effect by enabling audit trails; a login splash screen on the use of company property and regular asset and audit checks will be good as well... activities should be verified and validated on the ground; a strict regime is always better, as it "walks the talk" and is not "paper play" per se...