Data Transfer ... three months ago, any evidence?

  

novadonuk
Member
 

Data Transfer ... three months ago, any evidence?

Post Posted: Dec 18, 06 18:45

Hi guys, gals.

I was hoping I could get some advice on this one please ...

Basically a company suspects an ex-employee (who has left to work for a competitor) has removed crucial data from their laptop computer.

In our conversation we discussed the usage the laptop has had since the employee left and it would appear the laptop has been used for three months "lightly" by the new user.

However, their IT Department removed unauthorised programs, and traces of the previous user i.e. changing the user name and computer name plus other documents.

Would there be any traces of data transfer even with the additional usage, and if so, where would I look? I would appreciate any feedback as any help would be extremely useful.

Best regards,

Icon_serf  
 
  

AndyFox
Member
 

Re: Data Transfer ... three months ago, any evidence?

Post Posted: Dec 18, 06 21:19

Hi Icon Serf

Shouldn't you be able to re-install the OS to the dates you need?
Also a manual search in EnCase for documents/email and dates should do you - would have thought there were still dox+text in the unallocated clusters...? These may tell you when a device was attached... or when a document was last on the computer and thus where it is now...
_________________
Andy Fox
Digital Forensics Director
Audax Digital Forensics
www.audaxuk.com 
 
  

keydet89
Senior Member
 

Re: Data Transfer ... three months ago, any evidence?

Post Posted: Dec 19, 06 01:03

There may be some traces left behind, depending upon the operating system in use. I can speak to what may be there, if the OS was Windows (and I'd have to know which version, etc.).

At this point, there are just too many gaps and too much unknown information.

H  
 
  

novadonuk
Member
 

Re: Data Transfer ... three months ago, any evidence?

Post Posted: Dec 19, 06 15:27

Hi Guys,

Thanks for your response.

I have had another chat with the client and he can confirm XP Pro was installed. We are in the process of quoting the client for the work. So I may not be able to provide as much information as I would like to.

Thanks again

Icon_serf  
 
  

deckard
Senior Member
 

Re: Data Transfer ... three months ago, any evidence?

Post Posted: Dec 19, 06 18:26

Isn't it difficult to quote a client for work that you don't know can be done, and if so, how it is to be done at least on a broad scale? In CF you need to be very careful not to overstep the limits of your knowledge store. A client's job where he has assets and money on the line is not a valid learning environment.

Better make sure your GL and EO coverage is up to date if you step out like that.
_________________
Replicants are like any other machine - they're either a benefit or a hazard. If they're a benefit, it's not my problem 
 
  

novadonuk
Member
 

Re: Data Transfer ... three months ago, any evidence?

Post Posted: Dec 19, 06 18:35

Thanks deckard

Your comments are appreciated.

Regards

Icon_serf  
 
  

chrisprickaerts
Newbie
 

Re: Data Transfer ... three months ago, any evidence?

Post Posted: Dec 19, 06 23:42

Hi Icon_serf,

In any case have the computer secured, place it in a room/safe so no one has access to it, or have the customer order the creation of a sound forensic copy. That way no further traces may get lost in the process.

Next be open about chances, without too much technical info my guess would be to be very conservative about this specific case. If profiles have been erased/renamed by their own IT, any lawyer of the opposing counsel will debate the fact that they might have planted any evidence to be found (or at least had the opportunity).

Furthermore, although evidence might be found, either in logical files or free/slack space, keep in mind that it probably WILL be very difficult to place the individual behind the keyboard, that's considering you have any timestamps at all....

Just being honest. I've seen many forensic IT investigations run on one or two files of file fragments only to be blown in court because it was very, very circumstantial.

All this is part of customer expectation management :)

If they still want to pursue the investigation (which I would certainly advise) you are in a much better situation if you turn up empty-handed.

Also, check to see if they have an e-mail environment and if so, request the backup tapes going back to that period. He might have communicated via e-mail with the other party about the presumed theft.

Good luck,


Chris  
 
