company hardware investigation - tracing deleted files

(@vip088)
New Member
Joined: 16 years ago
Posts: 4
Topic starter  

Not sure if I'm posting under the right topic. Still - any advice much appreciated.

I'm having problems with my group director (2nd disciplinary due on Mon within 1 month; the matter was dropped after the 1st one). To cut it short I'm being pushed out of the company by all available means, including deleting my work.

It happened a few times. The latest one - the whole project folder was deleted and an empty one created instead. That was on Fri - with deadline on the following Mon for the project proposal to be sent out. As project admin, I'm the only one who has suffered. As I found out, project manager wasn't saving any work in a project folder - not a single draft on the S (which is standard company practice of saving docs/any work). He's also in the game (ousting me out).

I'm tempted to raise a grievance including the missing files. However I was advised by our IT guy that it would be very difficult to prove a) who deleted files; b) that it was done deliberately.

I sought advice on some other site and was referred to Forensic Focus.

Our system is set up to save everything twice a day at 12 and 4 pm. So whatever is deleted could be recoverable. If not from the last saved version, then from the back-ups. In my case I lost docs I've worked on on Thu - and on Fri, by the time I realised the loss, for whatever reason yesterday's tape was already being used for back up. Now, that was unusual action by another IT guy, against company procedures, but there is not much supervision on this.

All in all, I had to recreate all docs, just about in time to get the proposal out of the door. I didn't raise the issue - as I'm sure it would have prompted more backstabbing. Also, whoever was doing that, would not only escalate it but also take precautions not to be caught.

As you figured out already, I'm absolutely not into hardware or any -ware 😉 but it really bothers me - inability to prove it, should I raise it.

Is that the case?

I gather in the USA it's a criminal offence to delete files. Couldn't find a single statement/confirmation that it's so in the UK too.

The 'junior' IT guy said he could find out who deleted my files, but 'it would take ages'. He never did. The senior one warned it wouldn't be possible to prove.

Who is right? If I fail to prove anything internally, how do I go about it? Do I contact police?

The bottom line - things going this way I need to look for another job anyway. But this latest development really got me. I want a riot!

What chance?


   
Quote
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

Stage one I think is to get a complete, sector by sector image of your drive and not let anyone add any files to it before this has been done. After that you can use many forensic tools to search for deleted files etc.

In the meantime, turn your computer off.

If you are allowed to, I would remove the drive and get it hardware cloned, with two copies - one for you, and one for the company.


   
erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
 

Stage two, if you are using Windows workstations/servers, might be to set up auditing (i.e. logging) on your local PC as well as on the network folders in question.

I would audit Account Logon Events, Logon Events, and Object Access Events - in particular for deletion or modification of any files that you are concerned with.

Then sit back and wait for the next incident. The Object Access Event logging should catch which user as well as which PC was used to modify or delete the files in question. The Account Logon Event and the Logon Event auditing will allow you to track who might be in the office at the time the event happened.

If logging is already on (it is off by default) you may want to grab and analyze a copy of the logs.

Also, if you are working with a 2003 server or Vista, you may want to set up volume shadow copies to make recovery from deletions/changes easier. (No need to hunt through backup tapes to get the deleted files.)


   
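The correlation erowe describes, as an added example that is not part of the original post: it pairs object-access events with logon events to name the user and source address behind each delete. It assumes the Vista/Server 2008-and-later event IDs (4624 logon, 4663 object access, 4660 object deleted; Server 2003 numbers them differently) and events already exported to dictionaries; the sample records, user names, paths and addresses are constructed.

```python
# Added example. Sample events are constructed; field names follow the
# Vista/Server 2008+ Security log schema for events 4624, 4663 and 4660.
DELETE = 0x10000  # DELETE bit of the AccessMask field in event 4663

SAMPLE_EVENTS = [
    {"id": 4624, "time": "2024-03-01T15:58:02", "TargetUserName": "user_a",
     "TargetLogonId": "0x3e7a1", "IpAddress": "10.0.0.23"},
    # Read-only access to the same folder: must not be reported.
    {"id": 4663, "time": "2024-03-01T15:59:10", "SubjectUserName": "user_a",
     "SubjectLogonId": "0x3e7a1", "HandleId": "0x5b0", "AccessMask": "0x1",
     "ObjectName": r"D:\Shares\Projects\Proposal\budget.xls"},
    # Delete access requested, then confirmed by 4660 on the same handle.
    {"id": 4663, "time": "2024-03-01T16:01:44", "SubjectUserName": "user_a",
     "SubjectLogonId": "0x3e7a1", "HandleId": "0x5a4", "AccessMask": "0x10000",
     "ObjectName": r"D:\Shares\Projects\Proposal\draft_v3.doc"},
    {"id": 4660, "time": "2024-03-01T16:01:44", "SubjectLogonId": "0x3e7a1",
     "HandleId": "0x5a4"},
    # Delete access requested from a session with no logon event captured.
    {"id": 4663, "time": "2024-03-01T16:05:00", "SubjectUserName": "user_b",
     "SubjectLogonId": "0x41c02", "HandleId": "0x6f8", "AccessMask": "0x10000",
     "ObjectName": r"D:\Shares\Projects\Proposal\notes.txt"},
]

def find_deletions(events, path_prefix):
    """Return delete attempts under path_prefix with user, source and outcome."""
    logons, pending, findings = {}, {}, []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] == 4624:                      # remember where each session came from
            logons[e["TargetLogonId"]] = e
        elif e["id"] == 4663 and int(e["AccessMask"], 16) & DELETE:
            if not e["ObjectName"].lower().startswith(path_prefix.lower()):
                continue
            src = logons.get(e["SubjectLogonId"], {})
            hit = {"time": e["time"], "user": e["SubjectUserName"],
                   "file": e["ObjectName"], "confirmed": False,
                   "source_ip": src.get("IpAddress", "unknown")}
            pending[(e["SubjectLogonId"], e["HandleId"])] = hit
            findings.append(hit)
        elif e["id"] == 4660:                    # 4660 has no file name: match by handle
            hit = pending.pop((e["SubjectLogonId"], e["HandleId"]), None)
            if hit:
                hit["confirmed"] = True
    return findings

if __name__ == "__main__":
    for row in find_deletions(SAMPLE_EVENTS, r"D:\Shares\Projects\Proposal"):
        print(row)
```

A delete request with no matching 4660, or with an unknown source, is still worth recording: it shows which sessions need their logon events pulled from another log.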
 IanF
(@ianf)
Trusted Member
Joined: 17 years ago
Posts: 55
 

vip088 - looks like you do not work in the IT department and have no responsibility for the IT infrastructure in your company - is this correct?
This being the case I doubt you will be in a position without permission from the IT director to start implementing any of the suggestions above.

My advice would be to put the previous incidents down to experience unless you are in a position to force an investigation into the missing files (for now!!).

For the future - keep a log of all your work and also all of the files you create. Continue to save all of your work to the S shared drive but also keep copies of all on your own personal desktop (I'm assuming that you have exclusive access to it and have write access to the hard drive), failing that do you have a personal network share for things like your mail archive etc? Access control to this share should be restricted to you and the IT sysadmins.
You could schedule a simple DOS batch file to compress/XCOPY your working directory to your destination drive of choice and also do a dir/s which would list all files within all subdirs and then spool the output to a log file. At least then you would have your work backed up and a record of all the files in a folder at a particular time - if the incident happened again you could use this to approach the IT Director etc to initiate investigations. A forensic investigation should be able to use this as a starting point for the investigation.

As far as illegality to delete files - I doubt there is any type of law that will cover this if it was a company employee that deleted company property - they could claim they just overwrote the folder with an empty one by mistake …. It would be a different story if it was a malicious hacker with no permission to operate within that particular IT infrastructure.


   
(@vip088)
New Member
Joined: 16 years ago
Posts: 4
Topic starter  

thanks to all of you.

you are right, as I said - no clue about hardware or any '-ware'. Yet I think I can manage to follow your advice.

Pity that proving anything may still hit the proverbial wall after all.

I shall use these measures you kindly shared with me - and wait for the next incident, oh - and look for another job.

thanks again - if you think I'd benefit from any specific literature for idiots/dummies (sic!) on the topic, please let me know )

regards
not so disheartened anymore vip088


   
erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
 

Some light reading for anyone interested in Windows log file analysis - a useful way to see what users are up to on the network

"The Windows Server 2003 Security Log Revealed" as well as "Security Log Encyclopedia" - both by Randy Franklin Smith (a bit expensive and not very many pages, but a good starting point nonetheless).

As well as perhaps either Microsoft TechNet or the Security Log Encyclopedia

http://www.ultimatewindowssecurity.com/encyclopedia.html


   
manuld
(@manuld)
Active Member
Joined: 19 years ago
Posts: 15
 

Stage 1 is to get an employment lawyer and then a computer forensic company. If what you say is true, then your employer will likely be ordered to pay the costs.


   
(@vip088)
New Member
Joined: 16 years ago
Posts: 4
Topic starter  

food for thought!

I shall wait to see the outcome of the 2nd disciplinary first, i.e. find out the extent of this farce.

I was warned not to burn bridges - but this is already a topic for some other website - about installing explosives into 'bridge constructions' maybe? twisted

In the meantime I shall study and change/save/protect what I can, avoid situations I can't do anything about - and pray I can always tell one from another )


   
(@ctendell)
Trusted Member
Joined: 16 years ago
Posts: 62
 

I agree with IanF, make regular backups of your data personally. Keep a log of what you have and get another non biased 3rd party involved. This way it can be witnessed if ever needed.


   
(@deonvj)
Active Member
Joined: 16 years ago
Posts: 8
 

I would also suggest that if you are worried about having your network backup tampered with, that you then make a secondary backup to a portable drive which you can store offline and will prevent tampering by way of network access. With relevant logging.


   
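The backup-plus-listing routine IanF suggests and the offline copy with logging that deonvj adds, as an added example that is not from any poster: it is written in Python rather than as a DOS batch file so the listing can carry SHA-256 hashes and two listings can be compared. The function names and the `manifest.json` layout are assumptions made for the example.

```python
import hashlib
import json
import shutil
import time
from pathlib import Path

def build_manifest(root):
    """Map each file's relative path to its size, modified time and SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": time.strftime("%Y-%m-%dT%H:%M:%S",
                                       time.localtime(st.st_mtime)),
                # Reads the whole file into memory: fine for office documents.
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            }
    return manifest

def snapshot(work_dir, dest_root):
    """Copy work_dir into a new timestamped folder and store its manifest."""
    target = Path(dest_root) / time.strftime("%Y%m%d-%H%M%S")
    shutil.copytree(work_dir, target / "files")   # fails if the folder exists
    manifest = build_manifest(target / "files")   # hash what was actually copied
    (target / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return target, manifest

def diff_manifests(old, new):
    """List what disappeared, appeared or changed between two manifests."""
    return {
        "deleted": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "modified": sorted(k for k in old.keys() & new.keys()
                           if old[k]["sha256"] != new[k]["sha256"]),
    }
```

Pointing `dest_root` at a portable drive that is unplugged between runs gives the offline copy; comparing the last stored manifest with `build_manifest` of the live folder shows exactly which files vanished and when they were last known to exist.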