Data Transfer ... three months ago, any evidence?
Hi guys, gals.
I was hoping I could get some advice on this one please …
Basically a company suspects an ex-employee (who has left to work for a competitor) has removed crucial data from their laptop computer.
In our conversation we discussed the usage the laptop has had since the employee left and it would appear the laptop has been used for three months "lightly" by the new user.
However, their IT Department removed unauthorised programs and traces of the previous user, i.e. changing the user name and computer name plus other documents.
Would there be any traces of data transfer even with the additional usage, and if so, where would I look? I would appreciate any feedback as any help would be extremely useful.
Hi Icon Serf
Shouldn't you be able to re-install the OS to the dates you need?
Also a manual search in EnCase for documents/email and dates should do you - would have thought there were still dox+text in the unallocated clusters…? These may tell you when a device was attached, or when a document was last on the computer and thus where it is now…
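One place the "when was a device attached" question can be answered on the Windows XP Pro machine mentioned later in the thread is C:\WINDOWS\setupapi.log, which records the first installation of each device with a timestamp. The parser below is an added example, not part of this post; the log excerpt it reads is constructed in that file's layout with made-up vendor/product IDs and dates, and the helper names are the example's own.

```python
import re
from datetime import datetime

# Constructed sample in the layout of a Windows XP setupapi.log (not a real capture). XP logs
# a Driver Install section only the FIRST time a device is installed: first connection, not each plug-in.
SAMPLE_LOG = r"""
[2008/09/03 10:15:42 1152.12 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_0781&pid_5406&rev_0010,usb\vid_0781&pid_5406
#I022 Found "USB\Class_08&SubClass_06&Prot_50" in C:\WINDOWS\inf\usbstor.inf; Device: "USB Mass Storage Device"; Driver: "USB Mass Storage Device"; Provider: "Microsoft"; Mfg: "Compatible USB storage device"; Section name: "USBSTOR_BULK".
[2008/09/03 10:15:47 1152.12 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disksandisk_cruzer__________8.02
#I022 Found "USBSTOR\GenDisk" in C:\WINDOWS\inf\disk.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "(Standard disk drives)"; Section name: "disk_install".
[2008/11/20 08:02:11 2004.7 Driver Install]
#-019 Searching for hardware ID(s): pci\ven_8086&dev_27c8&subsys_01791028&rev_01
#I022 Found "PCI\VEN_8086&DEV_27C8" in C:\WINDOWS\inf\usbport.inf; Device: "Intel(R) 82801G USB Universal Host Controller"; Driver: "Intel(R) 82801G USB Universal Host Controller"; Provider: "Microsoft"; Mfg: "Intel"; Section name: "UHCI.Dev".
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ Driver Install\]")
HWID = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")
DEVICE = re.compile(r'Device: "([^"]+)"')

def parse_usb_installs(text):
    """(timestamp, first hardware ID, device name) for each Driver Install section on the
    USB/USBSTOR bus; keyed by ID prefix, so the PCI host controller is excluded."""
    sections, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"ts": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                       "hwid": None, "device": None}
            sections.append(current)
            continue
        if current is None:
            continue
        m = HWID.match(line)
        if m and current["hwid"] is None:
            current["hwid"] = m.group(1).split(",")[0]  # first ID is the most specific
        m = DEVICE.search(line)
        if m and current["device"] is None:
            current["device"] = m.group(1)
    return [(s["ts"].isoformat(sep=" "), s["hwid"], s["device"]) for s in sections
            if s["hwid"] and s["hwid"].lower().startswith(("usb\\", "usbstor\\"))]

def usb_installs_between(text, start, end):
    """First-installs whose date falls in [start, end] ('YYYY-MM-DD' strings)."""
    return [e for e in parse_usb_installs(text) if start <= e[0][:10] <= end]

if __name__ == "__main__":
    for entry in usb_installs_between(SAMPLE_LOG, "2008-08-01", "2008-10-31"):
        print(*entry)
```

A hit here only shows when a device was first installed, so it is corroboration for a window of interest rather than proof of a copy, and the registry USBSTOR keys and file system timestamps still need to be checked alongside it.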
There may be some traces left behind, depending upon the operating system in use. I can speak to what may be there if the OS was Windows (and I'd have to know which version, etc.).
At this point, there are just too many gaps and too much unknown information.
Thanks for your response.
I have had another chat with the client and he can confirm XP Pro was installed. We are in the process of quoting the client for the work. So I may not be able to provide as much information as I would like to.
Isn't it difficult to quote a client for work that you don't know can be done, and if so, how it is to be done, at least on a broad scale? In CF you need to be very careful not to overstep the limits of your knowledge store. A client's job where he has assets and money on the line is not a valid learning environment.
Better make sure your GL and EO coverage is up to date if you step out like that.
Your comments are appreciated.
In any case, have the computer secured, place it in a room/safe so no one has access to it, or have the customer order the creation of a sound forensic copy. That way no further traces may get lost in the process.
Next, be open about chances; without too much technical info my guess would be to be very conservative about this specific case. If profiles have been erased/renamed by their own IT, any lawyer of the opposing counsel will debate the fact that they might have planted any evidence to be found (or at least had the opportunity).
Furthermore, although evidence might be found, either in logical files or free/slack space, keep in mind that it probably WILL be very difficult to place the individual behind the keyboard, and that's assuming you have any timestamps at all….
Just being honest. I've seen many forensic IT investigations run on one or two files or file fragments only to be blown in court because it was very, very circumstantial.
All this is part of customer expectation management. :)
If they still want to pursue the investigation (which I would certainly advise) you are in a much better situation if you turn up empty-handed.
Also, check to see if they have an e-mail environment and if so, request the backup tapes going back to that period. He might have communicated via e-mail with the other party about the presumed theft.
Thank you very much for your comments. I agree totally with what you are saying, and will follow your advice. I will be honest, and let them know what they can expect. Cheers,
With that, I would like to bring an end to the thread, as I feel I have enough support to make an informed decision.
Again, I would like to thank everyone for their input.
Merry Christmas, and Happy New Year.