Hi Guys,
I've recently acquired a laptop to look for evidence that its user has been up to no good. Its user has since left the company and become an executive figure for a rival company. This is quite an ambiguous post as the evidence I'm looking for could be anything.
Using FTK, the system seems very clean. There was very little data I could extract. All documents found were legit, no non-standard applications (on a Windows OS) installed or history of install recorded in the registry, no emails, no internet history… etc. This led me to believe that the user has reinstalled the OS prior to him leaving. After spending a stupid amount of time converting the install date value in the registry to the date format (oops), I've found it was installed in the last month. (User has been with them for several years.)
If the user was savvy enough to have zeroed the HDD before install, then I know that's pretty much it. But I'm working on the assumption that he's just done the usual format before install of the OS.
Besides keyword searches and data carving… what I'm wanting to know is, are there any other avenues I can approach this from? I'm limited in budget so I need to let the client know of my preliminary findings…
All ideas would be appreciated.
Cheers
I would try a r-studio scan with the demo you can download from
Of course, I'm not saying with this that if r-studio doesn't help you, recovery is impossible… it's rather a free and quick way to effectively carve the HDD.
Hope it helps.
Use Autopsy and run some string searches on the allocated and unallocated space. You might find something there.
bluepup
did you resolve this, was it possible that a new HDD had been installed
paul
The solution to this issue is trivial…the "hard part" is all the writing that goes into it.
First, I would verify whether the drive had been wiped.
I've not had a lot of success with FTK and data carving in your situation. However, I would recommend that you perform some keyword searches using common file header signatures for Windows executables, Windows documents (Word, Excel, PPT), zip archives, etc. Keyword searches may reveal sufficient indications that some of these files were present on the laptop and a more exhaustive look is necessary. Be sure you understand the context in which the keyword hits were discovered. You do not want to spend a lot of time chasing false positives.
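A worked illustration of the three checks discussed in this thread (the registry InstallDate conversion, a quick wiped-drive check, and a header-signature sweep of the image), added here as an example and not code from any poster or tool on the page. It assumes a raw image already exported from FTK, 512-byte sectors, and a small sample image that is constructed inline; the `e_lfanew` check is a common way to cut the false positives the last poster warns about.

```python
import struct
from datetime import datetime, timezone

SECTOR = 512
# Header signatures named in the thread (constructed table): MZ for Windows executables,
# the OLE2 magic for Word/Excel/PowerPoint 97-2003, and PK for zip (also docx/xlsx/pptx).
SIGNATURES = {
    b"MZ": "windows executable (MZ/PE)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (doc/xls/ppt)",
    b"PK\x03\x04": "ZIP archive (zip/docx/xlsx/pptx)",
}

def install_date(epoch_seconds):
    """HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate is a REG_DWORD
    holding seconds since 1970-01-01 UTC; return it as an aware datetime."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)

def scan_image(data, sector=SECTOR):
    """Walk the image sector by sector. Returns (hits, zero_fraction):
    hits = [(offset, description)] for headers found at a sector boundary,
    zero_fraction = share of all-0x00 sectors (near 1.0 suggests a wiped drive)."""
    hits, zero_sectors, total = [], 0, 0
    for off in range(0, len(data), sector):
        chunk = data[off:off + sector]
        total += 1
        if chunk.count(0) == len(chunk):
            zero_sectors += 1
            continue
        for magic, desc in SIGNATURES.items():
            if not chunk.startswith(magic):
                continue
            if magic == b"MZ":
                # 'MZ' alone is a frequent false positive; require the PE header that
                # the DOS stub points to at offset 0x3c.
                if len(chunk) < 0x40:
                    continue
                e_lfanew = struct.unpack_from("<I", chunk, 0x3c)[0]
                if data[off + e_lfanew:off + e_lfanew + 4] != b"PE\0\0":
                    continue
            hits.append((off, desc))
    return hits, (zero_sectors / total if total else 0.0)

def build_sample_image():
    """Constructed 16-sector image: mostly zeroed, with planted headers for the demo."""
    img = bytearray(16 * SECTOR)
    img[2 * SECTOR:3 * SECTOR] = b"\xab" * SECTOR            # non-zero residue, no header
    pe = bytearray(b"MZ") + bytes(0x3c - 2) + struct.pack("<I", 0x80)
    pe += bytes(0x80 - len(pe)) + b"PE\0\0"
    img[3 * SECTOR:3 * SECTOR + len(pe)] = pe                 # real-looking executable
    img[7 * SECTOR:7 * SECTOR + 8] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    img[10 * SECTOR:10 * SECTOR + 4] = b"PK\x03\x04"
    img[12 * SECTOR:12 * SECTOR + 2] = b"MZ"                  # bare MZ, no PE: ignored
    return bytes(img)
```

For a real case, replace `build_sample_image()` with the bytes of the exported image (or read it in fixed-size windows) and review every hit in context before reporting it.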