
Ideas Please.....

6 Posts
6 Users
0 Likes
219 Views
(@bluepup)
Posts: 10
Active Member
Topic starter
 

Hi Guys,

I've recently acquired a laptop to look for evidence that its user has been up to no good. Its user has since left the company and become an executive figure for a rival company. This is quite an ambiguous post, as the evidence I'm looking for could be anything.

Using FTK, the system seems very clean. There was very little data I could extract. All documents found were legit, no non-standard applications (on a Windows OS) installed or history of install recorded in the registry, no emails, no internet history… etc. This led me to believe that the user had reinstalled the OS prior to leaving. After spending a stupid amount of time converting the install date value in the registry to the date format (oops), I've found it was installed in the last month. (The user has been with them for several years.)

If the user was savvy enough to have zeroed the HDD before the install, then I know that's pretty much it. But I'm working on the assumption that he's just done the usual format before the install of the OS.

Besides keyword searches and data carving… what I'm wanting to know is, are there any other avenues I can approach this from? I'm limited in budget, so I need to let the client know of my preliminary findings…

All ideas would be appreciated.

Cheers

 
Posted : 23/11/2006 8:08 pm
iruiper
(@iruiper)
Posts: 145
Estimable Member
 

I would try an R-Studio scan with the demo you can download from here. This fast scan is able to find old partitions, or files that were there before… however, it also finds quite a lot of trash you won't be able to use at all. However, you will see at a glance if there is something "big" which could be recovered.

Of course, I'm not saying with this that if R-Studio doesn't help you it means the recovery is impossible… it's rather a free and quick way to effectively carve the HDD.

Hope it helps.

 
Posted : 23/11/2006 11:08 pm
(@stevegut78)
Posts: 44
Eminent Member
 

Use Autopsy and run some string searches on the allocated and unallocated space. You might find something there.

 
Posted : 06/12/2006 8:54 pm
itcentral
(@itcentral)
Posts: 23
Eminent Member
 

bluepup

Did you resolve this? Was it possible that a new HDD had been installed?

paul

 
Posted : 06/12/2006 10:08 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

The solution to this issue is trivial…the "hard part" is all the writing that goes into it.

 
Posted : 07/12/2006 12:35 am
az_gcfa
(@az_gcfa)
Posts: 116
Estimable Member
 

First, I would verify whether the drive had been wiped.

I've not had a lot of success with FTK and data carving in your situation. However, I would recommend that you perform some keyword searches using common file header signatures for Windows executables, Windows documents (Word, Excel, PPT), zip archives, etc. Keyword searches may reveal sufficient indications that some of these files were present on the laptop and a more exhaustive look is necessary. Be sure you understand the context in which the keyword hits were discovered. You do not want to spend a lot of time chasing false positives.

 
Posted : 07/12/2006 2:18 am
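As an added example (not code posted by anyone in this thread), here is a small Python sketch of the header-signature search az_gcfa describes, plus the registry InstallDate conversion bluepup mentions: it scans a raw image for a few magic-byte patterns, flags whether each hit sits on a sector boundary, and for "MZ" hits applies a structural check so obvious false positives can be set aside. The signature list, sector size and the sample image are constructed assumptions for the demonstration.

```python
import datetime
import re
import struct

# File-header signatures (magic bytes) worth keyword-searching for in unallocated
# space. Constructed list for this example; extend it with whatever you look for.
SIGNATURES = {
    "pe_executable": b"MZ",                               # Windows executables/DLLs
    "ole2_office": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy .doc/.xls/.ppt
    "zip_or_ooxml": b"PK\x03\x04",                        # zip, .docx/.xlsx/.pptx
}
SECTOR = 512  # assumed sector size of the imaged drive


def looks_like_pe(data: bytes, off: int) -> bool:
    """Context check for an 'MZ' hit: e_lfanew at +0x3c must point at 'PE\\0\\0'."""
    if off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    return data[off + e_lfanew: off + e_lfanew + 4] == b"PE\x00\x00"


def scan_image(data: bytes, signatures=SIGNATURES, sector=SECTOR):
    """Return sorted (offset, name, sector_aligned, plausible) tuples for every hit.

    sector_aligned: a real file start usually sits on a sector boundary; mid-sector
    hits are more often text or other data that happens to contain the bytes.
    plausible: signature-specific structure check (only implemented for PE here)."""
    hits = []
    for name, magic in signatures.items():
        for m in re.finditer(re.escape(magic), data):
            off = m.start()
            plausible = looks_like_pe(data, off) if name == "pe_executable" else True
            hits.append((off, name, off % sector == 0, plausible))
    return sorted(hits)


def registry_install_date(value: int) -> datetime.datetime:
    """The CurrentVersion\\InstallDate DWORD is seconds since 1970-01-01 UTC."""
    return datetime.datetime.fromtimestamp(value, tz=datetime.timezone.utc)


def build_sample_image() -> bytes:
    """Constructed 8 KiB 'image': a minimal PE stub at sector 2, a stray 'MZ'
    inside other data mid-sector 3, and an OLE2 header at sector 8."""
    img = bytearray(8192)
    pe = bytearray(b"MZ") + bytes(0x3C - 2) + struct.pack("<I", 0x80)
    pe += bytes(0x80 - len(pe)) + b"PE\x00\x00"
    img[1024:1024 + len(pe)] = pe
    img[1562:1564] = b"MZ"                       # false positive: no PE header behind it
    img[4096:4104] = SIGNATURES["ole2_office"]
    return bytes(img)
```

On a real image you would feed `scan_image` the raw bytes (or a mapped file) and triage the hits by the two flags before spending time on any of them.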