We have discovered a 3.5 inch Windows floppy in our organisation with some files on it that someone has brought in from outside.
No-one has owned up to bringing it in, and we don't know how to tie the floppy to a person.
Our only thought is whether there is something on the disk that tells what machine or user name wrote the files onto the floppy? We're not technically savvy enough to know this, but is there a way we can find this out?
Hi Qman
It may be possible to look at user names if any have been saved to it, or hidden documents - possible but no guarantee, as with anything in forensics - if you want to you should send it to someone (a specialist) to have a look at - ok, like us. If you do then email me and we'll talk further.
andy@audaxit.co.uk
QMan,
Andy's spot on…see if there is metadata in the files on the floppy.
Another thing is to narrow down which systems actually have a floppy drive. Silly, I know, but I've been to offices where everyone has a laptop and no one seems to be able to find a floppy drive.
Finally, hash the files on the floppy, and then scan all systems for files of the same name, size and hash. This won't narrow down who did it, but might narrow down the machine.
HTH,
Harlan
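The hash-and-sweep step Harlan describes, as an added example that is not part of the original thread: it fingerprints the files on a copy of the floppy and walks a machine's file tree for matches, checking size first so that only same-size candidates are hashed. The function names, directory names and the choice of SHA-256 are assumptions; the thread names no tool or algorithm.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files are never read into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def fingerprint(evidence_dir):
    """Map size -> {sha256: file name} for every file in the floppy copy."""
    index = {}
    for p in Path(evidence_dir).rglob("*"):
        if p.is_file():
            index.setdefault(p.stat().st_size, {})[sha256_of(p)] = p.name
    return index

def sweep(search_root, index):
    """Return (path, evidence name, same_name) for files matching on size and hash."""
    hits = []
    for dirpath, _dirs, files in os.walk(search_root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                by_hash = index.get(os.path.getsize(full))
                if by_hash is None:  # size differs from every evidence file
                    continue
                digest = sha256_of(full)
            except OSError:
                continue  # unreadable or locked file: skip it
            if digest in by_hash:  # content match; also report whether the name matches
                hits.append((full, by_hash[digest], name.lower() == by_hash[digest].lower()))
    return hits

if __name__ == "__main__":
    # Constructed sample data standing in for the floppy copy and one workstation.
    with tempfile.TemporaryDirectory() as tmp:
        floppy, pc = Path(tmp, "floppy_copy"), Path(tmp, "pc01")
        floppy.mkdir(); pc.mkdir()
        (floppy / "TOOL.EXE").write_bytes(b"MZ constructed sample")
        (pc / "renamed.dat").write_bytes(b"MZ constructed sample")
        for hit in sweep(pc, fingerprint(floppy)):
            print(hit)
```

A hit with `same_name` set to `False` is a renamed copy, which a name-only search would miss.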
Qman, something else you might try is downloading the trial version of FTK. It will make looking for deleted files easier. There may be something in a deleted file that will give you a clue as to who brought it in.
Of course, a bigger issue is once you know (or suspect) the individual, what then? Is there a policy, law, or regulation that was violated? Is this just curiosity?
Thanks for the info guys, I think we're gonna be out of luck here.
The floppy has an executable file on it that is prohibited in our workplace, and there don't appear to be any other files on the floppy. We've checked with various tools that would unhide or undelete old files.
Looks like I've got a job here in removing all the floppy drives from various computers.
If you guys think of anything else, then I'd love to hear it!
Just like to say what a brilliant resource this board is, only stumbled across it yesterday, but it's stirred my interest in the whole area of computer forensics - any tips on how I might get started in learning all this stuff?
> If you guys think of anything else, then I'd love to hear it!
What are your goals? What is it that you're trying to do? So the floppy has an EXE on it…are you concerned at all about the EXE and what it does? I'm sure others would be happy to help, if we knew what it is you were trying to accomplish at this point…
Agree with Harlan here, not sure what you are trying to achieve - I am not trying to be condescending in terms of your technical ability, but would you re-wire your house yourself? No, you would employ a sparky.
First rule in forensics (or data recovery), never be tempted to dabble yourself, and I would say the same to you here. If you are trying to work something out to gain some sort of closure in terms of proving X or Y then I would implore you to have someone look at it who knows how to safely answer the questions you have without compromising your environment. In my professional opinion you are increasing your exposure to getting into problems/difficulties if proof is your end goal.
Each to his own though seems like you have a good heads up and hopefully the advice here will put you in good shape - good luck with your project!
> If you guys think of anything else, then I'd love to hear it!
Manners?
Sent Qman a PM which was ignored. If someone offers to help, a four word "thanks, but no thanks" doesn't take too much effort.
> > If you guys think of anything else, then I'd love to hear it!
>
> Manners?
> Sent Qman a PM which was ignored. If someone offers to help, a four word "thanks, but no thanks" doesn't take too much effort.
A little harsh don't you think? People are busy and he's new to the site. Perhaps he's not familiar with the PM functions yet. Why not post your "help" in the open forum?
> > > If you guys think of anything else, then I'd love to hear it!
> >
> > Manners?
> > Sent Qman a PM which was ignored. If someone offers to help, a four word "thanks, but no thanks" doesn't take too much effort.
>
> A little harsh don't you think? People are busy and he's new to the site. Perhaps he's not familiar with the PM functions yet. Why not post your "help" in the open forum?
Maybe…maybe not. If so, then apologies.
FYI, my "help" was to offer to do the job for him for free - I gave him my personal phone number (via PM as he lists no email) which I wasn't going to post on the open forum.