Latent Evidence from the Use of Eraser

(@jasonjordaan)

I am busy with a case at the moment where it appears as if the suspect ran Eraser on two computers after becoming aware of our investigation of a group of businesses from whom he is suspected of receiving bribes and other gratification to facilitate a multimillion procurement fraud.

I can prove that it was run on both computers on the same date, but it could not have been a whole disk erasure, so I suspect that the suspect may have erased either specific files or folders.

Does anyone know if there is any way to determine what might have been erased?

Thanks in advance for any assistance.

Jason


(@ronanmagee)

Hi Jason,

We had something similar and we were able to get backup tapes from a period before we seized the machines. We were able to generate a list of the files on the backup and compared them to the files on the computer after it was seized (and a few hours after the erasing tool was run). We were able to conclude that on the 1st Jan 2007 we had 598 files in a directory, and on 9th Jan 2007 we could only see 243. We compared a directory listing of the two folders and identified that the suspect had systematically deleted all files related to a particular customer.

Ronan


(@larrydaniel)

I am not sure if Eraser finds and deletes link files. If you can find the link files for the day before Eraser was run and compare them to the link files on the date or day after Eraser was run, you can compare the listings to see if a lot of files were removed. The link files (.lnk) would have pointers to the erased files.


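The link-file comparison suggested in the last reply, sketched in Python as an added example that is not part of any poster's message: it reads the target path and the target's recorded last-write time from each .lnk file and reports targets that are absent from the listing of the seized disk. The function names, sample paths and sample links are constructed for illustration; the parser reads only the Shell Link header and the ANSI local base path in the LinkInfo block, so links that point to network locations or carry only Unicode paths are skipped.

```python
import struct
from datetime import datetime, timedelta, timezone

# Shell Link CLSID 00021401-0000-0000-C000-000000000046 as stored on disk
CLSID = bytes.fromhex("0114020000000000c000000000000046")

def filetime(ft):  # Windows FILETIME (100 ns ticks since 1601) to UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def cstr(buf, off):  # NUL-terminated ANSI string starting at off
    return buf[off:buf.index(b"\0", off)].decode("cp1252", "replace")

def parse_lnk(data):
    """Return (target path, target last-write time) or None if unusable."""
    try:
        if struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != CLSID:
            return None
        flags, _attrs, _ctime, _atime, write_time = struct.unpack_from("<II3Q", data, 20)
        pos = 76                              # end of the fixed header
        if flags & 0x1:                       # HasLinkTargetIDList: skip it
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if not flags & 0x2:                   # no LinkInfo, so no local path
            return None
        li = data[pos:pos + struct.unpack_from("<I", data, pos)[0]]
        li_flags, _, base_off, _, suffix_off = struct.unpack_from("<5I", li, 8)
        if not li_flags & 0x1:                # VolumeIDAndLocalBasePath unset
            return None
        return cstr(li, base_off) + cstr(li, suffix_off), filetime(write_time)
    except (struct.error, ValueError):        # truncated or damaged link
        return None

def missing_targets(lnk_blobs, current_listing):
    """Targets referenced by link files but absent from the seized listing."""
    present = {p.lower() for p in current_listing}   # Windows paths: ignore case
    return sorted(t for t in map(parse_lnk, lnk_blobs)
                  if t and t[0].lower() not in present)

def build_sample_lnk(path, write_ft):
    """Constructed minimal link (header + LinkInfo only) for the demo."""
    header = struct.pack("<I16sII3QIIIHHII", 0x4C, CLSID, 0x2, 0x20,
                         write_ft, write_ft, write_ft, 0, 0, 1, 0, 0, 0, 0)
    body = path.encode("cp1252") + b"\0" + b"\0"     # base path, empty suffix
    info = struct.pack("<7I", 28 + len(body), 28, 0x1, 0, 28, 0, 28 + len(body) - 1)
    return header + info + body

if __name__ == "__main__":
    ft = 128120832000000000                   # constructed: 2007-01-01 00:00 UTC
    links = [build_sample_lnk(r"C:\Docs\CustomerA\invoice_017.xls", ft),
             build_sample_lnk(r"C:\Docs\CustomerB\quote.doc", ft)]
    print(missing_targets(links, [r"c:\docs\customerb\quote.doc"]))
```

The timestamp returned is the target's last-write time as recorded when the link was last updated, so it places the file on disk at or after that time but does not by itself show when it was removed.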