Hi folks. I'm an internal resource, we have a Leaver (on 3 months notice) who works from home hundreds of miles away.
I've been asked if we can take a snapshot covertly of his company-owned laptop as it currently is, as there are concerns that he may delete important data files in the interim.
Apparently, 'snapshot' means - can we take a remote copy of his drive covertly?!?!?!
Assuming (?) that this is even legal, apart from using something like F-Response and hoping that his laptop happens to be online for long enough to image 80GB remotely, is there any other way?
And please, no lambasting for inadequate security policies - head/brick wall/banging syndrome
Thanks
F-Response will work with the forensic tool of your choice, but you need a way to push the F-Response (or whatever remote tool) agent when the user logs into your network.
From there I would suggest developing a plan to grab high-value data sources and create a targeted collection. That way you at least get some intelligence about the user's actions.
Once you have that and they are still online you can start a disk collection, but it will be tough.
The prospect of imaging the whole thing remotely via their home connection sounds pretty infeasible for a start due to the home users connection speed. So working on the basis that's basically not going to happen, can you not just call it in for an 'upgrade' or some other fictitious event in the morning, take it away and image the disk directly via hardware in a couple of hours, and give the laptop back to them with its 'upgraded' memory, or some new piece of software, whatever 😉
I would look into the "robocopy" command. It's not perfect, but under the circumstances it should get what you need done. It supports logging, is stable and works well over a network connection. If you perform the copy for specific file extensions (presumably you are looking for *.doc, *.xls, etc.) it can be relatively quick (hours rather than days), even over a remote connection, with the ability to restart the copy if your connection is dropped.
Use the right parameters to copy timestamps and attributes and it's relatively sound (but document everything you do, both the commands you run and the /LOG option, to support your work).
http://technet.microsoft.com/en-us/library/bb491035.aspx
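The targeted copy described in the reply above, written out as a PowerShell script. This is an added example, not code from the poster; the laptop name, profile path, case folder and file patterns are placeholder assumptions, and it assumes the collector can reach the laptop's C$ admin share over the VPN with a local-admin account. It uses only documented robocopy switches, records the exact command in the case notes, and finishes with a SHA-256 manifest of what was collected so the copy can later be compared against the disk.

```powershell
# Added example (not the poster's code): targeted remote collection with robocopy,
# followed by a SHA-256 manifest. Hostnames and paths below are hypothetical.
$Source = '\\LAPTOP-HYPOTHETICAL\C$\Users\jsmith'   # assumed: the leaver's profile, via the admin share
$Dest   = 'D:\Collections\CASE-0001\jsmith'         # assumed: case folder on the collector
$LogDir = 'D:\Collections\CASE-0001\logs'
New-Item -ItemType Directory -Force -Path $Dest, $LogDir | Out-Null
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$Log   = Join-Path $LogDir "robocopy-$Stamp.log"

# File types of interest; widen as the case requires.
$Patterns = '*.doc','*.docx','*.xls','*.xlsx','*.ppt','*.pptx','*.pdf','*.pst','*.msg','*.zip'

# /S         recurse, skip empty directories
# /Z         restartable mode: a dropped VPN session resumes mid-file instead of starting over
# /COPY:DAT  copy Data, Attributes and Timestamps, so source file times survive on the copy
# /DCOPY:T   copy directory timestamps as well
# /R:3 /W:5  retry 3 times, 5 s apart, so an offline laptop does not hang the job for hours
# /XJ        do not follow junction points (avoids loops inside a user profile)
# /FP /TS /BYTES  full paths, timestamps and exact byte sizes in the log
# /NP        no progress percentages (keeps the log readable)
# /LOG+:     append to the log; /TEE also echoes to the console
$RcArgs = @($Source, $Dest) + $Patterns + @(
    '/S', '/Z', '/COPY:DAT', '/DCOPY:T', '/R:3', '/W:5', '/XJ',
    '/FP', '/TS', '/BYTES', '/NP', "/LOG+:$Log", '/TEE'
)

# Record the exact command line in the case notes before running it.
"$Stamp robocopy $($RcArgs -join ' ')" | Out-File -Append (Join-Path $LogDir 'commands.txt')
& robocopy @RcArgs
$Rc = $LASTEXITCODE

# robocopy's exit code is a bitmask: 0 nothing to do, 1 files copied, 2 extra files,
# 4 mismatches, 8 some files/dirs failed, 16 fatal error. Anything >= 8 needs a look.
if ($Rc -ge 8) {
    Write-Warning "robocopy reported failures (exit code $Rc); check $Log"
} else {
    Write-Host "robocopy finished with exit code $Rc"
}

# Hash everything collected so a later comparison (e.g. against the disk once the laptop
# is returned) can show what changed. Get-FileHash needs PowerShell 4 or later.
Get-ChildItem -Path $Dest -Recurse -File |
    ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
        [pscustomobject]@{
            Path         = $_.FullName.Substring($Dest.Length).TrimStart('\')
            SizeBytes    = $_.Length
            LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
            SHA256       = $h.Hash
        }
    } |
    Export-Csv -NoTypeInformation -Path (Join-Path $LogDir "manifest-$Stamp.csv")
```

Two caveats worth keeping in the notes: this is a logical copy, not an image, so deleted files, slack space and file-system metadata such as the $MFT stay on the laptop and are only recoverable from the disk itself; and reading files over SMB can update last-access times on the source if last-access tracking is enabled there, which is another reason to log the time window of the collection.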
I like check boxes instead of command line arguments sometimes and there is also now a GUI for it (RichCopy)
Thanks for the tips everyone, calling it in is probably not an option as he's handed in his notice (3 months) and would in all likelihood take any action before turning it in. Might even be worth informing him what we're doing with a clear instruction not to delete/shred any business information; if we got the thing in we'd be able to tell if he'd been up to any nonsense.
Apart from that, targeted copy seems to be the option.
Thanks everyone
Why not just turn up at his address and ask for the machine if you think that he might do some damage to it or to the data? It belongs to the company, they can have it back if they want.