Forums
Main Category
General (Technical,...
Smart Copying
 
Notifications
Clear all

Smart Copying

 
Page 2 / 2
General (Technical, Procedural, Software, Hardware etc.)
Last Post by crosser 16 years ago
20 Posts
10 Users
0 Reactions
1,577 Views
RSS
harryparsonage
 harryparsonage
(@harryparsonage)
Estimable Member
Joined: 20 years ago
Posts: 184
19/08/2009 12:55 am  

As suggested you could use FTK Imager which I have used in such circumstances and you can selectively collect files by extension, you can use * and ? as wild cards. If you look at creating a Custom Content Image in the manual you will see how to do it starting at page 14.

You will see examples of syntax to collect all pst, all index.dat and all .doc files.

http//www.accessdata.com/downloads/media/en_us/print/manuals/ImagerUsersGuide.pdf

H


   
ReplyQuote
 ddewildt
(@ddewildt)
Estimable Member
Joined: 17 years ago
Posts: 123
19/08/2009 3:50 am  

As suggested you could use FTK Imager which I have used in such circumstances and you can selectively collect files by extension, you can use * and ? as wild cards. If you look at creating a Custom Content Image in the manual you will see how to do it starting at page 14.

You will see examples of syntax to collect all pst, all index.dat and all .doc files.

http//www.accessdata.com/downloads/media/en_us/print/manuals/ImagerUsersGuide.pdf

H

Nice one - thanks for that! I thought there must be a way to do this but didn't look too far in to it this afternoon…I guess when all else fails read the manual!


   
ReplyQuote
 ddykes713
(@ddykes713)
New Member
Joined: 16 years ago
Posts: 2
19/08/2009 7:04 am  

I know you dont want to power down but…. how about getting the same size/model drive, and ghost it, then put the ghost copy back in the machine. I have done this many times, this way you get to keep the original to do what you want. Of course this may not fit into your time window depending on how much actual data is there.


   
ReplyQuote
 markl1975
(@markl1975)
Trusted Member
Joined: 16 years ago
Posts: 63
Topic starter 19/08/2009 1:32 pm  

Thanks for the pointer on FTK… I never knew you could do that too.

I guess I should RTFM in future!

Mark


   
ReplyQuote
 markl1975
(@markl1975)
Trusted Member
Joined: 16 years ago
Posts: 63
Topic starter 19/08/2009 3:29 pm  

kovar,

Thanks for the tip about Titan CLI.

This looks very useful from the demo videos on the site. It would be even more useful if you could set it to retrieve files from a specific time window on a set date.

Many thanks,

Mark


   
ReplyQuote
 csericks
(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
19/08/2009 7:04 pm  

Mark,

I might be a bit naive in asking this, but are you legally covered to execute the search? Does the user have any expectation of privacy in that the computer is not connected to the company network? Has the employee acknowledged and consented to a company policy that permits search of his devices at any time without notice?

I am not educated on how searches are conducted in the UK and would certainly like to learn more from any authorities on the subject, here.


   
ReplyQuote
 kovar
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
19/08/2009 7:18 pm  

Mark,

I am almost certain that Titan can collect based on time/date as well. It is really powerful. We're still figuring out all the ins and outs of it.

-David


   
ReplyQuote
 markl1975
(@markl1975)
Trusted Member
Joined: 16 years ago
Posts: 63
Topic starter 19/08/2009 7:25 pm  

csericks - We are covered legally. All staff at the company agree to the company policy when they are hired, and sign a document to say they have read/understood company policy. It is quite a long policy, but the right to acquire data from suspicious PC's, with the CEO's authorisation, is definately in the small print!

kovar - Can you let me know if you figure out the time/date settings in Titan. I have emailed Microforensics to ask them as well. It would be good if you could specify something like

'all doc, jpg and xls files between the hours of 1225 and 1455 on 18th August 2009'

I see from the demo video you can certainly set a date, but a time window would be even better, especially in intellectual property cases where the client suspects a user, and they know they were using the PC between x and y times.

I might be able to talk my boss into getting a license, but money is tight at the moment.

Many thanks,


   
ReplyQuote
 kovar
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
19/08/2009 7:32 pm  

Mark,

You might ask MicroForensics, the vendor, for a trial license and about half an hour of coaching over the phone. They seem genuinely interested in connecting with users and were quite responsive. We're fortunate in that they're right down the road from us, literally.

-David


   
ReplyQuote
 crosser
(@crosser)
Trusted Member
Joined: 20 years ago
Posts: 56
19/08/2009 9:38 pm  

If I could make a suggestion, Robocopy can easily collect files of a certain type and it's free from Microsoft. It's a simple command line interface that includes the option to specify what file extensions you want to copy and will also produce a log for your records.

You could run it from a computer on the suspect's/company's network, map the suspect's PC as a drive, and point Robocopy to it as the source.

I'm not certain, but you may also be able to collect files of a certain Mod, Acc, Created times too, but don't quote me.

If you want, I could send you the script along with the command you need to run from the command prompt. Just send me a PM.


   
ReplyQuote
Page 2 / 2
Forum Jump:
  Previous Topic
Next Topic  
Share: