
Trying to find when a user wiped/erased his pc

(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

I figured Forensics being the application of science and technology to answer a question for a legal issue, that assuming the legal aspect wasn't at all a stretch.

Spoliation or trespass to chattels are the legal concepts that generally apply when data is intentionally deleted and timing is generally more relevant to a spoliation issue.

Even though OP is a sysadmin, at the large corporation I work for we rely on sysadmins to provide information relevant to legal issues all the time.


(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Hello ppl. I am a sysadmin at the company I work for (the you-are-the-admin-you-can-do-that-and-even-more type :-( )

One of our users seems to have erased/wiped his pc. DBAN comes to mind as he has mentioned it in a previous discussion. But I can't tell for sure (and I don't care to find the tool he used)

The hdd is completely wiped. No OS or any other data can be found.

Is there any way to find out exactly when he erased it?

Thank you very much for your time.

Just re-read this post and have a few questions

How do you know the system was wiped - how did you look at it to determine that no OS or data could be found?

Why would you NOT care so emphatically about the tool he used? What if there are artifacts left from that tool that are uniform and could lead you to further clues?

Don't exclude any of the who, what, when, where and why as each of these areas typically play off each other in an investigation.


(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

I had a similar question, namely, are you sure that every single sector of the drive has been zeroed out? How did you verify this?

My reason for asking is that I have had cases where the subject has deleted a partition (NTFS), created a new partition of a smaller size, ran a wiping tool on the new partition (not knowing that the MFT was outside the new partition), and by carefully looking at the entire drive, files and MFT records were found in an unpartitioned area.

On the other hand, if the drive was completely zeroed out, it would take a series of happy circumstances for you to find out how.


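The verification asked about in the post above (is every sector really zero, and are there NTFS MFT records sitting outside the current partitions?) can be scripted against a raw image. This is an added example, not part of any post in this thread; it assumes 512-byte sectors and a plain MBR partition table (no GPT or extended partitions), and the sample image is constructed.

```python
import io
import struct

SECTOR = 512  # assumption: 512-byte logical sectors

def mbr_partitions(sector0):
    """Return [(start_lba, end_lba_exclusive)] for used primary MBR entries."""
    if sector0[510:512] != b"\x55\xaa":
        return []  # no MBR signature: treat the whole disk as unpartitioned
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = sector0[off + 4]
        start, count = struct.unpack_from("<II", sector0, off + 8)
        if ptype != 0 and count:
            parts.append((start, start + count))
    return parts

def survey(image):
    """Scan every sector of a raw image opened as a binary file object."""
    image.seek(0)
    parts = mbr_partitions(image.read(SECTOR).ljust(SECTOR, b"\0"))
    image.seek(0)
    result = {"sectors": 0, "nonzero": 0, "partitions": parts,
              "mft_unpartitioned": []}
    lba = 0
    while True:
        sec = image.read(SECTOR)
        if not sec:
            break
        result["sectors"] += 1
        if any(sec):  # at least one non-zero byte survived
            result["nonzero"] += 1
            inside = any(s <= lba < e for s, e in parts)
            # NTFS MFT file records begin with the ASCII signature "FILE"
            if sec[:4] == b"FILE" and not inside:
                result["mft_unpartitioned"].append(lba)
        lba += 1
    return result

def build_sample(residue=True):
    """Constructed 64-sector image: MBR, one zeroed NTFS partition at LBA 8-23."""
    img = bytearray(64 * SECTOR)
    struct.pack_into("<B3sB3sII", img, 446, 0, b"", 0x07, b"", 8, 16)
    img[510:512] = b"\x55\xaa"
    if residue:  # a 1024-byte MFT record left behind at LBA 40-41
        img[40 * SECTOR:42 * SECTOR] = b"FILE0" + b"\x01" * (2 * SECTOR - 5)
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    print(survey(build_sample()))
```

Run it against a read-only image of the drive rather than the drive itself; a `nonzero` count of 0 is the only result that supports "completely wiped".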
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I figured Forensics being the application of science and technology to answer a question for a legal issue, that assuming the legal aspect wasn't at all a stretch.

Like I said, I didn't have a problem at all with your response…I just didn't see the OP asking for legal advice, that's all. I've also seen where the IFs and MAYBEs have taken a thread so far afield that it's hard to connect back to the original question.

