windows xp sp3 system log

(@piakanuga)
Active Member
Joined: 15 years ago
Posts: 7
Topic starter  

Hi All
I'm in charge of sound recording studios and the graphics division of the company and I might have fallen prey to a data theft. I was using my USB drive (mass storage device) with confidential data files (images and HTML files) on a Windows XP SP3 system and my seniors suspect that the data might have been seen (opened) or copied to another USB drive or the machine in some place. If this is discovered I might lose my job along with my experience certificate unless I catch the person or obtain proof that this has not happened (files have not been seen or copied elsewhere) when I went to grab a cup of coffee.

I believe there is a log file which I can use for investigating this?

I have no experience when it comes to data forensics and I have to do this; I have about a week. Please help me as soon as possible.


   
Quote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 


There is AFAIK NO practical way to "know for sure", especially because (just a guess) you already re-accessed all the files to verify if they were there.
Are the files on an NTFS drive?
Are you actually still running that PC? (Just in case *anything* happens, the best choice for the casual user is to pull the plug - literally - go to the wall and unplug the PC from the mains.)

It is very likely that no traces will be left but you need to inspect the PC while OFFLINE, i.e. switch it off NOW.

Then make a forensically sound image of the drive.

Then inspect the image.

Easiest would be to check the last time the file(s) were accessed:
http://www.febooti.com/products/filetweak/online-help/file-last-accessed-date.html

But you could also find out if a "foreign" USB device has been connected to the system.

And there are a few tens of other possible "signs" that you could be able to find.

In any case, especially since there is a rather high stake, it is not something that is suitable for a "DIY" job, but also because whilst proving that something actually happened is relatively simple, proving that something has NOT happened is particularly difficult, and more than actual evidence, something like an "expert witness" would be needed to somehow support the result of the verification.

I mean, "no traces" can mean BOTH

  1. *nothing* happened
  OR
  2. *something* happened but left no traces

Really this is something for which some professional is needed.

jaclaz


   
ReplyQuote
(@piakanuga)
Active Member
Joined: 15 years ago
Posts: 7
Topic starter  

AFAIK ???
No, FAT32 (the USB drive).
But I don't think that there would have been a direct transfer from USB drive to USB drive; in case that is true then the hard drive would be the only place where the data would have been copied; it is an NTFS drive.
The PC has been shut down.
I'm 90% sure the user who would have copied the data is not aware of the logging; even I wasn't till someone told me that your computer might have logs you were not even aware existed. My brother is helping me with this, though he understands only a little more, but he wants to get into the security line of work.
Offline as in no internet, or how?
You said you could also find out if a "foreign" USB device has been connected to the system,
so then I could check if there was another USB at the time which was connected, probably?
That would make my work so much easier.


   
ReplyQuote
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Offline as in the computer is shut off and the hard drive removed. A proper disk image is performed and the analysis done with tools on a secondary copy of the disk image. The more you use it while it is not preserved, the higher the chance you change and/or overwrite evidence. If you are serious about this issue you should really seek local legal advice and engage a professional forensic investigator. Does the company have any kind of human resources department where you can file a complaint and request a proper investigation?


   
ReplyQuote
(@piakanuga)
Active Member
Joined: 15 years ago
Posts: 7
Topic starter  

I'm afraid not. There is no HR department where I can file such a complaint.
Which program would you suggest to make a copy of the disk image / secondary copy of the disk image? Once I've ejected the hard drive from the CPU I must connect it using a SATA to USB cord to connect it as an external drive, am I right?
You said you could also find out if a "foreign" USB device has been connected to the system.
Is there a way of finding out when it was ejected as well?


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 


Theoretically you need a write blocker to make sure that NO writes are performed to the disk.
Alternatively you can use a Linux forensic distro of some kind or a "Forensic Edition" of a PE, such as WinFE:
http://reboot.pro/forum/109/

Remember that anything suggested here is JUST a tool; you also need to learn HOW to use them AND to properly document the actions you took.

AGAIN, a DIY job is NOT recommended; in any case a poor man's solution may be that of video recording, WITHOUT ANY interruption, the whole process until you have your "work copy", AND putting the hard disk in a sealed bag.

The fact that the seal is signed by you only will however make ANY claim of the drive having been tampered with AFTER the work copy has been made VERY credible.

At least you should have a witness assist the whole process AND keep the hard disk safely (and no, the witness is better NOT being a friend or relative).

What you can gather is only when a given USB device was installed (attached) to a system the "first" time:
http://www.forensicswiki.org/wiki/USB_History_Viewing

jaclaz


   
ReplyQuote
(@piakanuga)
Active Member
Joined: 15 years ago
Posts: 7
Topic starter  

While working on putting together a Windows PE CD you have to manually enter the programs you want. The only thing I can think of to use for this after my Google search is FTK Imager by AccessData. Is that sufficient, is it good for my problem, or do I need to be doing something else or adding some more programs? Please reply ASAP. Thank you so much.


   
ReplyQuote
(@muirner)
Trusted Member
Joined: 17 years ago
Posts: 65
 

FTK Imager will work fine for what you need to do (create an image). But what it won't do is the investigating for you. This is where everyone has mentioned that this is not a DIY job…

FTK Imager will create the disk image. You will still need to examine that image, to help prove your side. You may (if you are very lucky) be able to utilize a free/demo version of EnCase or FTK 1.xx. I'd suggest FTK due to simplicity.

Another tool you should look into is USBDeview by NirSoft. This program will allow you to view USB devices that were plugged into your system. You will need to export the SYSTEM hive to get to the USBStor information. The "Created Date" should (under normal circumstances) be the timestamp the device was first connected to the system.

It's too bad that your company is making you defend yourself. It seems like an underhanded way to get rid of you. If you have a friend in the legal profession I'd try to contact them for some real legal advice.


   
ReplyQuote
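An added example (not posted by anyone in this thread) of what the USBStor information from an exported SYSTEM hive looks like once interpreted: each key path under Enum\USBSTOR is split into vendor, product, revision and instance ID, the key's last-write FILETIME (the "Created Date" a viewer shows) is converted to UTC, and instance IDs whose second character is "&" are flagged as Windows-generated, since such a device reported no unique serial. Key paths, serials and timestamps are constructed; a hive parser is assumed to supply them.

```python
"""Interpret USBSTOR entries exported from an offline XP SYSTEM hive.
Constructed sample data; key paths, serials and timestamps are made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 UTC; registry key
# LastWrite times are stored in this format.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a 64-bit Windows FILETIME to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


@dataclass
class UsbStorDevice:
    vendor: str
    product: str
    revision: str
    serial: str
    serial_is_unique: bool    # False: Windows synthesised the instance ID
    first_seen_utc: datetime  # key LastWrite: first install, NOT last use/eject


def parse_usbstor_key(key_path: str, last_write_filetime: int) -> UsbStorDevice:
    """key_path ends in ...\\USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\<instance id>."""
    parts = key_path.split("\\")
    device_class, instance_id = parts[-2], parts[-1]
    fields = {}
    for token in device_class.split("&")[1:]:   # skip the leading "Disk"
        tag, _, value = token.partition("_")    # "Prod_Flash_Disk" -> Prod, Flash_Disk
        fields[tag] = value
    # An '&' as the SECOND character means the device reported no serial; the
    # entry then proves only "a device of this model", not one specific stick.
    unique = len(instance_id) > 1 and instance_id[1] != "&"
    return UsbStorDevice(
        vendor=fields.get("Ven", ""), product=fields.get("Prod", ""),
        revision=fields.get("Rev", ""),
        serial=instance_id.split("&")[0] if unique else instance_id,
        serial_is_unique=unique,
        first_seen_utc=filetime_to_utc(last_write_filetime))


# Constructed entries in the shape a hive parser would hand back.
SAMPLE_KEYS = [
    (r"ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP"
     r"\001CC0EC3450BB40E71C0141&0", 129131197200000000),
    (r"ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07"
     r"\7&2a3b4c5d&0", 129131557200000000),
]


def list_devices(keys=SAMPLE_KEYS) -> list:
    """Parse every constructed USBSTOR entry into a UsbStorDevice."""
    return [parse_usbstor_key(path, ft) for path, ft in keys]
```

Run `list_devices()` on the output of any hive parser that yields key paths and FILETIME last-write values; the first-seen time says nothing about when the device was removed.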
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Just for the record, a "better" tool IMHO than USBDeview is USBHistoryGUI
http://rohit-nair.blogspot.com/2008/09/usb-history-gui.html
or the "real" command line USB history
http://nabiy.sdf1.org/index.php?work=usbHistory

These two utilities show more info than USBDeview.

Problem is that they cannot be used from a PE or on an "imported Registry", AFAIK.

jaclaz


   
ReplyQuote
(@piakanuga)
Active Member
Joined: 15 years ago
Posts: 7
Topic starter  

I wasn't able to image the drive over there due to the time constraints and because my SATA to USB adapter didn't seem to work. Anyway, now I've got the permission to take the hard drive home and work on it. So I must first image it and then keep it in a safe place, right?


   
ReplyQuote
Page 1 / 2
Share: