Security Basics mailing list archives
Re: Hard Drive Forensics Question
From: "Jason Ross" <algorythm () gmail com>
Date: Thu, 2 Oct 2008 23:57:11 -0400
On Thu, Oct 2, 2008 at 3:09 PM, Matt Perry <mattp () pobox com> wrote:
> Question: My opinion is that looking at an image of his personal computer's hard drive will not prove conclusively whether or not he saved files from the company's Pleomax to his personal computer. Can someone either validate that or indicate why the image would provide that information?
If the documents in question are present on his system, it proves that he had those documents on his personal computer. If that is a violation of his terms of employment or some other contract with the employer, that may be all that is needed. Regarding conclusively proving whether or not those files came from the Pleomax or from some other location (a shared network drive, for example), there's not enough information to know for sure; it is possible, however. An example that comes to mind is that the documents may have path information stored in their metadata which could be used to show that the Pleomax was the location they originated from (there are ways to determine what drive letters were mapped to which specific USB devices in Windows, for example... not applicable necessarily in Mac Land, but there may be similar types of resources).
> He is prepared to allow his personal computer's hard drive to be imaged. I am concerned that doing so will breach his own privacy since he stores personal finance, correspondence, etc. on it.
I certainly agree with your assessment at face value, and think (usual IANAL disclaimer goes here) it would probably be in your client's best interest to consult an attorney on this matter. Being unaware of the circumstances, I of course have no idea what laws may cover the situation, but I think it likely that the company would need to seek some type of court-sanctioned permission to obtain the image of your client's equipment; whether that's via a request for discovery as the result of a lawsuit or via some other means I couldn't say. In other words, if he chose to, it is possible he could make things difficult for them, perhaps to his advantage; by giving up that process, he may well be making things more difficult for himself, regardless of whether the company discovers what they claim they will or not.

Hope that helps.

--
Jason