Re: Hard Drive Forensics Question

[B 650 <dunc.on.usenet () googlemail com>]

I would also be questioning if there was any written guidance given at  
the time the hard drive was supplied as to what devices it may, or may  
not, be connected to and how files should be handled.

The premise for requesting an image of the laptop sounds very  
speculative indeed.

/0.02p
--
D

On 3 Oct 2008, at 02:01, "Jon Gucinski" <gucinski () gmail com> wrote:

> Could it be definitively proved that he saved files from the external
> drive to the hard drive?  Maybe.  They could search for files on the
> laptop present on the USB drive.  I don't know of any logging in MacOS
> or anything that would retain details of file transfer or direction.
>
> Sounds like they are on a fishing expedition.  IANAL, but i'd
> recommend to him that he NOT grant access to his personal laptop to a
> former employer w/o a subpoena, warrant, or other court mandate.  Why
> give them access when it can really do him no good but a world of
> hurt?  The burden of proof is on the former employer to prove
> wrongdoing and he'd be supplying them with ammunition to do so.
>
> -Jon
>
> On Thu, Oct 2, 2008 at 2:09 PM, Matt Perry <mattp () pobox com> wrote:
> > I'm trying to answer a question for a customer regarding historical  
> > file
> > copying on his personal Mac computer. I'm not sure if this is the  
> > right list
> > to post this to; please redirect me if I should be asking this  
> > elsewhere.
> >
> > Equipment Details:
> > Powerbook G4 with a 75 GB hard drive - purchased 3 or 4 years ago.
> > Samsung Pleomax USB power drive.
> >
> > Background:
> > His former employer believes that documents on this external device  
> > might
> > have been copied to his personal Powerbook. They are demanding that  
> > he allow
> > them to have the drive imaged so that they can determine prove  
> > whether he
> > did or did not copy these files to his home computer.
> >
> > The weekend before he left his former employer he opened several  
> > documents
> > on this external device using MS Office and maneuvered others using  
> > Finder.
> > According to my customer all files opened were on USB drive and  
> > then saved
> > back to it.
> >
> > He left the company six months ago. When he left his former  
> > employer six
> > months ago he returned the Pleomax drive to them.
> >
> > Question:
> > My opinion is that looking at an image of his personal computer's  
> > hard drive
> > will not prove conclusively whether or not he saved files from the  
> > company's
> > Pleomax to his personal computer. Can someone either validate that or
> > indicate why the image would provide that information?
> >
> > He is prepared to allow his personal computer's hard drive to be  
> > imaged. I
> > am concerned that doing so will breach his own privacy since he  
> > stores
> > personal finance, correspondence, etc. on it.
> >
> > Thanks so much.
> >
> > Matt