Security Basics mailing list archives
RE: Hard Drive Forensics Question
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Mon, 6 Oct 2008 06:19:32 +1000
The fact that he's been away for six months does not mean that the free space left by any files he had deleted has been written over. The free space could easily still be sitting there with all the data on it. Unless he deleted them securely. You'd be surprised what shows up when you look at the free space of drives. Especially with the mammoth drives we have these days.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Landriault, Yan
Sent: Saturday, October 04, 2008 1:17 AM
To: security-basics () securityfocus com
Subject: RE: Hard Drive Forensics Question

Also, it's been 6 months since he left! There is probably no "residue" left on the HDD... And if something was that important, they would not have waited for 6 months to get it...?

Also, does their Company Policy explicitly imply that they cannot copy files out of the USB drive? If not he did not break any "rule"...

Last thing... When you copy files between a drive and a Mac, you often end up with some "system" files everywhere, like thumbnails, Mac ID files, etc... I don't know exactly what but I know I often find files on my USB thumbs that were put there by a Mac. You do not see these files in Mac OS but it shows under Windows...

10-4.

---------------------------------------------
Yan Landriault, CSSA - Ultramar Canada
Administrateur Infrastructure & Sécurité
yan_landriault () ultramar ca
514-499-6380

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Larry Offley
Sent: 2 octobre 2008 19:14
To: Matt Perry
Cc: security-basics () securityfocus com
Subject: Re: Hard Drive Forensics Question

You are correct that it can't prove that he didn't copy the files. Truth is, if you want to check someone's computer to see if they copied files, they know that you want to check it, and they have time/knowledge to erase evidence that they did copy it, you will not be able to tell if they did or didn't copy the files.

The only thing they could prove would be that he did copy the files, if he did, never deleted the files, and the area of the drive the files were written to had also never been written over in the six months since then.

You could also ask of the forensics list. I'm sure the answer is going to be close to the same maybe more technical but the same idea.

Larry Offley

Matt Perry wrote:

I'm trying to answer a question for a customer regarding historical file copying on his personal Mac computer. I'm not sure if this is the right list to post this to; please redirect me if I should be asking this elsewhere.

Equipment Details:
Powerbook G4 with a 75 GB hard drive - purchased 3 or 4 years ago.
Samsung Pleomax USB power drive.

Background:
His former employer believes that documents on this external device might have been copied to his personal Powerbook. They are demanding that he allow them to have the drive imaged so that they can determine prove whether he did or did not copy these files to his home computer. The weekend before he left his former employer he opened several documents on this external device using MS Office and maneuvered others using Finder. According to my customer all files opened were on USB drive and then saved back to it. He left the company six months ago. When he left his former employer six months ago he returned the Pleomax drive to them.

Question:
My opinion is that looking at an image of his personal computer's hard drive will not prove conclusively whether or not he saved files from the company's Pleomax to his personal computer. Can someone either validate that or indicate why the image would provide that information?

He is prepared to allow his personal computer's hard drive to be imaged. I am concerned that doing so will breach his own privacy since he stores personal finance, correspondence, etc. on it.

Thanks so much.
Matt
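
Added example (not part of the original thread or written by any poster): a minimal signature scan showing how leftover document headers surface in free space that has not been overwritten. It assumes the unallocated sectors have already been extracted from a drive image into a raw buffer; the function names and the sample buffer are constructed for illustration.

```python
SECTOR = 512  # files start on cluster boundaries, which are multiples of the sector size

# Standard magic bytes found at offset 0 of common document formats.
SIGNATURES = {
    "ole2 (legacy .doc/.xls/.ppt)": bytes.fromhex("d0cf11e0a1b11ae1"),
    "zip (.docx/.xlsx/.pptx)": b"PK\x03\x04",
    "pdf": b"%PDF-",
}

def scan_unallocated(data, sector=SECTOR):
    """Return [(byte_offset, label)] for each sector that begins with a known signature."""
    hits = []
    for off in range(0, len(data), sector):
        for label, magic in SIGNATURES.items():
            if data.startswith(magic, off):
                hits.append((off, label))
    return hits

def zeroed_fraction(data, sector=SECTOR):
    """Fraction of sectors that are entirely zero bytes (never used, or wiped with zeros)."""
    total = zeroed = 0
    for off in range(0, len(data), sector):
        total += 1
        if not any(data[off:off + sector]):
            zeroed += 1
    return zeroed / total if total else 0.0

def build_sample():
    """Constructed sample: 8 sectors of 'free space' holding remnants of deleted files."""
    img = bytearray(8 * SECTOR)
    img[2 * SECTOR:2 * SECTOR + 8] = SIGNATURES["ole2 (legacy .doc/.xls/.ppt)"]
    img[3 * SECTOR:3 * SECTOR + 16] = b"quarterly report"      # file body, no header
    img[5 * SECTOR:5 * SECTOR + 8] = b"%PDF-1.4"
    img[6 * SECTOR + 100:6 * SECTOR + 104] = b"PK\x03\x04"     # mid-sector, not a file start
    return bytes(img)

if __name__ == "__main__":
    sample = build_sample()
    for offset, label in scan_unallocated(sample):
        print(f"offset {offset:#08x}: {label}")
    print(f"zero-filled sectors: {zeroed_fraction(sample):.0%}")
```

A hit only shows that a document header is still present in free space; it does not show where the file came from or when it was written.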