Security Basics mailing list archives

Re: Forensic Tool


From: "Shreyas Zare" <shreyas () technitium com>
Date: Tue, 10 Jun 2008 11:10:51 +0530

Hi,

Clearly, your company has to take strict action against the employee.
The files that were deleted from her laptop can be easily recovered by
any off-the-shelf file recovery software. It would not be possible to
find out if she had copied the data onto any media very easily. Her
laptop must be seized immediately and copies of the hard drive (image)
must be created for further investigation. Use file recovery software
to get deleted documents on her laptop to find clues if she had
deleted some other info regarding this incident. If she had enough
time, it is possible she would have e-mailed the files to someone
else, so just deleting the mails in her Yahoo & Hotmail a/c won't solve
the matter. Investigate contacts in the email account address book.

Regards,

On Tue, Jun 10, 2008 at 12:11 AM,  <newnewguy () aol com> wrote:
Hello,

Here is the explanation:

One of the ladies has copied the application files (complete application) of
one of the HR Portal applications along with some imp data files. Then this
person sent these files to his Yahoo & Hotmail IDs. When we observed that in
the email logs, we asked her for the explanation behind this act.

She gave some answers which don't justify this action. Then we asked her to
delete all these emails from her laptop (where she downloaded) & her
personal IDs (Yahoo & Hotmail). We just want to check if she copied these
files to any other media before deletion. Also if these files are still
sitting in any part of memory on her machine. That laptop has Windows XP
Professional with SP2.

I hope this helps in understanding the situation.

Thanks a lot for your help!

New Guy!!

-----Original Message-----
From: Shreyas Zare <shreyas () technitium com>
To: newnewguy () aol com
Cc: security-basics () securityfocus com
Sent: Mon, 9 Jun 2008 1:42 pm
Subject: Re: Forensic Tool

Hi,

Firstly, you have not clearly explained what has happened. Secondly,
after someone does something like copy a file onto media before
deletion, it is difficult (or impossible) to find it out. You need to
have some mechanism in place to log such things beforehand. Also
provide details like what OS is in the scenario.

Regards,

On Mon, Jun 9, 2008 at 10:26 PM, <newnewguy () aol com> wrote:

Hi,


One of the persons in my company has downloaded very imp files (Application &
Data) from HR portal.

He has deleted the files from his machine. We need to ensure that files
were not copied to any other media before deletion.


Request you to please help on How this can be achieved.


Thanks!


New Guy



--
("There are only 10 kinds of people in this world: those who know
binary and those who don't.")

Shreyas Zare
Co-Founder, Technitium
eMail: shreyas () technitium com

..::< The Technitium Team >::..
Visit us at www.technitium.com
Contact us at theteam () technitium com

Technitium Personal Computers
We believe in quality.
Visit http://pc.technitium.com for details.





