Security Basics mailing list archives

Re: Forensic Tool


From: Adam Pal <pal_adam () gmx net>
Date: Tue, 10 Jun 2008 23:06:17 +0200

Hello newnewguy,

(nice name *G*)
Well, let's assume
case a) data has been sent via email to another
location, in this case you can evaluate the logs to get some info.

case b) data has been copied to another device. In this case, I would
say that you can only see if a device was being attached by reading
Windows logs, but I'm not sure how long this information is being kept
by the system.

What you cannot see in case b will be what files have been copied.
Basically, case a could eventually be an argument in front of the court,
but assumptions as case b or others won't.

The point is, a copy means reading access on original file and writing
access on target file. You can eventually see in the metadata when the
last reading access occurred, but this doesn't necessarily mean that the
file was copied to external, there is a multitude of processes which
can cause a reading access.
I hope you can have a better perspective on the problem.
I wish you good luck!

-- 
Best regards,
 Adam Pal   

Monday, June 9, 2008, 6:56:41 PM, you wrote:

<==============Original message text===============
nac> Hi,


nac> One of the persons in my company has downloaded very imp files
nac> (Application & Data) from HR portal.


nac> He has deleted the files from his machine. We need to ensure
nac> that files were not copied to any other media before deletion.


nac> Request you to please help on how this can be achieved.


nac> Thanks!


nac> New Guy

<===========End of original message text===========
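
Added example, not part of the original message: case b above says the Windows logs can show that a device was attached but not which files were copied. The sketch below assumes a Windows Vista or later system, where first-time device installs are written to setupapi.dev.log; the sample log lines, device names and the helper names storage_installs and attached_between are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the layout of setupapi.dev.log (assumed: Vista or later).
# Device names, serial numbers and times are invented for illustration.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5406\0000EXAMPLE0001]
>>>  Section start 2008/06/09 18:31:05.120
<<<  Section end 2008/06/09 18:31:06.310
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\0000EXAMPLE0001&0]
>>>  Section start 2008/06/09 18:31:07.456
<<<  Section end 2008/06/09 18:31:09.012
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - HID\VID_046D&PID_C00E\6&EXAMPLE&0&0000]
>>>  Section start 2008/06/10 09:02:11.000
<<<  Section end 2008/06/10 09:02:12.500
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(.*?\) - (?P<dev>[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+")

def storage_installs(log_text):
    """Return (install time, device instance id) for each USB storage device."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.group("dev")  # remember the device until its start line
            continue
        m = START.match(line)
        if m and pending:
            # Only mass-storage devices matter here; skip hubs, mice, etc.
            if pending.upper().startswith("USBSTOR\\"):
                ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
                events.append((ts, pending))
            pending = None
    return events

def attached_between(events, start, end):
    """Storage devices whose driver install falls inside the window of interest."""
    return [(ts, dev) for ts, dev in events if start <= ts <= end]

if __name__ == "__main__":
    for ts, dev in storage_installs(SAMPLE_LOG):
        print(ts.isoformat(sep=" "), dev)
```

The log records the first driver installation of a device, not every later attach, and it contains no file names, so it can place a storage device on the machine at a time but cannot show what was written to it.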

