Security Basics mailing list archives

RE: Forensic Tool


From: "Robinson, Sonja" <Sonja.Robinson () fticonsulting com>
Date: Tue, 10 Jun 2008 17:21:42 -0400

Link file analysis.  If you DO NOT know how to do this investigation
forensically, call someone who does.  Especially if you expect to
terminate said employee. 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Adam Pal
Sent: Tuesday, June 10, 2008 5:06 PM
To: newnewguy () aol com
Cc: security-basics () securityfocus com
Subject: Re: Forensic Tool

Hello newnewguy,

(nice name *G*)
Well, let's assume
case a) data has been sent via email to another location. In this case
you can evaluate the logs to get some info.

case b) data has been copied to another device. In this case, I would
say that you can only see if a device was attached by reading the
Windows logs, but I'm not sure how long this information is kept
by the system.

What you cannot see in case b is which files have been copied.
Basically, case a could eventually be an argument in front of the court,
but assumptions such as case b or others won't.

The point is, a copy means read access on the original file and write
access on the target file. You can eventually see in the metadata when the
last read access occurred, but this doesn't necessarily mean that the
file was copied to an external device; there is a multitude of processes
which can cause a read access.
I hope you now have a better perspective on the problem.
I wish you good luck!

--
Best regards,
 Adam Pal   

Monday, June 9, 2008, 6:56:41 PM, you wrote:

<==============Original message text===============
nac> Hi,


nac> One of the people in my company has downloaded very important files
nac> (Application & Data) from the HR portal.


nac> He has deleted the files from his machine. We need to ensure that 
nac> files were not copied to any other media before deletion.


nac> Request you to please help on how this can be achieved.


nac> Thanks!


nac> New Guy

<===========End of original message text===========
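Sonja's pointer to link file analysis rests on what a Windows shortcut (.lnk) records: the target's local path, the label, serial number and drive type of the volume it sat on, and the target's timestamps, so a shortcut left in a user's Recent folder can place a file on a removable volume even after the file itself is gone. The parser below is an added example, not code from either poster; it reads the Shell Link header and LinkInfo structure as laid out in MS-SHLLINK and runs over a constructed blob whose target path, volume label and serial number are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

# MS-SHLLINK constants; drive type values follow GetDriveType()
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1, 0x2, 0x1
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks since here

def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def cstr(data, start):
    # NUL-terminated ANSI string beginning at `start`
    return data[start:data.index(b"\x00", start)].decode("latin-1")

def parse_lnk(data):
    # returns target path, volume identity and target timestamps stored in the .lnk
    if struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link file")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {"target_size": size, "target_created": filetime_to_dt(ctime),
            "target_accessed": filetime_to_dt(atime), "target_written": filetime_to_dt(wtime)}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the item ID list (2-byte size prefix)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        _size, _hdr, iflags, vol_off, base_off = struct.unpack_from("<IIIII", data, off)
        if iflags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = off + vol_off
            _vsize, dtype, serial, label_off = struct.unpack_from("<IIII", data, vol)
            info.update(drive_type=DRIVE_TYPES.get(dtype, "unknown"), volume_serial=f"{serial:08X}",
                        volume_label=cstr(data, vol + label_off), local_base_path=cstr(data, off + base_off))
    return info

def build_sample_lnk():
    # constructed blob: target E:\hr\payroll.xlsx on a removable volume; every value is made up
    ft = int((datetime(2008, 6, 9, 18, 0, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10_000_000
    clsid = bytes.fromhex("0114020000000000c000000000000046")
    header = struct.pack("<I", 0x4C) + clsid + struct.pack("<IIQQQI", HAS_LINK_INFO, 0x20, ft, ft, ft, 12345) + b"\x00" * 20
    label, path = b"USBSTICK\x00", b"E:\\hr\\payroll.xlsx\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 2, 0xDEADBEEF, 16) + label
    vol_off = 0x1C  # LinkInfo header is 7 dwords; the VolumeID follows immediately
    base_off, suffix_off = vol_off + len(volume_id), vol_off + len(volume_id) + len(path)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + path + b"\x00"
    return header + link_info

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:16} {value}")
```

On a real system the same function can be pointed at the files under the user's Recent folder; a drive_type of "removable" together with the volume serial is what ties the opened file to a specific device.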
