Security Basics mailing list archives
Re: Hard Drive Forensics Question
From: "Marc-André Laverdière" <marcandre.laverdiere () gmail com>
Date: Fri, 3 Oct 2008 09:44:00 -0400
Hello,

I just did basic forensic training, so keep that in mind when you read me.

You have a tricky job to do. As for your concerns in privacy, that's pretty much a given. You'll have to be strict on your side to make sure that nothing leaks from your lab.

As for your main question, it is possible that you'll find copies of that information on the disk if they were opened from the USB drive, because of virtual memory. If anything was printed, you're likely to have a temp file too. I'm not sure about where temp files would go (for Office, I think they put it in the same directory).

One thing that could be interesting is to try to find if any blocks have the filenames of the documents themselves. Essentially a deleted directory. That's as best as I can think of to help you distinguish between the USB scenario and the copy scenario.

Good luck.

On Thu, Oct 2, 2008 at 3:09 PM, Matt Perry <mattp () pobox com> wrote:
I'm trying to answer a question for a customer regarding historical file copying on his personal Mac computer. I'm not sure if this is the right list to post this to; please redirect me if I should be asking this elsewhere.

Equipment Details: Powerbook G4 with a 75 GB hard drive - purchased 3 or 4 years ago. Samsung Pleomax USB power drive.

Background: His former employer believes that documents on this external device might have been copied to his personal Powerbook. They are demanding that he allow them to have the drive imaged so that they can determine or prove whether he did or did not copy these files to his home computer. The weekend before he left his former employer he opened several documents on this external device using MS Office and maneuvered others using Finder. According to my customer all files opened were on USB drive and then saved back to it. He left the company six months ago. When he left his former employer six months ago he returned the Pleomax drive to them.

Question: My opinion is that looking at an image of his personal computer's hard drive will not prove conclusively whether or not he saved files from the company's Pleomax to his personal computer. Can someone either validate that or indicate why the image would provide that information? He is prepared to allow his personal computer's hard drive to be imaged. I am concerned that doing so will breach his own privacy since he stores personal finance, correspondence, etc. on it.

Thanks so much.

Matt
--
Marc-André LAVERDIÈRE
"Perseverance must finish its work so that you may be mature and complete, not lacking anything." -James 1:4
mlaverd.theunixplace.com/blog

 /"\
 \ /    ASCII Ribbon Campaign
  X      against HTML e-mail
 / \
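
The filename search suggested in the reply above, as an added example that is not part of the original message: it scans a raw disk image for known document names in the encodings a name can survive in (HFS+ catalog records store names as decomposed UTF-16BE) and reports the offset and block of each hit. The document name, the test image and the function names are constructed for illustration; NFD is assumed to be close enough to the HFS+ decomposition for typical names.

```python
import io
import unicodedata

def name_patterns(name):
    """Byte encodings under which a file name may survive on disk."""
    nfd = unicodedata.normalize("NFD", name)   # HFS+ stores decomposed names
    return {
        "utf-8": name.encode("utf-8"),         # temp files, logs, text data
        "utf-16-be": nfd.encode("utf-16-be"),  # HFS+ catalog records
        "utf-16-le": name.encode("utf-16-le"), # little-endian UTF-16 data
    }

def scan_image(stream, names, block_size=4096, chunk_size=1 << 20):
    """Return sorted (offset, block, name, encoding) hits in a raw image."""
    patterns = [(n, enc, p) for n in names for enc, p in name_patterns(n).items()]
    overlap = max(len(p) for _, _, p in patterns) - 1
    hits, tail, base = set(), b"", 0           # base = image offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk                     # keep a tail so that matches
        for name, enc, pat in patterns:        # straddling two chunks are found
            pos = buf.find(pat)
            while pos != -1:
                off = base + pos
                hits.add((off, off // block_size, name, enc))
                pos = buf.find(pat, pos + 1)
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)
    return sorted(hits)

def demo_image():
    """Constructed 2 KiB image: filler bytes plus two planted copies of a name."""
    name = "Q3-forecast.xls"                   # hypothetical document name
    img = bytearray(b"\xaa" * 2048)
    be = name.encode("utf-16-be")
    img[620:620 + len(be)] = be                # catalog-style copy
    img[1500:1500 + len(name)] = name.encode("utf-8")
    return bytes(img)

def demo_hits():
    """Scan the constructed image with small blocks and chunks."""
    return scan_image(io.BytesIO(demo_image()), ["Q3-forecast.xls"], 512, 64)

if __name__ == "__main__":
    for off, block, name, enc in demo_hits():
        print(f"offset {off} (block {block}): {name!r} as {enc}")
```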