Re: Hard Drive Forensics Question

[Adam Pal <pal_adam () gmx net>]

Hello Matt,

What are the terms and conditions of the company concerning usage of
private notebooks and company-own portable media devices?
If none existant why does he care? The company cannot prove that he
violated any agreements since those does not exist.
Certainly, the company can be curious where dataleakage can occur, but
personaly i dont agree that the 2 inflicted parties should have direct
communication, means, the company can use ANY piece of evidence which
it finds or can place an evidence where there is none, this wont work.
I recommend to imply a 3rd person, a consultant who will be in charge
to evaluate the claim and back up the evidence. A consultant is bound
by his contract and cannot simply disclose sensitive private data to
the company, he will do only his job and check for a data leakage.
That would satisfy both parties, but simply hand over an immage to the
company is critical.
Maybe this is not the reply to your question, but take it as a point
of view how things should work.

-- 
Best regards,
 Adam Pal   

Thursday, October 2, 2008, 9:09:45 PM, you wrote:

<==============Original message text===============
MP> I'm trying to answer a question for a customer regarding historical file
MP> copying on his personal Mac computer. I'm not sure if this is the right
MP> list to post this to; please redirect me if I should be asking this 
MP> elsewhere.

MP> Equipment Details:
MP> Powerbook G4 with a 75 GB hard drive - purchased 3 or 4 years ago.
MP> Samsung Pleomax USB power drive.

MP> Background:
MP> His former employer believes that documents on this external device 
MP> might have been copied to his personal Powerbook. They are demanding 
MP> that he allow them to have the drive imaged so that they can determine
MP> prove whether he did or did not copy these files to his home computer.

MP> The weekend before he left his former employer he opened several 
MP> documents on this external device using MS Office and maneuvered others
MP> using Finder.  According to my customer all files opened were on USB 
MP> drive and then saved back to it.

MP> He left the company six months ago. When he left his former employer six
MP> months ago he returned the Pleomax drive to them.

MP> Question:
MP> My opinion is that looking at an image of his personal computer's hard
MP> drive will not prove conclusively whether or not he saved files from the
MP> company's Pleomax to his personal computer. Can someone either validate
MP> that or indicate why the image would provide that information?

MP> He is prepared to allow his personal computer's hard drive to be imaged.
MP> I am concerned that doing so will breach his own privacy since he stores
MP> personal finance, correspondence, etc. on it.

MP> Thanks so much.

MP> Matt


<===========End of original message text===========

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature