Any computer forensics gurus out there?
Posted on 11/27/14 at 9:05 am
I've got a little situation at my place of employment that I'm trying to investigate.
The scenario. Myself and another employee who I rotate with on an assignment share some information that we exchange on a hard drive.
A few weeks ago the hard drive was stolen. Didn't think much of it other than someone stealing a hard drive.
He gets another drive that he loads some info on for me. I took a look at the drive and didn't do much with the files my first few days. A couple days ago I insert the drive and someone has wiped it clean.
I was able to find a recovery program to retrieve the files, but I want to know who wiped all the files off the drive. Is there a way to look at the usage history of the drive (i.e. which machine would have wiped the data?)
I've been looking around to see if there is a program out there that is capable of this. I'm sure I could send it off to an expert if I wanted to take the investigation far enough. What are my options here?
Posted on 11/27/14 at 9:18 am to Powerman
quote:
A few weeks ago the hard drive was stolen. Didn't think much of it other than someone stealing a hard drive.
Hope it was using FDE.
quote:
A couple days ago I insert the drive and someone has wiped it clean.
Is there a way to look at the usage history of the drive (i.e. which machine would have wiped the data?)
The point of "wiping a drive clean" is to restore it to brand-new condition, so almost certainly not. Your only hope would be for it not to have been wiped clean, and there are many programs to inspect drives, e.g. WinHex.
Posted on 11/27/14 at 9:18 am to Powerman
If the drive was truly wiped, that is it was overwritten, I am not familiar with being able to determine this information.
Posted on 11/27/14 at 9:28 am to WPBTiger
Well it wasn't completely wiped because I was able to undelete the files.
I suppose what I meant is this guy just deleted the items. He isn't tech savvy enough to know how to really wipe something.
This guy is a dumb arse. He is about to be an unemployed dumb arse if I can figure out how to prove he deliberately deleted the files. I know who did it, I just need to be able to prove it.
Posted on 11/27/14 at 9:33 am to Powerman
If he was logged in to his account on the computer when the files were deleted, they should have a recycle bin number associated with his account.
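The "recycle bin number" mentioned above is the user's SID: on an NTFS volume, files sent to the Recycle Bin are moved under `$Recycle.Bin\<SID>\`, and each gets a `$I` index file recording its original path and deletion time. The following is an added example, not part of the original post, that parses such a record; the SID, paths and timestamp are constructed sample values, and it assumes the deletion went through the Recycle Bin on an NTFS-formatted drive.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_i_record(data):
    """Parse one $I index file: header version, file size, deletion time, original path."""
    if len(data) < 28:
        raise ValueError("too short to be a $I record")
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:        # Vista to 8.1: fixed 520-byte UTF-16 path field
        raw = data[24:24 + 520]
    elif version == 2:      # Windows 10 and later: character count, then path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC
    deleted = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return {"version": version, "size": size, "deleted_utc": deleted, "original_path": path}

def sid_from_path(path):
    """Return the per-user SID folder from a path such as E:\\$Recycle.Bin\\<SID>\\$IABC123.xlsx."""
    parts = path.replace("/", "\\").split("\\")
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "$recycle.bin" and parts[i + 1].upper().startswith("S-1-"):
            return parts[i + 1]
    return None

def build_sample(path, size, when):
    """Build a constructed version-2 $I record so the example runs offline."""
    ticks = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    name = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, ticks, len(path) + 1) + name

# Constructed sample values, not taken from the thread
SAMPLE_LOCATION = r"E:\$Recycle.Bin\S-1-5-21-1111111111-2222222222-3333333333-1001\$IABC123.xlsx"
SAMPLE_RECORD = build_sample(r"E:\handover\report.xlsx", 48213,
                             datetime(2014, 11, 25, 14, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    rec = parse_i_record(SAMPLE_RECORD)
    print(sid_from_path(SAMPLE_LOCATION), rec["deleted_utc"].isoformat(), rec["original_path"])
```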
Posted on 11/27/14 at 11:25 am to WPBTiger
Would I be able to pull that info without getting into his computer?
Posted on 11/27/14 at 12:31 pm to Powerman
quote:
Would I be able to pull that info without getting into his computer?
Just inspect his computer (or have someone from management/HR present while the IT guy inspects it). It's company property and he has no expectation of privacy when it comes to that computer.
Posted on 11/27/14 at 12:36 pm to Bestbank Tiger
quote:
Would I be able to pull that info without getting into his computer?
quote:
Just inspect his computer (or have someone from management/HR present while the IT guy inspects it). It's company property and he has no expectation of privacy when it comes to that computer.
Outside of this, you would need to make an image of that hard drive and examine the image.
Posted on 11/27/14 at 1:00 pm to WPBTiger
If his computer was on a domain, would there be a log of actions performed like above, and look for the old drive name maybe.
Posted on 11/27/14 at 1:05 pm to Powerman
quote:
Didn't think much of it other than someone stealing a hard drive.
What kind of work do you do that this is a commonplace occurrence? I've been in the workforce for 25 years and this has never happened to me.
Posted on 11/27/14 at 2:05 pm to foshizzle
quote:
What kind of work do you do that this is a commonplace occurrence?
It's not commonplace
It's offshore construction. A lot of different people in and out of the offices. Never had a problem with theft until this one incident. Which didn't really capture my interest until this other incident of someone deleting all of my shite.
Posted on 11/27/14 at 7:18 pm to Powerman
Something doesn't add up here.
Posted on 11/27/14 at 7:43 pm to Powerman
Theft is theft, but do you think the thief of the original HDD wiped your new one? How would that benefit him in any way?
Posted on 11/28/14 at 9:55 am to Powerman
All the same, you need to give us a few more details, just to make black Friday more interesting.
And be sure to update us upon his firing.
Posted on 11/28/14 at 12:29 pm to ILikeLSUToo
quote:
Theft is theft, but do you think the thief of the original HDD wiped your new one? How would that benefit him in any way?
Sabotage
He seems like the type of guy that would like to get a leg up by cutting someone else's throat
I know he wants my job. But he's too much of a dumb arse to do it anyway so I'm not worried about that. I just don't want to work around someone that would engage in such underhanded behavior to get a leg up.
Posted on 11/28/14 at 10:27 pm to Powerman
quote:
and someone has wiped it clean.
A drive is never truly wiped clean after one format. You really gotta do it several times until the binary is FUBAR to the computer so it's much harder to recover.
Posted on 11/29/14 at 6:12 am to blue_morrison
Lol that's wrong. Formatting a drive does not delete data.
The metadata of the files may show the user SID associated with the last modified time. If he just formatted the drive though you would need to analyze the computer it was done from. Should be able to correlate some events...
This post was edited on 11/29/14 at 6:15 am
Posted on 11/29/14 at 9:09 am to gmrkr5
Several times with a good program.
That's advice given to me from an FBI guy. Now that I think about it...hmmmmmmm
Posted on 11/29/14 at 12:15 pm to blue_morrison
What he was probably referring to was several passes with a legit disk wiping utility such as DBAN. You're not recovering anything from a drive after that.
Posted on 11/29/14 at 12:22 pm to gmrkr5
Yeah that was the name of it. Couldn't remember it.
He also recommended taking a hammer to the platters.