Forensic Investigation

SteelCadman
Guest

PostPosted: Mon Dec 17, 2007 7:31 pm    Post subject: Forensic Investigation

Ok, I have used a very specific title for the subject of this post, and
rightly so. The company I work for had a tech-savvy employee leave rather
suddenly. However, there was activity on this individual's computer after her
departure. Files were accessed, not remotely, as the workstation was
physically disconnected from the network.
Here's the query: what form of access was performed on the files? Were they
copied, or were they just opened? If they were copied, where to? USB, CD burner?

Now, if our IT guy was quick, he would have all systems running XP Pro with
security policies set to Fort Knox level. However, we have XP Home, and now I
have been asked to figure out the answers to the above questions.

My question is: is it possible after the fact? And if so, how?
I've tried everything I can think of.
Anteaus
Guest

PostPosted: Tue Dec 18, 2007 10:20 am    Post subject: RE: Forensic Investigation

Probably not. This is one argument in favour of a fileserver as central
storage. In that case you should be able to audit who was logged on, and
when, plus the ownership of files will tell you who put them there (but not
who deleted them!)

HST, the event logs in XP Home may give some clue as to who accessed the
computer, and when. Check out Event Viewer in Control Panel > Computer
Management. This would only be of value if (confidential) passwords were
in force, of course. Otherwise anyone may have used the ex-employee's logon.

If there is serious doubt about the ex-employee's trustworthiness then I'd
be inclined to do a thorough scan for Trojans, and if there is any doubt
about the results, to reinstall the OS from scratch.

"SteelCadman" wrote:

Quote:
Ok, I have used a very specific title for the subject of this post, and
rightly so. The company I work for had a tech-savvy employee leave rather
suddenly. However, there was activity on this individual's computer after her
departure. Files were accessed, not remotely, as the workstation was
physically disconnected from the network.
Here's the query: what form of access was performed on the files? Were they
copied, or were they just opened? If they were copied, where to? USB, CD burner?

Now, if our IT guy was quick, he would have all systems running XP Pro with
security policies set to Fort Knox level. However, we have XP Home, and now I
have been asked to figure out the answers to the above questions.

My question is: is it possible after the fact? And if so, how?
I've tried everything I can think of.
SteelCadman
Guest

PostPosted: Tue Dec 18, 2007 4:39 pm    Post subject: RE: Forensic Investigation

The complete re-install was going to happen even if the employee left on good
terms; it is standard policy here. All of the documents on the computer get
stored on a central file server (yes, we have one, but it is set up as just a
shared drive from another XP Home box).

Thanks for the help, but it looks like we are S.O.L. and should probably be
instituting some more policies regarding IT.

"Anteaus" wrote:

Quote:
Probably not. This is one argument in favour of a fileserver as central
storage. In that case you should be able to audit who was logged on, and
when, plus the ownership of files will tell you who put them there (but not
who deleted them!)

HST, the event logs in XP Home may give some clue as to who accessed the
computer, and when. Check out Event Viewer in Control Panel > Computer
Management. This would only be of value if (confidential) passwords were
in force, of course. Otherwise anyone may have used the ex-employee's logon.

If there is serious doubt about the ex-employee's trustworthiness then I'd
be inclined to do a thorough scan for Trojans, and if there is any doubt
about the results, to reinstall the OS from scratch.

"SteelCadman" wrote:

Ok, I have used a very specific title for the subject of this post, and
rightly so. The company I work for had a tech-savvy employee leave rather
suddenly. However, there was activity on this individual's computer after her
departure. Files were accessed, not remotely, as the workstation was
physically disconnected from the network.
Here's the query: what form of access was performed on the files? Were they
copied, or were they just opened? If they were copied, where to? USB, CD burner?

Now, if our IT guy was quick, he would have all systems running XP Pro with
security policies set to Fort Knox level. However, we have XP Home, and now I
have been asked to figure out the answers to the above questions.

My question is: is it possible after the fact? And if so, how?
I've tried everything I can think of.
VanguardLH
Guest

PostPosted: Tue Dec 18, 2007 6:58 pm    Post subject: Re: Forensic Investigation

"SteelCadman" wrote in message
news:9FCBF37B-B2EF-45F3-89CB-D0A5AF699324@microsoft.com...
Quote:
Ok, I have used a very specific title for the subject of this post, and
rightly so. The company I work for had a tech-savvy employee leave rather
suddenly. However, there was activity on this individual's computer after her
departure. Files were accessed, not remotely, as the workstation was
physically disconnected from the network.
Here's the query: what form of access was performed on the files? Were they
copied, or were they just opened? If they were copied, where to? USB, CD burner?

Now, if our IT guy was quick, he would have all systems running XP Pro with
security policies set to Fort Knox level. However, we have XP Home, and now I
have been asked to figure out the answers to the above questions.

My question is: is it possible after the fact? And if so, how?
I've tried everything I can think of.

So on what are you basing the claim that the files got "accessed"? Maybe you left
it powered up and a scheduled event in Task Scheduler or in an
anti-virus program went around scanning for pests. Could be SyncToy
did a synchronization of files between different paths or drives.
Depends on what is allowed to run on that computer if you left it
powered up.
Vinson
Guest

PostPosted: Wed Dec 19, 2007 1:03 pm    Post subject: RE: Forensic Investigation

I would think that you could work with the Event Logs (to see when the
machine was accessed). You can use the Search feature or the DIR command to see
a file's creation, modification and create dates, by range. True forensic
tools can be used to see deleted files. Deleted temp files will show you
clues about opening documents. They might also show you a deleted CD ISO, a
temp file of sorts that is used when a CD is created. USB devices also leave
a "footprint" of sorts when they are plugged into the machine, as XP learns
about new hardware. If a web browser was used to view local files, it will
leave clues all over the place, including the history files it keeps and the
Index.dat file. Thumb files will show any photos that were viewed.

There are good forensic tools available for free, unless you have a huge
budget and have already purchased true law enforcement tools. I am sure
there are tiny clues all over the machine if you look deeply into it.

Good luck!

Vinson


"SteelCadman" wrote:

Quote:
Ok, I have used a very specific title for the subject of this post, and
rightly so. The company I work for had a tech-savvy employee leave rather
suddenly. However, there was activity on this individual's computer after her
departure. Files were accessed, not remotely, as the workstation was
physically disconnected from the network.
Here's the query: what form of access was performed on the files? Were they
copied, or were they just opened? If they were copied, where to? USB, CD burner?

Now, if our IT guy was quick, he would have all systems running XP Pro with
security policies set to Fort Knox level. However, we have XP Home, and now I
have been asked to figure out the answers to the above questions.

My question is: is it possible after the fact? And if so, how?
I've tried everything I can think of.
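Vinson's suggestion of using DIR to read file dates "by range" is the core of a filesystem timeline. The script below is an added example, not code from the thread or from any forensic tool mentioned in it: it walks a directory tree, reads each file's modification, access and metadata-change timestamps with os.stat only (never opening the file, which would itself disturb the access time), keeps the timestamps inside a chosen window, and prints them oldest first. The departure date, the two file names and their timestamps in demo() are constructed for illustration. Caveats a practitioner needs: NTFS may delay or disable last-access updates, so a missing access timestamp proves nothing; st_ctime is creation time on Windows but inode-change time on POSIX; and the sweep should be run against a read-only copy of the disk, since running it on the live system rewrites directory access times.

```python
"""File-activity timeline for a directory tree.

Added example, not code from the thread or from any tool mentioned in it.
Walks a tree, reads each file's modification, access and metadata-change
timestamps, and keeps those inside a window so later activity stands out.
"""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterator, List, Optional


@dataclass(frozen=True)
class TimelineEntry:
    when: float   # epoch seconds
    kind: str     # "modified", "accessed" or "changed"
    path: str


# os.stat fields and their labels. Platform caveat: st_ctime is the inode
# change time on POSIX but the creation time on Windows, so "changed" is the
# POSIX reading. Unlike st_mtime and st_atime it cannot be set by os.utime.
_STAT_FIELDS = (
    ("st_mtime", "modified"),
    ("st_atime", "accessed"),
    ("st_ctime", "changed"),
)


def iter_file_events(root: str, start: float, end: Optional[float] = None) -> Iterator[TimelineEntry]:
    """Yield one entry per timestamp inside [start, end] for every file under root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                # stat only: reading the file would itself update its access time
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            for field, label in _STAT_FIELDS:
                ts = getattr(st, field)
                if ts >= start and (end is None or ts <= end):
                    yield TimelineEntry(ts, label, path)


def build_timeline(root: str, start: float, end: Optional[float] = None) -> List[TimelineEntry]:
    """Collect the in-window events, oldest first."""
    return sorted(iter_file_events(root, start, end), key=lambda e: (e.when, e.path, e.kind))


def format_entry(e: TimelineEntry) -> str:
    stamp = datetime.fromtimestamp(e.when, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return f"{stamp}  {e.kind:<8}  {e.path}"


def demo() -> List[TimelineEntry]:
    """Constructed scenario: two files, one touched after a made-up departure date.

    os.utime rewrites atime and mtime only; ctime becomes 'now' and therefore
    falls outside the 2007 window used here, so only the touched file's two
    in-window timestamps appear.
    """
    departure = datetime(2007, 12, 14, 17, 0, tzinfo=timezone.utc).timestamp()
    window_end = departure + timedelta(days=4).total_seconds()
    with tempfile.TemporaryDirectory() as root:
        untouched = os.path.join(root, "notes.txt")
        touched = os.path.join(root, "docs", "budget.xls")
        os.makedirs(os.path.dirname(touched))
        for p in (untouched, touched):
            with open(p, "w") as fh:
                fh.write("constructed sample content\n")
        two_days = timedelta(days=2).total_seconds()
        os.utime(untouched, (departure - two_days, departure - two_days))
        # modified the day after departure, read again an hour later
        after = departure + timedelta(days=1).total_seconds()
        os.utime(touched, (after + 3600, after))
        timeline = build_timeline(root, departure, window_end)
    for entry in timeline:
        print(format_entry(entry))
    return timeline


if __name__ == "__main__":
    demo()
```

Run against a mounted image of the workstation, build_timeline(mount_point, departure_epoch) with no end bound lists everything touched from the departure onward; files whose only in-window timestamp is "accessed" were read but not written, which is the opened-versus-copied distinction the original question asks about, within the limits of access-time reliability noted above.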