Tech Support Guy Forums > Security & Malware Removal > General Security
Advice Needed: General Computer Forensics Analysis after Employee Firing
eonxl (Junior Member, 4 posts; joined Apr 2006; Experience: Intermediate)
04-Aug-2009, 08:44 AM #1
Hopefully I am posting this in the correct topic. I have been doing technical consulting for a number of years now, primarily doing database development, small business networking and web development.

Recently, one of my clients, for whom I had developed a custom customer contact system, was forced to fire one of their employees. I don't know the details of why this individual was fired, but I gather there are some fairly serious allegations.

I was asked by this client to do an analysis of the fired employee's workstation computer. They would like me to: recover any emails which might have been sent, do an analysis of recent web activity, and recover anything else which might potentially be part of a legal case against this employee if such becomes necessary in the future.

I have never been asked to do such an analysis before, and although I'm fairly technically savvy, I'm not sure how to approach this assignment.

I'm hoping to get some advice regarding what I should be looking for, any utilities (best if they are free) which might help me with such an analysis, and what areas of the system might contain the information I'd be looking for.

The computer I'm looking at has Vista Business Edition loaded, and Internet Explorer and MS Office are the primary applications used.

Any advice or suggestions would be greatly appreciated. Thanks in advance for your help!

--e
1002richards (Senior Member, 4,542 posts; joined Jan 2006; Sussex, UK; Experience: Intermediate)
04-Aug-2009, 02:25 PM #2
Hi,
Not sure what country you are in?
You really should look into your country's rules on the 'chain of evidence' - you will need to prove that any data you recover remains in the same state and is secure from the point of discovery to the point of use in Court.

Has anyone else had access to the PCs used by the dismissed employee since his/her departure?

Could anyone else have had access to their passwords?

Does your country's legal system require corroboration of discoveries? Will you need a witness present for this purpose?

Are you acting as what is termed an 'expert witness'? If so, do you have the qualifications/experience required by your country's courts to offer expert opinion?

Does the dismissed employee have legal rights to view the discoveries?

If anything else occurs to me I'll post again.

I hope these considerations are of use to you? Better to research them before it's too late and potential evidence gets ruled inadmissible.

Richard
Kyna (Member, 35 posts; joined Dec 2005; Oregon; Experience: Advanced Intermediate)
04-Aug-2009, 04:47 PM #3
If the client needs to get some of that information off their own servers, i.e. internet gateways, email servers, they need to get on it. If they're lucky, they have the logs turned on for those and are set to continuous. The ISP for the client may have kept logs coming out of the client's assigned address block, but the clock is ticking. ISPs generally don't keep that information for long.

As Richard stated in his post, there are a lot of liability and chain of evidence issues. Recovered evidence from hard drives has to be protected so it isn't altered during examination, and you need to be able to prove that it hasn't. This involves encryption hashes.

If the PC was powered off when the employee left, don't turn it on again until you've researched how to recover the data. If it's still on, don't turn it off until the research is done.
__________________
Kyna
First class lurker

Last edited by Kyna; 04-Aug-2009 at 06:04 PM.. Reason: Incomplete sentence
vicks (Distinguished Member, 5,100 posts; joined Jan 2005; Nebraska; Experience: Intermediate)
04-Aug-2009, 05:50 PM #4
I am NOT an attorney, but I think I would remove the hard drive, save it as evidence, and install a new hard drive and OS. Then that would give you time to work on it.
vicks
valis (Moderator, 48,702 posts; joined Sep 2004; Location: as above; Experience: so below)
04-Aug-2009, 06:24 PM #5
were it up to me, personally, having been through this in a few companies, I would return the pc posthaste and let them hire an outside forensics team to manage this. This would absolve you of any onus of responsibility, which right now you sorta have.

But that's just me.

thanks,

v
__________________
Microsoft M.V.P. - Windows IT Professional | M.C.S.A. | M.C.P. - MS Server 2k3 | blog | rate me

"Ask Bill why the string in function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that". - Gary Kildall
dvk01 (Moderator & Malware Removal Specialist, 37,223 posts; joined Dec 2002; Loughton, Essex, UK)
04-Aug-2009, 06:28 PM #6
This is a list of forensic tools. Some free, some pay-for:
http://www.e-evidence.info/other.html

However, unless you 100% know what you are doing & are approved & qualified for forensic analysis by the courts, any evidence you turn up will be inadmissible.

If the company has a desire to consider any court action, they must lock away that computer, not let anybody fiddle with it (it is probably too late now) and call in an outside specialist consultant in forensic analysis.

An attempt to save a few $$ now by using unqualified persons to do the work could result in a massive $$$ spend or payout later.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
JohnWill (Distinguished Member, 110,212 posts; joined Oct 2002; South Eastern PA, USA; Experience: Advanced age & experience)
04-Aug-2009, 06:30 PM #7
I agree with Derek, he just beat me to it. I'd lock up the computer and get advice from experts if this is important!
vicks (Distinguished Member, 5,100 posts; joined Jan 2005; Nebraska; Experience: Intermediate)
04-Aug-2009, 08:55 PM #8
Quote:
Originally Posted by valis
were it up to me, personally, having been through this in a few companies, I would return the pc posthaste and let them hire an outside forensics team to manage this. This would absolve you of any onus of responsibility, which right now you sorta have.

But that's just me.

thanks,

v
I also agree, this is the best way, especially to protect yourself.
vicks
valis (Moderator, 48,702 posts; joined Sep 2004; Location: as above; Experience: so below)
05-Aug-2009, 12:11 AM #9
Quote:
Originally Posted by vicks
I also agree, this is the best way, especially to protect yourself.
vicks
hard to agree with a Nebraskan, as I am a CSU alum, but when you are right, you are indeed right.
vicks (Distinguished Member, 5,100 posts; joined Jan 2005; Nebraska; Experience: Intermediate)
05-Aug-2009, 12:36 AM #10
I have a granddaughter who will be graduating from CSU next spring. And the stepdad is an alum of Tx. A&M. So I guess I am surrounded by 'rivals'. We're in Ne only about 6 months a year. Travel in motorhome Oct-Apr.
Have a good rest of the week.
Vicks
valis (Moderator, 48,702 posts; joined Sep 2004; Location: as above; Experience: so below)
05-Aug-2009, 09:58 AM #11
you too, vicks. Congrats on the granddaughter.
Frank4d (Distinguished Member, 8,718 posts; joined Sep 2006; So. California; Experience: Since MS-Dos 3.0)
05-Aug-2009, 10:05 AM #12
Quote:
Originally Posted by eonxl
Any advice or suggestions would be greatly appreciated. Thanks in advance for your help!

--e
First, I hope the computer has not been booted since the employee was fired. The hard drive should be cloned and any forensics work that is done should be using the clone.
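Kyna's point in #3 (you must be able to prove recovered data was not altered, which is done with hashes) and Frank4d's point in #12 (clone the drive and work only on the clone) come down to one working practice: hash the image at acquisition, log every handling step with the hash at that moment, and re-hash before relying on the copy. The Python below is an added example, not code from this thread or from any tool the posters link to. It assumes the image already exists as a file (real acquisition goes through a hardware write blocker and a bit-for-bit imaging tool, which this does not replace); the file names, the examiner id and the sample image bytes are all constructed for the demo.

```python
# Added example (not from the thread): hash a disk image at acquisition, keep a
# chain-of-custody log, and re-verify the image against the acquisition hash.
# Assumptions: the image is already a file on disk; the log format (one JSON
# object per line), file names and examiner id below are constructed here.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the file through SHA-256 so a multi-GB image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def log_custody(log_path, image_path, action, examiner):
    """Append one JSON line recording who did what to which image, when, and its hash now."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "action": action,
        "examiner": examiner,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def acquisition_hash(log_path, image_name):
    """Return the hash recorded by the first 'acquired' entry for this image, or None."""
    with open(log_path, encoding="utf-8") as fh:
        for line in fh:
            entry = json.loads(line)
            if entry["image"] == image_name and entry["action"] == "acquired":
                return entry["sha256"]
    return None


def verify_image(log_path, image_path):
    """Compare the image's current hash with its acquisition hash.
    Returns (matches, expected, actual); matches is False if no acquisition entry exists."""
    expected = acquisition_hash(log_path, os.path.basename(image_path))
    actual = sha256_file(image_path)
    return (expected is not None and expected == actual, expected, actual)


def demo():
    """Acquire -> verify -> one stray write to the copy -> verify again, on a constructed image."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "workstation-clone.dd")  # constructed file name
        log = os.path.join(workdir, "custody.jsonl")            # constructed file name
        with open(image, "wb") as fh:
            fh.write(b"constructed sample image bytes\n" * 2048)

        log_custody(log, image, "acquired", "examiner-A")       # constructed examiner id
        intact_before, _, _ = verify_image(log, image)

        # What a single write to the working copy (a boot, a "cleanup", an edit)
        # does to verification: one changed byte and the hash no longer matches.
        with open(image, "r+b") as fh:
            fh.seek(0)
            fh.write(b"X")
        log_custody(log, image, "re-hashed after analysis", "examiner-A")
        intact_after, _, _ = verify_image(log, image)

        with open(log, encoding="utf-8") as fh:
            entries = sum(1 for _ in fh)

        return {"intact_before": intact_before,
                "intact_after": intact_after,
                "log_entries": entries}


if __name__ == "__main__":
    print(demo())
```

Run it and the first verification passes while the second fails, which is the property that matters: the log shows exactly when the copy stopped matching what was acquired, and anyone can recompute the hash to check the claim. In practice you would hash the original drive once through the write blocker, hash the clone, confirm they match, and then never touch the original again.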
Pookie (Senior Member, 204 posts; joined Dec 2004; Experience: Intermediate)
06-Aug-2009, 10:01 AM #13
Call a forensics expert and let them deal w/ it. Too much liability for you to work on it unless you really know what the hell you're doing. Not doubting your technical savvy, but some things are best left to specialists.
eonxl (Junior Member, 4 posts; joined Apr 2006; Experience: Intermediate)
07-Aug-2009, 02:09 PM #14
Thanks everyone for the thoughts. I am definitely not a forensics expert. I've done some database development, small business networking and general technical consulting for this fairly small company in Southern California. It's part time and "on demand" -- I'm kind of their "go-to" guy for technical matters.

I have a feeling that, based on the comments here, any chain of evidence has already been ruined. I know for a fact that the client has already examined the contents of the computer and didn't get anywhere which is why he's turned it over to me.

I'll speak to him about the risks, but I suspect he'll want to see what I find if for no other reason than just for his information and peace of mind.

The list of utilities could be very helpful. Definitely thanks for that, and the other comments. If the client does want to go ahead with the examination anyway, I'll see what I can do, and may come back with any questions.

Thanks a lot for all your help!

--e
1002richards (Senior Member, 4,542 posts; joined Jan 2006; Sussex, UK; Experience: Intermediate)
07-Aug-2009, 03:22 PM #15
You're welcome.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.