Advice Needed: General Computer Forensics Analysis after Employee Firing
Hopefully I am posting this in the correct topic. I have been doing technical consulting for a number of years now, primarily doing database development, small business networking and web development. Recently, one of my clients, for whom I had developed a custom customer contact system, was forced to fire one of their employees. I don't know the details of why this individual was fired, but I gather there are some fairly serious allegations. I was asked by this client to do an analysis of the fired employee's workstation computer. They would like me to: recover any emails which might have been sent, do an analysis of recent web activity, and recover anything else which might potentially be part of a legal case against this employee if such becomes necessary in the future. I have never been asked to do such an analysis before, and although I'm fairly technically savvy, I'm not sure how to approach this assignment. I'm hoping to get some advice regarding what I should be looking for, any utilities (best if they are free) which might help me with such an analysis, and what areas of the system might contain the information I'd be looking for. The computer I'm looking at has Vista Business Edition loaded, and Internet Explorer and MS Office are the primary applications used. Any advice or suggestions would be greatly appreciated. Thanks in advance for your help!

--e
August 4th, 2009 3:31pm

You can't do this yourself. The fact that the computer wasn't immediately removed to the keeping of a licensed forensic investigator or the local authorities has already tainted the evidence anyway. But you should advise your client to contact the local authorities, their own legal counsel, and/or a local licensed forensic investigator. There are very specific requirements to be met and a regular tech consultant isn't qualified to do this. Although the evidence is already tainted, your client's counsel might still be able to make something of it. If you touch that computer the other side will demolish your client's attorney in court. Computer forensics is a specialized and licensed field. I actually looked into it thinking it would be interesting and the cost of the education for a non-law enforcement person was prohibitive. If I were in your situation, I would probably call up my local law enforcement non-emergency number and ask them for a recommendation since I don't know anyone who is a licensed computer forensic specialist here. I suggest you tell your client to do something similar.

MS-MVP - Elephant Boy Computers - Don't Panic!
August 4th, 2009 5:15pm

Here are a few suggestions off the top of my head. I'm sure there are lots of other things that other people will identify:

1. Check the Hosts file for blocked websites and malicious websites. It is normally located at C:\Windows\System32\Drivers\etc\. If it's not there, look for its location in registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath. If the file is read only, right-click it > Properties and remove the check mark. Now copy it, then make its contents look like this: there will be a number of comment lines (beginning with #) followed by this usual line:
   127.0.0.1 localhost
   The 127.0.0.1 stops access, so if there are entries like 127.0.0.1 coolwebsearch.com, don't remove them as they help to protect the system from malware sites. However, if you see entries with known names like bbc.co.uk or ibm.com you should remove them, as malware is probably trying to block access to them (127.0.0.1) or redirect them (n.n.n.n) to another website.

2. Have a look at these registry keys for rogue programs:
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Explorer.exe only)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit. This should point to the program C:\WINDOWS\system32\userinit.exe and the entry ends in a comma. Any other program names can be removed.

3. Check which programs are running at startup. Rather than using msconfig, use the free Quick Startup (32-bit only). Click on (highlight) an entry, then in the left pane choose Disable, Delete (or, even, Add). If you are unsure about an entry and want to know more about it before disabling or deleting it, highlight it and then click More information at the bottom.

4. A free program, Index.dat Analyzer, will allow you to analyse the index.dat files (browsing history). To run it, click Search to scan for index.dat files, then OK. Select an index.dat file from the Location drop down. Click the relevant heading, e.g. Accessed or Created, to sort the entries into date order, or you can sort them alphabetically by Name. To examine shared network files, click the green plus sign to navigate.

Download Index.dat Analyzer here: http://www.systenance.com/indexdat.php
Download Quick Startup here: http://www.glarysoft.com/qs.html?tag=download
August 5th, 2009 5:43pm
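As an added triage example (not from the thread), the Python below applies the hosts-file and Winlogon checks from points 1 and 2 to copies of the data taken off the machine rather than to the live system: it flags loopback entries for well-known sites and non-loopback redirects, and lists any program in the Shell/Userinit values beyond the defaults the post gives. The known-domain list and the sample hosts content are constructed.

```python
"""Hosts-file and Winlogon triage from the post's points 1 and 2 (added example)."""
import ipaddress
# Sites the post calls "known names"; pinning one to 127.0.0.1 blocks the user. Assumed list.
KNOWN_GOOD = {"bbc.co.uk", "ibm.com", "microsoft.com", "windowsupdate.com"}
EXPECTED_SHELL = "Explorer.exe"                          # per the post
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"  # post: value ends in a comma

# Constructed sample hosts content, not taken from the thread.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       coolwebsearch.com
127.0.0.1       www.bbc.co.uk
192.0.2.10      ibm.com   # a real site pointed at another address
"""

def is_known(name):
    return any(name == d or name.endswith("." + d) for d in KNOWN_GOOD)

def classify_hosts(text):
    """Return (name, ip, verdict) for each hostname entry; comments are skipped."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()     # drop comments, tokenize
        if len(parts) < 2:
            continue                             # blank or comment-only line
        ip, names = parts[0], parts[1:]
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:                       # not an address: skip it
            continue
        for name in (n.lower() for n in names):
            if loopback and name == "localhost":
                verdict = "normal"
            elif loopback:                       # 127.x: blocks the name
                verdict = "suspicious block" if is_known(name) else "block (likely protective)"
            else:                                # n.n.n.n: redirects the name
                verdict = "redirect to " + ip
            findings.append((name, ip, verdict))
    return findings

def check_winlogon(shell, userinit):
    """Return (value, entry) for each program beyond the defaults in Shell/Userinit strings."""
    extra = []
    for value, data, expected in (("Shell", shell, EXPECTED_SHELL),
                                  ("Userinit", userinit, EXPECTED_USERINIT)):
        for entry in (e.strip() for e in data.split(",")):
            if entry and entry.lower() != expected.lower():
                extra.append((value, entry))
    return extra
```

Feed `check_winlogon` the REG_SZ strings exported from the two keys (regedit or reg.exe export), and `classify_hosts` the text of the copied hosts file.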

Hey thanks a lot for your reply and ideas. I'm taking a look at this computer today so I'll definitely keep your thoughts in mind. Thanks again!
August 7th, 2009 7:48pm

Thanks for the thoughts. I hadn't thought of that side of it. I'll talk to the client about it, but I have a feeling he'll want me to look at it anyway, as I know he's already looked at it himself, so probably the whole chain of evidence thing is moot by now anyway. I think he just wants to get an idea of what has been going on at the branch office where the incident occurred. I think mainly he's hoping to get an idea of what the employee was spending their time on since it became obvious she wasn't doing her job. But I will definitely bring the idea up to my client as it's an important point. Any other ideas would be welcome though, if anyone has any... Thanks

--e
August 7th, 2009 7:54pm

Here are a few more ideas that may help:

1. Run your antimalware programs, just in case there has been a deliberate infection.

2. Look for any mail that is still stored on the system, but don't open any mail programs, as creating a new account may overwrite the existing mail boxes/files. Copy the folders/files and look at them on another computer.

3. Log files (*.log) can be quite informative and are usually in a text format, which, fortunately, can be read by Notepad. However, there are so many of them it is difficult to determine which to interrogate. You could look through those with non-meaningful names, e.g. WindowsUpdate.log shows the downloaded updates from Microsoft and can be ignored.

4. A free program, SIW, will tell you everything about the computer's hardware and software. To see what software is installed, click Installed Programs in the left pane. Also in the left pane is Secrets, which will show some, but not all, of the passwords stored on the system.

SIW, here: http://www.gtopala.com/
August 7th, 2009 8:44pm

