Security Basics mailing list archives

Re: Hard Drive Forensics Question


From: Josh Stone <joshs () illinois edu>
Date: Fri, 3 Oct 2008 09:36:34 -0500

Matt:

> My opinion is that looking at an image of his personal computer's hard drive
> will not prove conclusively whether or not he saved files from the company's
> Pleomax to his personal computer. Can someone either validate that or
> indicate why the image would provide that information?

Even if deleted, if the files were copied to his drive they may still exist in
unallocated clusters.  After six months, though, if he has a mostly-full drive,
and does lots of work on it, that's increasingly unlikely.  Deleted files are
only unlinked, not actually scrubbed from the disk.

What is slightly problematic here is if this person used software that may have
created a cached or temporary copy of the files on his drive.  I would be
nervous about handing the drive over because software behaves increasingly evil
these days.  I.e., there's a difference between an intentional copy, and an
unknown software-cached copy. 

> He is prepared to allow his personal computer's hard drive to be imaged.  I
> am concerned that doing so will breach his own privacy since he stores
> personal finance, correspondence, etc. on it.

Why?  Is there a court order?  Was this a clause in his employment contract?
That's nuts.  They do not have the right to take his personal property.  If
they were dumb enough to let him use his personal machine, or trusted him
enough to let him have them on a USB disk, then it's just tough apples for
them.  

If he does something evil with the data, they can sue.  If he breached his
agreements with the company or employment contract by using his personal
machine, then they can take that to court.  Then you'll have a convenient court
order, and there will be no question about whether to do it.

You should probably talk to a lawyer.  If they're out to get him because of
some ill will, there may be other things on his computer that may be useful to
them.  Make sure (from a qualified legal advisor, unlike me) that you only do
what you have to.

-Josh Stone-
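
The point in the message above about unlinked files and unallocated clusters, as an added example that is not part of the original post: a toy disk model showing that deletion leaves the bytes recoverable until later writes reuse the clusters. The `ToyDisk` class, the file names, the marker string and the lowest-free-cluster-first allocation are all assumptions made for illustration; real file systems allocate differently.

```python
# Toy model, constructed for illustration: a "disk" of fixed-size clusters and
# a directory. Assumption: the lowest-numbered free cluster is allocated first.
CLUSTER = 16

class ToyDisk:
    def __init__(self, n_clusters):
        self.data = bytearray(n_clusters * CLUSTER)  # raw cluster contents
        self.files = {}                              # name -> cluster numbers
        self.free = list(range(n_clusters))          # unallocated clusters

    def write(self, name, content):
        need = -(-len(content) // CLUSTER)           # ceiling division
        if need > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(used):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.files[name] = used

    def delete(self, name):
        # Deletion only unlinks: clusters go back to the free list and the
        # bytes stay on disk until something else is written over them.
        self.free.extend(self.files.pop(name))
        self.free.sort()

    def carve(self, marker):
        # What an examiner does with an image: scan unallocated clusters
        # for known content. Returns the cluster numbers that still hold it.
        return [c for c in self.free
                if marker in self.data[c * CLUSTER:(c + 1) * CLUSTER]]

def demo():
    disk = ToyDisk(8)
    # Constructed sample content: two clusters, each starting with the marker.
    disk.write("plan.doc", b"ACME-PLAN-0001--ACME-PLAN-0002--")
    disk.delete("plan.doc")
    after_delete = disk.carve(b"ACME-PLAN")      # both clusters still readable
    disk.write("holiday.jpg", b"x" * 16)         # light use reuses one cluster
    after_light_use = disk.carve(b"ACME-PLAN")   # one fragment survives
    disk.write("music.mp3", b"y" * 100)          # heavy use fills the disk
    disk.delete("music.mp3")                     # clusters free again, but overwritten
    after_heavy_use = disk.carve(b"ACME-PLAN")   # nothing left to recover
    return after_delete, after_light_use, after_heavy_use

if __name__ == "__main__":
    print(demo())
```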

