History on a Computer\ Computer Forensics

0 Votes
Locked

shhite
I have a user that wipes his computer clean every time it comes into the IT department. By that I mean he gets rid of all his internet history and recently opened docs and programs. They aren't even in the registry anymore. I know the information is still in the memory of the hard drive somewhere and I need to see what he has been up to. Does anyone have a good program that is not too expensive that will pull this information?

The OS is Windows XP with sp3. It is a Panasonic CF_51 laptop.

Thanks

Shanon
  • 0 Votes
    OH Smeg

    But it's definitely not cheap. However, some other TR members swear by Gibson Research SpinRite; you can have a look at it here:

    http://tinyurl.com/yvrsl

    As I have never used this product I'm not sure if it will do what is required here but other users may be able to help you out with an answer to that.

    Col

    0 Votes
    shhite

    I like Ontrack but I cannot spend that kind of money. SpinRite I have looked at before and I'm not sure it is quite what I am looking for. But as always, thanks for your suggestions!

    0 Votes
    shasca

    Try Undelete; it works fast and it's fairly simple. Only 50.00.
    The demo will let you see what you can recover before you have to pay.

    http://www.winundelete.com/?rid=google&kid=wu0401

    0 Votes
    shhite

    Undelete looks like what I was looking for. Thanks!

    0 Votes
    normhaga

    R-Studio's for most applications. Its cost is not too bad.

    Whether you can recover or not depends on how the data is deleted. If he uses a USB install of Evidence Eliminator or another secure delete utility, forget it.

    Rather than recover files to spy on him, why not be more open and install a keylogger or VNC? If you are legitimate, then he cannot object. If you are being needlessly nosy, then he has a legitimate complaint and need.
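    The two points made in this thread so far (the original poster's "the information is still on the hard drive somewhere" and the reply above's "if he uses a secure delete utility, forget it") can be shown side by side with a small signature-carving script. This is an added example written for this page, not code from any poster or from the tools they name. It builds a constructed 16 KiB "disk image" containing a simplified Internet Explorer index.dat (the Windows XP history database; only the file's header string is the real on-disk signature, the record layout is reduced to what the carver needs), then compares what a carver recovers after an ordinary delete versus after a one-pass overwrite. The URLs, offsets and filler are all constructed.

```python
import random
import re

# Header that Internet Explorer 5-8 writes at byte 0 of index.dat, the file that
# held browsing history on Windows XP. Everything else in this example is a
# constructed stand-in, not a real disk image.
INDEX_DAT_MAGIC = b"Client UrlCache MMF Ver 5.2\x00"
RECORD_MAGIC = b"URL "   # tag that opens each visited-URL record
BLOCK = 128              # index.dat allocates records in 128-byte blocks
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def build_index_dat(urls):
    """Simplified index.dat: one header block, then one 128-byte record per
    URL (real records carry timestamps and offsets we do not need here)."""
    data = bytearray(INDEX_DAT_MAGIC.ljust(BLOCK, b"\x00"))
    for url in urls:
        data += (RECORD_MAGIC + url.encode("ascii") + b"\x00").ljust(BLOCK, b"\x00")
    return bytes(data)


def build_disk_image(urls, file_offset=4096, size=16384, seed=1):
    """Constructed 16 KiB 'disk': pseudo-random filler with the fake index.dat
    written at file_offset. Returns (image, offset, length)."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    blob = build_index_dat(urls)
    image[file_offset:file_offset + len(blob)] = blob
    return image, file_offset, len(blob)


def normal_delete(image, offset, length):
    """Clearing history or deleting the file only drops the directory entry;
    the clusters keep their bytes until the filesystem reuses them. Modelled
    here as leaving the data untouched."""
    return bytearray(image)


def secure_delete(image, offset, length):
    """A wipe utility overwrites the clusters before unlinking. One pass of
    zeros is enough to defeat signature carving."""
    wiped = bytearray(image)
    wiped[offset:offset + length] = b"\x00" * length
    return wiped


def carve_history(image):
    """Signature carving: locate every index.dat header, then walk forward in
    128-byte blocks collecting URL records until a block no longer starts
    with the record tag. Returns [(offset, url), ...]."""
    found = []
    start = 0
    while True:
        pos = image.find(INDEX_DAT_MAGIC, start)
        if pos < 0:
            break
        cursor = pos + BLOCK
        while image[cursor:cursor + len(RECORD_MAGIC)] == RECORD_MAGIC:
            m = URL_RE.search(bytes(image[cursor:cursor + BLOCK]))
            if m:
                found.append((cursor, m.group().decode("ascii")))
            cursor += BLOCK
        start = pos + 1
    return found


if __name__ == "__main__":
    visited = ["http://example.test/timesheet", "https://example.test/webmail"]
    image, off, n = build_disk_image(visited)
    print("after normal delete:", carve_history(normal_delete(image, off, n)))
    print("after secure delete:", carve_history(secure_delete(image, off, n)))
```

    The carver ignores the filesystem entirely and only looks for the header string, which is why it still finds the records after a normal delete: the directory entry is gone but the clusters are intact. The same scan returns nothing once the clusters have been overwritten, so the practical question for the poster is which of the two the user is actually doing, not which recovery product to buy.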

    0 Votes
    shhite

    I like that idea. Do you have any suggestions? We don't usually have to go to this extreme. Most of our drivers are not computer literate enough to hide what they are doing.

    Thanks

    0 Votes
    normhaga

    Depends on what you want to do and how. A keylogger will give you the keystrokes the user performed after the fact. VNC will allow you to review what he is doing as s/he does it.

    VNC also has the advantage of being able to record what is occurring in the event of collecting evidence.

    I have forgotten the URLs but a quick Google will give that. Search for VNC reader and then look into the enterprise edition.

    0 Votes
    IC-IT

    Simply type in his computer name (Explorer address bar) and peek when he doesn't expect it. You must have admin privileges on his computer.

    \\Computername\c$

    Navigate to Local Settings - History.

    0 Votes
    shhite

    This would only work if he was actually inside our internal network, which he is not. Most of the time the laptop is either at his house or inside his truck connected with a Sprint card. But that is a good suggestion.

    0 Votes

    Shanon,

    I would try Helix (you can download the ISO file) or FTK to view this stuff. Helix runs from the CD so it is a bit slow, but it works. Also, search the registry for a "U3" entry. If there is one, you should find a Cleanup.exe entry too. This means that he or she is running a browser and other apps from a U3-enabled flash drive and not the PC directly. This will make it hard to find anything.

    Hope it helps

    Surfgoddess...
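    The registry check suggested in the post above can be done offline against a hive exported with regedit or reg.exe, which fits the poster's situation where the laptop is rarely on the internal network. The script below is an added example written for this page, not code from the poster or from any named tool. It parses the .reg export text format and reports every key or value mentioning "U3" or "Cleanup.exe"; the sample export embedded in it is constructed, and the U3-related key and value names in it are placeholders, not the entries a real U3 drive writes.

```python
import re

# Constructed .reg export used as sample input. The Run and Uninstall paths are
# standard Windows locations; the PLACEHOLDER_* names are invented for this
# example and are not the real keys a U3 launcher creates.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CURRENT_USER\Software\PLACEHOLDER_U3_Vendor\U3 Launchpad]
"LastDevice"="E:\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PLACEHOLDER-U3-App]
"DisplayName"="Example Portable Suite"
"UninstallString"="\"E:\\System\\Apps\\Cleanup.exe\" /remove"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"=data or @=data; the name may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
INDICATORS = ("u3", "cleanup.exe")   # case-insensitive substrings to flag


def read_reg_export(path):
    """regedit on XP writes UTF-16LE with a BOM; reg.exe may write ANSI.
    Returns the export as text either way."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def find_u3_indicators(reg_text, indicators=INDICATORS):
    """Walk a .reg export line by line, tracking the current key, and return
    one dict per key or value whose text contains any indicator. Hex value
    continuation lines match neither pattern and are skipped."""
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            matched = [tok for tok in indicators if tok in current_key.lower()]
            if matched:
                hits.append({"key": current_key, "name": None,
                             "data": None, "matched": matched})
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name = m.group("name") if m.group("name") is not None else "(Default)"
            data = m.group("data")
            text = (name + "=" + data).lower()
            matched = [tok for tok in indicators if tok in text]
            if matched:
                hits.append({"key": current_key, "name": name,
                             "data": data, "matched": matched})
    return hits


if __name__ == "__main__":
    for hit in find_u3_indicators(SAMPLE_REG_EXPORT):
        where = hit["key"] if hit["name"] is None else hit["key"] + " -> " + hit["name"]
        print(", ".join(hit["matched"]), "|", where)
```

    To run it against a real machine, export the hives with `reg export` (or regedit's File > Export) and pass the file through `read_reg_export` before calling `find_u3_indicators`. A hit is only a lead: it tells you the software has been present, which is what the post above is after, not that the user's browsing happened from the drive on any particular day.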
