Stolen Laptop Issues

By NebIT
I am curious to gain some thoughts from you all about a security issue we had here a few months back. To make a long story short, we had one of our company laptops "disappear" due to bad management and check-in/check-out policies. Then this machine reappears in the same place it should have been a year later.

The system is older and has no security put in place, etc. It was never a part of a domain, etc. In addition, there were no login requirements.

I have a good idea of which employee had this machine during this period; now comes the time to prove my suspicions. When going through this machine, what can I use to verify that this person had the machine?

There were some documents created/modified which appear to belong to the suspect; however, how can this be made to stick if anyone could change the date, etc.? :) Other ideas? Tips?

Thanks!

Proof

by timwalsh In reply to Stolen Laptop Issues

It's probably too late to have it dusted for fingerprints.

How would you rate the computer skills of the person you suspect? If the person is fairly competent, he may have been able to delete all traces of his usage.

If the person isn't very smart (how smart do you have to be to return a laptop a year after taking it and hope it won't be noticed), I would start with cookies. If the person accessed any websites where he had to register, that information may exist in the cookies somewhere if they haven't been deleted.

I would also look for any lingering email.

Run a data recovery and/or Undelete utility to see if you can recover more incriminating documents that may have been deleted by the thief (in the hopes of covering his tracks).

As far as what you have already discovered:
Yes, anybody could change the date on the document, but it takes some work by a knowledgeable individual to change the creation date of the file.

You may not be able to collect the right type of evidence to see the person prosecuted legally because of such things as burden of proof, chain of custody of the evidence, contamination of evidence, etc. But unless this employee was knowledgeable enough to cover his tracks well, there is a good chance you can come up with enough evidence for someone in management to conclude that (absent a conspiracy) your suspect probably had possession of the laptop during the period it was missing.

Good luck.

by NebIT In reply to Proof

Thank you for the reply. You are correct, it is much too late to dust it for fingerprints. The computer skills of the user are a little above average, a "MP3 Music Burning, take things into own hands" type of guy. I will go through the cookies and see what I could come up with.

As for the files which are files that belong to him (reports, etc.), perhaps you or others could explain the "created" and "modified" dates on the files. Does the "created" date follow a file? For example, if I created a .doc file on machineA, giving it a created date of 10/10/03, then copied said file to disk and transported it to machineB three days later, would the file have a 10/10/03 "created" date on machineB or a 10/13/03?


Thanks all
