Re: Hard Drive Forensics Question

["Mike Hale" <eyeronic.design () gmail com>]

He needs to consult with a lawyer about whether it is legal for his
former employer to demand his hard drive.  I believe he can refuse
their request, and win any lawsuit they may file in return.  HOWEVER.
I am not a lawyer, and my advice should not be given any weight (other
than to go and talk to a lawyer).

"My opinion is that looking at an image of his personal computer's hard drive
 will not prove conclusively whether or not he saved files from the company's
 Pleomax to his personal computer"

You're correct.  As the computer has been out of the control of the
examiner for over 6 months, he or she can not verify that the files
did not exist, at one point or another, on that machine.  They'll say
that the files aren't there now, and that they can't find any trace of
them, but they will not say that those files were never copied to the
computer.

So again.  Tell him to consult a competent attorney and then tell his
former employer to pound sand.

On Thu, Oct 2, 2008 at 12:09 PM, Matt Perry <mattp () pobox com> wrote:
> I'm trying to answer a question for a customer regarding historical file
> copying on his personal Mac computer. I'm not sure if this is the right list
> to post this to; please redirect me if I should be asking this elsewhere.
>
> Equipment Details:
> Powerbook G4 with a 75 GB hard drive - purchased 3 or 4 years ago.
> Samsung Pleomax USB power drive.
>
> Background:
> His former employer believes that documents on this external device might
> have been copied to his personal Powerbook. They are demanding that he allow
> them to have the drive imaged so that they can determine prove whether he
> did or did not copy these files to his home computer.
>
> The weekend before he left his former employer he opened several documents
> on this external device using MS Office and maneuvered others using Finder.
>  According to my customer all files opened were on USB drive and then saved
> back to it.
>
> He left the company six months ago. When he left his former employer six
> months ago he returned the Pleomax drive to them.
>
> Question:
> My opinion is that looking at an image of his personal computer's hard drive
> will not prove conclusively whether or not he saved files from the company's
> Pleomax to his personal computer. Can someone either validate that or
> indicate why the image would provide that information?
>
> He is prepared to allow his personal computer's hard drive to be imaged. I
> am concerned that doing so will breach his own privacy since he stores
> personal finance, correspondence, etc. on it.
>
> Thanks so much.
>
> Matt



-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0