Security Basics mailing list archives
Re: Hard Drive Forensics Question
From: Adam Pal <pal_adam () gmx net>
Date: Fri, 3 Oct 2008 20:40:27 +0200
Hello Matt, What are the terms and conditions of the company concerning usage of private notebooks and company-own portable media devices? If none existant why does he care? The company cannot prove that he violated any agreements since those does not exist. Certainly, the company can be curious where dataleakage can occur, but personaly i dont agree that the 2 inflicted parties should have direct communication, means, the company can use ANY piece of evidence which it finds or can place an evidence where there is none, this wont work. I recommend to imply a 3rd person, a consultant who will be in charge to evaluate the claim and back up the evidence. A consultant is bound by his contract and cannot simply disclose sensitive private data to the company, he will do only his job and check for a data leakage. That would satisfy both parties, but simply hand over an immage to the company is critical. Maybe this is not the reply to your question, but take it as a point of view how things should work. -- Best regards, Adam Pal Thursday, October 2, 2008, 9:09:45 PM, you wrote: <==============Original message text=============== MP> I'm trying to answer a question for a customer regarding historical file MP> copying on his personal Mac computer. I'm not sure if this is the right MP> list to post this to; please redirect me if I should be asking this MP> elsewhere. MP> Equipment Details: MP> Powerbook G4 with a 75 GB hard drive - purchased 3 or 4 years ago. MP> Samsung Pleomax USB power drive. MP> Background: MP> His former employer believes that documents on this external device MP> might have been copied to his personal Powerbook. They are demanding MP> that he allow them to have the drive imaged so that they can determine MP> prove whether he did or did not copy these files to his home computer. MP> The weekend before he left his former employer he opened several MP> documents on this external device using MS Office and maneuvered others MP> using Finder. According to my customer all files opened were on USB MP> drive and then saved back to it. MP> He left the company six months ago. When he left his former employer six MP> months ago he returned the Pleomax drive to them. MP> Question: MP> My opinion is that looking at an image of his personal computer's hard MP> drive will not prove conclusively whether or not he saved files from the MP> company's Pleomax to his personal computer. Can someone either validate MP> that or indicate why the image would provide that information? MP> He is prepared to allow his personal computer's hard drive to be imaged. MP> I am concerned that doing so will breach his own privacy since he stores MP> personal finance, correspondence, etc. on it. MP> Thanks so much. MP> Matt <===========End of original message text===========
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Re: Hard Drive Forensics Question, (continued)
- Re: Hard Drive Forensics Question anonymous pimp (Oct 07)
- Re: Hard Drive Forensics Question Ansgar Wiechers (Oct 07)
- Re: Hard Drive Forensics Question Ansgar Wiechers (Oct 06)
- Re: Hard Drive Forensics Question Morgan Reed (Oct 07)
- RE: Hard Drive Forensics Question Landriault, Yan (Oct 03)
- RE: Hard Drive Forensics Question Murda Mcloud (Oct 06)
- Re: Hard Drive Forensics Question Jason Ross (Oct 03)
- Re: Hard Drive Forensics Question Marc-André Laverdière (Oct 03)
- Re: Hard Drive Forensics Question Mike Hale (Oct 03)
- Re: Hard Drive Forensics Question Josh Stone (Oct 03)
- Re: Hard Drive Forensics Question Adam Pal (Oct 03)