Daily Blog #35: Sunday Funday 7/28/13 - Finding the Culprit

Finding the Culprit Challenge


Hello Reader,
           It's that time again, Sunday Funday time! For those not familiar every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week we have quite the prize from our friends at the Paraben Forensic Innovations Conference.

The Prize:


. A free Specialist track ticket to PFIC (worth $399)

The Rules:


1. You must post your answer before Midnight PST (GMT -7)
The most complete answer wins.

2. You are allowed to edit your answer after posting.

3. If two answers are too similar for one to win, the one with the earlier posting time wins.

4. Be specific and be thoughtful.

5. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com.

6. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post.

The Challenge:


I'm going to step down the difficulty from last week, I may have been asking for a bit much on a Sunday. So this weeks question is going back to basics:

For a Windows 7 system:


Your client has provided you with a forensic image of a laptop computer that was used by an ex-employee at their new employer, it was obtained legally through discovery in a litigation against them. You previously identified that the employee took data when they left. Where on the system would you look for the following:

1. The same external drive was plugged into both systems.

2. What documents were copied onto the system.

3. What documents were accessed on the system.

As a reminder I'll be speaking at PFIC and the agenda is pretty great this year, I hope to see you there! This should allow everyone a good shot at playing, but this answer can go very, very deep. I'm excited to see your answers, good luck!

Also Read: Daily Blog #34

Post a Comment