This was the statement made to me by my boss. What is interesting is I am a newbie when it comes to forensics, so let's get to this. The chain of evidence has been preserved: I have an image of the hard drive and the original is locked in a lawyer's safe. So that is not an issue. The system was not properly handled because it was a laptop and the user "turned it in" before he left, so it has been rebooted... Nothing I can do there.
The drive has 2 partitions on it: a Win2k and a Linux (Red Hat). Now I have gone through the tutorials and I plan on using the tools recommended (awesome info, guys, thanks) to analyze the Win2k partition; however, I get a sneaking suspicion that if this character was doing anything, it was while in Linux. The first step is to get past the password. I am researching that today and hope to have it solved by the time you read this.
My question is: are there freeware forensic tools that can give you the same type of information as those tools created for Windows?