Here have a look at this hard drive

[nihil]

I get a sneaking suspicion that if this character was doing anything it was while in Linux. The first step is to get past the password

Three questions:

1. If this is a corporate property box, why don't you have the password anyway?.......which password is it?.......like are these lower level user passwords, encryption hashes or what?

2. What do you suspect the character might have been "doing"?

3. Who obtained this "image" and how did they do it?

Cheers

[thread_killer]

If there is concern there may be something on the hard drive that could result in criminal prosecution, send it to a company that specializes in that type of data recovery. Why further potentially foul the integrety of the evidence by dorking around with it?

If you are just snooping around for a good reason to fire somebody (ie, inappropriate web surfing, violating company email policy, etc.) by all means, play around with the image of the hd all you want.

I think it comes down to a question of "how important is it to prove we didn't alter data after the lap top was turned in"?

As a confessed forensics newbie, a good defense attorney is going to make you and everyone else who touched that thing look either malicious or incompetent and bring the credibility of the data into question. Remember the O.J. Simpson trial? The entire LAPD was a racist institution that was trying to frame Mr. Simpson because he had the gall to marry (and divorce) a pretty white girl. At least, that is what the defense team told the jury, and it worked.

So if there is the possibility of jail time attached to what may be on that disk, I say don't even fool with it. Let someone else get called up on the witness stand to justify his methodology.

[nihil]

If you are just snooping around for a good reason to fire somebody (ie, inappropriate web surfing, violating company email policy, etc.) by all means, play around with the image of the hd all you want.

Hey, were we not told that the machine had been handed in?

Like yourself I get a distinct aroma of rodent here?............how do we know that this is not a stolen box, and someone is trying to get data off it...........

If it is really "in a lawyer's safe" then I would imagine that the employment of a competent forensic analyst would be justified?..........hell, aren't lawyers expensive enough?

Social engineering?

Just my thoughts...........OH and uno digerati means one finger to the non cognoscenti

[uno_digerati]

First let me address Nihil concern........Look for posts from me over the last week and you will discover that I am just a guy trying to do his job. I have been reading information off this board for a while now and know the brain trust that exists here is AWESOME and sometimes paranoid. If you are concerned I am trying to trick you into revealing something that you shouldn't then maybe research some of the other posts the user makes before you make the accusation in their thread.......As a senior member of this site your "opinions " carry weight and you should consider that. Now I feel I have to spend time defending the validity of this thread. Enough said, no hard feelings....Like I said sometimes paranoid.

THE Drive:
The hard drive belonged to the previous security person. The concern is that he was into things that he had no business in and while that will be easy to look at on the NT partition (corporate install) the linux partition will be more of a challenge for me (his install).
The company does not want to pay for a $30k tool or to hire a consultant to do the legwork on the drive. I am it.....It is my job because I am the "network security guy" so I am supposed to know it all........Sound familiar
There is a corporate legal team and so they are holding the original drive which was imaged from Ghost.
The point is if I find something then the company will decide how to proceed and if they want to prosecute they will take my findings and send them to a "expert" with the original drive who will go to court.....not me

Thanks for the information especially from Devprn, TigerShark, and CHSH......Great resources thanks again!!!!

If anyone has anything else I am all ears...........

[Tiger Shark]

Now I feel I have to spend time defending the validity of this thread.

Don't bother..... I'll vouch for you......

I was going to PM you and tell you about Nihil, I got sidetracked.... He's a good guy too and has a pretty good nose for "rats"..... Suspicious barely begins to describe him.....