
Need advice on discovering and restoring maliciously deleted files

 
sybylla Donating Member (1000+ posts) Thu May-27-10 09:56 AM
Original message
Need advice on discovering and restoring maliciously deleted files
Employee deleted evidence of their embezzlement crimes from the office computer. Can't get the police involved until we have evidence to show.

I'm guessing there are some standard procedures and tools to use that won't "taint" the evidence and might even help the police.

struggle4progress Donating Member (1000+ posts) Thu May-27-10 01:14 PM
Response to Original message
1. if this will produce a lawsuit or prosecution, pay for professional help
I hope the computer is currently not being used at all. What you can get back may depend on exactly how and when stuff was deleted and what's happened since. Call around and get some recommendations about people who know what they're doing; maybe law enforcement or the DA's office can make some suggestions. I'd guess it may cost you a few grand, depending
 
canetoad Donating Member (1000+ posts) Thu May-27-10 01:26 PM
Response to Original message
2. Yep, I'm with Struggle here
You need to be able to document the recovery process and authenticity of the deleted files, so get it done professionally and keep all the paperwork.
 
MyNameGoesHere Donating Member (1000+ posts) Thu May-27-10 02:40 PM
Response to Original message
3. Well I hate to say it but you're probably too late.
Computer forensics is very complicated and has strict standards. Having been involved in a number of incidents from kiddy porn to corporate espionage, I can tell you that if you haven't already secured the evidence and contacted a forensics specialist, you have tainted the evidence. A smart lawyer would tear it to pieces.
 
RoyGBiv Donating Member (1000+ posts) Thu May-27-10 03:41 PM
Response to Reply #3
4. Ditto ...

This is the kind of thing you have to have a plan for prior to the fact of needing it done. It needs to be a part of a firm's standard operating procedures.

 
sybylla Donating Member (1000+ posts) Thu May-27-10 10:10 PM
Response to Reply #3
5. I realize that, but this will hopefully lead to other evidence.
The computer hasn't been used since the employee left. It's still in the custody of the business owner. And the police won't touch the case until you have some modicum of evidence something has happened. But when you keep your books on computer with no backup or paper records, (not me but a friend who didn't know better), you need a place to start. I think the best we can hope for is that this hard drive analysis will lead to other hard, unimpeachable evidence.

We've been contacted by this friend because we have our own computer/controls business, but have not had need to engage in this kind of forensic work before. How that will affect our credibility in trial would need to be sorted out.

Expensive forensic work is out. My friends have been essentially bankrupted by these actions and cannot afford it.

On the other hand, I know the DA and can probably give his office a call to see what he recommends is the proper way to proceed and what value if any the recovered materials will have in a trial.

That doesn't change the fact that I will probably need to make a basic attempt to at least see what's on the hard drive.

So, we will begin by using an Ubuntu utility to copy the hard drive byte for byte and start work on the copy, leaving the original untouched.

I still need suggestions, depending on the advice of the DA's office, for software and tools to analyze the files on the copied drive and attempt to retrieve the deleted work.

Can you help?
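
The byte-for-byte copy described in the post above is normally paired with a cryptographic hash of the source and of the image, so the working copy can later be shown to match the original. This is an added example, not part of the original thread; the function names, file names and log format are assumptions, and a constructed file of random bytes stands in for the drive.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): image a source byte for byte, hash it,
# and keep a log so the working copy can be shown to match the original.
# The source should be unmounted and, ideally, attached through a write blocker.

sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# acquire_image SRC IMG LOG: returns 0 only if source and image hashes match.
acquire_image() {
    local src="$1" img="$2" log="$3" src_hash img_hash
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$img" ]; then echo "refusing to overwrite $img" >&2; return 2; fi

    src_hash=$(sha256_of "$src")                      # hash before copying
    # Plain dd stops on a read error; a failing drive needs a rescue-oriented tool.
    dd if="$src" of="$img" bs=1M 2>>"$log" || return 2
    img_hash=$(sha256_of "$img")
    chmod a-w "$img"                                  # guard against accidental writes

    {
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src"
        echo "image=$img"
        echo "source_sha256=$src_hash"
        echo "image_sha256=$img_hash"
    } >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG LOG: re-hash the working copy and compare with the logged value.
verify_image() {
    local img="$1" log="$2" recorded
    recorded=$(sed -n 's/^image_sha256=//p' "$log" | tail -n 1)
    [ -n "$recorded" ] && [ "$(sha256_of "$img")" = "$recorded" ]
}

# Constructed demo: a 3 MiB file of random bytes stands in for the drive.
demo() {
    local d; d=$(mktemp -d)
    head -c 3145728 /dev/urandom >"$d/disk.raw"
    acquire_image "$d/disk.raw" "$d/evidence.img" "$d/acquire.log" &&
        verify_image "$d/evidence.img" "$d/acquire.log" &&
        cat "$d/acquire.log"
    local rc=$?; rm -rf "$d"; return $rc
}
demo
```

Running `verify_image` again before and after each analysis session shows whether the working copy has changed since acquisition.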
 
MyNameGoesHere Donating Member (1000+ posts) Fri May-28-10 06:51 AM
Response to Reply #5
6. These guys are the standard on tools
http://www.cftt.nist.gov/

Also the National Computer Forensics Institute sometimes has cheap or free information. However I must say again, this system sounds like it has already violated the minimum data and probably worse. Just turning it off can be construed in court as causing tainted data.

I wish you luck but once again, I STRONGLY suggest you get professionals. I mean REALLY strongly suggest.
 
sybylla Donating Member (1000+ posts) Thu Jun-03-10 08:21 AM
Response to Reply #6
10. Looks like a good one.
Thanks for posting it.
 
canetoad Donating Member (1000+ posts) Fri May-28-10 08:05 PM
Response to Reply #5
7. I found this by accident
browsing an oil spill related link from GD. It may be of interest.

The Know-IT-All’s Guide to eDiscovery (ebook)

Overview: eDiscovery refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. eDiscovery can be carried out offline on a particular computer or it can be done on the network. Recent amendments to the Federal Rules of Civil Procedure (FRCP) highlighted that electronically stored information (ESI) is a discoverable record type and should be treated as any other type of evidence.
http://www.informationweek.com/whitepaper/Internet/E-Business-E-Commerce/the-know-it-all-s-guide-to-ediscovery-ebook-wp1274287152571;jsessionid=2V4IFW0F4BK13QE1GHPCKHWATMY32JVN?articleID=143800006&cid=well1_wp_govt
 
sybylla Donating Member (1000+ posts) Thu Jun-03-10 08:20 AM
Response to Reply #7
9. Thanks
I'll look into it.
 
EvolveOrConvolve Donating Member (1000+ posts) Sun May-30-10 10:35 AM
Response to Original message
8. Call a good forensics analyst ASAP to take custody of the machine
That's the only way you're going to adequately protect the chain of custody (which may already be tainted).

Embezzlement doesn't happen in a bubble - there are other ways to find evidence of the crime. Financial transactions at the business's bank are a good starting point. Anything suspicious can be used as probable cause by law enforcement or a prosecutor to get a subpoena for the suspect's personal and financial information. These crimes are actually fairly easy to put together since everything is tracked now. Unless you're in a business that keeps huge amounts of cash lying around, there's a trail somewhere.
 