Recovery of Information/Disgruntled Employee

X

XorSystem

Weaksauce
Joined
Feb 5, 2004
Messages
72
Not completely sure that this is in the right place but I'll throw it up here anyway.

We have a very...... eccentric employee who has had a laptop assigned to him years before I even came on-board and started cracking down on security and inventory. As politics go in the workplace, I've never been able to touch this laptop, or even see it most of the time.

He has been doing our front-end web designing for approx. 4 years more or less, and is in possession of a lot of purchased images and photographs.

Yesterday, he was fired for many, many, many unmentionable reasons and we requested that he give us the laptop. To my supervisor, he stated that he didn't have it, yet it has come to light that many people saw him with it earlier in the day.

My big question is essentially, what are my options for data recovery if he was to erase a lot of the images.

The laptop is a Macintosh, iBook as far as I know. I don't know the OSX version because, like I said, I haven't been able to touch it.

I'm just curious if there are some decent recovery tools. It was a horrible mistake to let him take it home last night, regardless of if he lied about it, and I'm afraid that we are going to lose a lot of money on this.

Recommendations?
 
Probably should have got the laptop before he was fired. Recovery tools arent going to help if he DODs the hard drive.

Also, I am getting from your tone that this was the only place that the data was stored. Shame Shame. I dont want to say its your fault this happened but if proper backups were in place along with a policy requiring him to bring the data in to be backed up this probably wouldnt have happened...
 
Yeah, you should have taken the laptop before it's ceased. I would look to the legal team for further advice.
 
I sure hope the company has proof of the purchases and some record of him being issued the laptop. Your company may need to pursue legal means for reimbursement of the lost hardware and purchased images.
 
If he does wipe the drive you could send it to OnTrack to see if they can recover any of the data. We've used them a few times to recover data from dead drives, one of which was in a fire.
 
If you want to do the work yourself, Black Bag is the specialist in Mac Forensics and makes a number of h/w and s/w products for that. For Mac forensics, EnCase will work, but is expensive. Sleuthkit/Autopsy is a set of free, OSS forensic tools that could help recover the stuff, and they're what I prefer to use.

It all depends on what he does with it. If he just deletes the files, you can recover most. If he formats, you're still good. If he wipes the drive, you're probably screwed.
 
encase, helix , fdk come to mind. most of the time you will be able to get some data from it.
 
In a lot of states you can get in serious legal trouble for deleting/keeping/screwing up corporate data. Perhaps a quick strongly worded letter form the corporate lawyer will do the trick.
 
A letter of demand from corporate lawyers should clear the issue up. In the end remember,

(assuming the laptop was/is company property)

The use of company property by employees is needed for them to do thier jobs but that does not indemnify them of any monitoring or even asking of work done back.
 
Data Rescue has always gotten data back for me on employees machines that have tried similar things. One employee even deleted a bunch of images off our XServe (he found out he was being let go before access was pulled). We still were able to recover all of them.
 
I am surprised that people continue to delete data on company drives when criminal charges can be filed against such actions. It's just stupid.
 
You must log in or register to reply here.
Back
Top