Re: Hard Drive Reformat Date
From: x y (jamescagney90210@excite.com)
Date: 07/05/02
- Next message: Rob: "Re: Please help!"
- Previous message: x y: "Re: IIS configured for Local Host only behind NAT router - how risky?"
- In reply to: Michael Hamilton: "Re: Hard Drive Reformat Date"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "x y" <jamescagney90210@excite.com> Date: Fri, 5 Jul 2002 15:38:47 -0400
Law enforcement does have access to some forensics tools [to recover deleted
files, formatted files, files from slack space, etc.] that are not available
to the general public, or if they are, it is not cheap. I do think it is
possible to unformat drives with the right utility, but it might not be
free. Once you unformat the drive, you may have clues as to what was done
to the drive and when, but I think you will only see what was done within
windows. If the format was done within DOS, I would be surprised if anyone,
including law enforcement, could tell when the drive was formatted and by
whom. Since there is no login ID required to boot up a system to a dos boot
disk, the format command would have no idea who was running the format....
and I bet there is also no timestamp on the system as to when the drive was
formatted.
"Michael Hamilton" <mthtlh@charter.net> wrote in message
news:3D25956A.7030105@charter.net...
> I have heard that some of the law enforcement agencies have the
> capability to do what I am looking for. I thought someone else might
> know how to do this also.
> --------------
> x y wrote:
>
> > I could be wrong, but I don't think you're likely to learn the date,
time
> > and user. I think Norton Utilities is one way to unformat drives. I
don't
> > think the archive bit is a reliable way to determine whether a file has
been
> > copied or not. Only a log file such as the log file for the backup
software
> > used or Windows auditing of file access success [which is probably not
> > turned on] would tell you that, and that would be a large and messy log
> > file.
> >
> > If you get any information regarding what was done on this PC, I would
think
> > it would only be by unformatting the disk and looking at the files and
the
> > logs on the PC, and that's probably only if the operations in question
were
> > done within windows.
> >
> >
> > "Michael Hamilton" <mthtlh@charter.net> wrote in message
> > news:3D2465CC.1030007@charter.net...
> >
> >>We had a group of employees that left the company and when we checked,
> >>their hard drives, they had been reformatted. Is there a way to
> >>determine the date, time, user, etc. that they were reformatted? What
> >>are some recommended tools to unformat them so we can recover the data
> >>they erased? We are a small company so our IS staff consists of the
> >>local PC geeks and we are not experienced in these types of issues.
> >>
> >>Is there also a way to determine if they made backup copies of their
> >>data files and when the copies were created? The Archive bit is
> >>normally affected by backup programs but does not appear to be affected
> >>by just doing copies or by using a CD program such as Easy CD Creator.
> >>
> >>Please reply to the group and to my e-mail: mthtlh@charter.net
> >>
> >>Thanks,
> >>Michael Hamilton
> >>
> >>
> >
> >
>
- Next message: Rob: "Re: Please help!"
- Previous message: x y: "Re: IIS configured for Local Host only behind NAT router - how risky?"
- In reply to: Michael Hamilton: "Re: Hard Drive Reformat Date"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
