I have a situation in which a person has been accessing confidential information from another PC which they shouldn't have accessed and stored the acquired information on their own PC.
Since all of the computers are within my jurisdiction, I am the one responsible for any information leaks and, since I don't know whether that person is going to misuse the information, I could copy/clone/seize their hard drive to serve as proof that they stole and had that info on their PC should they try to e.g. sell that info to the competition.
What I'm interested in: if the information ends up in the competition's hands, I will know for certain they did it, but can I prove it by showing that the original drive was inside their PC? Are there traces that could link that hard drive to his PC, e.g. motherboard/CPU configuration, user name etc., or would that be dismissed under the argument that I could've written that info to the disk?
I presume you want to confirm the HDD was installed in a computer assigned to you, and both are assets, inventoried by you? You should have a record that they were assigned the computer; simply taking note of the serial of the HDD inside that computer currently should do the trick. Most programs like Speccy will provide you the serial number of the HDD; they will also indicate the license for Windows. Both should be something that is part of your inventory information. When an employee is assigned a computer, you make them sign a document that they received the computer, which includes the HDD. – Ramhound – 2016-03-16T18:04:10.753
You are on point, but I want it to be indisputable whether I have tampered with the disk. They could for example say that I put the disk in another PC and wrote to it. Could I seize the PC and have undeniable proof that the HDD was written to only by their PC? – None – 2016-03-16T18:44:50.197
You inventory the hardware in the PC. You then have the employee sign the inventory slip. You do this for every employee, or just them, they can't argue at that point. Once signed, seize the hardware, and make a byte-to-byte copy of the HDD. What other things you can do, seek the advice of a lawyer, I am hesitant to go into deeper detail for that reason. – Ramhound – 2016-03-16T18:47:58.460
Yes, but we're a small team and have operated without that up until now. If I ask them to sign a new document, they may be aware of the way I am going and refuse that, leaving me without the preemptive action I am trying to do now: have proof before they try to do something with the data.
Is there a way to read from the disk what other components were in that PC or something like that? – None – 2016-03-16T18:49:55.230
You should seek the advice of a lawyer. – Ramhound – 2016-03-16T19:00:27.597
To cut to the chase though: if there is a way to find (read) such traces, there is a way to falsify (write) them as well. – Yorik – 2016-03-16T19:22:32.763
Not sure of the legality, but have you considered deleting the info from their PC? – barlop – 2016-03-16T20:56:29.407
Maybe this should be in http://security.stackexchange.com/ – Hermann Ingjaldsson – 2016-03-16T23:09:29.387
I can't reiterate @Ramhound's advice strongly enough - chain of custody issues and what qualifies as evidence are not something people can advise you on here - even less so without knowing your jurisdiction. I would imagine you could sometimes prove this to a "preponderance of the evidence" standard, but not to a "beyond reasonable doubt" standard - in some cases. Also, would you not be better off watermarking images or using phrases or particular words to create "signatures" ON DOCUMENTS which you register with a lawyer or similar officer of the court, to enable later verification? – davidgo – 2016-03-16T23:26:45.703
"I will know for certain they did it" - you don't know anything other than the competition has the files. Saying someone stole data without real evidence is slander. – Keltari – 2016-03-17T00:21:34.950