Can i check if someone copied my HDD contents ?

[DeusEx]

basically my dad is running a firm and he has quite a lot of important information on the hard drive / network... some VALUABLE information. We suspect one of our employees has used an external hard drive to copy all of our files...

is there any way we can trace who has done it OR if it was done ? Is it possible to find out if they used an external usb hard drive to copy our stuff from the computers in the office or the network ?

thanks guys.

[stev]

It's difficult to trace a USB port connection other than the typical user who logs in and seeing the copy going to the USB drive.
Do your systems trace user login activity per session?

It's always best to keep data locked down per user other than the admin and to use shared drives. XP is actually the best out of the box setup for this.

[leexgx]

the event log would of loged hardware inserted more so if its an USB harddisk

[DeusEx]

the event log would of loged hardware inserted more so if its an USB harddisk

can you explain more about this ?

[Kougar]

Not sure about the event log, it does not log anything of that nature for me. Just tested with a USB flash drive.

It's old fashioned, but the one trick I know about is looking at the "last accessed" stamp for the files. If all of the sensitive files were accessed at the same timestamp or newer (And you know they have not been touched by anything or anyone since the date you suspect this occured) then that is pretty clear that they were all copied over at the same time. You likely need to enable this view by right-clicking the columns where it says date modified, etc.

If you need concrete proof or may need to prove this in a future court you need to be aware that the more the suspected computer or data is used the more evidence of the crime may be lost. You should consult with a computer forensics firm on this promptly if it is that serious an issue. The more time passes, the harder it will be to conclusively prove or track down anything. Especially if anything was "deleted", since it may be overwritten by new data and then lost for good.

[Merlin]

Another problem would be whether or not you "knowing" they did it would give you the ability to do anything about it. IF they copied your client list you would have to prove it in order to take any legal action against them but then you probably already knew that. I would simply assume that your data has been compromised and take steps based on that assumption..( change any and ALL passwords notify anyone that could have had their info compromised as well etc. ) and then take the needed steps to make SURE it cannot happen again.