HaQue wrote:
What's the aim? Prosecution? Or just getting the files back because they are needed? If prosecution, a proper forensic analyst should do it, otherwise evidence won't hold up.
As far as I can tell, it's not illegal to wipe files from the machine you have access to after you got fired - at least in Germany. So prosecution is not a deal. But I think the company may sue the employee for the damage he did and for this task my word as a DR specialist or expert witness will be enough. But I think the main reason is just to get the files back.
HaQue wrote:
If you need files, you could install Windows 10 on a VM, patch it to the build the system was on, do a file list or hash list, then you have a database.
I don't think that is going to work, because then I need to install all the apps that have ever been installed on this machine. And so on. And to be honest, I don't really want to waste my time on this. It's one thing to run a program that is going to do all the work for me. But it's another thing to do worthless labour.
HaQue wrote:
Was it an SSD?
Yes, and the computer was powered on for about half an hour after the files were deleted. After that, the company powered the notebook on, and after they realised that the employee had deleted his / their files, they left the notebook running for about 20 minutes.
My result was that about 1% of the files are OK and 5% of the files are damaged. Everything else is gone.
HaQue wrote:
Looks like the company had poor IT practices though, which will probably hinder your task. R-Studio probably got back all that exists. Especially if the user doesn't appear to be savvy.
I have no idea why the IT departments here in Germany have such bad backup practices. A few days ago, I had a RAID system with 24 drives from another company, configured in a RAID-5 combination and NO FUCKING BACKUPS! I, as a little DR company, have a RAID-6 on the servers, an ML6000 tape library for on-site backups and a cloud solution for off-site backups. And tapes in a safe deposit box.
At least I washed the head of the company with the deleted files. This time the employee deleted the files. Next time the notebook gets stolen. There is no way they can survive with that kind of practice.