We were then asked to establish whether or not there was sufficient evidence to show that activity was performed during a seven-day window and whether the evidence of this activity had been forensically wiped (in addition to physical destruction of the hard disk drives in the RAID). Our data recovery engineers then imaged all the repaired hard drives in the RAID array, taking care to maintain the integrity of the evidence and adhering to Association of Chief Police Officers (ACPO) guidelines at all times.
Thankfully, there was no media damage to the platters and we were able to image the drives without error. The acquired images were verified using hash functions, and the data parameters were calculated in order to rebuild the data on the server.
The main tools used were AccessData Forensic Toolkit (FTK) and FTK Imager. The data recovered clearly identified signatures for forensic wiping programs, namely CCleaner and DiskWipe, which are used to clean hard drives and to destroy data permanently. Using powerful forensic data recovery tools, we were able to recover all the data and then search for specific activity by keyword and text string. Needless to say, there was a wealth of inappropriate activity that had been cloaked by the perpetrators. Our subsequent forensic report was presented to an employment tribunal, which resulted in a successful outcome for our client.