Data Recovery: How to recover a deleted document?

Download Data Recovery: How to recover a deleted document?

Post on 23-Oct-2015

200 views

Category:

Documents

0 download

DESCRIPTION

The project entails recovering crucial documents that an unsatisfied employee, Jonathan deleted before leaving the company. Jonathans crime was evaluated and analyzed to determine how he committed the crime in order to craft proficient ways of recovering the lost file. Proper planning was done before conducting the investigation in order to ensure strict adherence to investigation procedure.Finally the investigation evidence proved that Jonathan did delete the important documents which the investigation team managed to recover.

TRANSCRIPT

  • 2011

    YUSUPH KILEO

    DATA RECOVERY

    10/4/2011

    DATA RECOVERY: TO RECOVER DELETED DATA FROM A COMPUTER

  • DATA RECOVERY

    YUSUPH KILEO Page 1

    Contents ABSTRACT ...................................................................................................................................................... 2

    CHAPTER ONE: INTRODUCTION TO THE PROJECT ........................................................................................ 3

    1.1 PROJECT OVERVIEW ...................................................................................................................... 3

    1.2 PROJECT AIMS AND OBJECTIVES ................................................................................................... 3

    1.3 ASSUMPTIONS .............................................................................................................................. 4

    1.4 EVALUATION OF JONATHANS COMPUTER CRIME ....................................................................... 5

    CHAPTER TWO: THE INVESTIGATION PROCESS ............................................................................................ 6

    2.1 OVERVIEW OF THE FORENSIC INVESTIGATION PROCESS ................................................................... 6

    2.2 AUTHORIZATION AND PREPARATION ................................................................................................. 7

    2.2.1 AUTHORIZATION .......................................................................................................................... 7

    2.2.2 PREPARATION .............................................................................................................................. 8

    2.3 IDENTIFICATION .................................................................................................................................. 9

    2.4 COLLECTION AND PRESERVATION .................................................................................................... 10

    2.5 EXAMINATION AND ANALYSIS .......................................................................................................... 18

    2.5.1 RECOVERING ANY DELETED MATERIALS .................................................................................... 19

    2.5.2 RECOVERED MATERIALS ............................................................................................................ 21

    2.5.3 EXTRACTION OF THE MATERIAL FOUND .................................................................................... 21

    2.6 RECONSTRACT ................................................................................................................................... 22

    2.7 REPORT .............................................................................................................................................. 24

    FORENSICS REPORT ............................................................................................................................. 24

    INVESTIGATION FINDINGS .................................................................................................................. 24

    EXAMINATION SUMMARY .................................................................................................................. 24

    CONCLUSION ....................................................................................................................................... 25

    3.0 EXECUTIVE SUMMARY .......................................................................................................................... 25

    4.0 Appendix. .............................................................................................................................................. 26

    5.0 REFERENCES .......................................................................................................................................... 28

  • DATA RECOVERY

    YUSUPH KILEO Page 2

    ABSTRACT

    The project entails recovering crucial documents that an unsatisfied employee, Jonathan deleted

    before leaving the company. Jonathans crime was evaluated and analyzed to determine how he

    committed the crime in order to craft proficient ways of recovering the lost file. Proper planning

    was done before conducting the investigation in order to ensure strict adherence to investigation

    procedure.

    Finally the investigation evidence proved that Jonathan did delete the important documents

    which the investigation team managed to recover.

  • DATA RECOVERY

    YUSUPH KILEO Page 3

    CHAPTER ONE: INTRODUCTION TO THE PROJECT

    1.1 PROJECT OVERVIEW

    This project is segregated into three main chapters which are the introduction, Investigation

    process and conclusion. The introduction highlights the main aspects of the thesis; the

    investigation process describes in detail the steps that the investigation team would take in

    investigating the above highlighted case and the forensic tools used. It must be noted that

    different tools would be used at different phases of the investigation process; therefore for clarity

    usable tools for specific phases would be explained when describing activities of that particular

    phase.

    The conclusion as the name suggests would summarize the main contents of the project as well

    as briefly outline the deducted lessons from the project and the challenges faced and how they

    were mitigated.

    1.2 PROJECT AIMS AND OBJECTIVES

    AIMS

    This project is aimed at evaluating, analyzing Jonathans crime and procedurally recovering all

    the lost crucial files to save Bukit Enterprises from immense loss.

    OBJECTIVES

    In order to achieve the set aim the investigator has formulated the following objectives:

    Strictly adhere to the procedures of forensic investigation.

    Prepare a time management schedule and strictly abide to it so as to timely recover the

    crucial files.

    Encourage team work amongst case investigators.

    Be flexible such that any emerging technologies that may be useful to the investigation

    would be tried in order to acquire accurate evidence.

    Ensure the authenticity and accuracy of all tools to be used in the investigation.

  • DATA RECOVERY

    YUSUPH KILEO Page 4

    1.3 ASSUMPTIONS

    Bukit Enterprises is a company located in the United Kingdom.

    Investigators found Jonathans computer on.

    Jonathan was using win XP as an operating system.

    Jonathan has installed WinRAR software to his computer (Encryption tool).

    Jonathan has no personal data left in the computer.

    Jonathan saved the research documents using word pad.

    Jonathan encrypted the documents before deleted them.

    Jonathan protected the documents with password using his name.

    Jonathan did not first enquire about reasons for management escalating Steven over him.

  • DATA RECOVERY

    YUSUPH KILEO Page 5

    1.4 EVALUATION OF JONATHANS COMPUTER CRIME

    Jonathan was actively involved in the research for years, but that doesnt allow him to delete the

    research documents when he left the job. The research documents he deleted were not his

    property but rather Bukit Enterprises property. It is apparent that Jonathan did not enquire with

    the management reasons as to why Steven was promoted over him. Jonathan rather decided to

    take the law into his hands and delete the Companys documents which as stated if not recovered

    would endure the company a massive loss.

    The question remains, does Jonathans involvement in the research give him the right to delete

    the documents. According to the company regulations and rules the companys document should

    be returned when employee resigned, Like wise on (Akerman, 2011), it highlights a case where

    an employee deleted company files. The court ruling was that an employee should return all

    company documents before resignation.

    Furthermore on (McCullagh.D, 2007) highlights that Jonathan would be found guilty in a court

    of law for as long as the evidence obtained is authentic and accurate. This is due to the fact that

    with the obtained evidence, Jonathan would be prosecuted for violating the Computer Fraud and

    Abuse Act which finds guilty whoever knowingly acquires information from q computer without

    obtain authorization or whoever who exceeds their authorization level to illegally access data and

    causes damage or loss to it. Jonathan had authorized access to the documents, but he exceeded

    his authority scope by deleting the documents.

    Conclusively, (Radcliffe, 2010) further proves that Jonathan would be proven guilty, according

    to the United Kingdom copyright laws, any research or discovery that an employee makes or

    achieves within their scope of employment belongs to the employer. Therefore Jonathan illegally

    deleted Bukit Enterprises crucial documents and hence would be accordingly prosecuted.

  • DATA RECOVERY

    YUSUPH KILEO Page 6

    CHAPTER TWO: THE INVESTIGATION PROCESS

    2.1 OVERVIEW OF THE FORENSIC INVESTIGATION PROCESS

    Forensic investigation is to collect evidence that would prove a crime in a court of law. Same as

    all other projects it has steps to be followed while undergoing the forensic investigations. This is

    to ensure that the gathered evidence is authentic and accurate. Moreover some practices are

    expected of forensic investigators by courts of law.

    In that respect, the steps of forensic investigation would be properly followed and adherence to

    the laws of forensic investigation would be ensured at every phase before proceeding to another.

    The aforementioned phases of investigation are namely:

    1. Authorization and preparation

    2. Identification

    3. Collection and Preservation

    4. Examination

    5. Analysis

    6. Reconstruct

    7. Reporting

  • DATA RECOVERY

    YUSUPH KILEO Page 7

    2.2 AUTHORIZATION AND PREPARATION

    2.2.1 AUTHORIZATION

    The focus of forensic investigation is to acquire evidence that would be used in a legal

    proceeding, forensic investigators must have authorization to carry out the investigation

    otherwise the evidence would as aforementioned not be admissible (Kleiman et al, 2007 P.8 of

    939).

    The forensic investigator has been appointed by the Companys IT department as the head of the

    investigation team to search and recover deleted materials from the computer that Jonathan used

    while still working for Bukit Enterprises. For formalization, the investigator should request from

    the company a written permission thats allow the investigator to search Jonathans computer

    which would outline reasons as to why Jonathans previously used computer is searched and

    investigated.

    It is also common knowledge that before any forensic investigation, investigators must foremost

    obtain a judicial permission, search warrant that gives them a go ahead with the investigation.

    For example if forensic investigators are investigating a case where someone is suspected of

    selling drugs, a search warrant must be obtained from the authority concerned to allow the

    investigator to procedure with the searching and investigating the case.

    Since Jonathan was no longer a part of the company there was no reasons for search warrantee

    and instead the investigator would request for a formal written authorization from the Company

    management to carry out the investigation. The letter must entail that the investigator is hired to

    search Jonathans computer and justification as to why the search must be conducted must also

    be provided. To further validate the investigation procedure, the investigator should have a third

    party present for example an attorney to certify that the investigators have been hired by Bukit

    Enterprises to conduct a search on Jonathans former computer while still with the Company.

  • DATA RECOVERY

    YUSUPH KILEO Page 8

    2.2.2 PREPARATION

    The preparation phase is where the investigator finalizes on the formation of the investigation

    team. The team would be divided into the phases of investigation so as to have an investigator

    responsible for a specific phase of investigation. Though the appointed investigators would be

    working with the team, they would be in charge of those phases to ensure that proper procedures

    are followed throughout the investigation process.

    A chain of custody would also be created at this stage, not all investigation team members will

    be in the chain custody, this is because the fewer people to handle the investigations crucial

    documents the better; it increases accountability. The chain of custody would be documented

    outlining all handlers of important investigation documents including the evidence.

    ELECTRONIC EVIDENCE CHAIN OF CUSTODY FORM

    COLLECTED EVIDENCE CATEGORY NAME TRACKING

    NUMBER

    COLLECTED FROM

    CHAIN OF CUSTODY TRACKING

    NUMBER

    FROM(Location) DATE AND

    TIME

    REASON TO(Location)

    Case No: Page: Of:

    Fig. 01 shows the chain of custody for the case.

  • DATA RECOVERY

    YUSUPH KILEO Page 9

    The preparation phase also entails highlighting the investigation team on the case and what is

    expected to them during the investigation, this is to enable the investigation team to

    psychologically prepare for the case as well as to be familiar with the laws of the United

    Kingdom where the forensic investigation is taken place.

    The investigation team would also prepare any materials that may be useful in the case, hardware

    and software. Even though, the investigation team have not assessed Jonathans computer, due to

    their experiences in the field, the investigation team would prepare materials that are likely to be

    required in the investigation such as necessary software application and hardware that might be

    helpful during the investigation process.

    2.3 IDENTIFICATION

    The identification phase is the phase that will allow investigators to spot any materials that may

    be suspicious and may contain evidence. This materials may be hardware such as compact discs,

    floppy disks hard disks etc. or it may be fragile data in digital form such as emails, log files,

    images etc.

    The investigation team would check the log files of the computer which was used by Jonathan

    where they would recognize that he has deleted some files just a few hours before he left the

    Company. They would also find digital images in his computer and due to their experience in the

    field; the team would suspect them of being steganography images.

    The last phase of the identification team is whereby the investigation team identifies the

    investigation requirements. This pertains to tools or software that would be useful in the

    investigation process. This is because having identified this items the team would have an idea of

    what Jonathan actually did and hence would know what forensic tools to prepare which will

    allow the investigation process to be carried out smoothly.

  • DATA RECOVERY

    YUSUPH KILEO Page 10

    2.4 COLLECTION AND PRESERVATION

    COLLECTION

    Having identified items that may contain the evidence of Jonathans crime, the investigation

    team would proceed to collecting the evidence. Conducting forensic investigations procedurally

    is aimed at acquiring accurate evidence. Therefore, investigators would ensure that the collected

    evidence is not tampered with. Digital data is very fragile, it can be easily altered therefore the

    following principles would be employed to insure that the collected evidence is rather accurate:

    Investigators should wear the gloves during the entire collection process to avoid

    biometric tempering of the evidence.

    Jonathans computer should not be switched off. This will allow the investigators to

    carry out investigation without tempering with the state that the computer was found at.

    There would be no installation of forensic software on the machine. (Vacca, 2005 P. 18

    of 832) mentions that care must be taken that no malicious software is launched into the

    subject machine. Installing any software may introduce some malicious software hence

    tampering with the evidence.

    TOOL THAT WOULD BE USED TO COLLECT THE EVIDENCE

    Investigator has to select an appropriate tool that would assist to collect the evidence. In this case

    the selected tool happens to be The Forensic Toolkit (FTK). FTK is the perfect tool for complete

    and thorough forensic examinations. It has full text indexing, advanced searching, deleted file

    recovery, data-carving, and email and graphics analysis. Full text indexing powered by

    dtSearch yields instant text search results. FTK also has advance searches for JPEG images and

    Internet text. It locates binary patterns using Live Search and it can automatically recover deleted

    files and partitions.

    The FTK that the investigators would use is the which as opposed to other forensic tools, the

    Imager lite does not require installation and hence would help the investigators achieve one of

    the aims outlined above which is to collect evidence accurately, avoiding tampering with the

    subject machine or rather tampering with the evidence itself. The FTK Imager lite can capture

    images of both logical and physical drives.

  • DATA RECOVERY

    YUSUPH KILEO Page 11

    The investigator has to take the image of the PC that was used by Jonathan this is due to the

    reasons the investigator should not temper with the evidence as shown on the (Vacca, 2005 P. 18

    of 832) it is very crucial for forensic investigators to preserve the original evidence, they could

    easily perform all the operations in Jonathans computer but it is best practice for investigators to

    preserve the original evidence and an image is created as a copy of the original evidence and

    hence would be the one investigated.

    CREATING THE IMAGE OF JONATHANS COMPUTER

    The above figure shows how Jonathan Computer was seen before the investigation process began.

    From Jonathan Computer the image will be takes to allow the forensic investigation process to

    take place.

  • DATA RECOVERY

    YUSUPH KILEO Page 12

    The above screen would appear after launching the FTK Imager lite. It must be noted that the aforementioned forensic tool runs from an external hard drive rather than from the subject machine. Rom The File Create the image will be pressed ready to create Jonathan Computers Image with FTK.

    Here is where the forensic investigator would chose the drive that image is to be created.

  • DATA RECOVERY

    YUSUPH KILEO Page 13

    The above figure is where the image is added to the required drive that will be stored ready for

    the investigation. And the below figure is where an appropriate selection of the image time

    would be selected.

  • DATA RECOVERY

    YUSUPH KILEO Page 14

  • DATA RECOVERY

    YUSUPH KILEO Page 15

    The Image Is started to be created to the destination. This process takes some time, it depends with the speed that data is transferred.

    The above screen shows the MD5 and SHA1 files of the image.

  • DATA RECOVERY

    YUSUPH KILEO Page 16

  • DATA RECOVERY

    YUSUPH KILEO Page 17

    The above screen shot shows the systems unallocated space.

  • DATA RECOVERY

    YUSUPH KILEO Page 18

    The image files would then be exported to an external media, where all the investigation would

    be carried out.

    2.5 EXAMINATION AND ANALYSIS

    After collecting the evidence it has to be examined. This is where the subject computer would be

    examined; the prior identified evidence would be examined for any hidden data or any clues.

    This is because it would not have been logical for Jonathan to delete the files as simple as that,

    he must have hid those using technological help.

    These two stages entails filtering and breaking down any collected items, filter the evidence

    which means that the forensic investigators would remove any materials collected that are not

    useful to the case.

    The evidence would be classified into categories for easy reference, for example in a legal

    proceeding the evidence would be required and it would be easier if the investigation team

    categorized it.

  • DATA RECOVERY

    YUSUPH KILEO Page 19

    2.5.1 RECOVERING ANY DELETED MATERIALS

    For analysis and examination the forensic team would use the Active@ Undelete program which

    checks the system for any deleted materials and then recovers them. In this case, it is already

    known that Jonathan already deleted the materials which make it easier for the forensics team.

    The selection of Active@ Undelete program is based due to the reason that Active@

    UNDELETE is powerful data recovery software that helps you to recover deleted files and

    restore deleted partitions. The software can support windows XP, Windows Vista, Windows 7

    and Windows 2003 server Operating systems. With the software these can be done:-

    Recover deleted files and folders

    Restore deleted partitions

    Create a Disk Image for safe data restoration

    Perform an Advanced Scan and organize the result using Document View and Recovery

    Toolkit

    Write recovered data directly to a CD/DVD avoiding dangerous hard drive activity

    Perform batch file recovery

    Virtually reconstruct broken or disassembled RAID arrays

    Restore data from damaged RAID arrays

    Edit disk content with Hex Editor

    Preview deleted files before restoring

  • DATA RECOVERY

    YUSUPH KILEO Page 20

  • DATA RECOVERY

    YUSUPH KILEO Page 21

    2.5.2 RECOVERED MATERIALS

    The recovered materials would be filtered and the RAR file will be extracted as the file founded

    was encrypted with RAR software which an investigator suspected the file would be the one with

    the required materials that Bukit Enterprises claimed to be deleted by Jonathan Before quitting

    the company. In addition to that the file found to be protected with password which an

    investigator would need to crack the password so that the material inside could be seen.

    2.5.3 EXTRACTION OF THE MATERIAL FOUND

    Since the material found happen to be encrypted with password using the WinRAR software the

    extraction of the material would be required the Win RAR software which has ability to decrypt

    the encrypted files. At the same time the file required the password which an investigator would

    use Jonathan (name of the person who deleted the documents) to open the documents.

    Then after the password has been entered to allow the encrypted documents to be seen, the

    reconstruction is to be done as the documents has to be examined who committed and how and

    why the crime was committed.

  • DATA RECOVERY

    YUSUPH KILEO Page 22

    2.6 RECONSTRACT The investigative reconstruction leads to a more complete picture of a crime this is the phase

    where by the determination of what happened to the crime who committed the crime how and

    why the crime was committed is founded. It normally involves three things namely functional

    analysis, Relational analysis and temporal analysis which will eventual provide a clear picture of

    the crime.

    For this particular case what happened is that the sensitive files of Bukit enterprises where

    deleted from Jonathans computer before he left the company due to the reasons that he was not

    promoted as he was expecting. It is also crystal clear that Jonathan was the one deleted the files

    as the files were under his supervision before quitting the company.

    The deleted the files were founded to be encrypted and password protected which brings a clear

    picture that Jonathan used RAR archive to encrypt and hide before deleting the files. He did this

    with an aim of ensuring that the files would not be recovered easily as he believed the decryption

    might be difficult if there could be any chance to recover them.

  • DATA RECOVERY

    YUSUPH KILEO Page 23

    Functional Analysis: Jonathans computer found to be installed software like RAR archive that

    can perform encryption. This lead to the suspect of the deleted file to be hidden before deleted.

    Relational Analysis: The Computer which founded the deleted file was used by Jonathan. He

    quite the company without handing over the files that was required and it was clearly seen that

    Jonathan was unsatisfied with the decision of not being promoted. All these together made an

    easy conclusion that he would be the one whom deleted the files before he quit the job.

    Temporal Analysis: Most operating systems keep track of the creation, last modification and

    access times of files and folders.Below is the time line to show the sequence of events.

    Date Event

    21 02 - 2006 Jonathan started to work with Bukit Enterprises.(Base on ussumption)

    He worked with other deffernt projects which were delivered succecifully.

    17 01 - 2010 He started working with the project which he didnt deliver as he was

    expected to.

    19 01 - 2011 He resiged from the company. And he deleted the project that he was

    working on from the computer that he was using.

    20 01 - 2011 IT manager wrote an authorization letter to an investigator to investigates

    the computer for the deleted files and recover them.

    21 01 - 2011 An Investigator started to work on investigating the crime and recovering

    the deleted files as required.

    29 01 - 2011 The deleted files was succesifuly recovered from Jonathans Computer

    from the image that was taken from it.

    30 01 - 2011 The report was generated for futher forensic action towards Jonathan and

    submited to the IT maneger.

  • DATA RECOVERY

    YUSUPH KILEO Page 24

    2.7 REPORT

    FORENSICS REPORT

    CASE: BUKIT ENTERPRISES VS JONATHAN

    CASE NUMBER: C0001

    INTRODUCTION

    This report was requested by the IT department of Bukit Enterprises to confirm the alleged claim

    against Jonathan that he intentionally deleted crucial company document just before his

    volunteered resignation.

    INVESTIGATION FINDINGS

    From the investigation process, the investigation team recovered encrypted files. The files was

    encrypted with RAR file which requested for a password to open the contained document as the

    RAR file was protected with password before deleted.

    The evidence was found on the 30th

    January 2011 from the image of Mr. Jonathans computer

    which was acquired on the 28 January 2011. The evidence is in good condition and there are no

    signs of it being tampered with.

    EXAMINATION SUMMARY

    The tools that have been used during the entire investigation proses were Forensic Toolkit

    IMAGER Lite (The software that does not need installation when used) this was due to the

    investigation process which does not allow tempering to the evidence. The software was

    involved on collection of image from Jonathans computer.

    Active Undelete and Win RAR were the other tools used to during the investigation process

    which was effectively used to provide the recovery of the files and decrypt them as they were

    encrypted before deletion.

    All these tools were very helpful in collecting accurate and precise evidence as shown in the

    preservation stage.

  • DATA RECOVERY

    YUSUPH KILEO Page 25

    CONCLUSION

    From the evidence it is evident that Jonathan is guilty of the alleged offence.

    3.0 EXECUTIVE SUMMARY Jonathans crime was analyzed and lastly, the deleted materials were recovered.

    At several stages of my assignment I faced some serious problems due to the unawareness

    of some forensic tools. But with the help of different resources we gradually understood the

    concepts. Among them was data recovery concept. The second important part which we learnt

    from this assignment is to be able to perform the creation of a virtual machine and imaging of the

    computer for forensic investigation.

    In conclusion, this assignment was easy to work it and has given me a clearer view and

    understanding for present and future purposes. In addition to that the assignment was very

    helpful in increasing Data recovery tracing and evidence gathering in computer system skills and

    knowledge.

  • DATA RECOVERY

    YUSUPH KILEO Page 26

    4.0 Appendix. Chain of Custody Form

    ELECTRONIC EVIDENCE CHAIN OF CUSTODY FORM

    COLLECTED EVIDENCE CATEGORY NAME TRACKING

    NUMBER

    COLLECTED FROM

    Forensic

    investigation.

    Computer

    Image

    001 Jonathans Computer

    CHAIN OF CUSTODY TRACKING

    NUMBER

    FROM(Location) DATE AND

    TIME

    REASON TO(Location)

    001 Bukit Jalil

    Enterprises

    Company LTD

    28 January

    2011 [At

    13: 25 HRS]

    To Investigate and

    recover suspected

    deleted documents

    from the Computer

    users Documents.

    Investigation

    Department.

    Case No: 01 Page: 01 Of:01

  • DATA RECOVERY

    YUSUPH KILEO Page 27

    Letter of authorization

    Bukit Enterprises LTD,

    Kingston Block 3,

    London.

    U.K

    Date: 20 -01 - 2011

    Yusuph A. Kileo ,

    Kingston Block 3,

    London.

    U.K

    Dear Sir,

    I hereby authorize you to lead the investigation team to investigate and recover suspected deleted files

    from Mr Jonathans Computer on behalf of Bukit enterprises, in order to enable father Forensic procedure

    to be taken over him.

    I kindly Allow you to work on the matter as soon as you can so that to allow the job to be done as it will

    be required to be completed as soon as possible.

    Petro Peres,

    Head of IT department.

    Thank you.

  • DATA RECOVERY

    YUSUPH KILEO Page 28

    5.0 REFERENCES

    1. Kleiman .D.Cardwell. K., Clinton T.,Cross M., Gregg M.,Versalone J., Wright

    C.,(2007) The Official CHFI Exam 312-49 Syngress Punlishing, Burlington

    2. Varcca.J.,(2005) Computer Forensics Computer Crime Scene Investigation, Syngress

    Punlishing, Charles River Media

    3. Standard Guide for the Recovery of Trace Evidence, Technical Working Group for

    Materials, Quantico, VA, 1998

    4. Walker.C., (ND) Computer Forensics: Bringing The Evidence to Court [online]

    Accessed 28th

    January 2011 02:29 Available from

    http://www.infosecwriters.com/text_resources/pdf/Computer_Forensics_to_Court.pdf

    5. Radclife.M., (2010) Ownership of copyrights Court [online] Accessed 29th January

    2011 07:34 Available from http://library.findlaw.com/1999/Jan/1/241478.html

    6. McCullagh.D., (2007) Police Blotter [online] Accessed 30th January 2011 02:39

    Available from http://news.cnet.com/Police-blotter-Ex-employee-sued-for-deleting-

    files/2100-7348_3-6171274.html