ABSTRACT

Not all the data required for an investigation will reside on a user's PC; therefore, you will need to gain access to the same files and directories that the user has access to. The first step is to disable the user's ID. Before that happens, have the administrator verify how the user's profile and accounts might be affected when the ID is disabled; only after confirming that no data will be lost, altered, or destroyed should the administrator proceed. Security personnel or someone with administrative authority should disable the user's ID; operations personnel or a systems/data security office can do this. The easiest way to disable a user's ID is to change the password, but this is not the best approach, because the user could regain access by guessing the new password. Be sure that the administrator disables the ID but does not delete it: in some security setups, deleting a user ID causes that user's data and files to be deleted as well, which is exactly what you do not want. Once the ID is disabled, the next and most important step is to copy all the files to which the user had access. The copy gives the investigation its own preserved working set, since the live data itself cannot simply be quarantined. Data that is confiscated outright, by contrast, is unavailable to the business for as long as it takes to conduct your investigation.
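The copy step deserves more care than "copy the files": an investigator needs a duplicate that keeps the files' metadata, a record of what was copied, and a way to prove later that the copy has not changed while the business keeps using the originals. The following Python script is an added example illustrating that step; it is not code from the original text. Disabling the ID is an administrative action done with the platform's own account tooling and is not shown. The sample home directory, its file contents, and the user name jdoe are constructed for the example, and filtering by owner UID is this example's own approximation of "files the user had access to" (group shares and ACL-granted access need a broader selection).

```python
"""Preserve a hashed, verifiable copy of the files a user could access.

Added example, not part of the original text. Disabling the ID is done by
the administrator with the platform's own account tooling and is not
shown; this covers the copy step that follows it.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"

# Constructed sample content standing in for a user's home directory.
SAMPLE_FILES = {
    "docs/budget.txt": b"Q3 budget: 1,250,000\n",
    "mail/outbox.eml": b"Subject: vendor payment\n\nSee attached.\n",
    "projects/readme.md": b"# internal tooling\n",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_evidence(src_root, dest_root, owner_uid=None):
    """Copy every regular file under src_root into dest_root, then write a manifest.

    owner_uid, when given, keeps only files owned by that UID. That is this
    example's approximation of 'files the user had access to' on a POSIX host;
    group shares and ACLs need a broader selection. Returns the manifest entries.
    """
    src_root, dest_root = Path(src_root), Path(dest_root)
    dest_root.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in sorted((p for p in src_root.rglob("*") if p.is_file()), key=str):
        st = src.stat()
        if owner_uid is not None and st.st_uid != owner_uid:
            continue
        rel = src.relative_to(src_root)
        dst = dest_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 carries mtime and permission bits across
        digest = sha256_file(src)
        if sha256_file(dst) != digest:  # never trust a copy you have not checked
            raise IOError(f"copy of {rel} does not match its source")
        entries.append({"path": rel.as_posix(), "size": st.st_size,
                        "mtime": st.st_mtime, "sha256": digest})
    (dest_root / MANIFEST_NAME).write_text(json.dumps(entries, indent=2))
    return entries


def verify_evidence(dest_root):
    """Re-hash the preserved copy; return manifest paths that changed or vanished."""
    dest_root = Path(dest_root)
    entries = json.loads((dest_root / MANIFEST_NAME).read_text())
    return [e["path"] for e in entries
            if not (dest_root / e["path"]).is_file()
            or sha256_file(dest_root / e["path"]) != e["sha256"]]


def demo():
    """Run the workflow end to end on the constructed sample tree."""
    root = Path(tempfile.mkdtemp(prefix="ir-copy-"))
    src = root / "home" / "jdoe"
    for rel, data in SAMPLE_FILES.items():
        (src / rel).parent.mkdir(parents=True, exist_ok=True)
        (src / rel).write_bytes(data)
    dest = root / "evidence" / "jdoe"
    entries = collect_evidence(src, dest)
    clean = verify_evidence(dest)  # nothing should be flagged yet
    # Simulate later interference with the copy: one edit, one deletion.
    (dest / "docs" / "budget.txt").write_bytes(b"Q3 budget: 1,000\n")
    (dest / "projects" / "readme.md").unlink()
    tampered = verify_evidence(dest)
    # Restricting by owner: every sample file belongs to whoever ran this.
    owned = collect_evidence(src, root / "evidence-owned",
                             owner_uid=os.stat(src).st_uid)
    return {"entries": entries, "clean": clean, "tampered": tampered,
            "owned_count": len(owned)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script copies the constructed tree, verifies the copy against its manifest (nothing flagged), then shows the manifest catching both an edited file and a deleted one. In a real case the manifest is what lets you demonstrate that the working copy you analysed is the one taken when the ID was disabled, while the originals remain available to the business.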