Need to catch a thief... Please help!

Seems this is a Firebird setup; from what I can see it's open source. But I'm battling a bit to find a GUI-based reader for this DB file.

Found one of two command line tools, but I'm not that proficient.

It's more likely FoxPro. It was quite popular in its day and was purchased by Microsoft too.
 
So I used the db details that I could find, in the program that I downloaded above.

It connected first time and has presented me with the following screen, which looks like the actual content of the db.

Correct?

Edit: apologies for rotated pic
 
Yep, go to tables, and check what you can find there. You should be able to right click and view the content.
 
This is where I'm a bit out of my depth...

It would appear one can export data from the tables, but quite honestly not sure where to be looking now... as there is a massive list of tables here.

Some guys earlier in the thread said that there might be some logs in here somewhere that would have connection details, but yeah, I would need to rely heavily on some guidance with this.

Will start googling so long...
 
For the actual logs, you will need to check another parent folder, as it won't be in tables. However, in the data, you can check for a table that might say something along the lines of "activity", or "history", as these might (with a lot of luck) show you logins, as well as the IP the login came from. All business software should have this, but they don't always.
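
Added example, not part of the original posts: instead of scrolling through a massive table list, Firebird's own metadata tables can be queried for table and column names that look like an audit trail. The keyword list is an assumption (the application's real table names are not known from this thread), and the query should be run against a working copy of the database file.

```sql
-- Added example (not from the thread): list user tables and columns whose
-- names hint at an activity log. Keywords below are assumptions; adjust them.
-- RDB$RELATIONS and RDB$RELATION_FIELDS are Firebird's metadata tables.
SELECT
    r.RDB$RELATION_NAME  AS table_name,
    f.RDB$FIELD_NAME     AS column_name,
    f.RDB$FIELD_POSITION AS column_position
FROM RDB$RELATIONS r
JOIN RDB$RELATION_FIELDS f
  ON f.RDB$RELATION_NAME = r.RDB$RELATION_NAME
WHERE COALESCE(r.RDB$SYSTEM_FLAG, 0) = 0   -- skip Firebird's own system tables
  AND r.RDB$VIEW_BLR IS NULL               -- skip views, keep real tables
  AND (
        -- table names that suggest logging (CONTAINING is case-insensitive)
        r.RDB$RELATION_NAME CONTAINING 'LOG'
     OR r.RDB$RELATION_NAME CONTAINING 'ACTIVITY'
     OR r.RDB$RELATION_NAME CONTAINING 'HISTORY'
     OR r.RDB$RELATION_NAME CONTAINING 'AUDIT'
        -- column names that suggest "who / from where" was recorded
     OR f.RDB$FIELD_NAME CONTAINING 'USER'
     OR f.RDB$FIELD_NAME CONTAINING 'LOGIN'
     OR f.RDB$FIELD_NAME CONTAINING 'COMPUTER'
     OR f.RDB$FIELD_NAME CONTAINING 'MACHINE'
     OR f.RDB$FIELD_NAME CONTAINING 'HOST'
      )
ORDER BY r.RDB$RELATION_NAME, f.RDB$FIELD_POSITION;
```

Tables that show up with both a timestamp-like column and a user or computer column are the first candidates to open and export.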
 
Busy digging now... Found this so far

Database\Tables\Logs and it looks like this...
 
OP

So once you interrogate all these tables and determine if it's Bob or Mary, what are you going to do?

Unless you have sealed backups, then IMO, the evidence has been tampered with and could possibly be inadmissible.
 
> For the actual logs, you will need to check another parent folder, as it won't be in tables. However, in the data, you can check for a table that might say something along the lines of "activity", or "history", as these might (with a lot of luck) show you logins, as well as the IP the login came from. All business software should have this, but they don't always.

OK, battling to find this 'Data' that you are referring to. I'm limited to the following:

Tables
Views
System Tables
Procedures
Functions
Triggers
Indexes
Sequences
Users

I will keep googling and digging but hoping that someone here might know exactly where to look
 

Thanks Ponder, this is exactly what I'm using to browse the DB. Just a case of finding this mysterious activity log. I did find a LOG table under TABLES (which looks just like an activity log to me) but Lord Nikon6 was quite clear that it won't be under there, but rather under 'data'?

Edit: while doing some reading I did find that various 3rd party tools can tap into a few tables grouped under the SYSTEM TABLES section, which can provide realtime information on activity and connection of the DB. But obviously, now that it's sitting idle, those tables are all empty.
 
> OP
>
> So once you interrogate all these tables and determine if it's Bob or Mary, what are you going to do?
>
> Unless you have sealed backups, then IMO, the evidence has been tampered with and could possibly be inadmissible.

This. You did the right thing by confiscating his computer (should maybe have confiscated Mary's too), but now you haven't preserved the evidence and it could be inadmissible.
 
An entire backup was taken of the computer in question and is sealed in a hard drive I believe. I don't have that drive.

Windows logs have shown diddly squat. There is more info in these log files in the DB. Just need to find out how to link certain records that were done to the activity log in the DB. I'm in contact with the dev of this system to try to get some more answers. In the activity log that I can see (so far) it lists the computer name of the record that was amended, not the USER (Windows) or USER (software). I'm sure this is an older way of recording an IP, except they just went with the PC-NAME.

One thing I do know is that if he kept up to date with Firebird then I would have had full auditing to work with.
 
Depending on the amount in question, why not hire a forensics team? It should take them a day or two to find the culprit and they know about preserving evidence, chain of custody, etc.
 
Apologize to Bob and say you were wrong. Leave Bob to do his thing after you install a keylogger and / or RAT.
Problem solved.
 
There's not a single chance in hell that the digital evidence will be admissible in court.
Specific protocols need to be observed in order to preserve the forensic integrity of any evidence.

That chain was broken from the very outset when the computer was removed.
The first thing to have been done would have been the capture of "volatile data" contained within RAM.
Following that, the cloning of the hard drive, prior to the machine even being shut down.

The fact that the machine was moved prior to any of the above being done, and then a 3rd party having full access to any data contained on the drive, will have any half-baked attorney having any digital evidence obtained in this manner ruled as inadmissible.
And then of course, the attorney will ask the person who obtained the evidence being presented if they are qualified & accredited in the field of digital forensics. The answer in this case would be an obvious no.
 