IT Group Locate Tens of Thousands of Documents Stored in Client-side Cache During e-Disclosure Exercise

When searching for material in an e-Disclosure exercise, we are often asked to look at corporate file servers. Last week, when instructed by a firm of liquidators, we needed to broaden our horizons. We discovered that someone had removed the hard drives from the file server in question – perhaps in an attempt to scupper the investigation.

After discovering that the file server was without its hard disks, we forensically examined the PCs and laptops that had been connected to the server, in order to identify whether there was anything of interest.

A little-known area of the Windows operating system is the client-side cache (Windows Offline Files). The client-side cache contains a local copy of files in any shared directory on the server that has been mounted by the PC.

Offline copies of directories are usually retained by mobile users who may be out of the office and spend extended periods of time off the corporate network. These offline copies allow the user to access and modify key documents that would normally be stored on the server while they are away from the office. Once the user reconnects to the network, the documents synchronise and the server copy is updated.

One of the interesting issues with the client-side cache is that if multiple users share the same PC or laptop, each may end up with local copies of documents that the other users of that machine are not authorised to access. e-Disclosure professionals and forensic investigators need to bear this in mind before concluding why a particular user has specific documents on their laptop.
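As an added illustration (not part of the original post), the following PowerShell snippet shows how an examiner can check whether Offline Files is enabled on a Windows PC and inventory what its client-side cache holds, grouped by the server share each item came from. It assumes the Offline Files WMI provider (Win32_OfflineFilesCache and Win32_OfflineFilesItem in root\cimv2, present on Windows Vista and later), an elevated session, and a constructed output path C:\Case\csc_inventory.csv.

```powershell
# Added example, not from the original post. Assumes the Offline Files WMI
# provider (root\cimv2, Windows Vista and later) and an elevated session.

# 1. Is the client-side cache switched on, and where does it live on disk?
$cache = Get-CimInstance -Namespace 'root\cimv2' -ClassName Win32_OfflineFilesCache
$status = [pscustomobject]@{
    Enabled  = $cache.Enabled     # feature turned on
    Active   = $cache.Active      # cache in use in this session
    Location = $cache.Location    # on-disk cache directory to preserve
}
$status | Format-List

# 2. Enumerate every cached item and map it back to the server share it
#    came from. The cache is machine-wide, so this lists items regardless
#    of which user of the PC originally made them available offline.
$items = Get-CimInstance -Namespace 'root\cimv2' -ClassName Win32_OfflineFilesItem |
    ForEach-Object {
        # ItemPath is a UNC path such as \\server\share\folder\file.docx
        $parts = $_.ItemPath.TrimStart('\').Split('\')
        [pscustomobject]@{
            Share = '\\' + ($parts[0..1] -join '\')
            Path  = $_.ItemPath
        }
    }

# 3. Summary: how much material came from each share ...
$items | Group-Object Share | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Share'; Expression = { $_.Name } } |
    Format-Table -AutoSize

# ... and a full inventory for the disclosure set (constructed output path).
$items | Sort-Object Share, Path |
    Export-Csv -Path 'C:\Case\csc_inventory.csv' -NoTypeInformation
```

This is a live triage query; for evidential work, preserve the directory reported in Location from a forensic image rather than relying on the running machine.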

As part of our forensic investigation last week, we successfully located over 17,000 documents in the client-side cache that had almost certainly been copied from the server's hard drives before they were removed.