EH-Net
March 14, 2010, 03:06:29 AM *
  Show Posts
Pages: [1] 2 3 ... 11
1  Resources / Tools / Re: tool to trace users on: January 03, 2009, 10:08:08 AM
first things first, have you made an image of the drive?  If your primary concern is to recover the file then you need to get the drive imaged ASAP if that system is still in use.  Otherwise you'll just write over parts of it at some point.  Do you have access to some UNIX/Linux/BSD system that will let you do a simple dd?  As long as nobody has played with the drive too much then you should be able to pull the file right back off.
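A concrete version of the "image first, then recover" advice above, added here as an example and not part of the original post: a POSIX shell function that copies a source with dd, records SHA-256 hashes taken before and after so the image can be shown to match, and then searches the image rather than the live drive. SRC/DEST are assumed paths (in practice a block device and a file on a different disk); the sample "drive" below is a constructed file, not a real device.

```shell
#!/bin/sh
# Added example, not from the original post. Images SRC onto DEST with dd and
# keeps hashes taken before and after so the copy can later be shown to be a
# faithful duplicate. Assumed paths: SRC would be a block device such as
# /dev/sdb; DEST must live on a different disk so the source is never written.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_drive SRC DEST: sector-sized bit-for-bit copy. conv=noerror keeps going
# past unreadable sectors and sync pads them with zeros, so every byte of the
# image stays at the same offset as on the source. dd's record counts and any
# read errors go to DEST.dd.log; the hashes go to DEST.sha256.
# Returns 0 only when the source and image hashes agree.
image_drive() {
    src="$1"; dest="$2"
    before=$(sha256_of "$src") || return 1
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>"$dest.dd.log" || return 1
    after=$(sha256_of "$dest") || return 1
    printf '%s  %s\n%s  %s\n' "$before" "$src" "$after" "$dest" > "$dest.sha256"
    if [ "$before" = "$after" ]; then
        echo "HASHES MATCH $before"
        return 0
    fi
    echo "HASH MISMATCH source=$before image=$after"
    return 2
}

# find_in_image IMAGE STRING: byte offset of the first occurrence of STRING in
# the image, so the search touches the copy and not the original drive.
find_in_image() {
    grep -boa "$2" "$1" | head -n 1 | cut -d: -f1
}

# Constructed sample "drive": 2048 bytes of random data (a whole number of
# 512-byte sectors) with a known string planted at offset 512 to stand in for
# the contents of a deleted file.
make_sample_drive() {
    f=$(mktemp) || return 1
    head -c 2048 /dev/urandom > "$f"
    printf 'deleted-file-contents' | dd of="$f" bs=1 seek=512 conv=notrunc 2>/dev/null
    echo "$f"
}
```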
2  Resources / Tools / Re: tool to trace users on: January 02, 2009, 11:26:17 AM
Hack_80, can you provide any additional information about the platforms involved and the access method used?  Did the user have access to that file via: remote desktop, shared drives, remote shell, citrix, etc, etc, etc...?  Were these windows/UNIX/etc boxes?  Your answers to those questions are going to dictate where you'd go to get the relevant data. 
3  Ethical Hacking Discussions and Related Certifications / Forensics / SANS SIFT Forensic toolkit on: January 02, 2009, 11:19:47 AM
For the forensics/malware/bit level geeks hanging out in the forum, SANS just gave you a late xmas present.

Happy Holidays!! SANS SIFT Workstation Version 1.2 Released
SANS SIFT Workstation Overview

    * VMware Appliance
    * Ready to tackle forensics
    * Cross compatibility between Linux and Windows
    * Forensic tools preconfigured
    * A portable lab workstation you can now use for your investigations

The SANS SIFT Workstation is a VMware Appliance that is preconfigured with all the necessary tools to perform a forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The appliance is utilized in the Computer Forensic, Investigation, and Response course offered by SANS. We teach analysts to examine core file system data and metadata structures to increase their understanding of the FAT/NTFS/UNIX/LINUX file systems. As a result, their capabilities as a forensic analyst increase immensely. The popular appliance that is part of the SIFTkit is now offered as a free download via the SANS Forensic Website.  The SIFT Workstation gives you the ability to securely examine raw disks, multiple file systems, and evidence formats.  It also places strict guidelines on how evidence is examined (read-only), verifying that the evidence has not changed.

The latest version of the SANS Investigative Forensic Toolkit Workstation (Version 1.1) can be downloaded from http://forensics.sans.org under the downloads section.  (Use the Cheat Sheet for proper command line usage.)

http://sansforensics.wordpress.com/2008/12/24/happy-holidays-sans-sift-workstation-version-12-released/
4  Ethical Hacking Discussions and Related Certifications / Web Applications / OWASP v3 Released on: December 20, 2008, 09:33:28 AM
For those who haven’t seen it:

The new OWASP Testing Guide v3: published!
http://seclists.org/webappsec/2008/q4/0042.html
5  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Whats the best network card for range and packet capture? on: December 17, 2008, 07:31:23 AM
The only thing better is remembering to bring your new uber-hack-o-dealie-3000-with-extra-l33t-sauce, throwing it out on the conference table in front of the client, watching the sheer awesomeness wash over them in a wave, then realizing that you forgot to pack the power cord.  Yup.  Twice in the last year.
6  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Whats the best network card for range and packet capture? on: December 12, 2008, 01:28:23 PM
I got pulled into a small, last minute wireless pen test while I was traveling, which meant I was stuck without our normal gear.  I ran over to Best Buy and grabbed the Netgear WPN511 for something like $30.  It actually worked with BT3 right out of the box.  It's small so I just keep it in my bag at all times now.  The only drawback is that there are two versions of it, one that has an external antenna port, one that doesn't.  I accidentally grabbed the one that didn't.
7  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Word list for FTP brute force on: December 12, 2008, 01:22:44 PM
Just on a side note, there are cases where you'll want to "storm the gates" like this.  Sometimes we get asked to do pen tests as part of an audit, and we know that the corporate security team is not aware that we've been brought in.  Part of the assessment is to determine if they are monitoring the network correctly.  We'll start doing attacks on the scale of "quiet" to "loud" and try to see where they actually start to catch us.  You'd be surprised how many times you'll get all the way to brute forcing passwords before someone actually figures out what's going on.
8  Ethical Hacking Discussions and Related Certifications / Hardware / Re: USB Write Blocker on: December 12, 2008, 01:16:58 PM
RR, what's funny about that statement is that almost all forensics analysts tend to fall back to "I know what I'm doing and I am saying that I did it correctly."  The defense lawyers will always attempt to attack your abilities and knowledge first because it is the most common area of weakness.  If you can't demonstrate that you know what you're doing then you'll probably get exposed.  If you can demonstrate it on the stand, then they'll attack your tools.  This is harder to do because most of them have been vetted already, but there is always a chance that they can convince the court that something went wrong.  Hardware write blockers have a known failure rate, there can always be something in the tool/platform settings that could screw up the evidence, a cosmic gamma burst could have randomly scrambled those bits on the hard drive so that they magically turned into a picture of a little boy in a sprinkler, etc.  This is more of an exercise in confusing/scaring the jury.  If they can't get you on your knowledge or your tools, then they'll try to attack your integrity.  At the end of the day, everyone who testifies is basically saying "I did what I said I did."
9  Ethical Hacking Discussions and Related Certifications / Hardware / Re: USB Write Blocker on: December 10, 2008, 02:16:28 PM
We always used the ones from Digital Intelligence, but I wouldn't call them cheap.  In fact, I'd say they were pretty damn expensive if you couldn't expense them back to your company or a client.
10  Ethical Hacking Discussions and Related Certifications / Malware / Re: New to Computer Exploits on: December 08, 2008, 05:13:09 PM
Depending on how stable your internet connection is out in the suck, you could try to pull down Helix or Knoppix live CDs.  Boot from the CD and run the external malware scanning tools.  You'll get a much more complete and trustworthy report.
11  Ethical Hacking Discussions and Related Certifications / Malware / Re: Recent changes in SSH attacks on: December 08, 2008, 05:10:29 PM
I read through all of these articles as they've been showing up over the last few months, and as a response I started using knockd.  Check it out if you haven't seen it.  Basically you can set up a "secret knock" for your system before it will open the port in a listening mode.  It adds an extra layer of complexity on any brute-force attack.
12  Ethical Hacking Discussions and Related Certifications / Forensics / Re: The Julie Amero Case: A Dangerous Farce on: December 02, 2008, 11:07:11 AM
This ties in nicely to a previous thread about how forensics groups will basically expel you if you are ever caught working for the "dark side" (i.e. the defense).  This is the perfect example of where someone needed to stand up and tell the prosecution that their case was fatally flawed at all levels, especially their technical analysis.  The lead detective in this case also made one of the classic mistakes in law enforcement.  He stated that he did his work to "help the victims."  That is nice to say, but it isn't actually his job.  His job is to perform a neutral investigation which produces factual evidence.  If that evidence indicates that the "victim" might not be a "victim", then so be it.  As soon as you get into the mindset of being there to seek justice for victims, then you start sliding down that slippery slope of manipulating the facts to fit your theory rather than making a theory that fits the facts.  If you can't gather the necessary evidence to convict someone, well that sucks but it is what it is.  At some point you have to admit that the reason the evidence might not exist is because the person you are going after isn't the person that committed the crime.  In rare cases you might also find out that your victim isn't a victim.  In even rarer cases, like this one, the person you're trying to convict might actually be the victim.  The only feasible way to go is to gather the facts and present them honestly.  Oh, but that doesn't work very well when you're a poorly trained, out of your league hack posing as an investigator who is supported by a prosecutor looking for headlines.  In that case maybe you should just do the honorable thing and drink yourself into a coma.
13  Ethical Hacking Discussions and Related Certifications / Other / Re: Do we or Dont we... on: December 01, 2008, 12:57:46 PM
Sounds like you've already demonstrated the business impact.  "I'll work for you on one condition, you give me the $$ to fix this mess.  Otherwise, I leave and you pay a contractor market rates for them to maintain your system."  And just to echo everyone else here, I wouldn't even consider the "live demonstration" tactic.  It'd be just your luck that the first dollar they spend in regards to security is an investigator to track down who broke into their systems.
14  Resources / Career Central / Re: Confused about future on: November 30, 2008, 01:32:07 PM
I think I need to clarify my response because I agree with RR's comment.  You still need to know the basics, I'm just suggesting that you keep your head up and looking down the road in order to figure out a better way to utilize what you know.  If you go out of your way to be the best security specialist in any one area, you are going to start boxing yourself in from a career perspective.  Gurus are always going to be in need and well employed, but if you make the trade off between learning that extra 1% of hard core tech knowledge in favor of picking up a bit more business knowledge, you'll probably reap significant rewards from the decision.  From a corporate perspective, on the rare occasion that they really need a "l337 hax0r", they'll likely reach out and pull in a temporary resource to fill that role.  That's good news if you're a consultant or such and you just bounce from engagement to engagement.  However, if you work for an organization whose purpose is something other than just security (i.e. you are in the security department of a normal business), then they will get more value out of a person that is really good in multiple areas (security, business needs, regulatory/audit, DR, etc) rather than great in one specific area.  There are obvious exceptions, but this is just my observation from working with various clients.  Just sticking with the cloud computing example, your company would rely on you a lot more to provide insight into the pros/cons of moving in that direction, putting together the contracts/SLAs with the providers, and providing long term oversight/audit, etc, rather than hardcore pen testing of the resulting environment.  You still need to know all the concepts, but if you build your career around being the company "hacker guy", then you run a significant risk of having your position go to contractors or consultants.  If you can contribute to the business side, then you have value.  On that note, I'm going to eat leftover turkey.
15  Resources / Career Central / Re: Confused about future on: November 30, 2008, 10:30:18 AM
If you're starting from scratch, why not look down the road a bit and figure out where the industry is going rather than trying to build your skills for where it came from?  There is nothing wrong with focusing on the network or coding sides of the house, but if you still have years to go before you're going to be really active in "real world" security, then try to leap over the whole mess and aim to develop skills that will be in demand in a few years.  Just as an example, start reading up on cloud computing.  Companies are moving over to these environments in a big way, but there are serious security concerns about the whole setup.  Just as there has been a natural progression in security from local systems to networked systems to applications to web apps, the next "big thing" will be massive shared resources.  (Where do you think Google, Amazon, Rackspace, etc are making the highest profit margins right now?)  If I was in your position I'd avoid the temptation to be just another hacker, and see if I could be first into the box on these newer concepts.  Just my 2 cents.
© 2010 The Ethical Hacker Network