Al,

My wife just finished with a computer related audit... can't cover details, but it was quite intense... The first thing, is the original content of the drive. If you login, open documents, etc, you can actually update date/time stamps and thus open yourself and the company to falsifying documents.

One of the things she had to deal with was computer forensics to prepare her baseline. Basically it involved notebooks (and would apply to desktops too). She had to have a company to a bit-copy of the entire hard-drive -- VERBATIM... Exact same type/size drive was required to do this. Never touch this drive again, as it could be evidence to support original documentation values in case brought into court. Then, you could approach cracking the password, and opening documents. You might even want to do a DOUBLE copy. Leave the original alone, make a copy for legal purposes, and a third copy for you to hack and research with.

Although there are other issues involved with computer forensics such as who had access to the computer after the employee left, the less you touch it up-front the better. Get a bit-copy of the hard drive and work off the 3rd copy. You might even check with some Canadian authorities specializing in computer forensics.

HTH.