I do internal investigations and my boss asked me to find out what other organizations are doing to investigate Facebook abuse. We are on a budget freeze at the moment and are hoping someday to purchase current copies of Internet Evidence Finder and CacheBack. Right now I am using a very old copy of IEF that doesn't help much with Facebook. We figure that someday we will have to buy a network monitoring package that will catch them in the act but we don't know quite what to do until then short of installing keyloggers on all our computers. I can show them going to the login page from the history but nothing beyond that of course. What are other people doing for this or perhaps it is not much of an issue elsewhere.
_________________
"Ah, Watson, it's a wicked world. And when a clever man turns his brain to crime, it's the worst of all." The Adventures of Sherlock Holmes: The Speckled Band. 

What is your position with the company?
_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 

I am a forensic examiner for a state government agency. I do not do criminal investigations I do internal HR investigations on employees. We have been increasingly frustrated trying to show excessive Facebook activity and understand that ultimately the way to see it is with real time monitoring but it will be a long time before we have the money for something like NetWitness.
_________________
"Ah, Watson, it's a wicked world. And when a clever man turns his brain to crime, it's the worst of all." The Adventures of Sherlock Holmes: The Speckled Band. 

Last edited by paul206 on Tue Jun 19, 2012 2:32 pm; edited 1 time in total

why not just block the url in question?  

Because it is allowed and we don't have a proxy server and if we did we wouldn't block it anyway because we have our own Facebook page. Here is part of our internet use policy:

11. Personal Use. Moderate personal use of the Internet will be tolerated but excessive personal use is prohibited. Our policy does not allow for unrestricted personal use of the Internet. Users must adhere to other departmental and state acceptable use polices which prohibits employees from visiting certain web sites at any time.

50% of my investigations involve excessive personal use and 25% are for porn. The other 25% are real investigations for misuse, harassment, etc.
_________________
"Ah, Watson, it's a wicked world. And when a clever man turns his brain to crime, it's the worst of all." The Adventures of Sherlock Holmes: The Speckled Band. 

Last edited by paul206 on Wed Jun 20, 2012 5:58 am; edited 1 time in total

- paul206

We have been increasingly frustrated trying to show excessive Facebook activity and understand that ultimately the way to see it is with real time monitoring but it will be a long time before we have the money for something like NetWitness.

You don't really need NetWitness if all you need to monitor is Facebook usage. Just extract the relevant lines from your gateway logs, dump them into a database and slice and dice as you see fit. Microsoft Log Parser works well for logs from ISA, and there are plenty of free or cheap tools that can handle most other log formats.  

Thanks very much. I will talk to my boss about it. Only problem is that our routers and gateway don't belong to us. We have to request the logs when we want to see them from the state agency that supplies and administers them.
_________________
"Ah, Watson, it's a wicked world. And when a clever man turns his brain to crime, it's the worst of all." The Adventures of Sherlock Holmes: The Speckled Band.