Employee Exit - Top 5 or 10 things to examine system for

Post Posted: Sun Jan 20, 2013 2:51 pm

Hi,
I am working on a presentation oriented towards non-technical folks, specifically in the HR department (so, REALLY non-technical).

The intent of the presentation is to raise their awareness regarding IP theft that can occur when employees leave the company. So, things like:

- Exporting or forwarding the sales leads / contacts / emails from Outlook
- Copying files off the user's local file system
- Copying files accessed off of network shares
- Etc.

I'm reaching out to the community to see what particular approaches you might take if you were to examine a system of an outgoing employee. Not necessarily the most comprehensive, but if you were time and budget constrained, what might be the 5 or 10 things you'd definitely want to check for. Examples might be:

- Log of USB activity
- Browser history / recent searches (e.g. "how to copy files" might be a recent search)
- Mail event history
- Etc.

Very open minded to what people see as possible forms of IP theft I haven't listed, as well as the Top 5 / 10 things to check for (short of a full soup to nuts examination of a machine) as well as the tools you might recommend to conduct the examination (Commercial suggestions like Encase w/ certain scripts is fine, but open source would be interesting as well to present a spectrum of cost options).

Thanks so much in advance!  

rudyr
Newbie

Re: Employee Exit - Top 5 or 10 things to examine system for

Post Posted: Sun Jan 20, 2013 5:05 pm

* Log of USB activity.

If you have access to it, sure. However, having access to logs that say when a USB stick with serial number so-and-so was attached to the system - and not which files were copied to/from it - is rather useless.

* Browser history / recent searches (e.g. "how to copy files" might be a recent search)

That works well if the person is a complete idiot. Fortunately, there are some idiots who think that the organisation's network is their private one. Depending on your mandate within the organisation, budget and legislation, you can set up TLS interception and dump network traffic. It's not an easy step to take. Well, technically it is easy, but you may experience resistance when you explain it to your boss.

You should also start e-tagging documents so it is possible to auto-detect if they leave the network (IDS rules). While it is possible to copy/paste information from document A to document B and resave it, you can make the tagging part of the text.

* Mail event history

Can be a good source. The best info would be the emails themselves.

* Access to files/documents

A good thing to have would be a document management solution that logs access to files, sharing, reading and writing. This will not stop anyone from copying files manually outside the system, but it will show who had access to what information and during what time period; it can also show searches for things that are outside the normal area of a person's line of work. There are some data loss prevention products out as well, but I have not tried any of them and cannot vouch for their effectiveness.

But, the best thing to do would be to mitigate the problem in the first place.

Does everyone really need USB connectivity? If not, turn it off.
Do they need to be able to burn data to DVD? Disable the DVD drive.
Do they even need internet at all?

Someone who sits and develops code for the company, I would call that person an asset, and assets can be given separate laptops to do their surfing on. Laptops are cheap, corporate data is expensive. I know a corporation that had a separate developer network out in the R&D. Entrance to it was strict, no internet, no nothing. (Though you could tell the receptionist that you came from company so and so, and she would gladly hand you the keys to the server room.)

So basically - remove the problem before it hits the fan.

I know this is a forensics forum and all, and forensics is fun - but all it does in this case is discover that information has been stolen and given away to competitors; it cannot repair the damage.

MDCR
Senior Member

Re: Employee Exit - Top 5 or 10 things to examine system for

Post Posted: Sun Jan 20, 2013 7:22 pm

No doubt that pro-active prevention would be ideal. However, this is specifically for HR to discover ex-post violations by employees who have left the company. Actually, a couple of the things you mentioned have been very useful in work I've done (last USB attached serial #, and users search history for obviously unwise / incriminating queries).

What I'm looking for specifically is what, given JUST the exiting user's laptop, would be the 5 or so things that would be good to search for. So, assume no examination of corporate firewall logs, document management systems, etc. Simply the laptop and what are some worthwhile things to look for (e.g. a USB is plugged in, files are copied, maybe a file that is copied is opened....what remnants are typically left behind from this activity and what allows you to examine it. OR, user exports a PST or exports contacts, what history of that would remain and again, suggestions how to examine it).  

rudyr
Newbie
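An added example, not code from any poster in this thread, showing one way to close the gap MDCR points out and rudyr asks about: a USB log only says that a device with a given serial was attached, but the .lnk shortcuts Windows writes when a file is opened record the file's path, drive letter included, so files opened from the removable volume during its connection window (and local files opened while it was attached) can be pulled out and put on a timeline. The device and shortcut records below are constructed stand-ins for what an examiner would parse out of the USBSTOR registry key, setupapi.dev.log and the user's Recent folder; the serials, paths and times are invented.

```python
"""Correlate removable-device connection windows with files opened from
those volumes.  Constructed example for this thread; the records below
stand in for artifacts parsed from a Windows image (the USBSTOR key under
SYSTEM\\CurrentControlSet\\Enum, setupapi.dev.log for connect times,
and the .lnk files in %APPDATA%\\Microsoft\\Windows\\Recent)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class UsbEvent:
    serial: str                     # device serial (USBSTOR key name), invented
    drive_letter: str               # letter the volume was mounted as
    connected: datetime             # first connect time
    disconnected: Optional[datetime] = None   # None: still attached at imaging


@dataclass
class LnkRecord:
    target: str                     # target path stored in the .lnk
    opened: datetime                # shortcut modified time = last open


@dataclass
class DeviceActivity:
    from_device: List[str] = field(default_factory=list)          # opened off the volume
    local_during_window: List[str] = field(default_factory=list)  # local files opened while attached


def correlate(usb_events: List[UsbEvent], lnks: List[LnkRecord],
              slack: timedelta = timedelta(minutes=5)) -> Dict[str, DeviceActivity]:
    """Bucket each shortcut into the connection window of the device whose
    drive letter it points at.  The window matters because Windows reuses
    drive letters: E: last week and E: today may be different sticks."""
    report: Dict[str, DeviceActivity] = {}
    for dev in usb_events:
        start = dev.connected - slack
        end = datetime.max if dev.disconnected is None else dev.disconnected + slack
        prefix = dev.drive_letter.upper() + ":\\"
        activity = DeviceActivity()
        for lnk in sorted(lnks, key=lambda rec: rec.opened):
            if not start <= lnk.opened <= end:
                continue            # opened outside this device's window
            if lnk.target.upper().startswith(prefix):
                activity.from_device.append(lnk.target)
            else:
                activity.local_during_window.append(lnk.target)
        report[dev.serial] = activity
    return report


# Constructed sample records (not from a real case).
USB_EVENTS = [
    UsbEvent("4C530001230211113456", "E",
             datetime(2013, 1, 18, 14, 2), datetime(2013, 1, 18, 14, 40)),
    UsbEvent("0701CAFE00", "F", datetime(2013, 1, 19, 9, 15)),   # never unplugged
]
LNK_RECORDS = [
    LnkRecord(r"E:\sales_leads_2013.xlsx", datetime(2013, 1, 18, 14, 10)),
    LnkRecord(r"C:\Users\jdoe\Documents\report.docx", datetime(2013, 1, 18, 14, 12)),
    LnkRecord(r"E:\old_photos.jpg", datetime(2013, 1, 17, 10, 0)),   # an earlier E: device
    LnkRecord(r"F:\customer_contacts.pst", datetime(2013, 1, 19, 9, 30)),
]


def build_report() -> Dict[str, DeviceActivity]:
    return correlate(USB_EVENTS, LNK_RECORDS)


if __name__ == "__main__":
    for serial, act in build_report().items():
        print(serial)
        for path in act.from_device:
            print("  opened from device:", path)
        for path in act.local_during_window:
            print("  local file opened while attached:", path)
```

A shortcut pointing at the removable volume shows that the file was opened from that volume, not that it was copied there, and a file copied without ever being opened leaves no shortcut at all; treat the output as a starting list for the examiner, not as proof. Shortcut files also store the volume serial number of the drive they point at, which is a stronger match than the drive letter used here and is the obvious refinement once the volume serials have been recovered from the image.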

Re: Employee Exit - Top 5 or 10 things to examine system for

Post Posted: Sun Jan 20, 2013 9:11 pm

We did extensive field testing of a USB monitoring process during an announced layoff period - and it was for naught.

Unless USB usage was forbidden, there is no way to differentiate between naughty versus nice USB copying. Copying a whole bunch of files? Sure, perhaps it's for business continuity. Copying one file? Sure, could be for malicious intent to steal but falls way beneath our threshold.

Even with active desktop monitoring (e.g. spector cne), it requires a team of individuals to step through the screenshots, attributing context to the employee's actions.

In the end Legal said, we trusted them before we announced the layoffs, we have to trust them afterwards.
_________________
Blog: secureartisan.wordpress.com 

pbobby
Senior Member

Re: Employee Exit - Top 5 or 10 things to examine system for

Post Posted: Mon Jan 21, 2013 2:44 am

- rudyr
However, this is specifically for HR to discover ex-post violations by employees who have left the company.


If HR (or CISO or ...) has a concept of violation, then there's no point in listing random things: make a list of *their* violations, prioritize them, and then use that. That's at least a search with a specific target.

If saving classified documents is an issue, then search for those. If unlicensed software is an issue, then search for that. If use of non-approved USB devices is an issue, look for that.

But looking for, say, indications that cleaner software has been used ... is kind of useless. An IT-savvy person would probably use one in order to protect any personal stuff that may be left -- I know I do.

Much better to save the hard drive on the off chance that there may be future developments.

Still ... if anything like such search-for-unknown-and-unsuspected-infractions is performed, make sure the cost of it is kept track of closely, and evaluated at least once every three months. That allows for economic sanity to interfere with the program.

athulin
Senior Member

Re: Employee Exit - Top 5 or 10 things to examine system for

Post Posted: Thu Jan 24, 2013 10:29 am

One of the standard reports that gets sent to HR when they think data may be walking out the door is the network print logs. The logs won't give you the actual document, but we do get the time of print jobs, the document name and the path where the document resides.

Yes, it didn't stop the data from going out, but now our legal department can start doing what they do to lessen the damage.

Rong
Member
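To go with Rong's print-log report, an added example (not from Rong or any print server product) that turns an exported print log into the per-user summary HR would actually read: page totals, jobs outside business hours, and jobs whose source path sits under a watched share. The CSV sample and its column layout are constructed for the example; a real export, or the Microsoft-Windows-PrintService/Operational event log, would need its own field mapping in `parse_print_log`.

```python
"""Summarise an exported print log per user.  Constructed example for this
thread; the CSV layout below (time, user, document, path, pages) is invented
to match the fields named in the post and is not any product's format."""
import csv
import io
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Sequence

# Constructed sample export; these are not real print jobs.
PRINT_LOG = r"""
time,user,document,path,pages
2013-01-18 09:12:00,jdoe,Q1 forecast.xlsx,\\fs01\finance\Q1 forecast.xlsx,3
2013-01-18 21:47:00,jdoe,customer list.xlsx,\\fs01\sales\customer list.xlsx,42
2013-01-18 21:52:00,jdoe,price book.pdf,\\fs01\sales\price book.pdf,88
2013-01-18 10:05:00,asmith,memo.docx,C:\Users\asmith\Documents\memo.docx,1
"""


def parse_print_log(text: str) -> List[dict]:
    """Turn the CSV export into job dicts with a real datetime and int page count."""
    jobs = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        jobs.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "user": row["user"],
            "document": row["document"],
            "path": row["path"],
            "pages": int(row["pages"]),
        })
    return jobs


def summarize(jobs: Sequence[dict], watched_paths: Sequence[str],
              business_hours=(7, 19)) -> Dict[str, dict]:
    """Per-user totals plus two flags worth a second look: printing outside
    business hours and printing from shares the organisation cares about."""
    watched = [w.lower().rstrip("\\") for w in watched_paths]
    start_h, end_h = business_hours
    out: Dict[str, dict] = defaultdict(lambda: {"jobs": 0, "pages": 0,
                                                "after_hours": [], "watched": []})
    for job in jobs:
        entry = out[job["user"]]
        entry["jobs"] += 1
        entry["pages"] += job["pages"]
        if not start_h <= job["time"].hour < end_h:
            entry["after_hours"].append(job["document"])
        path = job["path"].lower()
        if any(path.startswith(w + "\\") for w in watched):
            entry["watched"].append(job["document"])
    return dict(out)


def build_summary() -> Dict[str, dict]:
    return summarize(parse_print_log(PRINT_LOG), [r"\\fs01\sales"])


if __name__ == "__main__":
    for user, s in build_summary().items():
        print(f"{user}: {s['jobs']} jobs, {s['pages']} pages, "
              f"{len(s['after_hours'])} after hours, {len(s['watched'])} from watched shares")
```

The two flags are deliberately simple: neither proves anything on its own, but a user who prints a large customer list from the sales share at 21:47 the week before leaving is exactly the record legal wants to see next to the exit date, and the watched-share list is where HR's own definition of a violation (the point athulin and keydet89 make) gets encoded.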

Re: Employee Exit - Top 5 or 10 things to examine system for

Post Posted: Mon Jan 28, 2013 2:18 pm

- rudyr

I'm reaching out to the community to see what particular approaches you might take if you were to examine a system of an outgoing employee. Not necessarily the most comprehensive, but if you were time and budget constrained, what might be the 5 or 10 things you'd definitely want to check for. Examples might be:


As has already been mentioned, I would think that the best place to start is to go to HR (or just your target audience in general) and determine what they feel is a "violation". For some organizations, "surfing pr0n" might be a violation of acceptable use policies, but they might not have thought of "IP theft" as an issue.

You mention USB devices...there are a number of freeware tools that are available to assist you with this, but most use the publicly-accepted process for determining USB thumb drives and external drive enclosures connected to systems, and as such, miss other rather ubiquitous devices.

- rudyr

Very open minded to what people see as possible forms of IP theft I haven't listed, as well as the Top 5 / 10 things to check for (short of a full soup to nuts examination of a machine) as well as the tools you might recommend to conduct the examination (Commercial suggestions like Encase w/ certain scripts is fine, but open source would be interesting as well to present a spectrum of cost options).


I'm creating the Forensic Scanner application for examinations just like what you've described. I'm doing so, in part, to make it easier to do these sorts of exams quickly, but also because while the tools are out there, most of them do not work together.

If you want to discuss your original topic offline, you can reach me at keydet89 at yahoo dot com.  

keydet89
Senior Member