Corporate investigations

Discussion of legislation relating to computer forensics.

psu89
Senior Member
 

Corporate investigations

Posted: Jul 18, 06 20:29

I have been asked by my employer to draft a "Corporate Forensic Statement" that should include such things as what systems will be 'spot checked'. I was told that the company may not be able to perform random spot checks, that it must do all or nothing.

This doesn't seem right: if you can do random drug testing of employees, then why can't you do random computer previews? The company wants to look for things such as violations of the AUP (porn, gambling, etc.) as well as CP and other illegal activity.

Can anyone shed some light on this topic? I have been reading a lot of articles about Forensic Readiness Planning, but want to get more specifics on what systems are checked, for what and how often.

Thanks,
Brian  
 
  

keydet89
Senior Member
 

Re: Corporate investigations

Posted: Jul 18, 06 22:23

> ...then why can't you do random computer previews[sic]

There could be a lot of reasons. Perhaps the best person to ask would be whomever assigned this to you, rather than the list.

However, to throw some thoughts out there, there could be issues of compliance, legal issues, cost, etc.

> want to get more specifics on what systems are checked,

From your post, it sounds like that's already been answered. Didn't you say that it was all or nothing?

> ...for what...

Again, it sounds like this has already been answered (porn, gambling, CP, other illegal activity).

> ...and how often.

Uh..."random"? I'm sure the exact frequency is going to depend heavily on staffing levels, etc.

Harlan  
 
  

psu89
Senior Member
 

Re: Corporate investigations

Posted: Jul 18, 06 23:07

One recommendation I received was to set a % goal. The company attempts to image and investigate 1-2% of the total number of systems each month, so each year they have 12-24% of the systems analysed, giving them a pretty good picture of what is going on with relatively low investment.

The CIO who assigned this to me knows nothing of forensics and has not been able to provide me any more information. I still think random checks are not illegal, so all or nothing can't be right, I am looking for documentation to prove this.

What I want to know is: of the systems analyzed, what is looked for and where? Or is a full investigation performed? In my situation it would be 1-2 systems per month to analyze, so a full investigation is not out of the question, but my time might be better spent previewing first.

My guess would be to preview the image made and look at Internet history, cookies, graphic files, etc. and then escalate to a higher level if suspicious activity is discovered.

I don't want to reinvent the wheel, if someone has a corporate forensic policy (or outline of one) they would like to share, I would appreciate it.  
 
  

keydet89
Senior Member
 

Re: Corporate investigations

Posted: Jul 19, 06 04:28

I guess I'm still not clear why you feel you need to run a complete forensic acquisition of the systems you're examining...wouldn't a preview suffice?

> ...what is looked for and where?

I'm still confused by this one, too...you seem to be pretty clear on where this stuff is (cookies, history, etc.). Is there something specific you're looking for? Or are you looking for recommendations in general?

Harlan  
 
  

schlecht
Member
 

Re: Corporate investigations

Posted: Jul 19, 06 04:45

If there is an existing AUP, then how is it enforced now? If there are such things as Internet proxying/filtering (e.g. Websense, Guardian or the like), IM proxying (IMlogic, Akonix, etc.), IDS/IPS nodes, logging in general or filesystem auditing, then you may already have your answer as to how to pick your sample.

If this is something to be done regularly - I wouldn't put time into an actual investigation but try to automate as much as you can. Even with freeware like FSP (Harlan you can pay me later) or the like, you could push a load of information that can then be grep'd or run through an "analysis" script to pull for keywords that you can tailor.
_________________
schlecht 
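The two mechanical parts of what is being discussed in this thread, drawing the monthly random sample of workstations (the 1-2% figure psu89 quotes above) and running the collected data through a tailored keyword pass before anyone spends time on a full examination (schlecht's "grep'd or run through an analysis script"), are shown below as an added example. It is not code from either poster, nor from FSP; it assumes a hypothetical history export of one `date time user url` line per visit, and every hostname, user, URL and keyword list in it is constructed for illustration.

```python
"""Added example: sample-and-triage helper for a periodic AUP review.

(1) pick_sample: draw the monthly random sample of workstations to pull.
(2) triage: run exported browser-history lines through AUP keyword
    categories and decide whether a user/host should be escalated to a
    full examination.
All hosts, users, URLs and keyword lists here are constructed for
illustration; they are not from any real environment.
"""
import math
import random
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Hypothetical AUP categories.  Each pattern is matched against the
# lower-cased host+path of a visited URL; an examiner would tailor and
# maintain these lists (this is the "keywords that you can tailor" step).
CATEGORIES = {
    "gambling":  [r"poker", r"casino", r"sportsbook", r"\bbet(ting)?\b"],
    "adult":     [r"\bxxx\b", r"\bporn", r"adult-?(cam|video)s?"],
    "jobsearch": [r"monster\.com", r"careerbuilder", r"\bjobs?\b"],
}
COMPILED = {cat: [re.compile(p, re.I) for p in pats]
            for cat, pats in CATEGORIES.items()}

# Constructed inventory: 150 workstations named ws-001 .. ws-150.
HOSTS = ["ws-%03d" % i for i in range(1, 151)]

# Constructed history export, format: "YYYY-MM-DD HH:MM:SS user url".
SAMPLE_HISTORY = [
    "2006-07-18 09:12:03 jdoe http://intranet.example.local/timesheet",
    "2006-07-18 09:40:17 jdoe http://www.example-poker.test/tables",
    "2006-07-18 10:02:55 jdoe http://sportsbook.example.test/odds",
    "2006-07-18 13:21:09 jdoe https://casino.example.test/login",
    "2006-07-18 11:00:00 asmith http://news.example.test/world",
    "2006-07-18 11:05:00 asmith http://www.example.test/jobs",
    "garbage line that does not parse",
]


def pick_sample(hosts, percent, seed=None):
    """Return a sorted random sample of ceil(percent % of hosts), at least one.

    `seed` exists only so a demonstration is reproducible; leave it None in
    real use so the selection is not predictable to staff.
    """
    if not hosts:
        return []
    n = min(len(hosts), max(1, math.ceil(len(hosts) * percent / 100.0)))
    rng = random.Random(seed)
    return sorted(rng.sample(sorted(hosts), n))


def classify_url(url):
    """Return the categories whose patterns match the URL's host+path."""
    parsed = urlparse(url)
    text = (parsed.netloc + parsed.path).lower()
    return [cat for cat, pats in COMPILED.items()
            if any(p.search(text) for p in pats)]


def parse_history_line(line):
    """Parse one constructed 'date time user url' line; None if malformed."""
    parts = line.split(None, 3)
    if len(parts) != 4:
        return None
    date, time, user, url = parts
    if not url.lower().startswith(("http://", "https://")):
        return None
    return {"when": date + " " + time, "user": user, "url": url}


def triage(history_lines, escalate_at=3):
    """Count category hits per user and flag users with >= escalate_at hits
    in any one category for a full examination.

    Returns (report, unparsed) where report maps user -> {"hits": Counter,
    "examples": {category: [up to 3 urls]}, "escalate": bool}, and unparsed
    is the number of skipped lines, so the examiner knows how much of the
    export the pass did not cover.
    """
    report = defaultdict(lambda: {"hits": Counter(),
                                  "examples": defaultdict(list),
                                  "escalate": False})
    unparsed = 0
    for raw in history_lines:
        rec = parse_history_line(raw)
        if rec is None:
            unparsed += 1
            continue
        entry = report[rec["user"]]
        for cat in classify_url(rec["url"]):
            entry["hits"][cat] += 1
            if len(entry["examples"][cat]) < 3:
                entry["examples"][cat].append(rec["url"])
    for entry in report.values():
        entry["escalate"] = any(n >= escalate_at for n in entry["hits"].values())
        entry["examples"] = dict(entry["examples"])
    return dict(report), unparsed


if __name__ == "__main__":
    print("This month's sample:", pick_sample(HOSTS, 2, seed=1))
    report, skipped = triage(SAMPLE_HISTORY)
    for user, entry in report.items():
        print(user, dict(entry["hits"]), "ESCALATE" if entry["escalate"] else "ok")
    print("unparsed lines:", skipped)
```

The keyword pass is deliberately cheap and noisy: its output is a ranked shortlist and a count of what it could not parse, not a finding. In the constructed data `jdoe` crosses the gambling threshold and is flagged for the full examination psu89 describes, while `asmith` (one job-site visit) is not.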
 
  

psu89
Senior Member
 

Re: Corporate investigations

Posted: Jul 19, 06 07:53

> keydet89 wrote:
> I guess I'm still not clear why you feel you need to run a complete forensic acquisition of the systems you're examining...wouldn't a preview suffice?
>
> > ...what is looked for and where?
>
> I'm still confused by this one, too...you seem to be pretty clear on where this stuff is (cookies, history, etc.). Is there something specific you're looking for? Or are you looking for recommendations in general?
>
> Harlan


Right, like I said- "My guess would be to preview the image made..."

I am still trying to get an opinion on how many systems to look at, whether it is legal/acceptable to do random checks, and how to conduct such investigations in the most efficient way.
What I have so far is a policy from a large company that says they examine 1-2% of systems per month, which includes acquisition of an image and a preview investigation that may be escalated depending upon what is found.

Does that sound reasonable? What are others doing at their company? Does previewing Internet history/cookies give the examiner a good 'profile' of the user? During a preview, what other areas/what other file types are looked at?
 
  

psu89
Senior Member
 

Re: Corporate investigations

Posted: Jul 19, 06 08:02

> schlecht wrote:
> If there is an existing AUP, then how is it enforced now? If there are such things as Internet proxying/filtering (e.g. Websense, Guardian or the like), IM proxying (IMlogic, Akonix, etc.), IDS/IPS nodes, logging in general or filesystem auditing, then you may already have your answer as to how to pick your sample.
>
> If this is something to be done regularly - I wouldn't put time into an actual investigation but try to automate as much as you can. Even with freeware like FSP (Harlan you can pay me later) or the like, you could push a load of information that can then be grep'd or run through an "analysis" script to pull for keywords that you can tailor.


The AUP is the standard "don't waste time on the Internet" statement that is not enforced. Currently no proxying, filtering or IDS is done. After the one and only random investigation that was done (by me as a school project), the company is concerned that it may have a problem with the Internet habits of its employees. Based on my investigation, the FBI was called and they took over.

The company is looking to revise its policies, including creation of a forensic readiness/forensic investigation policy. This is the reason for all my questions, and I am looking for advice on how best to handle internal investigations with little or no 'probable cause'. Meaning it is not in response to an incident; they are meant to get a picture of employee habits and serve as a deterrent as well.
 
