Dear all,
we need to intercept a few people to discover who is sending out information about the firm.
Legally we can do it.
We need information about products, hardware or software, that could be useful for us.
Thanks in advance
Seen from my point of view, you are not familiar with Digital Forensics. Please consider a face-to-face meeting with a Digital Forensics expert in Italy before buying expensive software. And you should not forget the EU standards for Data Privacy; I recommend you double-check the legal situation before spying on your own employees.
best regards,
Robin
Related to hardware and software, you can find this in the Hebrew-speaking country. If you PM me I can recommend you three best-of-class companies, as advertising in this forum is forbidden.
I think you are mistaken on the rules. You can recommend any provider/business you want. The forum has tried to stay away from people starting posts saying HEY LOOK AT ME, use my company.
we need to intercept a few people to discover who is sending out information about the firm.
Do you know in what way the information has been leaked? Pastebin? Email? Instant messaging? USB sticks? Printed paper? That can really help to narrow down the scope.
If not, you can set up a honeytoken (look at Thinkst Canary, cost = $0). After that you can look into what protocols exist on the network; is it one of the ones listed above?
Keyloggers are also an option (which can be controversial and highly intrusive, unless you really know that you legally can). Capturing PCAPs of everything is the same and can be rather expensive (a NAS with a couple of TB can be a big expense for a small organisation), but you can limit the scope if you've already determined a few suspects, or a specific part of the organisation. A 2TB drive can store a long time of user network activity if you can focus on a few users; filtering inbound YouTube and big bulk data like that will extend it further.
Doing TLS decryption is also possible, but this is rather expensive (both money-wise and processor-wise), and an observant person can identify that TLS decryption is going on by looking at site certificates which are obviously wrong. The price tag of such a thing is a bit high, so it's more of a long-term investment that also takes time to set up properly.
You may want to dump conversations from, say, an email server and look at who is talking to whom; you can use Gephi (free) or a similar commercial tool (Maltego to Palantir, expensive) to investigate this, or you can pay someone who can do that.
If you have them, look at physical entry logs (whose card was used at what gate/door at what time) and correlate that to login events and then to who has access to the information.
Marking documents with unique entropy or specific words (cost = $0) is another idea to determine who is sending something out; you can also include an internet link in a document and see where it is opened (works like those iframes that track page visitors on the web). Disseminate and distribute these documents to potential leakers and stand back and watch; if you've done it right, you can see the leaker's and the recipient's IPs popping up with a unique reference.
Record serial numbers of anything connected to the computers: USB sticks, iPhones. If you can, get the content of any media connected and diff for changes. There are several products that can store the content of such media and track changes (look at DeviceLock and similar DLP products).
Good luck.
(P.S. I know that the following isn't going to help, but if you have sensitive information in your organisation, be it commercial or government, it's worth spending time preparing for such an event and setting up this kind of functionality, practising and clearing everything with the legal and HR departments. Having contact with law enforcement during this time also helps.)
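A worked version of the document-marking and tracking-link idea from the post above, added here as an example; it is not code from the original poster. It assumes a hypothetical beacon host (tracker.example.invalid) that the investigation team controls and whose access log is in the common combined format, a constructed investigation key, a constructed document template, and constructed log lines. Each suspect gets a copy carrying a per-recipient reference marker (an HMAC of the recipient's name) and a link containing the same token; a leaked copy is attributed by its marker, and beacon log hits are mapped back to the recipient and the fetching IP.

```python
import hashlib
import hmac
import re

# Constructed for this example: an investigation key kept outside the shared
# environment, so a suspect cannot compute other people's tokens and frame them.
INVESTIGATION_KEY = b"example-investigation-key-not-for-production"

# Hypothetical beacon host controlled by the investigation team; every fetch
# of /b/<token> ends up in its access log.
BEACON_BASE = "https://tracker.example.invalid/b"

# Constructed template; {REF} and {LINK} are filled in per recipient.
TEMPLATE = (
    "INTERNAL - Q3 pricing review\n"
    "Reference: {REF}\n"
    "Full spreadsheet: {LINK}\n"
    "Draft margins for the EMEA product line are attached.\n"
)


def token_for(recipient, key=INVESTIGATION_KEY):
    """Deterministic per-recipient token: HMAC-SHA256 of the name, 16 hex chars."""
    return hmac.new(key, recipient.encode(), hashlib.sha256).hexdigest()[:16]


def watermark(template, recipient):
    """Return a copy of the document that is unique to this recipient."""
    tok = token_for(recipient)
    return template.replace("{REF}", f"REF-{tok}").replace("{LINK}", f"{BEACON_BASE}/{tok}")


def build_roster(recipients):
    """token -> recipient, so a marker seen in the wild can be resolved."""
    return {token_for(r): r for r in recipients}


REF_RE = re.compile(r"REF-([0-9a-f]{16})")


def identify_sources(leaked_text, roster):
    """Recipients whose marker appears in a leaked copy ([] if it was stripped)."""
    found = set(REF_RE.findall(leaked_text))
    return sorted(roster[t] for t in found if t in roster)


# Combined-log-format line on the beacon host, e.g.
# 203.0.113.7 - - [13/Mar/2014:21:40:11 +0100] "GET /b/0123456789abcdef HTTP/1.1" 200 43 ...
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /b/([0-9a-f]{16}) HTTP/1\.[01]" (\d{3})'
)


def beacon_hits(log_lines, roster):
    """(recipient, client_ip, timestamp) for each fetch whose token is in the roster."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, tok, _status = m.groups()
        if tok in roster:  # unknown tokens (scanners, typos) are ignored
            hits.append((roster[tok], ip, ts))
    return hits


def demo():
    suspects = ["alice", "bob", "carol"]
    roster = build_roster(suspects)
    docs = {name: watermark(TEMPLATE, name) for name in suspects}
    # Constructed scenario: bob's copy surfaces on a paste site...
    leaked = docs["bob"]
    # ...and the beacon log shows bob's own internal open, an outside fetch of
    # bob's link, and an unrelated request for a token nobody was given.
    tok_bob = token_for("bob")
    unknown_tok = "0" * 16
    log = [
        f'10.0.0.23 - - [12/Mar/2014:09:14:02 +0100] "GET /b/{tok_bob} HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
        f'203.0.113.7 - - [13/Mar/2014:21:40:11 +0100] "GET /b/{tok_bob} HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
        f'198.51.100.9 - - [13/Mar/2014:21:41:00 +0100] "GET /b/{unknown_tok} HTTP/1.1" 404 0 "-" "curl/7.35"',
    ]
    return identify_sources(leaked, roster), beacon_hits(log, roster)


if __name__ == "__main__":
    print(demo())
```

The marker survives copy-and-paste but not retyping or a screenshot, and the link only fires if the recipient (or whoever they forwarded it to) opens it with network access; that is why the post suggests using both. Hits from the firm's own address space (10.0.0.23 above) are the suspect reading their own copy and must be separated from fetches by outside addresses before drawing any conclusion.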
Excellent post! Absolutely helpful explanations.
About the P.S.: we call this here Forensic Readiness.
Thanks all for the answers. I do forensics but I never did an interception. As said, it can be USB sticks or other ways. Actually I didn't know anything about the job I was taking on in advance.
thanks again