Hello All-
I would appreciate your thoughts/suggestions for handling investigations where IT may be involved. I understand I'm not being very specific, but perhaps we can keep this a generalized conversation on the topic.
As you know, for corporate investigations, IT usually plays a helpful role in our investigation process. They have the inside knowledge of the IT infrastructure, users, and systems in place. They often assist us with our identification, preservation and collection efforts. They can be used for those situations where we want to grab a custodian's machine without their knowledge - i.e. "We need to apply security patches to your machine."
With that said... what do you do when the key custodian in your investigation is the (active) IT guy?
For purposes of discussion, let's assume the IT guy is an active employee and that management does not have all the facts of the investigation. They have asked us to assist with the investigation of the IT guy.
How do you go about investigating the IT guy when you lack the inside knowledge of the infrastructure, users, and systems?
How do you perform an investigation in such a way that the IT guy does not feel like the center of the investigation?
We obviously need to tread lightly with these types of investigations, as the IT guy could cause severe damage to the IT environment. I have reservations about only walking in and removing the person's physical access. As you know, we have to consider that this person may (probably does) have remote access capabilities. Removing physical access is easy, but ensuring the individual is cut off remotely may be difficult. This person probably has all the passwords and account information for all their systems too.
Without his assistance, we may not be able to access an asset management system - to check what items have been issued to him. He may not even track his assets in the system, since he is working in an IT capacity. Without his assistance, we may not be able to identify data sitting outside the internal network - in the cloud.
I appreciate your thoughts on the subject.
What do you do when the key custodian in your investigation is the (active) IT guy?
Me, I'd ask 'management' for a risk and consequence assessment: what 'unwanted actions' can result from the investigation, what is the likelihood, how do they propose to mitigate, and within what timeframe. (I'm assuming I'm an outsider, rather than some kind of middle management inside the company.)
If the investigation must go ahead, there is nothing to do but get acceptance for the risks associated with the planned actions. (That cannot be done until the risks have been identified, and estimated, clearly.)
If there's time, begin a key-personnel risk mitigation program, to get at least some of the information access under control.
This isn't a computer forensic problem – it's an information security problem. You may consider asking in those forums as well.
With that said... what do you do when the key custodian in your investigation is the (active) IT guy?
Custodian, or object of your investigation?
How do you go about investigating the IT guy when you lack the inside knowledge of the infrastructure, users, and systems?
How do you perform an investigation in such a way that the IT guy does not feel like the center of the investigation?
We obviously need to tread lightly with these types of investigations, as the IT guy could cause severe damage to the IT environment. I have reservations about only walking in and removing the person's physical access. As you know, we have to consider that this person may (probably does) have remote access capabilities. Removing physical access is easy, but ensuring the individual is cut off remotely may be difficult. This person probably has all the passwords and account information for all their systems too.
Without his assistance, we may not be able to access an asset management system - to check what items have been issued to him. He may not even track his assets in the system, since he is working in an IT capacity. Without his assistance, we may not be able to identify data sitting outside the internal network - in the cloud.
I appreciate your thoughts on the subject.
It sounds like there's a lot more going on here than may be immediately obvious... the biggest issue being, why does any single person have the keys to the kingdom in the first place?
Throughout the post, you keep saying "the" IT guy, not "an" IT guy. My first inclination would be to bring another IT guy in, have him sit with HR and have them explain what's going on, why his help is needed, and why he needs to be discreet.
But it sounds like you can't do that…like the IT infrastructure is a Jenga tower that could topple down at any moment.
What happens if the IT guy gets hit by a bus or goes on a holiday?
Surely there is someone else who knows how the system is run?
So get someone else involved as a backup IT guy. This is just common sense regardless of any investigation. Get procedures and documents prepared for stuff like:
- Backups
- Restore from backup
- Adding user accounts
- Doing audits of system resource usage, user groups, etc.
- Network diagrams
- List of service providers and account numbers, etc., hosting, ISP
Once this is all done having someone else take over, for whatever reason, should be easier.
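The first post's worry (physical access is easy to remove, remote access is not, and the custodian holds the service-account passwords) and the "audits of user groups" item in the list above both come down to the same piece of work: before anyone walks in, inventory every remote path the custodian uses, the other accounts that log in from the same places (likely service accounts whose credentials he holds), and his privileged group memberships, and turn that into one revocation list to execute in a single window. The script below is an added example written for this thread, not code posted by anyone in it. It assumes Linux auth.log-style syslog lines from sshd, sudo and OpenVPN, and an /etc/group file; every hostname, address, account name and log line in it is constructed sample data.

```python
"""Inventory a custodian's remote-access paths and privileges from auth logs.

Added example for this thread. All sample data below is constructed, not real.
Assumed input formats: syslog lines from sshd, sudo and OpenVPN, plus /etc/group.
"""
import re
from collections import defaultdict

# Constructed auth.log lines. "jdoe" is the hypothetical custodian.
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 fileserver sshd[2231]: Accepted publickey for jdoe from 203.0.113.7 port 51022 ssh2: RSA SHA256:abc
Mar 10 08:03:40 fileserver sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash
Mar 10 09:15:02 vpngw openvpn[801]: 203.0.113.7:41900 [jdoe] Peer Connection Initiated with [AF_INET]203.0.113.7:41900
Mar 10 09:20:55 dbserver sshd[4410]: Accepted password for backup-svc from 203.0.113.7 port 51100 ssh2
Mar 10 10:02:11 fileserver sshd[2290]: Accepted publickey for asmith from 198.51.100.20 port 50011 ssh2: ED25519 SHA256:def
Mar 11 22:47:03 fileserver sshd[3001]: Accepted publickey for jdoe from 192.0.2.55 port 60222 ssh2: RSA SHA256:abc
Mar 11 22:48:30 dbserver sshd[4499]: Accepted password for backup-svc from 192.0.2.55 port 60301 ssh2
"""

# Constructed /etc/group contents.
SAMPLE_GROUPS = """\
root:x:0:
sudo:x:27:jdoe
adm:x:4:jdoe,asmith
backup:x:34:backup-svc
docker:x:999:jdoe
"""

# Groups whose membership amounts to root (docker/lxd give trivial host takeover).
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "adm", "docker", "lxd"}

TS = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
SSH_RE = re.compile(TS + r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+)")
VPN_RE = re.compile(TS + r"openvpn\[\d+\]: (?P<src>[\d.]+):\d+ \[(?P<user>[^\]]+)\] Peer Connection Initiated")
SUDO_RE = re.compile(TS + r"sudo: +(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_auth_log(text):
    """Normalise the three line types into dicts; lines that match nothing are dropped."""
    events = []
    for line in text.splitlines():
        if m := SSH_RE.match(line):
            events.append({"kind": "ssh", "host": m["host"], "user": m["user"], "src": m["src"], "method": m["method"]})
        elif m := VPN_RE.match(line):
            events.append({"kind": "vpn", "host": m["host"], "user": m["user"], "src": m["src"], "method": "vpn"})
        elif m := SUDO_RE.match(line):
            # sudo is local to the host, so it has no source address.
            events.append({"kind": "sudo", "host": m["host"], "user": m["user"], "src": None, "method": "sudo->" + m["target"]})
    return events


def remote_access_paths(events, custodian):
    """Set of (host, kind, method) the custodian has used to get in from outside."""
    return {(e["host"], e["kind"], e["method"]) for e in events if e["user"] == custodian and e["src"]}


def accounts_sharing_sources(events, custodian):
    """Other accounts seen logging in from the custodian's source addresses.

    These are the service/shared accounts he most likely holds credentials for;
    cutting only his named account leaves them as a way back in.
    """
    sources = {e["src"] for e in events if e["user"] == custodian and e["src"]}
    shared = defaultdict(set)
    for e in events:
        if e["src"] in sources and e["user"] != custodian:
            shared[e["user"]].add(e["src"])
    return dict(shared)


def root_shell_hosts(events, custodian):
    """Hosts where the custodian has escalated to root via sudo."""
    return {e["host"] for e in events if e["user"] == custodian and e["method"] == "sudo->root"}


def privileged_memberships(group_text, user):
    """Privileged groups (per PRIVILEGED_GROUPS) that list the user as a member."""
    groups = set()
    for line in group_text.splitlines():
        name, _, _, members = line.split(":", 3)
        if name in PRIVILEGED_GROUPS and user in members.split(","):
            groups.add(name)
    return groups


def revocation_plan(events, group_text, custodian):
    """One ordered list of actions, so everything is cut in the same window."""
    plan = []
    for host, kind, method in sorted(remote_access_paths(events, custodian)):
        plan.append(f"{host}: revoke {kind} access ({method}) for {custodian}")
    for host in sorted(root_shell_hosts(events, custodian)):
        plan.append(f"{host}: {custodian} has had root via sudo; audit local accounts and authorized_keys")
    for acct, srcs in sorted(accounts_sharing_sources(events, custodian).items()):
        plan.append(f"rotate credentials for {acct} (seen from custodian sources {', '.join(sorted(srcs))})")
    for group in sorted(privileged_memberships(group_text, custodian)):
        plan.append(f"remove {custodian} from group {group}")
    return plan


if __name__ == "__main__":
    for step in revocation_plan(parse_auth_log(SAMPLE_AUTH_LOG), SAMPLE_GROUPS, "jdoe"):
        print(step)
```

Run it against logs pulled from a central collector or backup rather than from the hosts themselves: if the custodian has root on the box (as the sudo lines here show), anything you run there is visible to him and the logs may already be curated. The `backup-svc` finding is the point of the exercise; it only surfaces because the same source addresses are cross-referenced, which a per-account query would never show.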
Investigating the IT weenies who think they know best is always my favorite type of investigation.
Be as stealthy as possible; assume that they can detect all of your actions, which includes conversations with HR/Ethics/People and not just technical stuff.