pgd1983
(@pgd1983)
New Member

I have a case in a company and I am actually not sure what the best way is to write the report.

I found some artefacts in multiple places that point to a specific user account, but I am not sure how I should write that in the report. Basically it is clear which user account did it, but there is no evidence to prove the account holder was in front of the PC.

I checked and there were no RDP connections in the event logs, and there was no other remote control software installed, neither currently nor in the past. At least to the extent I am able to check it.

But we have a company where everyone theoretically could walk to the computer, and most people rely on the screensaver to lock the screen when they are AFK. So there will, 100% sure, be the argument that that person leaves the PC

  • 5x per day to smoke
  • 3x per day to grab a coffee
  • 2x per day to go to toilet
  • 2x per day for a break
  • multiple times to talk to co-workers or grab some papers from them
  • etc.

Long story short, I know what happened and when it happened and which account did it, but there is no proof which person would use the PC, and 10 people have basically unhindered access in multiple moments over the day.

So I am not really sure how to write that in my report - I would write:

When I speak in the following about the "user" I mean basically the user account, because I could not prove who was in front of the PC when the actions took place. The number of those actions and the times when they took place make it highly unlikely that a co-worker would be responsible for the actions, as that person would have had to wait for the right moment to "slip in" for multiple weeks and do that successfully and undiscovered by anyone so many times.

What do you think?

Topic starter Posted : 12/07/2021 11:56 am
watcher
(@watcher)
Active Member

Simply say yadda yadda .. account ... yadda yadda ... account ...

Make no direct judgement as to whether the account relates to a person in the seat.

Posted : 12/07/2021 3:41 pm
Amcanblues
(@amcanblues)
New Member

I think you just wrote your report, but include screenshots and make it look good.

Posted : 12/07/2021 9:25 pm
athulin
(@athulin)
Community Legend

Talk to the recipient of the report for advice, and perhaps also the HR department. There may already be established conventions in the company for handling reports in a way so as not to appear to point a finger, even indirectly, when pointing is not intended. (This is usually one of the things discussed at a start-up meeting.)

I've usually done a general report using pseudonyms (you know, like "unindicted co-conspirator no. 1" 🙂) for 'general use' (usually for IT security people, and anyone directly affected by the incident), as well as a special addendum, intended for a much more limited circle (HR department, managers with personnel responsibilities, etc. with a real need-to-know), in which individualization/identification was discussed together with confidence estimates. Security classification should be left to the customer, and usually decided before you make any kind of document delivery, final or preliminary.

(And just in case, the person to whom you deliver the report should be one of the need-to-know people, or at least you must be able to take his/her word for it ... You don't send out the reports yourself -- been there, done that. But you probably have that under control already.)

Posted : 13/07/2021 7:10 am
pgd1983
(@pgd1983)
New Member

Hi. Thanks for your feedback.

It's a small company with just 5 employees, so there is no ruleset or something like that in place.

I know that the owner wants to hear "Person A did it and he can fire him". On the other hand, I know that there is also theft of intellectual property involved and that will likely end up in court.

The data show 30+ events over 2 working weeks; that would be 30+ events in 10 days, and that means someone had to wait all day for an opportunity to slip into the office of a coworker, do his stuff and slip out unseen, so many times.

It is highly unlikely that someone other than Person A did it, but there is absolutely no evidence showing Person A was in front of the PC when the events took place, and it is common in that company that people just walk away from the PC for a cigarette or something else without logging out.

As that is my first case of that kind and my 3rd case ever, I am also curious to find a good way to handle things like that.

Would you go so far as to write in the summary that it is possible but highly unlikely that a coworker misused the PC of Person A? Or would that go too far? Based on the evidence it would be my prof. opinion on the case, and I would add that as well as suggestions for changes to company policies.

And just in case, I would add in my summary or my glossary that "user", "user account" and "account" are used as synonyms for each other. As a safeguard in case I write "user" once instead of "user account".

Topic starter Posted : 13/07/2021 9:46 am
jaclaz
(@jaclaz)
Community Legend

If I may, you should take the "user" completely out of the equation.

I mean, what "makes things" is an "account"; the account has some credentials (password or other means of authorizing access) and is generally "assigned" to a user.

So. IMHO everything should be linked to the account.

Then you can say that that account (and its credentials) were assigned to a given user AND that - due to the company policies (or lack thereof) - that particular account was easily accessible - besides by the user to which it was assigned - by everyone else physically able to access the machine.

As a side note - and from experience in not-so-high-security-oriented small firms workplaces - the user name is something as simple as the assigned user's first name (let's say Johnny) and the password something as simple as the name+a number (i.e. Johnny1).

If there is some policy about changing periodically the access password, I wouldn't be too surprised if Johnny2, Johnny3, etc. were used.

In low-security contexts it is not at all uncommon that co-workers know the logins/passwords of other people, both because patterns similar to the one I just described are easily spotted, and because of that day last year when the boss needed to print a document the only copy of which was on that user's computer, and he/she was sick at home and you phoned and were told the login and password.

What I personally would do would be to add *somehow* a graphical representation of the days/times when the 30+ events happened; this can be used by the owner to judge him/herself whether at those times the "assigned user" could have been there and/or whether it would have been possible for a co-worker to use the machine (unnoticed by the "assigned user" and by the other three people in the office), compare them with each employee's presence in the office, with set office (and pause) times, etc.

Also, the "duration" of each single event would tell something; I mean 30+ events of one minute or less may go unnoticed, but even a few of > 5 minutes would probably not.

jaclaz

Posted : 27/07/2021 1:11 pm
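As an added illustration, not part of jaclaz's post or any tool from the thread, the script below builds the day/hour table behind such a graphical representation from constructed sample events, lists the events over the 5-minute threshold, and checks each event's interval against the assigned user's presence window. The event list, the presence data and the 5-minute threshold are assumptions; in a real case the presence data would come from timesheets or badge records.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events: (start timestamp, duration in minutes).
# Not real case data; stands in for the 30+ events discussed in the thread.
SAMPLE_EVENTS = [
    ("2021-06-21 09:12", 1), ("2021-06-21 13:40", 7), ("2021-06-22 10:05", 2),
    ("2021-06-22 12:31", 12), ("2021-06-23 08:50", 1), ("2021-06-23 17:45", 3),
]

# Hypothetical presence record for the assigned user: date -> (arrived, left).
SAMPLE_PRESENCE = {
    "2021-06-21": ("08:30", "17:30"),
    "2021-06-22": ("08:30", "17:30"),
    "2021-06-23": ("08:30", "17:00"),
}


def parse_events(raw):
    """Turn (start, minutes) tuples into (datetime, timedelta) pairs."""
    return [(datetime.strptime(s, "%Y-%m-%d %H:%M"), timedelta(minutes=m)) for s, m in raw]


def day_hour_histogram(events):
    """Count events per (date, hour): the table a heat-map or bar chart is drawn from."""
    return Counter((start.strftime("%Y-%m-%d"), start.hour) for start, _ in events)


def long_events(events, threshold_minutes=5):
    """Events lasting longer than the threshold; these are harder to perform unnoticed."""
    return [start for start, dur in events if dur > timedelta(minutes=threshold_minutes)]


def outside_presence(events, presence):
    """Events not fully inside the assigned user's presence window for that day.
    Such events cannot be explained by the assigned user alone and need a closer look."""
    hits = []
    for start, dur in events:
        day = start.strftime("%Y-%m-%d")
        if day not in presence:
            hits.append(start)
            continue
        arrived, left = (datetime.strptime(f"{day} {t}", "%Y-%m-%d %H:%M") for t in presence[day])
        if start < arrived or start + dur > left:
            hits.append(start)
    return hits


def render(events):
    """Plain-text timeline, one line per event, for a report appendix."""
    return "\n".join(f"{s:%Y-%m-%d %H:%M}  {int(d.total_seconds() // 60):>3} min" for s, d in events)
```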
watcher
(@watcher)
Active Member

I note that you say:

"I found some artefacts {sic} in multiple places"

"Everyone theoretically could walk to the computer"

"there were no RDP connections in the event logs"

"no proof which person would use the PC"

Just to be clear, these artifacts are only on the one and only computer, nothing refers to network devices, and there are no other networked computers in the mix? Computer logons are all local and there is no network logon?

In short, there is no capability to log on to a different computer with the suspect account credentials and create your artifacts on networked devices, no RDP required?

Posted : 27/07/2021 5:19 pm
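Watcher's question (are all logons to the machine local, or could the account's credentials have been used from elsewhere?) can be answered from the Security log's 4624 logon events rather than from RDP traces alone. As an added illustration that is not part of any post, the code below buckets constructed sample records by Microsoft's documented LogonType codes and flags the ones that did not come from the console; the record field names and sample values are assumptions.

```python
# LogonType codes for Windows Security event 4624 as documented by Microsoft.
LOGON_TYPES = {
    2: "Interactive (console)", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive (RDP)", 11: "CachedInteractive",
}
# Types that mean the credentials were presented from somewhere other than the console.
REMOTE_TYPES = {3, 8, 9, 10}
# Source addresses that refer to the machine itself.
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}

# Constructed sample records resembling parsed 4624 events; not from any real case.
SAMPLE_LOGONS = [
    {"time": "2021-06-21 08:31", "account": "johnny", "logon_type": 2, "source_ip": "-"},
    {"time": "2021-06-21 09:10", "account": "johnny", "logon_type": 7, "source_ip": "-"},
    {"time": "2021-06-21 12:45", "account": "johnny", "logon_type": 3, "source_ip": "192.168.1.23"},
    {"time": "2021-06-22 08:29", "account": "johnny", "logon_type": 11, "source_ip": "-"},
    {"time": "2021-06-22 22:03", "account": "johnny", "logon_type": 10, "source_ip": "192.168.1.40"},
    {"time": "2021-06-22 08:40", "account": "maria", "logon_type": 2, "source_ip": "-"},
]


def logon_summary(events, account):
    """Count logons per type for one account: the table to put in the report."""
    counts = {}
    for e in events:
        if e["account"].lower() == account.lower():
            name = LOGON_TYPES.get(e["logon_type"], f"Unknown ({e['logon_type']})")
            counts[name] = counts.get(name, 0) + 1
    return counts


def remote_use(events, account):
    """Logons that used the account's credentials from off the console: either a
    remote logon type, or a source address that is not the machine itself.
    An empty result supports the statement that all logons were local."""
    return [
        e for e in events
        if e["account"].lower() == account.lower()
        and (e["logon_type"] in REMOTE_TYPES or e["source_ip"] not in LOCAL_SOURCES)
    ]
```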