Corporate investigations  

psu89
(@psu89)
Active Member

I have been asked by my employer to draft a "Corporate Forensic Statement" that should include such things as what systems will be 'spot checked'. It was told to me that the company may not be able to perform random spot checks, that they must do all or nothing.

This doesn't seem right; if you can do random drug testing of employees, then why can't you do random computer previews? The company wants to look for things such as violations of AUP (porn, gambling, etc) as well as CP and other illegal activity.

Can anyone shed some light on this topic? I have been reading a lot of articles about Forensic Readiness Planning, but want to get more specifics on what systems are checked, for what and how often.

Thanks,
Brian

Posted : 18/07/2006 9:29 pm
keydet89
(@keydet89)
Community Legend

> …then why can't you do random computer previews[sic]

There could be a lot of reasons. Perhaps the best person to ask would be whomever assigned this to you, rather than the list.

However, to throw some thoughts out there, there could be issues of compliance, legal issues, cost, etc.

> want to get more specifics on what systems are checked,

From your post, it sounds like that's already been answered. Didn't you say that it was all or nothing?

> …for what…

Again, it sounds like this has already been answered (porn, gambling, CP, other illegal activity).

> …and how often.

Uh…"random"? I'm sure the exact frequency is going to depend heavily on staffing levels, etc.

Harlan

Posted : 18/07/2006 11:23 pm
psu89
(@psu89)
Active Member

One recommendation I received was to set a % goal. The company attempts to image and investigate 1-2% of the total # of systems each month, so each year they have 12-24% of the systems analysed, giving them a pretty good picture of what is going on with relatively low investment.

The CIO who assigned this to me knows nothing of forensics and has not been able to provide me any more information. I still think random checks are not illegal, so all or nothing can't be right, I am looking for documentation to prove this.

What I want to know is of the systems analyzed, what is looked for and where? Or is a full investigation performed? In my situation it would be 1-2 systems per month to analyze so a full investigation is not out of the question but my time might be better spent previewing first.

My guess would be to preview the image made and look at Internet history, cookies, graphic files, etc. and then escalate to a higher level if suspicious activity is discovered.

I don't want to reinvent the wheel, if someone has a corporate forensic policy (or outline of one) they would like to share, I would appreciate it.

Posted : 19/07/2006 12:07 am
keydet89
(@keydet89)
Community Legend

I guess I'm still not clear why you feel you need to run a complete forensic acquisition of the systems you're examining…wouldn't a preview suffice?

> …what is looked for and where?

I'm still confused by this one, too…you seem to be pretty clear on where this stuff is (cookies, history, etc.). Is there something specific you're looking for? Or are you looking for recommendations in general?

Harlan

Posted : 19/07/2006 5:28 am
schlecht
(@schlecht)
Junior Member

If there is an existing AUP, then how is it enforced now? If there are such things as Internet Proxying/filtering (eg Websense, Guardian or the like), IM proxying (IMlogic, Akonix, etc), IDS/IPS nodes, logging in general or filesystem auditing - then you may already have your answer as to how to pick your sample.

If this is something to be done regularly - I wouldn't put time into an actual investigation but try to automate as much as you can. Even with freeware like FSP (Harlan you can pay me later) or the like, you could push a load of information that can then be grep'd or run through an "analysis" script to pull for keywords that you can tailor.

Posted : 19/07/2006 5:45 am
psu89
(@psu89)
Active Member

> I guess I'm still not clear why you feel you need to run a complete forensic acquisition of the systems you're examining…wouldn't a preview suffice?
>
> > …what is looked for and where?
>
> I'm still confused by this one, too…you seem to be pretty clear on where this stuff is (cookies, history, etc.). Is there something specific you're looking for? Or are you looking for recommendations in general?
>
> Harlan

Right, like I said- "My guess would be to preview the image made…"

I am still trying to get an opinion on how many systems to look at, if it is legal/acceptable to do random checks, and how to conduct such investigations in the most efficient way.
What I have so far is a policy from a large company that says they examine 1-2% of systems per month which includes acquisition of an image and a preview investigation which may be escalated depending upon what is found.

Does that sound reasonable? What are others doing at their company? Does previewing internet history/cookies give the examiner a good 'profile' of the user? During a preview what other areas/what other file types are looked at?

Posted : 19/07/2006 8:53 am
psu89
(@psu89)
Active Member

> If there is an existing AUP, then how is it enforced now? If there are such things as Internet Proxying/filtering (eg Websense, Guardian or the like), IM proxying (IMlogic, Akonix, etc), IDS/IPS nodes, logging in general or filesystem auditing - then you may already have your answer as to how to pick your sample.
>
> If this is something to be done regularly - I wouldn't put time into an actual investigation but try to automate as much as you can. Even with freeware like FSP (Harlan you can pay me later) or the like, you could push a load of information that can then be grep'd or run through an "analysis" script to pull for keywords that you can tailor.

The AUP is the standard "don't waste time on the internet" statement that is not enforced. Currently no proxying, filtering or IDS is done. After the one and only random investigation that was done (by me as a school project) the company is concerned that it may have a problem with the internet habits of its employees. Based on my investigation, the FBI was called and they took over.

The company is looking to revise its policies including creation of a forensic readiness/forensic investigation policy. This is the reason for all my questions and I am looking for advice on how best to handle internal investigations with little or no 'probable cause'. Meaning it is not in response to an incident, they are meant to get a picture of employee habits and serve as a deterrent as well.

Posted : 19/07/2006 9:02 am
keydet89
(@keydet89)
Community Legend

> …how best to handle internal investigations with little or no 'probable cause'

Ugh. Talk about a powder keg. I've been in the corporate environment long enough to know that something like this is just going to backfire in their faces. "Getting a picture of employee habits" sounds a bit Machiavellian, and could cause a backlash.

Also, keep in mind that you're in a corporate environment, not legal. There doesn't need to be any "probable cause". Of course, without updating their policies and getting them out to all employees, the organization could easily face legal issues if they start these investigations and end up firing someone for untoward activity that isn't necessarily a crime.

Given what you've said so far, I'm still not clear on why you need to image any systems during your "random" sweep. Previewing the system itself should be enough, and as schlecht said, you can easily automate this.

When I was in a corporate environment, I did monthly sweeps of the entire domain. I had a small app that would reach out to the systems and grab the contents of the Run key from the Registry, and put the entries in a file on my system. Over time, I was able to develop a "known good" list, and I had my app ignore those entries…the value name as well as the path in the data had to be correct. Anyway, with only a little work, I ended up with something I could let run, and then quickly see and respond to any issues. I usually ran the app at about 930am, after pretty much everyone showed up and logged in.

For what you're looking for, a simple preview of the Registry will cover a lot of ground for you. There are user's keys that will tell you a lot about what the user is (or has been) up to.

I'd look for an applet solution that can be centrally managed. As the AUP is being developed, I'd push this applet out to all of the user systems, keeping a record of when it was done. That way, you can do much more than 1-2% on your random sweeps.

Harlan

Posted : 19/07/2006 4:41 pm
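
The sweep keydet89 describes above (collect Run key entries, ignore those on a "known good" list where both the value name and the path match) as an added example; it is not code from the thread or from any poster's tool. It assumes the entries were saved per host as `reg query` text output for the HKLM Run key, and all host names, value names and paths are constructed.

```python
import re

# Constructed sample: `reg query` output for the Run key, saved per host.
# Host names, value names and paths are invented for illustration.
COLLECTED = {
    "LAPTOP-014": r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    AVTray    REG_SZ    "C:\Program Files\ExampleAV\tray.exe" /min
    Updater    REG_SZ    C:\Program Files\ExampleCorp\updater.exe
""",
    "LAPTOP-027": r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    AVTray    REG_SZ    C:\Users\Public\tray.exe
    winhelper    REG_SZ    C:\Temp\wh.exe -s
""",
}

# Known-good list: the value name AND the executable path must both match.
KNOWN_GOOD = {
    ("avtray", r"c:\program files\exampleav\tray.exe"),
    ("updater", r"c:\program files\examplecorp\updater.exe"),
}

LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}REG_(?:EXPAND_)?SZ\s{4}(?P<data>.*)$")

def exe_path(data):
    """Return the executable path from Run-key data, dropping arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0].lower()
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|dll))(?:\s|$)", data, re.I)
    return (m.group(1) if m else data).lower()

def parse_run_key(text):
    """Yield (value name, raw data) pairs from saved `reg query` output."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group("name"), m.group("data")

def sweep(collected, known_good):
    """Return sorted (host, name, data) entries not on the known-good list."""
    findings = []
    for host, text in collected.items():
        for name, data in parse_run_key(text):
            if (name.lower(), exe_path(data)) not in known_good:
                findings.append((host, name, data))
    return sorted(findings)
```

On the sample, the second host is reported twice: once for a familiar value name pointing at an unexpected path, and once for an entry that is not on the list at all.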
psu89
(@psu89)
Active Member

I am going to continue noodling this through. I am getting completely opposite opinions on this. I was expecting differing points of view, but not this different.

I'll try to organize my thoughts better and repost where I am at in a few days.

Thanks,

Brian

Posted : 20/07/2006 1:33 am
m7esec
(@m7esec)
Junior Member

OK, your company is interested in understanding what its users' internet activity is, but has no active Proxy log review tools, or even Proxy server? The method that they have chosen is to "investigate" each machine to determine the internet activity through a tool such as Encase. Humm, sounds like you are using a Sledge hammer to break an egg.

I would rethink the company's security architecture and implement tools specific for what they are looking to get metrics for.

If they insist on using Encase (or similar), preview the cookies and cache of the user's browser to determine mischief on the Internet.

Posted : 20/07/2006 3:17 am
psu89
(@psu89)
Active Member

One thing I did not mention is that 95% of the computers are laptops. So we have in house network connections as well as home and hot spot connections.

In the investigation I conducted, the employee was stationed at a customer site with no internet access and I uncovered felony activity that involved the internet. He never worked out of our office so our proxy logs would have been of no use.

Posted : 20/07/2006 4:15 am
 Anonymous

> In the investigation I conducted, the employee was stationed at a customer site with no internet access and I uncovered felony activity that involved the internet.

LOL. So the rogue employee somehow committed felonious activity
involving the internet at a customer site that had no internet access?

Please do explain…

Posted : 20/07/2006 11:54 am
neddy
(@neddy)
Active Member

Laptop, took it home etc?

Posted : 20/07/2006 2:33 pm
psu89
(@psu89)
Active Member

> > In the investigation I conducted, the employee was stationed at a customer site with no internet access and I uncovered felony activity that involved the internet.
>
> LOL. So the rogue employee somehow committed felonious activity involving the internet at a customer site that had no internet access?
>
> Please do explain…

Yes, It was a laptop.

Posted : 20/07/2006 4:39 pm