activity monitoring software that is court permissible


One of my clients is suspicious that one of her coworkers is visiting inappropriate websites and clearing the evidence from his computer.  She does not have the money to purchase monitoring tools on the network level so I want to see if anyone has come across this and installed software on the desktop level.  Ideally, we want something we can install w/o this user knowing (i.e., not having to physically login), something that is lightweight and won't raise suspicion, and that will produce evidence that is permissible in court.



GDavis193 (Author) Commented:
and to clarify, I don't need keylogging.  Just something that simply takes desktop snapshots every 5-10 mins or so.  Thanks!
Brian Pierce (Photographer) Commented:
You'd better take qualified legal advice on what you are intending to do BEFORE you do it.
Gary Dewrell (Senior Network Administrator) Commented:
Can I recommend that you remove the "General Business & Productivity Software" Zone from this question and add the "Digital Forensics" Zone in its place.  I'm sure you are only allowed 3 zones in a question, and the experts who frequent the Digital Forensics Zone are probably the ones best equipped to keep you straight regarding what may or may not be admissible in court.

If you have already ensured that all employees have signed a "Responsible Computer User" policy, and if you specifically mentioned in it that "activities may be monitored", then you already have a pretty strong case for warnings or dismissals regardless of what software is used.

Obviously it is the accuracy of the findings that would need to be verified as fact should the evidence ever be required in a court case or employee appeal tribunal, and I am pretty sure that there would be few software vendors in the "child safety monitoring software" category who would be willing to stand up in court and attest to the accuracy of their software to evidential level.

Strength comes in numbers as far as any form of evidence is concerned.  The more "witnesses" to a single event, or the more singular events of a very similar nature that are "perpetrated", the stronger the evidence.  I live in Scotland where the law differs somewhat even from the rest of the British Isles, and also from many other countries.  2 eyewitnesses to a crime or offence are required to prove a criminal case in court.  In the absence of a 2nd eyewitness, it is permissible to lead "circumstantial evidence" of sufficient quality and quantity that leads to the overwhelming conclusion that the missing witness would have otherwise provided.

An example would be notes made at the planning stage by an individual, telephone calls made, or some evidence recovered from the suspect's computer, or perhaps even suspicious activities after the commission.

That, of course, is for a criminal case.  Breaches of corporate "Responsible Computer User" policies are not criminal but civil, and the levels of evidence may not be quite as stringent to justify a dismissal or warning.  However, if called upon to justify the actions at an appeal, the required evidence could easily be as stringent to hold on to the case or the company could lose a lot of money and look stupid.

What I'm suggesting here is that a series of screenshot images gathered by monitoring software in ONE session may not stand that required test of validity if the software company was unwilling to back its claims with a legal statement, whereas there would be far fewer seeds of doubt if the same "unverified" software were to capture screenshots over several sessions.  In some ways it's like getting substantial "circumstantial evidence" vs two pairs of eyes.

Monitoring software is actually very easy to create using even the simplest of tools, for example a "timer" script can easily be made to call something like the free IrfanView image editor at nominated intervals, capture a screenshot and save it as an image file bearing the time and date stamp and even the logged on user's name within the file name, and there are loads of command line emailing programs around to transmit the file.  You have command line zipping programs that could even roll up a day's worth of screenshots and email the file.

Hiding all that activity completely from a (perhaps) already suspicious (and possibly very IT-literate) user is the hard part, and it's that "stealth" aspect that could catch your company out unless there was a specific clause in a responsible computer user policy signed by the user that stated activities could be monitored.  That in itself is a minefield of legal jargon and "stated cases" of human rights, etc.

Introducing a new policy, or adding such a missing paragraph into an existing one, at this stage would certainly alert users contravening instructions and unless they were totally stupid I would guess that they would lie low for a while.

Perhaps the experts across in the Digital Forensics zone may already have helped a company gather information and have it exhaustively tested in court, but otherwise I would go with the advice given by KTCS above - seek legal advice BEFORE setting this up.

I know this doesn't directly answer your question, but hopefully helps you to consider the requirements in choosing a software solution.

I suppose the burning question really is how far your client intends to pursue this if it can be established at any level that a user has been browsing porn sites.

Users will come up with all kinds of excuses for having Internet Caches full of porn images, cookies, etc relating to porn sites, and I would imagine that a common excuse would be something like: "Oh, sometimes I get popups with filthy porn, but I just close the window".

Clearing the cache may or may not be deemed to be a suspicious act in such circumstances if they were true, however if this was proved to be a regular occurrence then it could be construed to be suspicious.  That said, however, many browsers are set to clear the cache on exit and this may be a system administrator's enforced policy.

To that end, have you considered making regular backups (file copies - not proprietary compressed archives) of the user's Internet Cache at reasonably close intervals throughout the day and then examining the files?

That would give you a good basis to begin with, but it would be important to preserve what digital forensics people refer to as a "chain of custody" to demonstrate that the data was not tampered with or modified, deliberately or inadvertently.

If the client is looking for free tools, then you might want to check out a few really good programs by Nir Sofer, many of which can be called by a simple batch file to create a formatted report.

For example, MyLastSearch lets you see the exact search terms typed into the address bar of the various browsers.  Quite hard to explain having innocently searched Google Images for "Naked Teens" or whatever whilst in a work environment, isn't it?

There are free Network Monitoring applications like Wireshark, and some of the Network tools by Nir Sofer may also help to see the data actively being downloaded and uploaded, but the client would have to know how to use these applications.

Good Luck.
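
The "chain of custody" point in the post above can be supported with a hash manifest taken at the moment the cache files are copied. This is an added example, not part of the original thread: the function names, the `examiner-placeholder` label and the two sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Hash a file in chunks so large cache files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()

def list_files(root):
    """Relative paths of every file under root, sorted for stable output."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        found += [os.path.relpath(os.path.join(dirpath, n), root) for n in names]
    return sorted(found)

def build_manifest(root, collector):
    """Record who made the copy, when (UTC), and a SHA-256 for each copied file."""
    files = {rel: sha256_file(os.path.join(root, rel)) for rel in list_files(root)}
    return {"collector": collector, "files": files,
            "collected_utc": datetime.now(timezone.utc).isoformat()}

def verify_manifest(root, manifest):
    """Return sorted (problem, path) pairs; an empty list means nothing changed."""
    files, on_disk = manifest["files"], set(list_files(root))
    problems = [("added", rel) for rel in on_disk - set(files)]
    for rel, expected in files.items():
        if rel not in on_disk:
            problems.append(("missing", rel))
        elif sha256_file(os.path.join(root, rel)) != expected:
            problems.append(("modified", rel))
    return sorted(problems)

def demo():
    """Constructed sample: two stand-in cache files, one altered after collection."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("index.dat", b"constructed"), ("img001.jpg", b"sample")):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        manifest = build_manifest(root, collector="examiner-placeholder")
        clean = verify_manifest(root, manifest)
        with open(os.path.join(root, "img001.jpg"), "ab") as handle:
            handle.write(b"!")  # simulate a later, undocumented change
        return clean, verify_manifest(root, manifest)
```

A manifest only demonstrates integrity if it is kept somewhere the holder of the copies cannot rewrite it, such as separate write-once media or a signed record held by a second person.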
David Johnson, CD, MVP (Owner) Commented:
You need to have an acceptable usage policy in place, if you do not have one then see a lawyer and get one made up.  Have every employee receive a copy and get a signature of their acceptance.
Then you can set up your routers to use OpenDNS as their DNS server, and you can proactively, as administrator, block inappropriate sites through your management console. With a VIP account ($20/year) you can see what sites were browsed, or go full bore with the business or enterprise versions.

In your router just add and as the dns server or add it to your DNS server's forwarder.
David Johnson, CD, MVP (Owner) Commented:
Since it is a CO-worker all she can do is approach management and have them generate the AUP and DNS filtering like OpenDNS.  Either way, get legal advice; usually the first 30 minutes is free.
sparab Commented: - They have a few products to choose from.  I have personally used the Spector CNE and it has performed flawlessly.  Silent install, configurable monitoring tools.  Very good product.  Support seems to be pretty good as well.

I have used SurfControl before and found this to be very good. You can put it inline so no need to change users IE settings. Also Websense and Webmarshal are both good products. 

Some solutions include
a) BlueCoat Suite - It can be expensive though as it has an appliance (Bluecoat SG) as the proxy or gateway server. Client end will have Proxyclient installed to enforce the setting. For remote client there is also "free" K9 web protection at client end (free for home use). They have specific Web Filter solution but this may be beyond your needs. The pricing will be high

b) GFI WebMonitor - It enforces an Internet Usage Policy and reduces cyberslacking – time wasted by employees online. Check out the sample policy - minimally there should be such in paper (and as much as possible enforce in s/w instead of manual audit). The user's Internet browser must be configured to use the GFI WebMonitor server as the proxy to enforce web filtering. GFI WebMonitor counts either users or IP addresses for licensing purposes. This would depend if the traffic being processed by GFI WebMonitor has been authenticated or not.  GFI WebMonitor is also available as a dedicated plug-in for Microsoft’s Internet Security and Acceleration (ISA) Server and Threat Management Gateway Server (TMG).

c) WebSense Web Filter - Similar approach as above just that it can be flexible to scale (remove the security bulk unless needed) for small business needs. It is also an on-premise software but for pricing will need to check out, I believe it is license based

Overall, there are many means as you can see in this old (but still valid) summarised strategy below for a more holistic controls to keep in pace with the organisation exposure to threats due to non compliance by user. Note the use of keylogger and related for the stealthy part. To achieve stealthiest is rather hard - in the sense that user should accept the User acceptance policy before using of organization asset, so let them know instead and that would serve as greater reminder (and probably deterrence to majority)


#1: Use auditing to monitor access to files
#2: Examine cached Web files
#3: Monitor Web access at the firewall
#4: Filter Web access by URL
#5: Filter Web access by keywords
#6: Monitor incoming and outgoing e-mail messages
#7: Monitor instant messages (IMs)
#8: Use keyloggers to capture typed data
#9: Use screen capture tools to find out what users are doing
#10: Control what software employees can install or run

also you can check

Block web sites in more than 70 categories, including pornography, gambling, drugs, violence/hate/racism, malware/spyware, phishing
Force SafeSearch on all major search engines
Set time restrictions to block web access during designated times
Configure custom lists for "always allow" and "always block"
Override a web page block with password
Trust the enhanced anti-tampering, even children can't break
View easy reports to monitor and control web activity
Real-time categorization of new adult and malicious sites
Best free parental controls software/internet filter available
Untangle provides a powerful suite of Internet management applications for small-to-medium businesses and education institutions.
IamBigBrother is the leading internet monitoring software available for both homes and business. And when using IamBigBrother, you'll know exactly who your kids chatted with last night and be able to read the full conversation!
REFOG Employee Monitor is the ultimate surveillance suite offered by our company. Having all features of our less advanced products, REFOG Employee Monitor is designed to boost productivity of your employees. The product can watch multiple PCs and workstations at once without leaving your chair. Instant alerts are handy to prevent information leaks the moment they are about to happen
eBlaster spy software is the ONLY software in the world that will capture their incoming and outgoing email, chats and instant messages - then IMMEDIATELY forward you an EXACT COPY.
David Johnson, CD, MVP (Owner) Commented:
One of my clients is suspicious that one of her coworkers is visiting inappropriate websites and clearing the evidence from his computer.  She does not have the money to purchase monitoring tools on the network level so I want to see if anyone has come across this and installed software on the desktop level.  Ideally, we want something we can install w/o this user knowing (i.e., not having to physically login), something that is lightweight and won't raise suspicion, and that will produce evidence that is permissible in court.

Please note that since this is a co-worker not management that is wanting to implement this. Legally she does not have any say in the matter.  Suspicion is just that, suspicion.   There is an old saying, there is what you know and what you can prove in a court of law. She must bring her suspicions to the attention of management and after that the ball is in their court.  If they do nothing then she could bring action against the company if the co-worker's actions violate the workplace regulations.  Note: there is a huge gap between one's perception of what is appropriate and what is not and what is purely illegal.

The company does have every right as it is their hardware/software/network and their rules that must be enforced i.e. the Acceptable Usage Policy.  If she feels that it is a legal matter then she must bring management into the equation. Management may implement any of the monitoring tools to keep usage within the 'acceptable usage policy'. To spy on a co-worker and to try and bring evidence into court, would cause the spy to be charged and the perp to be released as the evidence 'is fruit from the forbidden tree' and not admissible.  The definition of inappropriate websites is not a personal decision, it is one that violates the acceptable usage policy as defined by management.
I've requested that this question be deleted for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Lee, it would be a pity if this question was deleted.  There are some really good links and suggestions here by ve3ofa and sparab that would serve well as a PAQ for others searching for solutions.  My comments were more like general advice, but nevertheless may also help another to decide a course of action if faced with a similar situation.
Thanks for the correction veemod.

Agree with your justice in my zone.
Brian Pierce (Photographer) Commented:
This is very dangerous ground - a co-worker wanting to 'spy' on a fellow worker - no agreement of management to implement this - I hope you have a good lawyer!
I have a feeling the question was just badly phrased, but without clarification from the asker it's impossible to know.  I think it was probably supposed to read that a female worker has reported her male co-worker to the asker's client who is a female manager and running on a tight budget.  If it does mean as asked, then yes this is dangerous ground.
As Experts we can only recommend solutions.

Implementations of solutions must be to install a software which blocks inappropriate websites as per company policies, e.g. competitor, games etc. rather than creating evidence by installing hidden cam kind of concept.

GDavis193 (Author) Commented:
My client wound up simply talking to the offending user and the situation has been resolved.  Sorry for the time off from this site.  Excellent responses.  I will bookmark this for future reference!
Thank you GDavis193