  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 435

private business review

Have any of you ever been involved in a review whereby an internal employee may be running or working for an external company in works time, using works IT kit (PC, mail, storage on file servers etc.)? If so, have you any steer on areas of evidence you looked for to try and identify evidence of this?

We have a seized PC, Exchange mailbox and a couple of old PST archives, and a networked home drive. What kind of analysis would you run to try and prove this? It needs to be targeted searches and not a look through everything/privacy violation, as it could turn out to be untrue. What kind of files or evidence would you typically look for in such reviews? How would you approach such a case?
pma111
Asked:
4 Solutions
 
pony10us Commented:
The easiest first steps are to do searches for key words.
 
pma111 (Author) Commented:
Anything more above and beyond keyword search? I agree they are the obvious....
 
pony10us Commented:
First of all, I am not in the legal profession, so I advise that you seek legal counsel first. There are some issues regarding having and enforcing policies.
 
BianaryBarbarian Commented:
I would do a search on the machine for all .doc, .docx, .xls, etc., or any other types of files suspected of being the files worked on during company hours. After you have compiled the list, sort by date and time; if you find any files that do not contain or apply to your business, then note the date and time it was last modified and now you have proof that the file was being accessed during company time.

Internet history is key, as the person was not using your email system to communicate with the other employer (unless they are ignorant). Find the entries that show what email service/provider they were using and sniff the SMTP record from those entries; this should leave you with xxxx@theotherplace.com. Once you have the other address you can simply search all internet records for that instance and have a trail of usage during what hours.

Now you should have files and an external email address. Now all you really need, depending on the place you live, would be a confession: simply ask the user if the email address is theirs or if the files are theirs. Once they say yes, it has been confirmed and proven they were doing work for another company during business hours.
 
pony10us Commented:
One more thing. Yes, I did recently have to do some research on pretty much the same thing. Our attorney was involved.
 
SirtenKen Commented:
Have you already requested their phone records?
 
pma111 (Author) Commented:
The VoIP system doesn't log them for any substantial period of time, according to the VoIP admins.
 
btan (Exec Consultant) Commented:
The anti-forensic s/w installed would bring out more guilt and question further their original intent. Simple eraser and encryption s/w can be some hints. If possible, I see most of the stuff in attachments and external storage - meaning to ask them to surrender these as well if not found in premises or machine HDD. If we can correlate online activities (e.g. browsing, IM, online store, email using specific accounts etc.; Outlook email should have many business accounts nonetheless) to a certain regular pattern and timing, documents created or the timeline can be concentrated around that period... just some long-shot thoughts... it is tough if no surveillance ever existed to fully record actions and online "habits".
 
SirtenKen Commented:
Are there any specific time-related events that you're aware of? Searches could be conducted based on specific times of the day you suspect activity may have been going on. Certainly a date range of interest could be used to narrow down the number of documents you're reviewing.
One method of searching while preserving the subject's privacy is to start by only looking at metadata (dates, times and other file details independent of the content). For example, instead of reading emails, look only at sender and recipient addresses along with message counts. You can spot patterns of activity without necessarily needing to determine the content.
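The metadata-only triage described in the comment above, as an added example that is not part of the original thread: it parses only the From/To/Cc/Date headers of exported messages and counts, per external domain, how many fall inside a date range and inside working hours. The domain `corp.example`, the working hours and the sample messages are constructed assumptions; times are taken in the sender's own UTC offset.

```python
from collections import Counter
from datetime import datetime, time, timezone
from email.parser import HeaderParser
from email.utils import getaddresses, parsedate_to_datetime

INTERNAL = "corp.example"                        # assumed employer domain
WORK_START, WORK_END = time(9, 0), time(17, 30)  # assumed working hours

def _msg(frm, to, date, cc=""):
    """Build one constructed sample message; the body is never inspected."""
    cc_line = f"Cc: {cc}\n" if cc else ""
    return f"From: {frm}\nTo: {to}\n{cc_line}Date: {date}\nSubject: s\n\nbody\n"

SAMPLE = [  # constructed data, not taken from any real mailbox
    _msg("j.doe@corp.example", "sales@otherco.example", "Tue, 03 Mar 2015 10:15:00 +0000"),
    _msg("sales@otherco.example", "j.doe@corp.example", "Wed, 04 Mar 2015 14:40:00 +0000"),
    _msg("j.doe@corp.example", "sales@otherco.example", "Sat, 07 Mar 2015 20:05:00 +0000"),
    _msg("j.doe@corp.example", "orders@supplier.example",
         "Thu, 05 Mar 2015 11:00:00 +0000", cc="a.n@corp.example"),
    _msg("j.doe@corp.example", "sales@otherco.example", "Mon, 02 Feb 2015 09:30:00 +0000"),
]

def external_domains(msg):
    """Non-internal domains appearing in the address headers of one message."""
    fields = []
    for name in ("From", "To", "Cc"):
        fields += msg.get_all(name, [])
    domains = {a.rpartition("@")[2].lower() for _, a in getaddresses(fields) if "@" in a}
    return domains - {INTERNAL}

def triage(raw_messages, start, end):
    """Map external domain -> (messages in range, of which in working hours)."""
    totals, in_hours = Counter(), Counter()
    for raw in raw_messages:
        msg = HeaderParser().parsestr(raw)       # headers only; body left unparsed
        try:
            sent = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            continue                             # missing or malformed Date header
        if sent.tzinfo is None:                  # "-0000" yields a naive datetime
            sent = sent.replace(tzinfo=timezone.utc)
        if not (start <= sent <= end):
            continue
        working = sent.weekday() < 5 and WORK_START <= sent.time() <= WORK_END
        for dom in external_domains(msg):
            totals[dom] += 1
            in_hours[dom] += int(working)
    return {d: (totals[d], in_hours[d]) for d in totals}

MARCH = (datetime(2015, 3, 1, tzinfo=timezone.utc),
         datetime(2015, 3, 31, 23, 59, tzinfo=timezone.utc))
```

Calling `triage(SAMPLE, *MARCH)` gives the per-domain counts; only domains that stand out would then justify a narrower, content-level search.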
 
pony10us Commented:
While I still stand by my comment about seeking legal counsel, I have a question. Are you looking for information that this person is involved with a specific situation? If you suspect that they are using the company resources for non-company use then it is not considered invading their privacy if you review everything. The invasion of privacy would come if you were to disclose what you find to others. Company resources belong to the company and as such anything on them belongs to the company.

Not looking at everything actually limits your discovery capabilities.