The first hint of trouble came with a phone call on the weekend from my boss. He told me to stick near the phone in case one of the company executives needed help accessing some files on the server. Nothing came, but on Monday, something was definitely going on with upper management. At noon, one of the other IT guys got a very unusual request: The CEO and domestic president wanted the ability to look at everybody’s e-mail. Although this was certainly doable, it was going to be a long, involved process.
We met with our boss to say that we thought that this was a pretty silly way to do things, and that if the CEO told us what was going on, we could help him narrow things down much more quickly. At that time, we guessed that they were onto somebody who was either running a porn ring or divulging confidential information to an outside party. In fact, it turned out to be something far worse.
A few minutes later, we were seated in the CEO’s office telling him what we could do to help him find what he needed. He was hesitant to tell us what was going on, but he realized that we could help considerably, so he filled us in. What he revealed just about floored us. Two of the other owners and a large energy firm that had invested money in the company years ago were trying to oust him and take over. He asked whether we could help or whether he should bring in a forensics firm to find the information he wanted.
It was here that we made our first big mistake. Realizing time was of the essence for him, and feeling stuck between a rock and a hard place, we said we could do it. We had no idea how much this would consume both of our lives in the coming months. My first word of advice to anybody in a similar situation: Get somebody from the outside to do the dirty work if at all possible. Trying to be helpful can get you in a mess, and you are probably busy enough anyway without the additional work.
In search of a smoking gun
The first thing we did was make copies of the other two owners’ Home drives in a secure hidden folder on the server. We also copied their personal folders from their local drives to the same spot. We then gave the CEO the ability to read their current e-mail. The next morning, we were told to lock out their accounts and deny them any remote access. Later that day, the CEO fired both men. It was unbelievably hard to walk down the hall and see them sitting in the lobby contemplating their fate.
We now showed the CEO how to recover deleted e-mail (we keep deleted messages on the e-mail server for 21 days before they are actually purged) and how to do keyword searches. We even used a previously made registry hack to allow items that were deleted while holding down the [Shift] key (thus bypassing the Deleted Items folder) to be pulled back.
And so the hunt was on. We in the IT department sat back at the end of the day and wondered just what the heck we had done. We were fortunate that we had a computer usage policy in place. In fact we had written it just a couple of months before, and all the managers supposedly signed off on it. A section in the policy clearly stated that all information on the servers and workstations belonged to the company and that there was no implied electronic privacy. This policy probably saved us when things turned really ugly later.
Nevertheless, at the time I still did a lot of soul searching. I wondered if I was doing anything unethical or illegal. It did not appear so. It just appeared to be highly distasteful.
The CEO seemed pretty pleased with the information he was finding, but he wanted more. He told us to recover e-mail from our tape backups. We purchased a low-end server and re-created a detached, shadow domain with a domain controller and e-mail server and started to recover mail late into the night. We were now pressed into the forensics business, digging through e-mail in search of evidence.
In addition to checking e-mail, home drives, and what was visible on local hard drives, we sent the hard drives out to be forensically examined to see what was visible in slack, pagefile, and unallocated space. The volume of data that came out of this was incredible. We spent days of mind-numbing boredom going through thousands of files and file fragments. The chore was made less burdensome by using Ontrack’s Power Desk Utilities with its powerful search and file viewing capabilities. Unfortunately for the CEO, there was no smoking gun.
Reversal of fortune
Then, an incident happened that was to haunt the IT staff, and a number of other employees, for months. While digging through JPEGs on the servers, one of the employees came across a rather risqué photo of one of the fired owners. The word of this came to us through HR. We immediately moved the offending photo with everything else in the folder to the head of HR’s home drive.
However, the CEO found out about it and figured it would have some sort of bearing on the coming court case and that it might somehow sway the judge’s ruling in his favor. By this time, his case seemed to be going downhill, and he was after anything he could find. He had hired an expensive law firm to help with the case, and it was difficult to work with. The firm demanded files, e-mail, and a host of other documents. It drove us crazy restoring mailboxes and other data and burning all this to CDs. We figured it was grasping at straws. There was still no smoking gun. And that was the ruling that eventually came from the court.
The two fired owners were reinstated, and within short order, they reconstituted the board of directors, fired the CEO, and set themselves up as the top officers in the company. Now it was our turn to be under the microscope. A number of people who were loyal to the old CEO quit; however, the IT department was not doing any of its work out of loyalty. We considered it part of our job.
One of the new officers later told us that that was the same defense used at Nuremberg at the trial of the Nazis. This was a pretty cold comment, and it made us uncomfortable, since there was no comparison in our minds. Then came the hunt for the people who uncovered the risqué photo. The IT department was squarely in the crosshairs.
It was obvious to the new CEO that someone in IT had gone into one of his personal folders and moved his photos out to a public folder. He grilled us on our stories of how we came across the photo and then hired a private investigator to get all the details. Fortunately, we had a quarterly backup tape that gave the date that the photos appeared on the server, and it was way outside the timeframe of the incident. It appeared that the new CEO had been moving his photo folder around to various locations and accidentally dropped it in the public folder.
At this point, the incident seems to have been dropped. I was able to meet with both new officers and explain to them the role I played in the whole situation. My actions were allowed by the company policy that they had approved and signed. I said that I had done nothing unethical or illegal, but I felt that what I was asked to do was incredibly distasteful. They accepted that explanation, and up to this point there have been no repercussions. But the overall morale in the company has suffered tremendously because of this volatile situation.
This incident took us squarely into the murky legal world of electronic privacy. We were saved by documenting all that we did during this time and by the computer use policy we had put into place a few months before. Among other things, it clearly stated that there was no electronic privacy and that all data on the servers and workstations belonged to the company. It did not mention who “the company” was, but the implication was that the CEO and owners had complete access to everything any time they wanted. Of course, we believe that even though these details were spelled out in the policy, nobody in the company actually read it; they just signed off on it.
To make our actions even more bulletproof, we should also have had a logon/legal notice, such as the ones you see in government offices (Figure A).
Without these instruments, your company may not have a legal right to go after employees who misuse their workstations—or even external hackers. If you do not currently have these in place, you should begin to work on them as soon as possible.
Here is a link to a site that shows you how to install a logon/legal notice in Windows. In addition to this notice and a computer use policy, you will need to come up with a policy on backups and e-mail retention, which must be reviewed and agreed upon by management. An e-mail retention policy is particularly important. You need to define what messages you want to save and how long you want to save them.
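As an added example (my own, not code from the article or from the site it links to), this PowerShell script installs the logon/legal notice on a Windows machine and reads it back to confirm it took; the banner wording is a placeholder to be replaced with the text management actually approves.

```powershell
# Added example, not from the article: configure a Windows logon legal notice so every
# interactive logon shows the company's no-privacy banner before the user signs in.
# Assumptions: run from an elevated PowerShell; Caption/Text are placeholders.
# Use -WhatIf to preview the registry writes without making them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Caption = 'NOTICE: Company-owned system',
    [string]$Text = @'
This computer system and all data stored on it, including e-mail and files on
servers and workstations, are the property of the company. There is no
expectation of privacy. Use is monitored and recorded and may be disclosed to
management. By logging on you acknowledge the company computer use policy.
'@
)

# Both locations exist on Windows: the Policies\System values are what Group Policy
# writes and take precedence on current versions; the Winlogon values are the
# legacy NT/2000-era location. Setting both covers older domain members.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

foreach ($p in $paths) {
    if ($PSCmdlet.ShouldProcess($p, 'Set LegalNoticeCaption/LegalNoticeText')) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        Set-ItemProperty -Path $p -Name 'LegalNoticeCaption' -Value $Caption -Type String
        Set-ItemProperty -Path $p -Name 'LegalNoticeText'    -Value $Text    -Type String
    }
}

# Read the values back: an empty LegalNoticeText silently disables the banner,
# so verify rather than assume the write succeeded.
foreach ($p in $paths) {
    $v = Get-ItemProperty -Path $p -Name LegalNoticeCaption, LegalNoticeText -ErrorAction SilentlyContinue
    if (-not $v -or [string]::IsNullOrWhiteSpace($v.LegalNoticeText)) {
        Write-Warning "Legal notice is NOT set at $p"
    } else {
        Write-Host "$p : '$($v.LegalNoticeCaption)' ($($v.LegalNoticeText.Length) chars)"
    }
}
```

On a domain, the same two values are better delivered through Group Policy (Interactive logon: Message title/text for users attempting to log on) so every workstation gets the notice consistently.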