I have someone that is performing well as this person should not be acting at the work space and I have been tasked with doing some forensic testing on his machine. Any ideas out there as to what I can use to track his history?
If this is not your area of expertise, push back on the assignment. If you are not familiar with the law(s) for what you are doing, then you could put yourself into serious risk. Speak to your manager and see if this needs to be done, look at outsourcing. Do not be scared to mention that this is not your area of expertise.
Otherwise, there are plenty of books regarding this type of thing. If you have the will, start there.
First is the idea of preserving the evidence. How do you prove that YOU didn't put the trail on the PC?
This is a very specialized area as the scummy one has pointed out. I would not do it myself, because I am not trained on the laws, nor do I have training with the proper tools.
If you HAVE to do this, have someone from HR sitting with you the whole time so there is a witness.
Flat out refuse the assignment. I have done it once before, and would do it again. Too much personal risk and possibly years in court. I agree though, have someone in HR if it truly needs to be done, but still be prepared to hire an attorney later.
If he is I would recommend that you speak to your superiors first, then I may look at temp files and make some sort of judgement.
You may find that this person is not the only person on the network who is wasting time! Unless the activities are illegal I'd say nothing.
The best approach then would be to review the company policies and recommend to management that more restrictive network access is required to improve network speed, reduce bandwidth, maintenance and/or costs.
You may come out of this exercise feeling good and with the belief that you have achieved something good.
I don't doubt your ability, but once you start installing 'spyware' on your network you may find that your own security will not work or it will not allow it to run.
This may then require the purchase of different security software that can be configured and/or the employment of consultants.
The more I think about it, the more I'm inclined to suggest that you should look at the process as a review of computer usage practices.
Mark, this is a minefield, but also my area of expertise
First, unless this is part of your job, you need to bring in expert help. There are numerous reasons for this, not the least of which are any digital evidence collection laws applicable in your country.
You MUST be aware of the rules regarding evidence collection, and the constraints and conditions to which you must STRICTLY adhere.
I could give you more help and points to look at if you were in the UK, but I have no idea on current legal statute in your area.
Under no circumstances take this on unless you are au fait with the legal side; despite following orders from your managers, if this goes to tribunal, you personally, in certain circumstances, can be taken to court too (under slander and/or libel laws).
Please, explain to your managers that this is not to be taken on lightly; you will need to prove to both HR and possibly a court of law, that there was "sufficient justification" in a legal sense, to monitor/track/evaluate this person's access.
As I said, I specialise in UK and EU law, but if you think I can help further, feel free to send me a pm.
Whatever you do, whether discussing with a manager, or actually taking some steps in testing, get everything - and I mean EVERYTHING - in writing, before, during and after - it's the only way to cover your own back.