Computer forensics

By mark.delport

I have someone that is performing well as this person should not be acting at the work space and I have been tasked with doing some forensic testing on his machine. Any ideas out there as to what I can use to track his history?

All Answers

Hello Mark

by The Scummy One In reply to Computer forensics

If this is not your area of expertise, push back on the assignment. If you are not familiar with the law(s) for what you are doing, then you could put yourself into serious risk.
Speak to your manager and see if this needs to be done, look at outsourcing. Do not be scared to mention that this is not your area of expertise.

Otherwise, there are plenty of books regarding this type of thing. If you have the will, start there.

If not done correctly, could lead to lawsuits

by jdclyde In reply to Hello Mark

First is the idea of preserving the evidence. How do you prove that YOU didn't put the trail on the PC?

This is a very specialized area as the scummy one has pointed out. I would not do it myself, because I am not trained on the laws, nor do I have training with the proper tools.

If you HAVE to do this, have someone from HR sitting with you the whole time so there is a witness.

Personally, I would

by The Scummy One In reply to If not done correctly, co ...

flat out refuse the assignment. I have done it once before, and would do it again. Too much personal risk and possibly years in court.
I agree though, have someone in HR if it truly needs to be done, but still be prepared to hire an attorney later.

If it was me I'd be reluctant to do it, however

by ComputerCookie In reply to Personally, I would

is he in your department?

If he is I would recommend that you speak to your superiors first, then I may look at temp files and make some sort of judgement.

You may find that this person is not the only person on the network who is wasting time! Unless the activities are illegal I'd say nothing.

The best approach then would be to review the company policies and recommend to management that more restrictive network access is required to improve network speed, reduce bandwidth, maintenance and/or costs.

You may come out of this exercise feeling good and with the belief that you have achieved something good.

I don't doubt your ability, but once you start installing 'spyware' on your network you may find that your own security will not work or it will not allow it to run.

This may then require the purchase of different security software that can be configured and or the employment of consultants.

The more I think about it, the more I'm inclined to suggest that you should look at the process as a review of computer usage practices.

Mark, this is a minefield, but also my area of expertise

by gadgetgirl In reply to Computer forensics

First, unless this is part of your job, you need to bring in expert help. There are numerous reasons for this, not the least of which are any digital evidence collection laws applicable in your country.

You MUST be aware of the rules regarding evidence collection, and the constraints and conditions under which you must STRICTLY adhere.

I could give you more help and points to look at if you were in the UK, but I have no idea on current legal statute in your area.

Under no circumstances take this on unless you are au fait with the legal side; despite following orders from your managers, if this goes to tribunal, you personally, in certain circumstances, can be taken to court too (under slander and/or libel laws).

Please, explain to your managers that this is not to be taken on lightly; you will need to prove to both HR and possibly a court of law, that there was "sufficient justification" in a legal sense, to monitor/track/evaluate this person's access.

As I said, I specialise in UK and EU law, but if you think I can help further, feel free to send me a pm.

Whatever you do, whether discussing with a manager, or actually taking some steps in testing, get everything - and I mean EVERYTHING - in writing, before, during and after - it's the only way to cover your own back.

Good luck - you need it.


Potential minefield

by mark.delport In reply to Mark, this is a minefield ...

Hi GG,

Thank you for the advice and will take whatever assistance I can get. I have been directed by the CEO of the organisation that I work for to do this.

I have an appointment with a solicitor to help guide the process. I will ensure before I go any further to ensure that I have everything in writing.

The outcome of this could be that a new internet usage and policy will need to be implemented.


