Catching a problem user

Suggestions on how to prove a user is violating acceptable use policy

A complaint reached my desk in which several students complained that another student in their building was e-mailing/sharing pictures that, to put it nicely, were in poor taste - lack of clothing - you get the picture. Since we have to have proof before confronting the student, I am trying to figure out the best way to get it. Any suggestions?

- Via the Internet

This is a very touchy situation. The first thing I would recommend is consulting the acceptable computer use policy your students have to abide by - and hopefully sign - when coming to your institution. The next step is to consult your institution's legal counsel to advise them of the situation so they can do any research they need to provide you with guidance on what you can and can't do. Anything you do on this needs to be written down so if there is a problem afterwards, you can go to your notes and not have to go from memory.

As a preliminary step, you can fire up a protocol analyzer such as Ethereal or Network General's Sniffer Portable to watch traffic on the network. I would suggest using a capture filter so you're watching only the traffic coming into and out of the workstation in question. Do this from a workstation that has a big hard drive, or move the capture files off to CD-ROM on a periodic basis. I suggest CD-ROM because once the file is on there, it can't be changed; lawyers seem to like that option. This option will take a while, since you will have to wait for the student to do something, and you'll have to periodically review the logs. It may also require you to set up some type of port mirroring so that the computer running the network protocol analyzer can sit in your server room or another controlled-access area, so as not to alert the student that someone is watching.

The next step may be a little problematic depending on your state laws and/or the computer policy on campus. What I'm talking about is computer forensics. This is where you either gain access to the machine and look at the drive in detail, or access the machine and "clone" the drive to another hard drive so you can examine it later without having to deal with the student coming back in while this is going on. There are several ways to do this, such as a hardware device that temporarily connects to either the computer or directly to the hard drive and makes a sector-level copy. There are also software products such as EnCase that offer the ability to access the drive remotely without physically having to touch the computer.
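The two evidence-gathering steps above (a per-workstation capture filter with captures moved to write-once media, and a sector-level copy of the drive) are easier to defend later if every file is hashed at the time it is collected. The following POSIX shell helpers are an added example, not code from the column or from any of the products it names; they assume tcpdump as the capture tool, a single IPv4 address for the workstation in question, dd for the sector-level copy, and SHA-256 as the integrity hash. The interface, address and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original column): helpers for the two
# evidence-gathering steps the answer describes. Assumptions (mine, not the
# column's): tcpdump for capture, dd for imaging, SHA-256 for integrity.

# Pick whichever SHA-256 tool the system has (GNU coreutils or BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Build the capture filter: only traffic to and from the workstation in
# question. An optional TCP port (e.g. 25 for SMTP) narrows it further so
# the capture files stay small and the review is quicker.
capture_filter() {
    host="$1"; port="$2"
    if [ -n "$port" ]; then
        echo "host $host and tcp port $port"
    else
        echo "host $host"
    fi
}

# Start a rotating capture on the mirrored port. A new file is started every
# N seconds so completed ones can be hashed and burned to read-only media
# while the capture keeps running. Needs root and a real interface; the
# interface name and address here are placeholders.
start_capture() {
    iface="$1"; host="$2"; outdir="$3"; rotate_secs="${4:-3600}"
    mkdir -p "$outdir"
    tcpdump -i "$iface" -n -G "$rotate_secs" \
        -w "$outdir/cap-%Y%m%d-%H%M%S.pcap" "$(capture_filter "$host")"
}

# Sector-level copy of a block device (or, for a dry run, a device image).
# conv=noerror,sync keeps going past unreadable sectors and pads them with
# zeros so offsets in the image still line up with the original drive.
image_drive() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
}

# Verify the image: when no sector was unreadable the two hashes must match.
# Prints both hashes (for the written notes) and returns 0 only on a match.
verify_image() {
    src_hash=$(sha256_of "$1"); dst_hash=$(sha256_of "$2")
    echo "source $src_hash"
    echo "image  $dst_hash"
    [ "$src_hash" = "$dst_hash" ]
}

# Write a hash manifest for every file in an evidence directory and return
# the manifest's own hash; record that value in your notes so any later
# change to a capture or image is detectable.
write_manifest() {
    dir="$1"; manifest="$dir/MANIFEST.sha256"
    : > "$manifest"
    for f in "$dir"/*; do
        [ "$f" = "$manifest" ] && continue
        [ -f "$f" ] || continue
        echo "$(sha256_of "$f")  $(basename "$f")" >> "$manifest"
    done
    sha256_of "$manifest"
}

# Typical use (placeholders, run as root on the monitoring workstation):
#   start_capture eth1 192.0.2.10 /evidence/captures &
#   image_drive /dev/sdb /evidence/student-drive.dd
#   verify_image /dev/sdb /evidence/student-drive.dd
#   write_manifest /evidence
```

The hash of `MANIFEST.sha256` is the one value worth copying into the written notes the answer recommends: anyone can later recompute the hashes of the captures and the image and confirm that they match what was recorded on the day they were collected.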

Hopefully the network protocol analyzer will get the information you need. If not, going the forensic analysis route may be necessary. Proceed carefully and make sure your attorney knows what is going on so you can avoid potential legal pitfalls.

Copyright © 2005 IDG Communications, Inc.
