I was contacted by a department supervisor at my company about a potential problem with an employee’s use of the computer assigned to that individual. The supervisor isn’t sure whether it is Internet access, files stored locally or some combination of both. We haven’t had this kind of request before and I want to proceed carefully. What is the best way to proceed? — Via the Internet

The short answer is: Very carefully. I would immediately get your boss, the employee’s supervisor, the head HR person and your company attorney in a meeting. HR and legal counsel need to know of the situation immediately. HR will need to review the employee policy to see what the employee has been told in writing as to what kind of privacy they do or don’t have. Your lawyer will need to look for any potential liability from the employee. Within your department, you and your boss should be the only ones who have knowledge of the situation. The fewer people that know about this, the better.

In terms of watching the employee’s Internet activity, you can take a PC with Ethereal installed to do that. Use a capture filter to collect information on activity to and from the workstation in question. You can put this in tandem with your Internet connection by either spanning the Internet traffic to a spare port on your switch in the room where your connection terminates or by using a hub if you aren’t able to set up port mirroring. Set Ethereal to write capture files of 10 to 20 megabytes each, closing the current file when it reaches that size and starting a new one, so that the capture continues across a series of files. Copy these files to a CD as soon as possible so that you can preserve the information you have gathered.

Getting information from the PC’s hard drive will require a little more care. First, clone the employee’s hard drive after hours – taking care to disturb as little as possible in the employee’s work area. You can use Ghost if you don’t have a hardware-based drive-cloning tool available. I can’t stress enough the importance of leaving no trace that you have done anything to the computer – you don’t want to tip off the employee that you have been there. I would suggest making more than one copy of the drive and leaving one of the copies untouched, so that you can show what the drive looked like before you did anything versus the drive you actually did the examination on.

There are several books that I would suggest reading to help you get an idea of how to get information from the drive you have cloned, which could contain deleted files: Hacking Exposed – Computer Forensics and Hacker’s Challenge 2 from Osborne McGraw-Hill and Real Digital Forensics: Computer Security and Computer Forensics: Incident Response Essentials from Addison-Wesley Professional.

Also see: Employee e-mail is not private, in which Linda Musthaler recounts a similar issue at her company.
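The advice above to preserve the capture files and to keep one drive copy untouched is easier to defend later if checksums are recorded when the evidence is collected. The following is an added example, not part of the original column: it writes a SHA-256 manifest for a folder of evidence files and checks a working drive image against the untouched master. The function names, the `manifest.json` file name and the choice of SHA-256 are assumptions of this example.

```python
# Added example: function names, manifest.json and SHA-256 are assumptions.
import hashlib
import json
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large drive images are never loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, manifest_name="manifest.json"):
    """Record size and SHA-256 of every file in evidence_dir and save the manifest."""
    root = Path(evidence_dir)
    entries = {
        p.name: {"bytes": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(root.iterdir())
        if p.is_file() and p.name != manifest_name
    }
    (root / manifest_name).write_text(json.dumps(entries, indent=2))
    return entries


def verify_manifest(evidence_dir, manifest_name="manifest.json"):
    """Return {file name: problem} for files that are missing, altered or unlisted."""
    root = Path(evidence_dir)
    recorded = json.loads((root / manifest_name).read_text())
    problems = {}
    for name, meta in recorded.items():
        path = root / name
        if not path.is_file():
            problems[name] = "missing"
        elif sha256_file(path) != meta["sha256"]:
            problems[name] = "hash mismatch"
    for p in root.iterdir():
        if p.is_file() and p.name != manifest_name and p.name not in recorded:
            problems[p.name] = "not in manifest"
    return problems


def images_match(master_image, working_image):
    """True when the working clone is bit-for-bit identical to the untouched master."""
    return sha256_file(master_image) == sha256_file(working_image)
```

Run `build_manifest` on the capture folder before burning it to CD, and keep a copy of the manifest off that disc so a later `verify_manifest` does not depend only on the media being checked.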