Security Basics mailing list archives
RE: Computer forensics to uncover illegal internet use - Revisted
From: "dave kleiman" <dave () isecureu com>
Date: Wed, 31 Aug 2005 11:57:17 -0400
Speaking of not following the advice of people offering advice, as you are, what if we used your advice in a scenario? You were alerted that people saw pornographic pictures on an employee's system; we will call him Mr. Acme. Through normal procedures, you do a check of this system, and when you see the pictures you note they are child pornography. This, of course, is not official, as you are not a doctor who can verify the age of the persons in the pictures. Following your methodology, you, through corporate policy, make a backup of the drive, wipe the original drive, and fudge the paperwork so as to protect the employee and company. You send the backup to the company attorney to take the weight off your shoulders. About a month later, you pull into the office and notice several police cars out front. When you get to your office, there are a detective and several police officers waiting to speak to you. They inform you that an employee, Mr. Acme, is in custody for the abduction and sexual battery of a minor. It happens that this minor is the child of another company employee. This employee was told, through the water cooler convention, that a month ago an employee reported seeing pornographic pictures on Mr. Acme's computer and reported it to you. Several employees saw you work on Mr. Acme's computer that day, and bring in an external drive and hook it up. Later they saw you reinstall the OS. How does this fit into your "best course of action is to purposefully falsify the record of the company's response to the incident"? And how about your "will determine whether you ruin one or more innocent persons' lives, possibly destroy your company, your career, the careers of others, trigger suicides or murders, and in other ways that you cannot anticipate and may have difficulty believing possible, become caught in a life-destroying mess of bad statutes and very badly misguided people who think they're doing their jobs but are actually just incompetent, careless, and self-serving"?
By the way, was there ever a mention in the original post about child pornography? Maybe he was just referring to utilizing the computer for surfing porn sites. Just a thought.

Dave

Jason said:
The people whose advice you take in the next couple of weeks, Edmond, will determine whether you ruin one or more innocent persons' lives, possibly destroy your company, your career, the careers of others, trigger suicides or murders, and in other ways that you cannot anticipate and may have difficulty believing possible, become caught in a life-destroying mess of bad statutes and very badly misguided people who think they're doing their jobs but are actually just incompetent, careless, and self-serving. However, because somebody else (most importantly, law enforcement) may already be investigating without your knowledge, and because you may be in possession of evidence that would prove reasonable doubt of the accused's guilt, you must attempt to get every bit of data (the so-called 'evidence') from the suspect's hard drive preserved forensically and in the custody of the company attorney. Do so 'after' you wipe the drives -- you need to seriously consider the value of keeping logs of your actions which reflect the fact that you wiped the drive AND THEN gave the drive to your company's attorney. Ask your company's attorney... He may tell you that your company's best course of action is to purposefully falsify the record of the company's response to the incident. The company is not legally obligated to keep accurate records of such things, after all, and with a company record showing the drive was wiped and the physical device is now in the custody of the company attorney, the company is able to prevent ANY loss of control over the situation in the event that the company's duty to protect its employee's interests ends up in conflict with law enforcement's desire to aggressively prosecute somebody because they were at some point in time associated with or in proximity to a hard drive that was suspected to have contained, if only temporarily, circumstantial evidence of a crime.