Security Basics mailing list archives

RE: Computer forensics to uncover illegal internet use - Revisited


From: "dave kleiman" <dave () isecureu com>
Date: Wed, 31 Aug 2005 11:57:17 -0400

Speaking of not following the advice of people offering advice, as you are,
what if we used your advice in a scenario?

You were alerted that people saw pornographic pictures on an employee's
system; we will call him Mr. Acme.  Through normal procedures, you do a
check of this system and when you see the pictures you note they are child
pornography.  This, of course, is not official as you are not a doctor who
can verify the age of the persons in the pictures.

Following your methodology through corporate policy, you make a backup
of the drive, wipe the original drive, and fudge the paperwork so as to protect
the employee and company.  You send the backup to the company attorney to
take the weight off your shoulders.

About a month later, you pull into the office and notice several police cars
out front.

When you get to your office, there are a detective and several police
officers waiting to speak to you. They inform you that an employee, Mr. Acme
is in custody for the abduction and sexual battery of a minor.  It happens
to be this minor is the child of another company employee.

This employee was told, through the water cooler convention, that a month
ago an employee reported seeing pornographic pictures on Mr. Acme's computer
and reported it to you. Several employees saw you work on Mr. Acme's computer
that day, and bring in an external drive and hook it up. Later they saw you
reinstall the OS.

How does this fit into your “best course of action is to purposefully
falsify the record of the company's response to the incident”?

And how about your “will determine whether you ruin one or more innocent
persons' lives, possibly destroy your company, your career, the careers of
others, trigger suicides or murders, and in other ways that you cannot
anticipate and may have difficulty believing possible, become caught in a
life-destroying mess of bad statutes and very badly misguided people who
think they're doing their jobs but are actually just incompetent, careless,
and self-serving”?

By the way, was there ever a mention in the original post about child
pornography? Maybe he was just referring to utilizing the computer for
surfing porn sites.


Just a thought.

Dave


Jason said:

The people whose advice you take in the next couple of weeks,
Edmond, will determine whether you ruin one or more innocent
persons' lives, possibly destroy your company, your career,
the careers of others, trigger suicides or murders, and in
other ways that you cannot anticipate and may have difficulty
believing possible, become caught in a life-destroying mess
of bad statutes and very badly misguided people who think
they're doing their jobs but are actually just incompetent,
careless, and self-serving.

However, because somebody else (most importantly, law
enforcement) may already be investigating without your
knowledge, and because you may be in possession of evidence
that would prove reasonable doubt of the accused's guilt, you
must attempt to get every bit of data (the so-called
'evidence') from the suspect's hard drive preserved
forensically and in the custody of the company attorney.

Do so 'after' you wipe the drives -- you need to seriously
consider the value of keeping logs of your actions which
reflect the fact that you wiped the drive AND THEN gave the
drive to your company's attorney.

Ask your company's attorney... He may tell you that your
company's best course of action is to purposefully falsify
the record of the company's response to the incident. The
company is not legally obligated to keep accurate records of
such things, after all, and with a company record showing the
drive was wiped and the physical device is now in the custody
of the company attorney, the company is able to prevent ANY
loss of control over the situation in the event that the
company's duty to protect its employee's interests ends up in
conflict with law enforcement's desire to aggressively
prosecute somebody because they were at some point in time
associated with or in proximity to a hard drive that was
suspected to have contained, if only temporarily,
circumstantial evidence of a crime.
