Re: Controversial (maybe) question

[Brian Erdelyi <brian_erdelyi () yahoo com>]

There are alot of thibgs you can do before gettibg invasive on the PC.  Software on the PC will likely set off alarms 
with AV.  I'd focus more on native audit logging capabilities of the systems and data you want to be monitoring.

I'd suggest:

1. Take a forensic image of the workstation (this is a point in time snapshot and may provide insight into what he has 
been doing in the past).  Internet history may be useful if you do not have a proxy server that logs access.  It may 
also provide an indication if he has copied data to the PC.

2. Ensure NTFS permissions are set appropriately on sensitive resources (applications, folders, etc).  Enable file 
level auditing to determine if he accesses those files.

3.  Enable additional logging on the PC.  You may be able to log what applications are being launched and if data is 
being copied to the PC.

4. Review outbound email for the user at the server.  Get a copy of their mailbox to review.

5. Get a copy of their home directory.

6. PBX records to get a log of inbound and outbound calls.

7.  Review his access to confirm what he does and doesn't have access to. (This can help frame the potential scope of 
exposure if you assume the worst).

Sent from my iPhone

On May 25, 2013, at 11:26 PM, Dan Baxter <danthemanbaxter () gmail com> wrote:

> Okay, yesterday at work, I was asked if I could deploy some spyware to a PC to determine what a particular user is 
> doing.  The requestor was one of our corporate attorneys, no less.  
>
> The concern is that this individual is possibly accessing sensitive documents and getting them to a competitor.  I'm 
> not at this location, so I don't know the person, or the exact circumstances or requirements, yet.  I have been told 
> he's the "unofficial IT guy" for this location, so he may be wary.  
>
> At present, we don't block access to USB drives.  We do block access to cloud based storage (Dropbox, Copy, Skydrive, 
> etc).  
>
> Ironically, this is the same atty that helped shoot down a DLP project I was working on earlier this year.  I took 
> gratification in pissing her off by reminding her that this would be a perfect example of why we need one.  
>
> Anyway, assuming I get signoff from HR and our Ethics department (still questionable), are there any suggestions of 
> what I could deploy?  Also, I realize some testing is going to need to be done to make sure it doesn't set off alarms 
> on his A/V.  Any other pitfalls I need to be aware of?  
>
> Thanks in advance.
>
>
> Dan Baxter
> -------------------------------------------------
> Quis custodiet ipsos custodes?
>
> "A sword never kills anybody; it is a tool in the killers hands."-Lucius Annaeus Seneca, c.4BC-65AD
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com