waddy (Posted July 31, 2003)

Need some advice. There is a suspicion that one of the network users is stealing data. There is a CD burner in the office, and they are allowed web-based email as well.

I thought to install some spy software like: http://www.acespy.com/details.html

We need to see if he/she is mailing the data out or even using the CD burner.

Windows 2000 Server, Exchange 2000 and Win 2K Pro workstations.

I do know that we need to block webmail and the CD burner, but we don't want to until we get the required evidence. We need to find out what they are up to. Anyone got some good tips, experience or advice on this one?

Lotus (Posted July 31, 2003)

If you know roughly the time frame this person is doing this, you could do a simple advanced search for files or programs that have been accessed around that time. I'm sure there are programs out there that will track and log this type of thing for you, I just don't know any.

We had the same thing happen here where I work... but I knew the time he/she was doing this... that made it easy to trace using file searching.

Good luck to you... hopefully someone will answer your question a little better.

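A scripted form of the time-window search Lotus describes, as an added example that is not part of the original thread: it walks a directory tree and lists every file whose last-access or last-modified time falls inside the suspected window. The file names, window and sample tree are constructed assumptions; run it against a read-only copy or image, because opening files on the live system changes the access times being examined.

```python
import os
from datetime import datetime

def files_touched_between(root, start, end):
    """Return sorted (timestamp, field, path) tuples for files under root
    whose access or modify time lies inside [start, end] (local time)."""
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                # stat() reads metadata only; it does not update access time
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable or vanished entry: skip, keep walking
            for field, ts in (("accessed", st.st_atime),
                              ("modified", st.st_mtime)):
                if lo <= ts <= hi:
                    hits.append((datetime.fromtimestamp(ts), field, path))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data: three files with hand-set timestamps."""
    def stamp(name, accessed, modified):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample")
        os.utime(path, (accessed.timestamp(), modified.timestamp()))
    # Read inside the window, last changed weeks earlier (copied, not edited)
    stamp("customers.xls", datetime(2003, 7, 30, 19, 5), datetime(2003, 6, 1, 9, 0))
    # Both read and changed inside the window
    stamp("pricing.doc", datetime(2003, 7, 30, 19, 40), datetime(2003, 7, 30, 19, 40))
    # Untouched during the window
    stamp("lunch-menu.txt", datetime(2003, 7, 29, 12, 0), datetime(2003, 7, 29, 12, 0))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        window = (datetime(2003, 7, 30, 18, 0), datetime(2003, 7, 30, 22, 0))
        for when, field, path in files_touched_between(root, *window):
            print(when.isoformat(sep=" "), field, os.path.basename(path))
```

A file that shows up as accessed but not modified in the window is the pattern a copy leaves behind. An empty result does not prove nothing was read, since last-access updates can be disabled on the volume.
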
Mr.Guvernment (Posted July 31, 2003)

Take the CD burner out of the machine and put it only in a machine an admin can access?

Do you not control their email accounts, or is it like a Hotmail account type of thing?

You can password protect all shared network directories...

thatsteveguy (Posted July 31, 2003)

First off, check with local law enforcement to make sure that nothing you do is illegal. Spyware might be, yet other forms of surveillance might not be.

What we would do in a situation like that is install a packet sniffer and redirect all network traffic from that machine through the sniffer. You can reconstruct everything they are doing.

Also, when the person is away (evenings) I would go in and make a forensic image (sector by sector) of the suspect machine, at which point you can mount the image with forensic software (EnCase being an example, but I doubt you'll have that kicking around as it is about 4 grand). You can then go through the image (forensic software will also give you everything that has been deleted). One advantage to having the image is that if the person suspects something is up and does a wipe of their machine, you still have an original image from before it was wiped, so you still have evidence.

Now, when taking the image, make sure you use a Hard Disk Lock so that no data can be written to the host drive. And I cannot stress this enough: DOCUMENT everything you are doing so that it can stand up in court if need be.

S

Vermyn (Posted July 31, 2003)

I would enable auditing on the domain and the workstations involved. Set this in the Group Policy snap-in, then right-click on the files you suspect of being accessed and set them up for auditing in the Security tab.

Bursar (Posted July 31, 2003)

I really wouldn't install monitoring software without telling people that it's being done. I know it kind of defeats the object, but as mentioned, there are all kinds of legal implications if you just put this stuff in place without taking the necessary steps.

Your HR dept should know what's what as far as that goes, so check the lie of the land with them. You might find that it is perfectly sufficient to send an email announcing the intention to install monitoring software on certain PCs, and that anyone found breaking the law or browsing unsuitable websites will find themselves in deep do-do.

I presume your company has an acceptable-use policy on what they can and cannot do with the computers?

prichardson (Posted May 21, 2004)

I work for the company that produces SofTrack and it has the ability to audit all file open and create attempts for the workstations. SofTrack is used for Metering/Auditing/Inventory software on the network. It also has some control features that you might like.

Paul Richardson
Integrity Software
www.softwaremetering.com

clutch (Posted May 23, 2004)

Originally posted by prichardson:

> I work for the company that produces SofTrack and it has the ability to audit all file open and create attempts for the workstations. SofTrack is used for Metering/Auditing/Inventory software on the network. It also has some control features that you might like.
>
> Paul Richardson
> Integrity Software
> www.softwaremetering.com

Normally I am not crazy about people selling their stuff in the forums (with the exception of the trade/selling area, of course), but in this case I believe it's OK. This is an application that is a possible solution for the issue at hand. If this becomes an issue in future (abused, complaints, etc.) then further action will be taken at that time.