Tuesday, September 11, 2007

My first run in with CP

At 8:30 Monday morning, the Director of HR called me to her office. I thought, "I haven't been in long enough to get in trouble." Little did I know what would be ahead of me. I knew I had a full plate of fires to put out; what was coming would dwarf everything for the day.

I reached her office and was told to shut the door. It seems there was an incident over the weekend. A female employee had logged into a computer and found "pictures inappropriate for work." There was probably more to the story, but I wasn't privy to it. I was asked to prove or disprove the accusation; and, if it was there find out how and when.

I took my laptop and retired to a smaller conference room, I really didn't want to do this from my cube. After shutting the door, I mapped a drive to the suspect machine, surfed to the My Pictures folder. Sure enough, there were pictures there. So, without opening anything, I copied the entire directory to a cdrom. Upon viewing the cdrom I was quickly able to verify that there were images inappropriate for work.

Now for the how and when. The when was pretty easy, as all the dates were the same. Could they be faked? Sure, but I didn't think so in this case. Next, I opened up regedit and connected to the suspect computer's registry. I looked in the currentcontrolset key, and found an iPod and Creative MuVo that were listed. When I found the Dos:E\ key, I pieced together that it appeared that the iPod was last listed as the E:\. However, the dates didn't match up. I knew the only way we would prove definitively is to get a hold of the iPod.

Before I started to write up my findings, the Director of HR met me in the conference room where I was working. My co-worker had just joined me and we were going over some other leads we wanted to chase down. The Director asked to see the pictures, mostly to see if there were other employees visible. Talk about awkward. But, I guess I had better get used to it. The first couple of pictures were definitely something taken from websites. Another bunch could have gone either way. But, while viewing the last couple, the Director asked me how old the girl was. Uh-oh.

So, we next formulated the steps to take. My part was easy, I was going to provide the facts; as best I knew them, and what I suspected, in order to fill in the holes. But, I tried to impress upon her that all the ducks had to be in a row.

After lunch, I got called into my manager's office, to find the President and the Director of HR. They asked for the cdrom. Calls had already been made to the company attorney. My manager asked me and my co-worker to go through mail and see if the pictures had been mailed anywhere; both in the company and out. Well, we found one outgoing mail message that was pretty incriminating. It was to an external address. My co-worker noticed that the email address was familiar. What?

It turns out the email address turned up in the firewall logs where we logged failed connection attempts to IM. Right after the IM failures, there was another email address with failures. So, we looked up the IP that the failures were coming from, and son of a gun if it wasn't something in the DHCP scope. Uh-Oh. A look at the the DHCP server showed a lease to a computer that we didn't name.

We've gone from proving a simple case of inappropriate images on the computer, to using an unapproved computer on our network. A quick scan of the firewall logs showed that this rogue computer had been on and off the network for about a month; usually third shift, and usually on the weekends. The sites they were visiting were typically web sites that allow you to IM when the firewall blocks those ports. We've pretty much proved that someone is trying to deliberately circumvent the access controls.

We had a quick meeting with upper management. We gave our statements and left. While chasing some last leads we see the accused go to HR. Of course he denied it. When pressed, he finally admitted most of what we knew. He tried to give what he thought was a valid explanation; but it wouldn't hold up in the face of the evidence we had.

Sit down now.......they didn't fire him on the spot. They let him go back to work until they had heard from the attorney. My co-worker and I almost fell over. I ran to my cube, and checked my mapped drive...sure enough, all the evidence was just deleted from his machine. (I was't too worried; worse case, we would have undeleted it.) Here's the good part, we set up the My Documents folder to redirect to the network. Should we need to, it's a simple restore.

Fast forward to today. The accused was fired first thing in the morning. I still haven't heard what the attorney has done. I wouldn't be surprised if the company gets subpoenaed for the data so that the authorities can go after him. As for the rogue laptop, my manager supposedly knows who it is, but nothing has been done. (Personally, I think this is a bigger offense, and has more risk. But that's just me.)

I went home wiped out. I hope the company doesn't screw this up, but I'm not holding my breath.

The good news is I got my tix for Bruce's new tour.

No comments:

Post a Comment