Monday, October 22, 2007

Email addresses and E-Discovery

This has been bugging me for a while. And I'm just now going to write about it. And only because a user inadvertently brought it up.

While I was in the lunchroom, a user came in to eat and brought her Blackberry. (We don't have a policy on Blackberrys...grrrr...a post for another day.) Anyway, one of the sales reps had emailed her back a one-word answer. "Yes." She ranted that she was sick of this rep replying with one-word answers to her questions, and replying from his personal mail. She sent the original question to his corporate email address.

Back in November, the IT department was successful in changing the policy on forwarding all corporate email to personal email addresses. 90% of the users comply with this policy. First of all, management did not like the fact that official company business was being conducted with an "aol" or "hotmail" address. I didn't like it because we have no record of what is really going on. Suppose a sales rep makes a deal with a dealer giving them X% off of a future order. If the company did not comply (for whatever reason), how would we know? We can't grab aol or hotmail email. Should we get sued, we could never produce that email.

Unfortunately, it is not just sales reps that are doing this. There are some in upper management who use their personal email addresses.

So, how do you enforce this policy? I would love to hear some suggestions.

Tuesday, October 2, 2007

Lesson Learned: Always mention when you are going to analyze a machine

It's been an interesting week. People have been leaving the company in record numbers.

The latest occurred yesterday. The manager went to his boss, gave his resignation, said he was going for coffee and would be right back. He hasn't returned yet. At least as far as I've been told. My co-worker disabled the network account and email. He went down to the machine and uploaded to the network any files that were on the C: drive and thus were not being backed up.

We don't have a policy on what to do when a person leaves the company, willfully or not. I've tried. HR doesn't want the extra work.

Later in the afternoon, I figured I would take a look at the ex-employee's computer, looking for deleted files, pictures that shouldn't be, or anything else that shouldn't be on the company computer. So, later in the afternoon, having a few minutes to spare, I head down to the ex-employee's computer, whip out Helix, and start analyzing. I really didn't expect to find anything. I was sidetracked on the way, so I didn't mention to anyone where I was going.

I went to look at IE history, but accidentally hit the button for NirSoft's Protected Storage PassView. Well, the Trend Micro client installed on the machine picked it up as "hackerware." A note would be sent to the administrators. About ten minutes later, there's a knock at the office door, and there standing outside is my co-worker and my boss. I quickly explained what I was doing. They were there because they thought the manager who left had come back and was working maliciously on the computer. All was soon well. Important lesson learned, though. Let someone know what you are doing so as not to falsely set off alarms.