Tuesday, October 2, 2007

Lesson Learned: Always mention when you are going to analyze a machine

It's been an interesting week. People have been leaving the company in record numbers.

The latest occurred yesterday. The manager went to his boss, gave his resignation, said he was going for coffee and would be right back. He hasn't returned yet, at least as far as I've been told. My co-worker disabled the network account and email. He went down to the machine and uploaded to the network any files that were on the C: drive and therefore not being backed up.

We don't have a policy on what to do when a person leaves the company, willfully or not. I've tried. HR doesn't want the extra work.

Later in the afternoon, I figured I would take a look at the ex-employee's computer, looking for deleted files, pictures that shouldn't be, or anything else that shouldn't be on the company computer. So, later in the afternoon, having a few minutes to spare, I head down to the ex-employee's computer, whip out Helix, and start analyzing. I really didn't expect to find anything. I was sidetracked on the way, so I didn't mention to anyone where I was going.

I went to look at IE history, but accidentally hit the button for NirSoft's Protected Storage PassView. Well, the Trend Micro client installed on the machine picked it up as "hackerware." A note would be sent to the administrators. About ten minutes later, there's a knock at the office door, and there standing outside is my co-worker and my boss. I quickly explained what I was doing. They were there because they thought the manager who left had come back and was working maliciously on the computer. All was soon well. Important lesson learned, though. Let someone know what you are doing so as not to falsely set off alarms.
