CHAPTER 11
Human Resources Cases
We’ll Cover
 
•   Results of a human resource case
•   How to work a pornography case
•   How to work a productivity waste case
 
Chapter 10 showed you how to identify the type of investigation you are dealing with. This chapter discusses typical investigation criteria when working with human resource cases. This chapter covers the concepts and artifacts for you to review. If you want to view step-by-step guides, go to www.learndfir.com to watch the videos for this chapter. You’ll read about several different types of real-world cases and the approaches to analysis each presented. This chapter covers the easy stuff—pornography and productivity waste. In later chapters, we’ll move on to more challenging issues such as theft of proprietary information. This information will be most useful for corporate forensic analysts; however, analysts working outside of the corporate environment will find the implications and challenges of working in a networked environment of particular interest.
In my experience, the average HR-related cases end up being fairly straightforward. You may encounter the occasional oddity, but the essential questions to answer are the same: Has an employee violated a policy or otherwise wasted company resources?
Results of a Human Resource Case
In 99.99 percent of all the human resources cases I’ve worked, I’ve been asked to determine whether enough evidence is present to support the termination of an employee for a violation of company policy. What activities violate company policy varies by the company, but for most companies, an employee who views online pornography instead of working is typically on the road to termination, while an employee who plays games instead of working may warrant a reprimand or counseling.
Of cases that involve a terminable offense, the most common issue is the unauthorized surfing of pornographic web sites and other types of adult media. In other cases that end in immediate termination, the issue often involves employees making threats against others via company e-mail or instant messaging—all of which involve risk to the employer.
Of the cases that do not involve immediate termination, the most common is the waste of company time or resources for personal enjoyment. This most often involves seemingly endless web surfing, playing games, using Facebook, and spending time in other distractions. In some cases, such as in pornography, it can involve both waste of company resources, violations of established company policy, and/or cause of personal discomfort or harassment of other employees.
Note
Although I am covering the most common human resources cases in this chapter, there are other examples of HR cases, such as sexual harassment, threats of physical violence, and affairs in the workplace. Your work in all of these types of cases can involve the same methods discussed in this chapter—that is, reconstructing the user’s Internet activity to find evidence of his or her actions.
How to Work a Pornography Case
Pornography is the easiest of all types of HR cases to analyze and investigate. What you’re looking for is obvious when you see it. (If it walks like a duck and quacks like a duck, guess what? It’s a duck!) This section focuses on a case study of a real-life pornography case. Then you’ll learn a few tips on how to perform an analysis of a pornography case yourself.
IMHO
A pornography case is almost always the first type of case a new corporate investigator will examine. Viewing pornography at work is not only the most common unsavory activity that an employee will do if they think no one is monitoring them, but it is the easiest type of evidence to detect. In most cases, just the existence of pornography on the work system is enough evidence to warrant termination. And most employees will not try to sue for improper termination if they are fired for viewing pornography for fear of embarrassment, so this is a very low risk case for you and for the individuals who request it.
Pornography Case Study
An employee surfing pornography while on the job can occur at almost every company in today’s always-connected work environments. Some employees will waste an hour a day or more surfing pornographic sites. These cases are easy to investigate, because a simple review of the user’s Internet history and a view of the images on his or her hard drive will quickly reveal any pornographic images. And related information you may uncover can take investigations to the next level, and that will challenge you to do some more creative analysis. These investigations occur when the employee is generally aware that someone may be monitoring his or her web browsing and may be using privacy features to prevent evidence of it being created. This leads us to the following scenario.
Note
According to Nielsen Online, as of October 2008, approximately 25 percent of employees visit an Internet pornography site during working hours. It used to be one of the most common types of internal investigations, though today’s implementation and thorough tuning of web content filtering has reduced the vast majority of access. As you work other HR cases, ask whether you should also check for pornography use. Other types of HR cases can incorporate pornography issues if you look for it.
The Sluggish Network
An employee was surfing pornography sites while on the clock at a regional retail company. However, this man wasn’t an average company employee—he was the corporate IT director.
The matter began as all seem to, with an everyday work issue. In this case, the IT department received multiple complaints over a few days’ time that “the Internet sure is moving slowly.” The IT director received the complaints through the company’s trouble ticket system and assigned the task of troubleshooting the problem to a member of his staff. The employee reviewed the bandwidth consumption report on the firewall and identified the users who were using up the most bandwidth. He found the usual list of activities—streaming music, video, and so on—but when he viewed the list of host sites being visited, he noticed that a particular user was visiting obvious pornographic sites, for anywhere from five to seven hours a day!
This was very unusual, because at this company, policy emphasized that employees were prohibited from surfing pornographic sites. In fact, the company had purchased a content filter appliance and installed it in the infrastructure to prevent such activity. The company also paid for continuing updates to the content filter database.
The IT staff member assigned to the task looked up the static internal IP address assignments in the DHCP server and determined that the offending user was his boss, the IT director. After compiling a thorough list of activity from the firewall, he took the information to the company’s HR department.
After receiving the logs from the IT employee, the HR director contacted in-house counsel. The next day, the in-house counsel contacted outside counsel after determining that the termination of a director might end in litigation. Later in the week, the outside counsel contacted my company.
LINGO
In-house counsel or inside counsel refers to a lawyer who works in your company. Most large companies have legal departments, and the head of the department is called the “general counsel.” Smaller companies might employ one in-house lawyer or an outside law firm that is retained to make legal decisions for the company. In either case, as long as the lawyer is providing advice to the company for internal matters, he or she is considered in-house counsel for the examples presented in this book.
LINGO
Outside counsel refers to law firms retained by companies that desire a third-party opinion of a company decision. The company usually asks for the opinion in writing, which can be referred to at a later time if challenged, or if the company is seeking a lawsuit. Why does a company need outside counsel for a lawsuit? Typically in-house counsel is not actively practicing law in court, so companies rely on law firms that regularly bring matters to the court and know the rules and have licenses to do so.
The company asked us to conduct this investigation and create all imaging covertly, during the evening when the employees were gone. This is a typical scenario when you investigate a key employee and an outside firm is brought in to perform the analysis. If this investigative work was performed during the work day, the company would have to explain not only why outside consultants were in the building, but also why they needed access to the IT director’s computer.
In Actual Practice
Today, many companies and consultants are making use of enterprise investigation software, such as EnCase Enterprise, AccessData FTK Enterprise, F-Response, and more. These packages allow you to install an agent over the network and create a forensic image of a computer over the network. This works especially well when the examiner is working on the same LAN as the suspect—meaning fast transfer speeds and covert investigations. If this software is set up (and the IT director or another suspect is not in charge of it), it can be used to capture imaging during the work day without the suspect’s knowledge.
In this case, evening data collection was necessary because the IT director was known to have a somewhat aggressive personality and was very paranoid about people going near his work area. (In retrospect, the company should have been suspicious.) In fact, on a few occasions he chastised the cleaning crew if he noticed that they moved items on his desk while cleaning up. To ensure that it didn’t appear as though we had touched the computer, we conducted a “black bag” style job. We were asked to take photographs of his desk before we took the drive out of the computer, so we could put everything back in the exact place we found it.
LINGO
A black bag job refers to a nighttime operation that leaves no evidence of your forensic imaging. This term is based on the military/intelligence community’s technique of grabbing a suspect off the street and placing a black bag over his head to prevent him from knowing who grabbed him or where they are going. I often call this a “covert collection.”
After imaging the system, we began the analysis, and we found evidence of the pornographic web surfing activity. The Internet history file (index.dat) documented all of the suspect’s surfing activity and showed that his pornography surfing activity amounted to approximately three to five hours per day. After documenting all the activity and copying pornographic images and movie data that we could recover from the forensic image, we presented our findings to the HR director. These findings showed the HR director conclusive proof of daily accesses to pornographic web sites—this was not a one-time event—and the long extended sessions of access to pornographic materials—this was not the result of a random pop-up ad.
Afterward, we were informed by the HR director that because the company feared an improper termination lawsuit, this was insufficient for her to terminate him. She said that he would surely fight the conclusions, because he would argue that someone else had obtained his password and logged onto the system under his credentials to explain why the images would appear under his user profile. After I explained to her that this would involve the offending party literally logging on while the IT director was there, at work, she said she believed that she would still need further evidence to confront him with.
IMHO
You’ll often encounter nontechnical people who are in a decision-making position in your investigation. It’s important that you understand their fears and learn how to explain your report in plain, simple layman terms to help ease their concerns. In this case, the HR director was considering terminating a member of the company’s senior staff, and her decision would lead to scrutiny from both the other executives, who may be feeling vulnerable themselves, and the legal department, which will be looking at the liability that the termination would expose the company to.
In such cases, it’s understandable that an HR director would be overly cautious about pulling the termination trigger. When you are providing results that, to you, show complete proof of a terminable action, don’t be surprised if you are asked either to explain it further or provide even more evidence that proves the identity of the suspect creating the artifacts you recover. And remember that the HR director may decide to take no action whatsoever, and, if so, there is nothing you can do as a forensic examiner.
At this point, to support our efforts to gather definitive evidence of our suspect’s identity, we were given permission to review the corporate firewall and content filter appliance during another late evening on site, with the HR director advising IT staff to assist us and give us access. We were met that evening by the HR director and the employee who initially found the logged data. Can you already guess who set up the content filter appliance? The IT director, of course, turned on the pornography filter and then wrote a rule that applied to all IP addresses on the network—except his. Thus, his IP was specifically exempted from the pornography filter, and he could go wherever he wanted. That was the specificity—the exemption rule that the IT director had created—that the HR director needed to take actions against the suspect, because it was a known fact that the IT director was the person who set up the content filter and thus could not deny his knowledge of either the setup or the static IP address in use.
In Actual Practice
As you can see, this case involved a bit of overlap in the end. We moved from what began as a simple pornography case to a blended case of pornography and abuse of administrative privileges in the IT director’s actions with the content filter. Keep in mind that there is no rule that says that one type of case can’t lead into another type of case, or a blended case. What is important is that you look at how the case starts and make a plan on how to deal with issues as you discover them, and then handle whatever you discover—because you’ll never know.
How to Investigate a Pornography Case
For those cases not quite as quirky as the preceding example, an average pornography investigation is fairly straightforward. You will find pornographic images in the Internet cache when you review them; some pornographic videos might have been downloaded onto the hard drive and can be located by file signature; and the Internet History file will detail the URLs of the pornographic web sites and date and time the suspect visited them. Let’s look at how you can get at this data.
The following examples use FTK, but you can use whatever tool you’re comfortable with. If you are a new FTK user, we recommend you go through the product’s user manuals first to learn how to add evidence—this book is meant to show you techniques and procedures, but it doesn’t offer individual tool instructions.
In Actual Practice
Almost every commercial suite and many open-source tools support analyzing Internet history files. If you are using EnCase or FTK, they offer built-in support for the major browsers: you simply locate the history files and review them. If you are using SIFT, you need to run either the log2timeline tool or another tool that supports the history files created by the browser.
It is important to answer the following questions:
 
1.  What browser is the suspect using?
2.  What tool in your tool kit supports analyzing the history files that they create?
3.  Can you analyze the history file?
4.  Can you recover deleted history records, either with the tools you have or with specialty tools that you can find on the Internet?
Budget Note
If you have some extra cash for a tool that specializes in Internet history file analysis and can carve out more deleted records than most tools, you should look into Digital Detective’s NetAnalysis tool (www.digital-detective.co.uk/netanalysis.asp)—a great specialized tool for the job. If you don’t have extra cash, multiple open-source and/or free options are available as well. Once you’ve identified the browser being used, you can search sites such as the SANS blog to look for entries of free and/or open-source tools you can use to analyze history files.
Analyzing Internet History
First, we’ll look at obtaining URL and date/time information from the Internet history file (index.dat). Figure 11-1 shows how FTK renders the history file for hits to the keyword “purplepornstars.” To get to this point, I let FTK process the drive, which means it found and analyzed the Internet history entries, and then searched for a keyword of the suspected pornographic web site. All of the entries in the history file that match the keyword are located, and the data in the parsed index.dat file can be bookmarked for inclusion in the FTK report.
Figure 11-1   Viewing an Internet history entry from a search result in FTK
Note
Index.dat is a history file specific to Microsoft Internet Explorer. Each browser has its own way of storing the history of a user’s web activity. You must identify which browser the user is using and then determine where that browser stores its Internet history files. You must also make sure that your forensic tools support that history file type for analysis.
 
Although providing the date/time that the pornographic web site was accessed is often sufficient for most simple investigations, once in a while you’ll be asked to gauge, as best as possible, exactly how much time a particular employee has been surfing web sites. In such a case, you can find great tools that will process all recoverable index.dat files and allow you to parse them and run statistical analysis. Taking that refined and recovered data, you can create a cohesive picture of the amount of time the suspect spent on particular sites. Another approach may be to export all the data to a delimited format, which can then be imported into a relational database such as Microsoft Access and queried as needed.
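The following is an added example, not code from the book or from FTK or NetAnalysis, showing the statistical step described above once history records have been exported to a delimited file: it groups hits to each host into sessions separated by a silence threshold and totals the estimated time per host. The CSV text, host names, column names and the 30-minute gap limit are constructed assumptions; a real export from your history tool would replace the sample.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample standing in for a parsed index.dat export (URL plus
# visit time in UTC). None of these hosts or times are real case data.
SAMPLE_HISTORY_CSV = """url,visited_utc
http://www.example-news.test/front,2011-04-04 09:02:10
http://www.example-news.test/story/1,2011-04-04 09:03:40
http://www.purplepornstars.test/index.html,2011-04-04 10:15:00
http://www.purplepornstars.test/gallery/2,2011-04-04 10:17:30
http://www.purplepornstars.test/gallery/3,2011-04-04 10:21:00
http://intranet.corp.test/timesheet,2011-04-04 13:00:00
http://www.purplepornstars.test/video/9,2011-04-04 15:00:00
http://www.purplepornstars.test/video/10,2011-04-04 15:04:00
"""

GAP_LIMIT_SECONDS = 30 * 60   # assumed: a silence longer than this closes a session
MIN_SESSION_SECONDS = 60      # assumed: credit a lone hit with at least one minute


def parse_history(csv_text):
    """Return (hostname, visit datetime) tuples sorted by visit time."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        host = urlsplit(rec["url"]).hostname or ""
        when = datetime.strptime(rec["visited_utc"], "%Y-%m-%d %H:%M:%S")
        rows.append((host, when.replace(tzinfo=timezone.utc)))
    rows.sort(key=lambda r: r[1])
    return rows


def sessions_by_domain(records, gap_limit=GAP_LIMIT_SECONDS,
                       min_session=MIN_SESSION_SECONDS):
    """Group consecutive hits to the same host into sessions.

    Returns {host: [(start, end, seconds), ...]}. The last hit in a session
    has no successor to measure against, so every session is credited with
    at least `min_session` seconds. This is an estimate from history
    records, not a wall-clock record of what was on screen.
    """
    by_host = defaultdict(list)
    for host, when in records:
        by_host[host].append(when)

    result = {}
    for host, times in by_host.items():
        sessions = []
        start = prev = times[0]
        for t in times[1:]:
            if (t - prev).total_seconds() > gap_limit:
                sessions.append((start, prev, max((prev - start).total_seconds(), min_session)))
                start = t
            prev = t
        sessions.append((start, prev, max((prev - start).total_seconds(), min_session)))
        result[host] = sessions
    return result


def total_seconds_by_domain(records, **kw):
    """Total estimated seconds per host, the figure an HR report usually asks for."""
    return {host: sum(s[2] for s in sessions)
            for host, sessions in sessions_by_domain(records, **kw).items()}


if __name__ == "__main__":
    recs = parse_history(SAMPLE_HISTORY_CSV)
    for host, secs in sorted(total_seconds_by_domain(recs).items(), key=lambda kv: -kv[1]):
        print(f"{host:35s} {secs / 60:6.1f} min")
```

State the gap limit and the minimum-session rule in the report alongside the totals; the totals are only defensible if the reader can see how they were derived.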
In simple cases, you may not need to go through the trouble of identifying every pornographic web site the suspect accessed. Instead, providing samples of pornography stored on the system might be enough.
Figure 11-2 shows the EnCase Forensic gallery view that can display all images in a selected folder, group of folders, or the entire drive image. Almost every forensic analysis tool has a similar function, which makes them great for investigations involving pornography. With EnCase, all you have to do is scroll through all the pictures and find those specific to the matter at hand.
Figure 11-2   Reviewing images in the EnCase gallery view
Along with finding the images and movies on a user’s hard drive, you should also consider another method of content transfer that is becoming one of the most widely used in the world of Internet pornography: streaming video—more specifically, streaming via Flash. Recently, a slew of new web sites have emerged that stream movie content in both short preview and full length via Flash; these movies have the same look as YouTube video. Streaming is starting to far outpace other methods of pornography distribution. In fact, according to a 2009 Forbes article, “The Challenge of User-Generated Porn,” by Oliver J. Chiang, “Five tube sites—including Youporn, Pornhub and RedTube—are among the top 100 web sites in the world, according to web analytics service Alexa.com. Conversely, the mega pornography movie distributor, Vivid.com, which charges for its content, is ranked 12,718.”
Examples of “tube” style Flash movie sites include these:
 
•   http://www.xxxduck.com/
•   http://www.3tube.com/
•   http://www.8tube.com
•   http://www.flvtube.net
•   http://www.porntube.com
If you are working an HR case with a streaming video component, be it pornographic or not, you’ll probably at one point be asked to show what it was the employee saw. Keep the following in mind when you’re dealing with video streams:
 
•   Images are often downloaded to the browser cache, or links to videos download to the cache and start instances of a media player, but streams don’t work that way.
•   You will usually find the HTML remnants of the page the video was embedded into.
•   If you need to reconstruct the session as it was viewed, the original stream content must still be on the same server that was used when it was originally viewed by the user. This differs from data that is downloaded to the hard drive as part of the rendering process.
The most reliable way to find these HTML remnants is to search for the domain names of the web sites you discovered that the suspect was visiting from parsing their Internet history. The HTML remnants have to link to pages within the site or load JavaScripts, Cascading Style Sheets (CSS), and other elements that should have the name of the domain embedded within them. Once you’ve found all the pages—both active and deleted—available, you can move on to the next step.
After finding the HTML remnants, you’ll need to examine the page source code to get the stream identifier. The simplest way to do this is to remember that the embedded video is just another object, and thus it has properties, including dimensions on the page. If you search for the object properties, what you find will ultimately identify the stream content source. The easiest properties to search for in the remnant HTML are the most obvious. In this case, the video stream has to fit within the confines of the page that’s being viewed, so width and height are the two most obvious properties.
After exporting the artifact HTML found on the image, and going through the source code for the object property of width, we ultimately find the source stream, as shown next:
[image: HTML source excerpt with the object’s width property and stream path, not reproduced]
Since this artifact HTML page is from the Evilangel.com web site, all you need to do to reconstruct the stream session is to combine the domain and path to the video content in the browser window, http://www.evilangel.com/en/Made-in-Xspana-05-Scene-1/film/28577. This will show the content as it was viewed by the user. Why is this important? Often, having what was being accessed is not enough; HR professionals may require proof of what was being accessed in order to determine the type of disciplinary action that may be appropriate.
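As an added example of the two-step procedure just described (find cache remnants that mention the site’s domain, then pull the sized embedded object and its stream path out of the markup), the Python below uses the standard-library HTML parser over constructed cache files. It is not the book’s code or any tool’s; the domain, file names, video path and player attributes are placeholders, and the assumption that the stream path sits in a `file=` flashvars parameter reflects one common Flash player convention, not a rule.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed cache remnants standing in for exported browser-cache files.
# Domain, paths and the video id are placeholders, not the case's data.
CACHE_FILES = {
    "ABCD1234.htm": """<html><head><title>Scene preview</title>
<link rel="stylesheet" href="http://www.tube-example.test/css/site.css">
<script src="http://www.tube-example.test/js/player.js"></script></head>
<body><div id="player">
<object width="640" height="360">
  <param name="movie" value="http://www.tube-example.test/player.swf">
  <param name="flashvars" value="file=/videos/12345/stream.flv&autostart=true">
  <embed src="http://www.tube-example.test/player.swf" width="640" height="360"
         flashvars="file=/videos/12345/stream.flv&autostart=true"></embed>
</object></div></body></html>""",
    "EFGH5678.htm": '<html><body><p>Weather</p><img src="sun.png" width="32" height="32"></body></html>',
}


class EmbeddedObjectFinder(HTMLParser):
    """Collect object/embed/iframe/video tags that declare width and height.

    <param> children of an <object> are folded into that object's entry so
    the player URL and flashvars end up on the same record.
    """

    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("object", "embed", "iframe", "video") and "width" in a and "height" in a:
            entry = {"tag": tag, "width": a["width"], "height": a["height"],
                     "src": a.get("src") or a.get("data"), "flashvars": a.get("flashvars")}
            self.objects.append(entry)
            if tag == "object":
                self._current = entry
        elif tag == "param" and self._current is not None:
            name = (a.get("name") or "").lower()
            if name in ("movie", "src"):
                self._current["src"] = a.get("value")
            elif name == "flashvars":
                self._current["flashvars"] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def remnants_mentioning(domain, files):
    """Step 1: keep only cache files whose markup references the site's domain."""
    needle = domain.lower()
    return {name: body for name, body in files.items() if needle in body.lower()}


def stream_sources(domain, files):
    """Step 2: list every sized embedded object in those files with its resolved stream URL."""
    found = []
    for name, body in remnants_mentioning(domain, files).items():
        parser = EmbeddedObjectFinder()
        parser.feed(body)
        for obj in parser.objects:
            stream = None
            if obj["flashvars"]:
                # Assumed convention: the player is told which file to play via file=...
                m = re.search(r"(?:^|&)file=([^&]+)", obj["flashvars"])
                if m:
                    stream = urljoin("http://" + domain + "/", m.group(1))
            found.append({"file": name, "tag": obj["tag"],
                          "size": f"{obj['width']}x{obj['height']}",
                          "player": obj["src"], "stream": stream})
    return found


if __name__ == "__main__":
    for hit in stream_sources("www.tube-example.test", CACHE_FILES):
        print(hit)
```

The resolved `stream` value is what you would combine with the domain to replay the session; as the bullet list above notes, that only works while the content is still on the original server, so record the URL and the date you verified it.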
How to Work a Productivity Waste Case
Here are a few statistics that show how much time one “productivity waster” spends each day on things other than their work:
 
•   Thirty to forty minutes setting up recipes and getting them out on time, in order to be named the undisputed champion of Café World
•   One hour spent posting and reading postings on the PC
•   Fifteen to thirty minutes reading updates on a smart phone
Many articles have been written recently about the average productivity loss as a result of unrestrained access to social media sites at work. An August 20, 2007, article by Andrew West, published in the Sydney Morning Herald, gave statistical estimates that Australian business lost approximately $5 billion a year to this type of activity. “The report calculates that if an employee spends an hour each day on Facebook, it costs the company more than $6200 a year. There are about 800,000 workplaces in Australia.”
This is not to say that having a presence on a social media site isn’t profitable for most businesses; however, more and more, HR personnel have to contend with employees spending too much time using social media when they’re supposed to be working. The forensic analyst is typically faced with providing the HR department with a context for how much non-work activity may be going on during business hours. As with pornography investigations, some information is easy to get at, and some takes a little work.
Although there certainly are more social media sites than Facebook, I’ll focus on Facebook for now in terms of the ramifications for the forensics analyst, because it is the largest social network and because there is a greater statistical chance that you will deal with a case involving Facebook. The techniques described here are equally valid for other social media sites.
Note
I focus on Facebook Chat here because it’s the world’s most popular social web site at the time of writing this book. Many other instant messaging software packages are available for time-wasting. The best way to make sure you know what the suspect could have used is to review their installed programs and their Internet history, and then look for artifacts of their chats. For some applications, they will be in self-contained log files for easy recovery. For web-based chats like Facebook, you will have to search the forensic image as I do in this example.
 
Examining how much time employees spend playing games or viewing their page or a friend’s page on Facebook is easy. All the information is contained in the Internet history file, with URLs, timestamps, and so on. This is very simple stuff already covered in this book, so I won’t waste time here. What is a little more difficult is to analyze the amount of time spent on Facebook Chat, the site’s instant message (IM) service.
But analysis of IM on Facebook is fairly straightforward, once you understand the components. The first thing to remember is that there are forensic artifacts of the chat, and the complete chat sessions are actually cached on the user’s system. Each message thread is cached in its entirety every time the page is refreshed or the user returns focus to the chat window.
When searching for Facebook IM sessions, you’ll find it easy to search for text that’s found in every session. For me, that is the keyword "msgID". Yes, you’ll also get a lot of false positive results, particularly in e-mails; however, you can very easily sort the resulting filenames or extensions to streamline the review. I like to sort by filename because all that remains to be done is to look for the telltale naming conventions of the chat artifacts, which are characterized by long numeric filenames. In some cases, they could be TXT files, or they could be HTML files.
Tip
If you are having no luck with searching for Facebook chat messages because of a change in Facebook’s format since this book was published, or you are looking for other chat tools, you might want to look into tools that specialize in the recovery of instant messaging. Belkasoft’s Evidence Center and Magnet Forensics’ Internet Evidence Finder are two such tools, but there are many others. Or you can do the research yourself to find the identifiers and search out the chat remnants.
 
I recovered Facebook Chat messages after searching for the keyword "msgID" and sorted by filename to find the following two files in the Temporary Internet Files (Figure 11-3):
Figure 11-3   A recovered Facebook chat message
Examine the following contents and you can see the IM session in its various parts. In the first TXT file, p_100002240784811=2, you see the opening part of the thread:
 
[image: contents of p_100002240784811=2, not reproduced]
Let’s break it down:
 
•   On the first line, the text message “What’s up Ralph” is recorded.
•   On the second line, the time the message is sent is recorded, as well as the "msgID". You can see that the sender is user profile 100002251244504 and the recipient is user profile 100002240784811.
•   On the third line, the aliases of the two user profiles are recorded.
Thus, Ricky sends Ralph the message, “What’s up Ralph”, at Time: 1301937135. The timestamps are Unix time code.
In the second TXT file found on the image, p_100002240784811=3, you see the reply:
[image: contents of p_100002240784811=3, not reproduced]
Notice that the two filenames, p_100002240784811=3 and p_100002240784811=2, correspond to the Facebook profile number of the user alias Ralph. That means the image being worked on was Ralph’s computer.
To discover the date/time of the text message thread, you’ll need to convert the Unix time codes. There are lots of free Unix time converters out there, but the one I prefer is at www.onlineconversion.com/unix_time.htm.
Note
Although I specify that these chat artifacts can be found in HTML or TXT files, the file type makes no difference to the underlying data. As long as the data you are looking at more or less matches the examples just shown, you know you’re viewing Facebook chat messages.
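The Python below is an added example, not the book’s code, of the whole chat-recovery workflow from this section: a keyword search for "msgID" across cached files, narrowing the hits to the p_<profile>=<n> filename convention, parsing each record for text, sender, recipient, aliases and msgID, converting the Unix timestamp, and ordering the messages into a thread. The cached records are constructed approximations of the layout the chapter’s screenshots describe; the field names, the "for (;;);" prefix and the msgID values are assumptions, while the profile numbers, names, message text and timestamp are the ones the text cites.

```python
import json
import re
from datetime import datetime, timezone

# Constructed cache entries approximating the chat records the chapter
# describes. Field names and the "for (;;);" prefix are assumptions about
# the layout; the profile numbers and the first timestamp are from the text.
CACHE_FILES = {
    "p_100002240784811=2": 'for (;;);{"t":"msg","c":"p_100002240784811","ms":[{"type":"msg",'
        '"msg":{"text":"What\'s up Ralph","time":1301937135,"msgID":"msgid-placeholder-1"},'
        '"from":100002251244504,"to":100002240784811,"from_name":"Ricky","to_name":"Ralph"}]}',
    "p_100002240784811=3": 'for (;;);{"t":"msg","c":"p_100002240784811","ms":[{"type":"msg",'
        '"msg":{"text":"Not much, you?","time":1301937190,"msgID":"msgid-placeholder-2"},'
        '"from":100002240784811,"to":100002251244504,"from_name":"Ralph","to_name":"Ricky"}]}',
    # A false positive of the kind the text warns about: the keyword in cached e-mail
    "inbox_mail_20110404.htm": "<html><body>Re: msgID filter update</body></html>",
    "8F2A1C7D.txt": "unrelated cached text",
}

# Telltale naming convention: p_<long numeric profile id>=<sequence number>
CHAT_FILENAME = re.compile(r"^p_(\d{6,})=(\d+)$")


def keyword_hits(files, keyword="msgID"):
    """Every cached file that contains the keyword, false positives included."""
    return [name for name, body in files.items() if keyword in body]


def chat_candidates(files):
    """Keyword hit plus the filename convention narrows the review set."""
    return [name for name in keyword_hits(files) if CHAT_FILENAME.match(name)]


def unix_to_utc(ts):
    """Unix seconds (or milliseconds, if the value is implausibly large) to UTC."""
    ts = int(ts)
    if ts > 10**11:
        ts //= 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def parse_chat_file(name, body):
    """Drop the non-JSON prefix, load the record, return one dict per message."""
    payload = body[body.index("{"):]
    data = json.loads(payload)
    owner = CHAT_FILENAME.match(name).group(1)   # profile the cache belongs to
    out = []
    for m in data.get("ms", []):
        if m.get("type") != "msg":
            continue
        out.append({
            "file": name, "owner_profile": owner,
            "from": str(m["from"]), "from_name": m.get("from_name"),
            "to": str(m["to"]), "to_name": m.get("to_name"),
            "msgID": m["msg"].get("msgID"),
            "text": m["msg"]["text"],
            "time_utc": unix_to_utc(m["msg"]["time"]),
        })
    return out


def reconstruct_thread(files):
    """All candidate files parsed and merged into one time-ordered thread."""
    msgs = []
    for name in chat_candidates(files):
        msgs.extend(parse_chat_file(name, files[name]))
    msgs.sort(key=lambda m: m["time_utc"])
    return msgs


if __name__ == "__main__":
    for m in reconstruct_thread(CACHE_FILES):
        print(f'{m["time_utc"].isoformat()}  {m["from_name"]} -> {m["to_name"]}: {m["text"]}')
```

The `owner_profile` field captures the point made about the filenames: the profile number embedded in p_100002240784811=2 and =3 identifies whose computer the image came from, independent of who sent each individual message.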
We’ve Covered
We’ve talked about two types of the most common HR cases and how to approach them. The biggest commonality between these two types of cases is that the user’s Internet activity is the source of the evidence we start with. So if you are starting an HR case, you should begin your investigation by recovering deleted Internet history records. Finding porn and users wasting company time on the Internet are fairly straightforward cases. It can get complicated if the user is trying to hide their tracks; if you encounter this, visit our blog for the newest techniques for identifying and recovering what the suspect is trying to hide.
Results of a human resource case
 
•   What to expect an HR case will need to reach a conclusion
•   When to expect termination versus discipline for your suspect
How to work a pornography case
 
•   Recovering active and deleted Internet history
•   How to recover streaming video usage
How to work a productivity waste case
 
•   Understanding what makes a productivity waste case
•   How to recover chat messages between social network users