This week’s blog post discusses a matter that can be a battle for many companies: determining if their employees are actually working when they should be or if they are engaging in other extracurricular activities that should be saved for time spent elsewhere. When taken at face value, this can be a daunting task for the employer. Digital Forensics to the rescue!
However, I do want to make a point before continuing, as the employee’s expectation of privacy comes into play here, and many employees (unless they read the employer’s policies on electronic media utilized in the workplace) may automatically assume they have a complete expectation of privacy for all things electronic that they touch while at work. The following items need to be reviewed carefully by legal counsel before conducting your digital forensics investigation on employees:
- Whether or not a company has exclusive rights to the devices it owns, including the data contained on those devices,
- Whether or not the employee did in fact have an expectation of privacy on any of that data, and
- If any such expectation of privacy transfers to any personal devices the employee uses/used in the workplace.
Once the legal team has come to conclusions on the above points, the first step would be to identify any devices of concern and preserve them as swiftly as possible.
A digital forensics investigation on employees for this kind of suspected behavior would focus on three key areas: Internet history, installed software (and artifacts available from uninstalled software), and program execution.
Analyzing the Internet history of the computer (both deleted and non-deleted) garners a vast amount of information. The user’s day-to-day browsing habits become exposed through this analysis – even those that he perhaps did not want known – and from there it is a matter of how the clients would like the data reported. Oftentimes, we receive requests for things like “I want to know how much time he spent on ESPN per day since we gave him this computer,” or “Give me all of the days in the month of July that the user was visiting gambling websites,” and of course, we are happy to oblige. Exposing Internet searches are also key in telling what the user’s habits are, and our analysis captures those also. Occasionally, if the user was using a web e-mail service (such as Yahoo!) for personal reasons, we are able to determine nuggets of information such as subject line and date of communication of the messages themselves.
We always examine the programs installed on the computer to determine when they were installed, when they were last used, and who had access to them. It is not uncommon that we find games, video downloading software, or peer-to-peer (P2P) programs on the employee’s work computer.
Finally, program execution is a telltale sign if the employee is accessing software they are not supposed to run. Did you know that some programs can be launched from a flash drive and would never need to be copied to the local computer to function? Analysis of program execution would catch this – and thankfully, there are several areas on the computer that would show such program launches taking place. In addition, artifacts such as link files, jump lists, and shellbags can show if an employee was working on company-related presentations and documents or if he was instead putting time into finishing his graduate school thesis.
The Present Day
After examining the forensic image, let’s say that we find that an employee is spending an average of three hours per day browsing Site X and Site Y. However, we cannot exactly determine what he is searching for on those sites due to their website addresses being encoded. If these websites are of concern to the client and more information is needed, software can be installed on the employee’s laptop from a remote location – with or without the employee’s knowledge – that allows someone else with a network connection and the proper credentials to view what the employee is doing at any present moment. In my experience, these pieces of software fit the cliché of “You get what you pay for” in that some offer more features than others, but overall are still an effective means to see what the employee is up to when no one is looking. As mentioned above, seek legal counsel in regards to whether installing and using such software would be against company policy or any law in your jurisdiction.
Determining what an employee is doing while he is at work might seem like a challenging task at first. After all, figuring out what someone is up to without tipping him off is not the simplest thing to do for many employers, but thankfully a digital forensics investigation on employees – after a review of the situation and with the approval of the employer’s legal team – allows us to do just that. Providing statistics on browsing habits or analyzing executed software can provide insight into what the employee is doing with the company’s equipment and help HR determine how to best approach the situation. If more information is needed, software monitoring solutions can be utilized that allow the employer to attain an even more focused grasp on what the employee is currently doing. Regardless of the approach taken, digital forensics can effectively assist employers in making HR decisions.
For more information CONTACT US