AR15.COM
3/17/2004 10:11:54 AM EDT
I have an employee that after more than a year of warnings regarding being productive, I demoted.  One of the "straws" that broke this camel's back was when I went into his office and was looking on his computer and found under the history on his internet that he had been surfing web dating services.  I installed network nanny on his computer and put him under close supervision while I pondered my options.

Ultimately I demoted him to a piece work type of position so I could judge his productivity.

Now some 2 months later, I'm getting a grievance filed against me and they want to see the computer/internet abuse evidence.  The history is long since gone, (was set for 22 days and he may have deleted it anyway).  I checked the "cookies file" and there are a couple of cookies but it doesn't provide the stuff I'm looking for, like the 25 hits in one day at the web dating site that showed up in the history thingy.

Is there any way to resurrect that stuff?
3/17/2004 10:24:23 AM EDT
[#1]
Do you have an internet gateway or firewall? If so, all that could be in the log. He doesn't have his own direct connection, does he?
3/17/2004 2:44:41 PM EDT
[#2]
I don't know shit.

We have a server and our internet was provided by a 3rd party.  Everybody here goes through that server.

If you want a real laugh, I'm the system administrator.
3/17/2004 3:53:02 PM EDT
[#3]
try looking in the temp file in windows.


edit: in the future you might want to get some type of key logger

will be hard for you to prove though, he could say for instance a janitor came in and looked at stuff
3/17/2004 4:00:09 PM EDT
[#4]
Be forewarned; what you have done may be illegal.


I would consult a lawyer immediately.

Here's what it boils down to:
In most cases, the computer may be company property, but the data that person enters is their property. If you look at anything on their profile, that may be considered an invasion of privacy.

I won't get into specifics, cause there's lot of little details. feel free to IM me for more info.

Bottom line:
looking through cache on computer is questionable at best. Looking through cache on network infrastructure (firewall, proxy, etc,) is in most cases 100% legal.


YMMV, im no lawyer, but i am a network security professional. I know what i can and cannot do.
3/17/2004 4:08:00 PM EDT
[#5]
Quoted:
try looking in the temp file in windows.


edit: in the future you might want to get some type of key logger

will be hard for you to prove though, he could say for instance a janitor came in and looked at stuff
View Quote


Did that (I think) and that's where I found the cookies.

NAM:

The computer is now mine.  I think I can do what ever I want, as far as looking for files.
3/17/2004 4:28:20 PM EDT
[#6]
It is my understanding that an employer is allowed to have access to everything that an employee does on a company computer including looking through email.  Of course I aint a lawyer either.
3/17/2004 5:32:19 PM EDT
[#7]
Quoted:
It is my understanding that an employer is allowed to have access to everything that an employee does on a company computer including looking through email.  Of course I aint a lawyer either.
View Quote


I'm military, so the rules may be a bit different.

With windows, when you logon, it created a specific profile (a part of the drive if you will). That profile contains all your data and no one else's.  Now, the administrator does have access to this. But, legally (military legally), i as an administrator cannot look at another user's profile. point blank. Any order to do so is an unlawful order. I can be court martialed for doing so. The only exception is to special investigative units.

once the data goes out across the internet, it's all bets off.

Once again, i don't want to go too far in depth to cover my own hind quarters. Rather i wish to inform you of what you may be looking at.

I think this net surfing turd should be nailed to the wall. However, if you go about it the wrong way, they may end up nailing you to the wall.
3/17/2004 5:55:22 PM EDT
[#8]
That's interesting. If anything, you think the military would be leaning more the other way.
3/17/2004 6:04:38 PM EDT
[#9]
damn.. if those of us that work in office jobs worked for you, we would all most certainly get fired for hanging out here all day..

but seems you're the boss and you have seen a drop in production

3/17/2004 6:10:52 PM EDT
[#10]
Similar situation here.  I am an "admin" only because I know more than the other people where I work.  People are always messing up the machines so I installed a proxy that logs ALL internet transactions.  Very easy to do.

You can get a program called Wingate (do a search).  Install it on your machine or the server.  Put it on your machine if you want to actively watch what is going on and also if you know that your machine will always be on before their machine is on.  What happens is the program runs on your machine or the server and you route his machine through that machine.  All you have to do to his machine is open the internet explorer, tools, internet options, connections, LAN settings.  Click on the proxy box at the bottom and put in your machine/or servers IP address and port (8080 by default).  Now when he uses the internet all info is logged through the proxy and you can get address, time etc.  I set it up in ~ 30mins start to finish.  IM if you have specific questions.
3/17/2004 6:15:56 PM EDT
[#11]
Quoted:
damn.. if those of us that work in office jobs worked for you, we would all most certainly get fired for hanging out here all day..


View Quote


Au contraire, mon frere.

If he had contributed anything he would have never gravitated scrutiny.
3/17/2004 6:19:02 PM EDT
[#12]
What part of the military are you with?
When I was an admin in the Navy I had access to all computers and files without asking for permission.



Quoted:
Quoted:
It is my understanding that an employer is allowed to have access to everything that an employee does on a company computer including looking through email.  Of course I aint a lawyer either.
View Quote


I'm military, so the rules may be a bit different.

With windows, when you logon, it created a specific profile (a part of the drive if you will). That profile contains all your data and no one else's.  Now, the administrator does have access to this. But, legally (military legally), i as an administrator cannot look at another user's profile. point blank. Any order to do so is an unlawful order. I can be court martialed for doing so. The only exception is to special investigative units.

once the data goes out across the internet, it's all bets off.

Once again, i don't want to go too far in depth to cover my own hind quarters. Rather i wish to inform you of what you may be looking at.

I think this net surfing turd should be nailed to the wall. However, if you go about it the wrong way, they may end up nailing you to the wall.
View Quote
3/17/2004 6:43:42 PM EDT
[#13]
Quoted:
Be forewarned; what you have done may be illegal.


I would consult a lawyer immediately.

Here's what it boils down to:
In most cases, the computer may be company property, but the data that person enters is their property. If you look at anything on their profile, that may be considered an invasion of privacy.

I won't get into specifics, cause there's lot of little details. feel free to IM me for more info.

Bottom line:
looking through cache on computer is questionable at best. Looking through cache on network infrastructure (firewall, proxy, etc,) is in most cases 100% legal.


YMMV, im no lawyer, but i am a network security professional. I know what i can and cannot do.
View Quote


BS.

As the employer, who pays for the computer the employee uses, and the internet access that the employee uses, any use of said resources is at the employer's discretion. Period.

3/17/2004 6:49:29 PM EDT
[#14]
Quoted:

Is there any way to resurrect that stuff?
View Quote


If it's on the HDD, yep. But it's expensive, time consuming and very complicated.

http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann
3/17/2004 10:16:46 PM EDT
[#15]
Quoted:
Quoted:
Be forewarned; what you have done may be illegal.


I would consult a lawyer immediately.

Here's what it boils down to:
In most cases, the computer may be company property, but the data that person enters is their property. If you look at anything on their profile, that may be considered an invasion of privacy.

I won't get into specifics, cause there's lot of little details. feel free to IM me for more info.

Bottom line:
looking through cache on computer is questionable at best. Looking through cache on network infrastructure (firewall, proxy, etc,) is in most cases 100% legal.


YMMV, im no lawyer, but i am a network security professional. I know what i can and cannot do.
View Quote


BS.

As the employer, who pays for the computer the employee uses, and the internet access that the employee uses, any use of said resources is at the employer's discretion. Period.

View Quote


I'm not going to get into a pissing contest.

In my scenario, i know the law. i know what i can do and i know what i can't do. they specifically trained us on this.

the civilian sector may be different. but i can tell you with 100% certainty that this is how it works on .gov systems.

good day. er....night....
3/17/2004 10:34:48 PM EDT
[#16]
Halfcocked, in support of you being able to look at the computer...

At the company I work for, our Personnel department has made it extremely clear that the computer, including the contents of anything on the hard drive, belong to the company.  They are obliged to search it at their convenience.  In fact, it is a matter of practice that any time your computer is turned in for service, it is checked for "inappropriate" material.  Instant message chatter and web sites are also monitored at the gateway.  i.e. big brother watches my colleagues and I whenever we use their computers.  

As was suggested above, get a lawyer to affirm or refute what has been said here.  Never accept legal advice from the internet. ;)

Good luck,
marm0t
3/17/2004 10:38:38 PM EDT
[#17]
I cant help with the evidence, but did you put anything in writing???

I know hindsight is 20/20 and I am not criticizing you.  But in the future put it in writing with the problem and have him sign it with a plan to correct this action.  Otherwise you are SOL.

Good Luck

SGtar15
3/17/2004 10:49:06 PM EDT
[#18]
halfcocked, speak to the company that configured / enabled your company's internet connection. Typical windows networks use a Proxy service, with all office comps making their web requests of your internet-connected server, then that server goes out to the internet. There will / should be log / cache  files of all URLs accessed, with date / time, the network IP addy of the requestor, etc. These logs can be switched off, set to overwrite themselves by a date interval, or by a limit set on the growth of the file, or be totally unrestricted and show everything.

You need to find out what if any such logging is set up on your server(s). The Net Nanny product has uses, but it is child's play compared to what is really available in the server operating systems.

I've worked corporate IT for ~12yrs, participating in several such 'investigations' / HR efforts.
Corporate / business 'law' does indeed hold that everything your employees do on company equipment is company property. There is no 'Privacy', even of personal emails or IM trash. Your network, your bidness.

You need to consult whomever you've got for IT support, and if you've got no HR rep, better bone up on your state's labor laws. Your problem employee has obviously done so, and is setting you up for a full workout under those laws.

Good luck with your substantiation.

3/17/2004 10:51:20 PM EDT
[#19]
Another piece of advice when finding such a local PC trail of wrongdoing, spend the very small time and money and clone the hard drive as evidence. screen caps, directory printouts, and even the assistance of a 'witness' are all recommended.
3/17/2004 10:54:15 PM EDT
[#20]
rayra is exactly right.  Ask your ISP for their proxy/firewall logs for that time period.  Hopefully you have a way of tracking things back to this user's IP...

-Troy
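What the proxy/firewall logs described in the replies above can establish, as an added example that is not part of the original thread: per-day request counts tied to a client IP, with timestamps. The layout used is Squid's native access.log format as a stand-in (the thread does not show WinGate's or the ISP's format), and every IP and hostname in the sample is constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# epoch.ms elapsed client action/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1073209500.101    212 192.168.1.23 TCP_MISS/200 4512 GET http://dating.example/ - DIRECT/203.0.113.5 text/html
1073209512.440     95 192.168.1.23 TCP_MISS/200 1830 GET http://dating.example/search?age=30 - DIRECT/203.0.113.5 text/html
1073209530.007     40 192.168.1.23 TCP_HIT/200 912 GET http://dating.example/img/logo.gif - NONE/- image/gif
1073209601.300    150 192.168.1.40 TCP_MISS/200 2200 GET http://vendor.example/orders - DIRECT/198.51.100.7 text/html
1073296200.000    130 192.168.1.23 TCP_MISS/200 4512 GET http://dating.example/ - DIRECT/203.0.113.5 text/html
this line is truncated garbage
"""

def summarize(log_text, page_types=("text/html",)):
    """Group requests by (UTC date, client IP, host).

    Returns (summary, skipped). "pages" counts HTML responses only, so
    embedded images do not inflate the number of visits."""
    summary = defaultdict(lambda: {"requests": 0, "pages": 0, "first": None, "last": None})
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        try:
            when = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
            client, url, ctype = fields[2], fields[6], fields[9]
            host = urlsplit(url).hostname
            if host is None:
                raise ValueError("no hostname in URL field")
        except (IndexError, ValueError):
            skipped += 1      # report unparsed lines rather than hiding them
            continue
        row = summary[(when.date().isoformat(), client, host)]
        row["requests"] += 1
        row["pages"] += ctype in page_types
        row["first"] = min(row["first"] or when, when)
        row["last"] = max(row["last"] or when, when)
    return dict(summary), skipped

if __name__ == "__main__":
    rows, skipped = summarize(SAMPLE_LOG)
    for (day, client, host), r in sorted(rows.items()):
        print(day, client, host, r["requests"], r["pages"], r["first"].time(), r["last"].time())
    print("unparsed lines:", skipped)
```

A count like this ties activity to an IP address, not to a person; showing who was at the keyboard is a separate question, as the replies about DHCP and shared access imply.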
3/18/2004 4:02:12 AM EDT
[#21]
First off thanks for everyones help.  I do really appreciate it.  This site is phenomenal.

I'm not that interested in spending a lot of time or effort on this.  I think it would be just as interesting to get to the point where I look him in the eye and flat out ask him if he is denying surfing web dating services on company computers, on company time, specifically on the date of January 4, 2004 at or near 9:45 AM. (That's one of the cookies I found.)

I do have a witness that was looking over my shoulder when I discovered it in the History thingy.

I have a bunch of other "bullets" and this is only one I would like to have but it will be just as valuable in gaining a deeper insight into his character if he denies it.
3/18/2004 6:58:52 AM EDT
[#22]
It sounds like you have the situation under control, but let me give you some advice for the future.

First off, I am a network admin for a Government network in Florida with over 800 PCs and several thousand users.

If you suspect an employee is misusing a computer, you need to do the following:

1. First monitor activity to/from the computer via your router.  You need to be able to prove that the traffic came from a specific source and was not appropriate.

2. You need to be able to prove that this particular employee was the person using the computer.  Keylogging is fine, although check the laws in your area carefully.  On our network, the policy is we can watch, audit, monitor, or do any damn thing to any PC at any time for no particular reason.  We routinely monitor PCs live to see what folks are doing.

3. If you suspect misuse, especially of a criminal nature, go to the PC, unplug the power and isolate the computer. *DO NOT SHUT IT DOWN NORMALLY.*  Arrange for a forensic backup by a qualified LEO.  Shutting down alters the Windows temp files and can cause data loss.  Keep a chain of custody and make no attempt to boot the PC or recover data.  (the LEO will make a copy of the HDD onto another drive and do the forensic analysis on it and leave the original source intact).

4. If the matter is internal or not criminal, you can do a quasi-forensic backup using Ghost or Drive Image.  I have done this on many occasions and the resulting data has resulted in termination of employees.  These programs can do a near-perfect job of making an exact copy of a drive's contents.

5. You can browse the resulting image from Ghost or Drive Image to get histories and cookies.  With some effort, the Windows swap file can be recovered and browsed for data, although this is difficult.

I hope this helps.  Honestly, if you are on any network other than your own, assume you are being watched and act accordingly.