anguish79 Posted November 30, 2009

I figure this is as good a place as any. The client that I'm contracted to has an employee they suspect of using personal email to discuss company business, divulging information that they shouldn't be. Based on the monitoring of their company email, we have reason to believe that this is indeed the case (and actually affects more than one employee, but at different locations, and we're only specifically concerned with this one employee at the moment).

We know that the employee is using their ISP email via the web interface. IIRC, it's also encrypted via SSL. However, it's been requested of me if there is any way to do this. I'm imagining that this is a legal gray area, so I'm already telling them to talk to the company attorneys. But, at the same time, I am wondering if it is indeed possible, and what's the best/easiest way to do it.

I'm looking for no cost at this point, as they don't want to invest any money into anything if the attorneys do give the go-ahead (budget issues is the excuse, but I know that's partially true). Spectre Pro was my first thought, since they do use that web interface on company-provided equipment, but again, there's the no-cost issue.
Sparda Posted November 30, 2009

If the employee has broken a non-disclosure agreement, get a civil court to issue a subpoena to their ISP for all emails. Illegal wire tapping is most definitely illegal, unless they are accessing their ISP email from the company's computer, in which case there is no expectation of privacy. The easiest way is to set up an SSL proxy and install your proxy's certificate on the client machine.
anguish79 Posted November 30, 2009

Yeah, it'd be a company machine that they are accessing it from. I'm waiting to hear back from the request of the lawyers before I even think of doing anything on the issue. But, it's good to know what my options are.
kickarse Posted November 30, 2009

It's a hard suit because while they were typing the information on a company workstation, the data now resides on an off-site server. This information was at one time, although not saved, on the corporate network, which in turn you own. Like Sparda said, if you have some NDA policy that they signed then you can probably get a court order from the ISP.
VaKo Posted December 1, 2009

We had a case at our office where a manager requested that one of his report's Exchange emails were silently forwarded to him without involving HR; helldesk did this for some reason and the report found out. The subsequent shit storm managed to reach the desk of the global head of HR, and the report is currently in the process of extracting a sizable chunk of money from the company due to local HR laws.

IMO, bump this up to someone with enough responsibility to cover your ass. If you hack their personal mail then you will be on the line for it, not the company (the company won't be able to use the info in court anyway), so make sure that whatever you do, you get HR, your line manager and whoever runs the place to sign off on everything you do, and keep this somewhere safe.

From a technical standpoint, you can get about a billion "take a screen shot every 60 seconds" applications; use one of these to monitor the usage of the *workstation*, and leave getting access to the mail account to the boys in legal. You should be well within your rights to monitor the company's machines in accordance with your AUP. You can also monitor browser history, recover saved passwords from the browser, and install a key logger to capture the account password if it's not stored. And depending on the webmail app in question you might want to look into sidejacking if the above fails. Then, give the account login details to your boss, who can do the dodgy bits himself.
h3%5kr3w Posted December 1, 2009

damn VaKo.. you beat me to it. But actually I had another idea. One that would 'seem' a lot easier.

ez@pz# old machine w/ Windows Remote Desktop Viewer | dvr set @ datetime 8_hr_record_time cin << user_login_datetime

eh.. some things just sound easier in cli and c :P
anguish79 Posted December 1, 2009

LOL.. Thanks for the feedback gang.. I appreciate it. The one sticky part about the whole ordeal, which is why I'm not doing anything at this point until the lawyers have been spoken to, is that it directly deals with a senior HR manager. I'm not sure they're going to want to go to the point of subpoenas and stuff, so it may already be dead. Might work out if that's the case, 'cause I think there might be another nail in the coffin of this HR person anyway based on something that happened yesterday. Unfortunately, I've heard since before the beginning of the year that they were going to get rid of this person, and it still hasn't happened.
wh1t3 and n3rdy Posted December 1, 2009

As long as you gathered the proof without yourself violating any regulations, can his arse. If he is dumb enough to do it from a work machine, he deserves all he gets.
digip Posted December 1, 2009

The other option is to restrict internet access from the user altogether. Most companies have policies on what is acceptable use of the network and what they are allowed to have access to. We had to sign into a proxy to get outside the local LAN, and at any time, your access could be revoked, no explanation necessary.

Internet access is usually meant for business use only anyway, and if an employee violates that in any way, shape or form, they could/should have it revoked. At least where I worked, they would remove their ability to access anything other than local server access for network shares, printers and internal company web pages. If they don't need the internet for their job to begin with, remove it from their profiles. If they do anything to circumvent it, fire them.

Also, block access to the web sites in question, including their ISP's web portal/webmail access, and make sure they can't add it to their local machine's email clients, like Outlook, etc.
MRGRIM Posted December 1, 2009

You can get USB / PS2 dongles that act as a key logger.
digip Posted December 1, 2009

> You can get USB / PS2 dongles that act as a key logger.

True! And being a business, you really don't have to explain the use, since all system activity is monitored to begin with; there is no expectation of privacy in the work place. Most handbooks explain in detail the employer has rights to record conversations as well as read their email and even go as far as putting cameras in bathrooms (although who would want to watch someone take a dump?), except for in the state of California, it's a misdemeanor to have a two-way mirror in a bathroom/fitting room filming people without first disclosing it to employees or patrons.
PC646 Posted December 1, 2009

I sent you a private message to contact me.
VaKo Posted December 2, 2009

Secret shenanigans are afoot!
metatron Posted December 2, 2009

I say you just have a few guys grab him off the street and beat the truth out of him. Even if he did nothing wrong it will work as a deterrent to the rest of the work force.
h3%5kr3w Posted December 3, 2009

Is there not (or at least should not there) be a Server 05/08 MMC plug in for a keylogger? I mean it makes sense to me. Tried to see if there is a vbscript keylogger, which supposedly IS possible, but I could not find one that is ready to go.
MRGRIM Posted December 3, 2009

Well you could publish any kind of script / app to the user via GP.
h3%5kr3w Posted December 4, 2009

Found a pay-for keylogger for MMC.. It's Anasil 3.2, but it's $60. Just do a good google for it, and there is a demo as well.
gcninja Posted December 4, 2009

HomeKeylogger, it's free, and easy. You can access his account at night, download it and set it up so it won't pop up on the toolbar without a command like ctrl+shift+m or something. It's really good, it hides the log in C: but can be set differently.
h3%5kr3w Posted December 4, 2009

nice..
gcninja Posted December 5, 2009

> nice..

Sarcasm?
Bubbasmith07 Posted December 6, 2009

These are all good ideas but remember to do this legally. Depending on the state that you’re in, I would recommend that you have clear-cut policies and procedures that state you are allowed to do this. If not, push for having legal make them. This could be a mine field you're stepping into and/or you could really screw somebody’s life over. But if done right you could be the new forensic analyst and show the company how valuable you are.

We are a large enterprise - I'll tell you a dirty secret. Everybody has porn on their computer - because of caches. If an over-zealous HR manager got a hold of that evidence that I supplied as a security expert, they have a duty to interrupt it. And people could lose their livelihoods or lives. This has happened a lot more than you think or realize. Your manager could also have alternative motives that you are unaware of.

I don’t mean to discourage you – just make sure that you are aware of these issues, and I would have a documented trail as a CYA for your ass, stored off site, that clearly states that you have a right and a duty to do this. I would also review evidence handling guidelines, custody issues and recommendations, forensic practices in case this blew up on you. If these are not in place and it blew up in your company's face, I would bet that you, my friend, will be holding the bag. Especially since you have no training in this. Corporate lawyers are the worst form of scum on the planet - they will not save your ass if this goes wrong.

My 2 cents,
Ole Bubba
wh1t3 and n3rdy Posted December 7, 2009

I have had to rebuild many machines and 995 of them either have porn, movies or music on them. I used to give people a chance to back them up but soon got sick of it because they don't stop doing it. If I find it, it gets blown away and I report it. I'm not risking my job to save somebody else's.
h3%5kr3w Posted December 7, 2009

> Sarcasm?

NO NO! not sarcasm. I mean that's some pretty nice software then. I saw that on a few sites when I was searching for an MMC version of it, but the way it was worded, it didn't look like it would work in the way that he would like it to.
VaKo Posted December 7, 2009

> I have had to rebuild many machines and 995 of them either have porn, movies or music on them. I used to give people a chance to back them up but soon got sick of it because they don't stop doing it. If I find it, it gets blown away and I report it. I'm not risking my job to save somebody else's.

I warn people that while I don't care, other people with a lot more power than me do care, and explain to them that a flash drive costs £10 for 8GB. I never judge, especially in the case of road warriors.
wh1t3 and n3rdy Posted December 7, 2009

Problem is that the people with a lot more power will get shitty if we back that up for them.