Cyber Diligence investigators faced the challenge of monitoring a governmental agency`s network security against intrusions and internal threats. As part of the engagement, we deployed a "Network Forensics" appliance at the internet gateway, monitoring all internet traffic against security threats and detecting intrusions in a timely fashion. Also deployed was an enterprise-class computer forensic, incident response, and covert monitoring tool on a separate server. Cyber Diligence investigators would log in to our servers every day and analyze the previous 24 hours of captured traffic, looking for anomalies and risky behavior by any one of the employees.
While analyzing collected network traffic, the investigator noticed a workstation had been accessing a blog usually frequented by hackers. A closer look at all activities revealed that the user of this computer was accessing pornographic content and was downloading copyrighted movies. Furthermore, he was spending the majority of his time surfing the web and downloading pornographic and martial arts movies. We immediately notified the client and began awaiting further instructions. We were informed that the workstation was being used by an engineer who was part of a very large contract that was awarded to a major software contractor. The contracting firm was billing the client at a rate of $350.00 an hour for the engineer’s work, and he had been working on the project for more than a year.
This was an unusual situation. Because of the amount of money that was being paid for the engineer’s services, the client was anxious to see if this was an isolated incident or if it was something routine for that individual
We were authorized to forensically image and examine his computer for past activity and to monitor his current usage patterns by deploying a covert monitoring agent into his workstation. We covertly imaged his workstation over the network wire and also pushed a monitoring agent into the workstation. Then, we configured the monitoring agent to capture screen shots every ten seconds, as well as full statistics on all applications being used, web sites visited, and time spent on social media, etc. As part of the forensic analysis of his workstation, we used advanced techniques and specialized software to recover all internet-based artifacts. Analysis revealed that during the previous three months, his usage patterns were very similar to what was observed on the collected internet traffic. He would log in in the morning and spend an hour or so browsing social media sites and surfing the web. He would then do an hour and a half worth of work, break for lunch, come back, and spend the rest of the afternoon surfing the web and downloading videos. The monitoring agent we surreptitiously installed on the workstation showed a similar usage pattern. The monitoring agent provided concrete evidence of how he was spending his time. We continued to monitor his activities for two weeks and collected the evidence the legal department needed for their judgment.
After all the evidence was compiled and put in a comprehensive report, his employer was confronted with our findings. The employee was immediately terminated and the contractor that employed the engineer reimbursed our client for all the fees they had charged based upon his hours for an entire year.Back to Case Studies