Computer misuse in the public sector is now widespread, but recent evidence suggests that the tolerance of it among security and IT professionals is declining rapidly. Computer forensics consultant David White, who's increasingly being called upon to investigate cases of e-mail and Internet abuse, reviews the problem for SMT's readers.
'Computer misuse' in the workplace covers a multitude of sins. Employees may attempt to view material on Internet web sites that has been deemed inappropriate. Occasionally, material such as pornography will be downloaded, viewed and disseminated.

The term also describes the misappropriation of documentation and electronic information by staff when they leave the organisation, as well as the activities of those who attempt to run a second business while still gainfully employed. The Audit Commission has estimated that half of all public sector organisations in the UK are affected by this and other types of computer fraud – for that is what it is – which is said to cost around £35,000 per incident.

A survey recently conducted by KLegal for 'Personnel Today' magazine (entitled 'E-surveillance: the facts and figures') found that UK firms are now more likely to take disciplinary action over e-mail and Internet abuse than traditional office misdemeanours.

The survey also revealed that employees are nearly ten times more likely to be dismissed for exchanging pornographic e-mails than they would be for sending an e-mail which contains damaging information on the company.

Today, more and more disciplinary cases are being brought against employees for violating company e-mail and Internet policies than for acts of dishonesty, violence or breaches of Health and Safety procedures.

Jo Moore's infamous e-mail regarding September 11 which leaked into the tabloid press probably stands as the most high profile case of Internet and e-mail monitoring to date, a procedure which is becoming commonplace throughout local Government and the public sector. Research carried out for certification firm SGS found that 80% of public sector organisations now monitor employee e-mail and Internet use. It's perhaps not that surprising, then, to discover so many cases currently being brought to Court involving computer misuse.

A separate study conducted by Internet filtering concern Websense, again for 'Personnel Today' magazine, revealed that nearly one in four UK employers have sacked staff due to instances of Internet abuse. No less than 43% of the 500 Human Resources professionals who responded to the survey reported dealing with cases of Internet misuse every month. Nearly two thirds of e-mail/Internet-related dismissals and half of the disciplinary cases were for accessing or distributing pornographic or sexual material and, in most cases, the accused are 'informed upon' by their colleagues.

In cases involving child pornography, or other material deemed to be obscene, the powers that be within the organisation may inform the police with a view to beginning criminal proceedings. In the more common instances of soft core pornographic images being viewed, the host company may decide to contact a third party consultancy to conduct an investigation prior to taking any legal action.

Consultants working for you
If you are using a reputable service provider, the investigation should include a total retrieval and analysis of computer evidence. Essentially, this is a computer forensic service used to recover and scientifically analyse data from a computer or network system, the results of which will be admissible in a UK Court of Law.

Such a service is of particular use to end user organisations which might be involved in audits and investigations of fraud or computer misuse, such as the transfer or storage of confidential information.

Today, more and more disciplinary cases are being brought against employees for violating company e-mail and Internet policies than for acts of dishonesty, violence or any breaches of Health and Safety procedures

Even if a pc user in the organisation has attempted to delete incriminating evidence some time ago, it's highly likely that the necessary data can be recovered. One case that we've worked on readily springs to mind here, involving an alleged Internet abuse at a Healthcare Trust. A senior registrar had been accused by many of his colleagues of viewing pornographic material on a computer in an open office. The IT manager had been notified of his behaviour and, by reviewing firewall logs on a regular basis, was able to identify – by way of the computer's IP address, specific dates and times – when that computer was being used to visit pornographic sites.

The employee was subsequently suspended and his pc removed from the network, powered down and sealed in a box. However, in order to instigate further disciplinary proceedings, the organisation needed proof that the individual concerned was unquestionably associated with browsing these sites. The consultant on the project was therefore called in to conduct an independent investigation.

Basis of the forensics examination
A sound forensics examination should never use the source data for review, but instead be based entirely on an image of this data contained on an exact copy of the disk. Your consultants must be able to shield themselves from any accusations that evidence has been tampered with in any way.

By performing tests on a replicated dataset, the untouched disk may then be offered for cross-examination if necessary.

The first technical step in the analysis is carried out under a controlled process using specialist forensic hardware and software. In this particular case, once the image of the suspect disk was taken it became apparent that the pc had been used to enter Internet chat rooms, and to subscribe to mailing lists distributing images of a pornographic nature on a daily basis. Evidence was also found to demonstrate that these web sites had been searched for specifically, and were not merely stumbled upon in error.

For the consultant, analysing the hard disk is the easy part. More problematic is being able to link it to a specific individual. Although it's often possible to associate the actions to specific dates and times which coincide with data from the firewall log and a specific user profile, it's not always easy to associate that profile with the suspect. Often it will be a shared profile, and any one of a number of members of staff in the office could have accessed the computer and carried out the actions subsequently identified.

In this particular case, further circumstantial evidence eliminated each of the other suspects. Eventually, the accused admitted he'd been responsible for viewing pornography and was then dismissed on the grounds that he could have brought the Trust into disrepute.

Acting as expert witnesses
In incidents where computers are misused, the forensics consultant will really be acting as an expert witness. They must therefore treat the computer and its data the same as they would any other form of criminal evidence.

Source

SMT

Postscript

David White is a computer forensics consultant at Sapphire Technologies (www.sapphirenet.co.uk)