Case Study: Inappropriate Employee Behavior
LuciData was asked to examine the computer of a corporate employee who was under investigation for violating his company’s acceptable use policy. During a service call, a helpdesk technician had discovered a movie file that was pornographic in nature. LuciData was asked to determine if the employee had put the file on the computer, and if possible identify when the incident occurred.
Examination of the movie’s metadata showed that the file in question had been on the computer for over 9 months. As the employee in question had only been in possession of the computer for 5 months, it was not likely that he had been the one to copy the file to the computer. Examination of the registry, and internet history recovered from unallocated space confirmed this. Examination of the internet history further revealed the user id of the individual who was the primary user of the computer at the time the movie was copied to the hard drive, to be the previous user of the system. This individual was then contacted by HR for violating the corporate acceptable use policy.
While cleared of violating security policy, the current user of the computer was still disciplined, but for productivity reasons. While the forensic exam revealed no activity on adult internet sites, it showed that the employee was spending approximately 75% of his time during the day on the “Myspace.com” internet site.