[RRGOO7]

I have a little problem at my office. An employee is known to be stealing from the company and I need to gather evidence to prove it. Does anyone know any programs that can be installed on his computer to record his emails, instant messages, and website history???

Any help is greatly appreciated

[solefald]

there is a ton of keyloggers out there... some free, some paid

http://www.actualkeylogger.com/

[RRGOO7]

thanks guys

[kyleb350]

If it's in a corporate environment, can't you just set up to monitor where the web traffic from his computer is going to?

For example, all IMs go through port XXX, and the software will record all of that.

[radix]

Quote:

Originally Posted by kyleb350

If it's in a corporate environment, can't you just set up to monitor where the web traffic from his computer is going to?

For example, all IMs go through port XXX, and the software will record all of that.

Yep. If you have *nix box handy on the same network segment, you can run tcpdump and/or Wireshark. This might not work on a wireless network however, depending on if the card on the box doing the sniffing can be put into promiscuous mode or not. This still will not allow you to sniff encrypted traffic, e.g. https, ssh, etc. For that you would need a proxy capable of doing man in the middle attacks such as bluecoat. Be sure to consult a lawyer and check wiretapping laws in your state first.

Oh yeah, if you want to sniff traffic on that network segment, it'd be ideal if the machine designated as the sniffer had a gigabit interface, and one or more fast processors, otherwise the kernel might not be able to process the traffic fast enough and you might lose key data.

Not that I know anything about this, no sir...

[radix]

As a follow up to my previous post, I realize that my advice to consult a lawyer first might seem like overkill. I'm assuming your going to use this evidence that you collect in order to fire, prosecute, and sue the employee. Since it seems that the company/employee will be seeing the inside of a courtroom, you'll want to make sure all your ducks are in a row. I know that the network/computers are owned by the company, but many states have some really strange computer laws.

BTW... depending on your MTA/MDA, it's also fairly trivial to copy all of their email as well. For example, with sendmail you can use a pipe in /etc/aliases (or /etc/mail/aliases depending on OS) for a particular user, or if you wanted to archive all inbound and outbound mail, you could do this:

http://www.usenix.org/publications/l...archiving.html

[jhv]

radix is the alton brown of this stuff, listen to him

[RRGOO7]

Quote:

Originally Posted by radix

As a follow up to my previous post, I realize that my advice to consult a lawyer first might seem like overkill. I'm assuming your going to use this evidence that you collect in order to fire, prosecute, and sue the employee. Since it seems that the company/employee will be seeing the inside of a courtroom, you'll want to make sure all your ducks are in a row. I know that the network/computers are owned by the company, but many states have some really strange computer laws.

BTW... depending on your MTA/MDA, it's also fairly trivial to copy all of their email as well. For example, with sendmail you can use a pipe in /etc/aliases (or /etc/mail/aliases depending on OS) for a particular user, or if you wanted to archive all inbound and outbound mail, you could do this:

http://www.usenix.org/publications/l...archiving.html

I appreciate the heads up. I plan on talking to my lawyer today. I was told by another lawyer that it is completely legal since the computer belongs to my company. I plan on double checking today.

[hhkim]

Um since this person is working at a company couldnt you just go into his computer and access his information?

The Electronics Communications Privacy Act prohibits an employer from intentionally accessing an employee's electronic communications unless its for a legitimate business purpose. And the good part for you is that 'legitimate business purpose' is anything done with company property. I'm sure your lawyer will tell you a similar thing.

[M_Six]

I assume you or someone you trust has admin rights on the employee's PC, right? Unless said employee is really good with computers, the evidence you need is probably on the PC still. Do you think he/she is only doing the stealing through email (ie, sending out data to someone) or FTP? If you use a keylogger, make sure whatever anti-virus program you use won't detect it (ain't that a kicker?).

Back in the day, I worked for an environmental engineering firm. An employee tried to walk out once with a floppy full of proprietary drawings. The owner stopped him and they ended up in a fight. The owner threw the guy through a wall. Literally. Big hole right through the sheetrock. We had a dialup connection then, so there really was no way for the thief to send things out over the network.

[335e92tx]

Quote:

Originally Posted by RRGOO7

I have a little problem at my office. An employee is known to be stealing from the company and I need to gather evidence to prove it. Does anyone know any programs that can be installed on his computer to record his emails, instant messages, and website history???

Any help is greatly appreciated

Use data leakage protection agents and clients. Your probably gonna have trouble getting anything else to be admissible.
Alternatively, replace his desktop with another machine and just run forensics on it.