Comments on CYB3RCRIM3: Cubicles, Passwords and Privacy
Susan Brenner (feed updated 2023-12-12)

Jerry (2012-03-29 08:51):

Randy, Thanks for the clarification. And you are completely correct. The circumstances are way different than depicted in the original article.

But as you said, When in doubt, get a warrant.

J. Hoover, CISSP,
DE Committee, IAI

Susan Brenner (2012-03-26 14:57):

Thanks a lot for those very informative comments, Randy.

Randy Stone (2012-03-26 12:02):

As the forensic examiner in this case, I would like to add a few things. It's been a few years and I don't have my report available to refer to so I'm relying on memory:

1. I did not have to break the password in order to do the exam. Because there were questions about whether Dan had login access to the computer, I used rainbow tables to obtain the local login passwords from the SAM. It turned out that even though Dan had access via the local admin password, he did not know Robinson's local login as he said he did.

2. Even though Concergent (Dan's IT business) ran a domain, I don't believe Robinson's computer was on the domain (this part may be wrong. It's been a few years, but that's what I remember.)
This would have prevented Dan from using his domain credentials to log in to the computer over the network. So, based on this and the fact that he did not know the local admin account password, unless he broke the password, Dan did not have access to the computer. Arguably, even though the index.dat files were not password protected, the computer profile in which they resided was password protected.

3. Robinson did not work for Concergent but instead was using the computer to run his own event/party planning business. There was no Concergent work product on the computer and it did not have domain access to the Concergent network resources. There was no signed user rights agreement and the only notification of privacy rights was verbal and the verbal notifications were focused on Concergent monitoring his Internet activities to ensure they were appropriate. I don't remember from the SID/RID whether the computer activity was occurring from a local login or from a domain login but I don't believe it was on the domain.

4. There were no network filter or proxy logs showing Robinson's Internet or other activity (at least when I asked for them, none could be provided.)

5. If I remember right, when cleaning up Robinson's work space, Dan found suspicious information on some hand written documents which prompted him to call his attorney. This was part of the probable cause that we used to obtain a search warrant for the computer.

This debate is less an issue of an employer providing an employee's computer for analysis than it initially appears. In some ways, it is closer to: http://cyb3rcrim3.blogspot.de/2012/03/wifes-ability-to-consent-to-search-of.html than it is to an employer/employee work computer issue. We had discussed all of these issues prior to the exam and the initial opinion was to rely on Concergent's authority to consent to the search.
It was my recommendation to get a search warrant because the questions of whether the fact that Robinson wasn't an employee of Concergent would negate their ability to give consent for the search and that the verbal discussions of monitoring focused on administrative monitoring and did not include notification that they would consent to searches for criminal purposes.

Putting the computer aspect of it aside for a moment, imagine if I ran a business and allowed you to use an office for you to run your own business. You were not affiliated with my business at all. After you move into the office, you change the locks on the door. Sure, I can kick in the door to gain access to search the office, but for criminal investigative purposes, have you reclaimed some of your expectation of privacy by changing the locks or can I consent to the police kicking in your office door and looking through your file cabinets?

But in the end, it doesn't really matter. A properly granted search warrant would allow me to kick in the office door and search for whatever was on the warrant regardless of whether there was an expectation of privacy from the person providing the office space.

http://www.kscourts.org/Cases-and-Opinions/Opinions/SupCt/2012/20120302/101657.pdf

Randy Stone
Detective (Retired)
Wichita PD

J Hoover (2012-03-23 14:43):

Regardless of other privacy aspects of the case, when the accused used a company workstation, he negated any claim to privacy that he might expect from his personal computer. First, one of the first security measures implemented by any ISSO professional is a user rights agreement which (usually) clearly states that there are certain standards of use for all company equipment and employees have no reasonable expectation of privacy.
A non employee can expect even less privacy as he is, in effect, stealing the service from the company.

Secondly, there are no useable digital forensic tools on the market that require a user password to conduct a forensic examination of a hard drive. Even when whole disc encryption is used, most corporate workstations have keys available to unlock the station without the user password.

Lastly, when you hide something in my house and I give permission to law enforcement to search, you have zero (nil, nix) expectation of privacy. In fact, in this case, the computer is the actual physical evidence and any information in any memory thus belongs to the owner of the hardware.

J. Hoover, CISSP,
DE Committee, IAI

Anonymous (2012-03-23 11:30):

Exactly, I agree. It also could have been that the lack of IT policy and standards within the company... or more so, the attorneys' inability to ask the right technical questions to get the clear, concise statements needed.
The denial was upheld in the end, thank goodness.

Loki (2012-03-19 13:09):

What all the evidence you've described really shows is a massive lack of understanding of the technical aspects.

The technical aspects of this case aren't even all that complex - to the average IT staffer - but they were obviously beyond confusing for a judge trying to determine if there was a reasonable subjective expectation of privacy.

It really makes me wonder if perhaps we do need to have "IT" courts, financial crimes courts, and medical courts - or at least judges that have some proven baseline understanding of the subject matter.