#1 2009-06-05 19:08:23

Regardless of how this plays out we believe the BOS is responsible for a very dark chapter in Wareham governance. Who is looking at my private data? What is their objective? What are they looking at about me, my business or my family? What criteria are they using? Who are the 3rd party observers and what is their expertise? Are they professional and certified investigators or computer techs for hire?  Where is my privacy? This is insane!

Offline

 

#2 2009-06-06 09:45:20

While I don't know how the BoS is doing this investigation, I have performed many similar ones myself, and can describe how they are supposed to be done. If there is suspicion of wrongdoing - a system breach, employee misconduct, or other - investigators can be brought in to perform a forensic analysis.  The general steps are usually:

1. Identify the scope of the investigation.  What's surprising to me about this case is that the scope seems to be "everything".  I find it difficult to believe that the selectmen and the TA have equal reason to believe that there is corruption/misconduct/whatever they are looking for across the board.  This is usually limited to no more than a department, and ideally just a couple of individuals.  There are a number of reasons for this - cost control, liability control, and others.  Cost is probably obvious (costs more to investigate more), but liability goes back to your points, Wag.  Why would I want to collect more data than I absolutely need for this?  All that accomplishes is putting that data at risk of loss.  There are a ton of regulations out there that govern collection, storage, and transport of data (Google for GLBA, HIPAA, FERPA, 201 CMR 17.00, and others), and the more data you have, the higher the likelihood that you have some covered data.
2. Identify the "script" that you are going to use for your search.  Typically when you're performing this type of investigation, it's because you have reason to believe that something specific is going on.  Hypothetically, if we're running under the assumption that the BoS is looking for people who post on this site, then the investigators would look for things like "warehamobserver.com", "sauvageau", "BoS", etc...  However, if they are looking for "everything", then there wouldn't be a script to follow.
3. Take a forensic image of the drive(s) to be investigated - There are plenty of software packages that do this, but EnCase is the most popular.  Simply copying a disk is insufficient in this case, as there's no guarantee that data was not changed - EnCase is "forensically acceptable", meaning that nobody can change the data once it's copied, and it has search tools, can pull deleted files, etc.  Time to do this varies, but a standard 120GB disk can be imaged in about 2 hrs.
4. Document chain-of-custody changes and store all disks in a secured location (e.g., a locked, monitored vault)
5. Investigate the disks one at a time.  Depending on the script identified in step 2, this can either be about an hour of work, or a day or more - if the script is tightly scoped, it's easy.  However, if an investigator is pouring through drives looking for anything they can find, that takes a long time.
6. Report findings
7. After it is determined that there is no need for the evidence (generally a couple of years), destroy the disks securely.

Without knowing what firm the BoS is using, it's difficult to say who's looking at it, how qualified they are, etc.  There should be an NDA in place between the town and the firm that would legally prevent them from disclosing any information.  However, it is possible (though I am NOT a lawyer, so don't take this as fact) that there could be some data on the drives which falls subject to the regulations mentioned above, which could cause some legal issues in its transfer. 

I'm actually fairly surprised that the name of the firm has not been leaked.  If anybody has that name, PM me and I can talk to some of my contacts to see what their reputation is.

Offline

 

#3 2009-06-06 10:13:00

acasualobserver wrote:

I'm actually fairly surprised that the name of the firm has not been leaked.

I am, too, and I'm also impressed with your grasp of these procedures. The process hasn't fundamentally changed in 25 years but the emerging accounts of what happened here betray an inept outfit that can not find its own ass with both hands and a flashlight. Cronan the Librarian's price quote of, "$100 to record EACH drive, $250 to read EACH drive," also sounds suspect.

I'm guessing low bid, you think?

Last edited by billw (2009-06-06 10:48:48)

Offline

 

#4 2009-06-06 14:06:39

billw wrote:

I'm also impressed with your grasp of these procedures

Well, it's a good thing - otherwise I'd be out of a job!  As for the pricing, it's tough to wager a guess without knowing (a) who's doing the work and (b) what their scope is.  If it's a high-end national firm, you're looking at $250-$300/hr overall rate.  Smaller local boutiques, figure about half that.  Two guys and a dog working out of a shed, probably $75/hr.  That's before the lawyers get involved.  I've seen posts that differ on whether it was internal or external counsel involved, but I'd guess it's a blend.  Lawyer's ain't cheap, but they probably don't need to put in too many hours on something like this - a chunk of time upfront to say "yeah, we think you can do this", a chunk of time on the backend to say "ok, you found x, that means you can do y", and then who knows what type of lawsuits or other issues will come out of this.

So once you get the rates, it's relatively simple math to figure out the cost - if they're imaging this many drives, they should be doing it in parallel.  This means that an estimate of 2 hrs to copy a drive doesn't mean that you can do 2 * number of drives * hourly rate.  However, 80% of the work reviewing the drives has to be done in sequence - you can kick off an individual search or scan, but the brunt of the hours are spent manually reviewing what was found.  That's where the dollars add up.

Offline

 

#5 2009-06-06 14:53:17

acasualobserver wrote:

the brunt of the hours are spent manually reviewing what was found.  That's where the dollars add up.

That's where I was going, thank you. The town manages 300+ multidisk systems and the Selectmen reviewed, what, 40 of them? Maybe? That number bumped to 100 systems last week but I don't believe it. This should prove interesting.

Two last questions, I promise. I confess, I already know the answer to the first one.

How often do you find intentionally saved porn on home or workplace systems used by adult males?

How often are these "audits" employed to surreptitiously install key loggers and assorted other invasive spyware?

Offline

 

#6 2009-06-06 15:21:14

The word on the street is the Town hired off the state contract to by-pass the bidding process. Whoever currently holds the state contract is doing the work.

Offline

 

#7 2009-06-06 16:50:09

Zoo, I'm trying to track down that state contract, or at least who it's with - I know a few people that do security for various state departments

billw, this probably isn't the answer that you're looking for on your first question - *I* have very rarely found that type of content, because my investigations are always tightly scoped, as they should be.  The last thing you want when you're performing these types of investigations is to find something that creates a legal obligation to notify the authorities, thereby removing the investigation from your control.  For example, my former employer's process for any situation where one comes across child pornography was "pull the plug, call the cops, and lock up the computer".  If you're just poking around, the odds of finding something like that go way up, and it leads to headaches.  That said, there's a surprisingly high amount of....I'll call it "non-work-related" content on corporate systems.  Does the town have an acceptable use policy for technology assets?  I'd love to hear what an HR lawyer would have to say if this investigation leads to the end of some peoples' employment, especially if there's no AUP in place.  I would think that if you do a search like this, you'd have to be consistent across *all* employees, not just those that you'd like to see targeted, and you'd have to fire *everybody* who has inappropriate stuff on their system.  That would be a huge number of people, but I suppose it's one way to solve the budget problems..... (kidding)

As for your second question, I've never seen an audit like this used to install any type of monitoring software, for a couple of reasons:
1) Assuming the network admins have some semblance of an idea of what they're doing, it's far, far easier to just deploy the software remotely.  It's also harder for end-users to detect it this way.
2) If they're doing the investigation right, they're just using copies of the drives - can't install anything that way.

Offline

 

#8 2009-06-06 17:27:52

Taj

Try Global Digital Forensics

Offline

 

#9 2009-06-06 22:59:06

TBL

Taj wrote:

Try Global Digital Forensics

Wow! They look expensive! I want to know the final cost of this witch hunt.

Offline

 

Board footer

warehamwater.cruelery.com