For the last year I've avoided any solicitation of our company's product out of respect for the information shared in this list. BUT, this WFA thread screams for it. If you feel inclined, take a look at www.sgtlabs.com. It's an enterprise monitoring product that tracks WFA and more in a simplistic manner. The information [Date,Time,Username,Computername,Application{and/or}Website visited] is collected in a secure appliance that can provide evidence admissible in court. It's targeted to the SMB market but scalable to larger organizations. I think it's a good solution, but hey, I'm just an engineer.

Dave Losen
Sergeant Laboratories, Inc.
4329 Mormon Coulee Road
LaCrosse, WI 54601
608 788 9143
dlosenat_private

-----Original Message-----
From: dr john halewood [mailto:johnat_private]
Sent: Wednesday, July 23, 2003 11:34 AM
To: forensicsat_private
Subject: Re: Waste, Fraud, Abuse

On Tuesday 22 Jul 2003 9:57 pm, Curt Purdy wrote:
>The problem comes from someone clueful enough to wipe cookies/history and
>not keep incriminating files. The best answer is a proxy server that
>logs all access and an email server that keeps a record of all mail.

Whilst logs from mail and proxy servers are useful in isolating potential culprits (either in WFA cases or others, such as illicit viewing of pornography), and may possibly count as suitable evidence in internal disciplinary procedures, it generally isn't enough to satisfy courts, if things are likely to reach that level. I've been involved in a number of cases where the powers that be have said that server logs were not sufficient (too easily forged, although if you run them straight to a printer or burn to CD-R etc you might be better off), and even that evidence found on a hard drive can be questioned (can you prove your suspect was using the machine at the time?).

However a combination of a network sniffer and a few shell scripts to monitor server logs and page appropriate people have led to the suspects being caught at the machine, which (combined with extra evidence such as log files), is usually enough to prove the offence conclusively.

cheers
john

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jul 24 2003 - 12:36:36 PDT