Auditing Workstations

Auditing workstations is one of the most invasive things an auditor can do to an employee. It must be approached with thoughtful consideration and a professional demeanor. Auditors must respect the privacy of employees who are not violating policies and procedures. Ensuring that auditors exercise good judgment and maintain a mature attitude generally goes a long way in workstation audits.

The unannounced workstation audit is an activity that must be predicated on legal and sound policies and procedures. If an organization is going to undertake the workstation assessment process, employees must understand and acknowledge that they do not have a reasonable expectation of privacy for any of their activities conducted on the company's systems.

Audit teams must ensure that they have full concurrence and cooperation of senior managers before engaging in these types of audit practices. Prudent audit team managers will make certain that the organization's legal department is regularly consulted to determine if there have been any recent legislative changes affecting employee privacy before beginning workstation audits. Workstation auditing should not be restricted to stationary desktop systems, but should include all mobile devices including laptop, handheld, wireless, and cellular devices used on the job.

Since Microsoft created its first operating system for Intel processors, its products have gained an ever-increasing market share. As a result of this rapid expansion, most offices use Microsoft products in both desktop and mobile environments. Consequently, this section concentrates on auditing workstations running Windows operating systems.

First Steps

Begin at the beginning. Workstation audits must include employee work areas.

  • Are there policies and procedures requiring the proper treatment of paper trash? How often does the employee dispose of her trash?

  • Where does the employee print her jobs? Is there waste paper present at the printer?

  • Does the organization have policies and procedures regarding the shredding or burning of trash?

Auditors should take a careful look at the areas surrounding the workstation. Are passwords written and hidden beneath mouse pads or keyboards? What sensitive materials are left unattended on desk areas?

With the physical review of the work area completed, the first step workstation auditors should take is "unhiding" files. Open My Computer, select View and then Folder Options, and choose the View tab. This pane contains an option to show all files. Auditors should select it to reveal any files the user may have hidden.


Experience Note

An auditor was referred an e-mail for review to determine its compliance with company policy regarding official use. Once received, the auditor opened the e-mail and its obscene attachment, which was in the form of a Microsoft Word document, and started her analysis. She opened the e-mail text in a simple hex editor, allowing her to view the hexadecimal coding of the document, and easily located the MAC (Media Access Control) address of the sender. Checking with the inventory control specialist, she located the workstation of the alleged sender. She then opened the Word document attachment in a text editor, Notepad, and began looking for the GUID (Globally Unique Identifier). This information is an essential component of Microsoft Word's architecture and is useful in determining the origin of the attachment. After comparing the MAC of the workstation and the GUID, the auditor determined they pointed to the same person, and identified that the attachment had been composed in a copy of Word personally registered to that particular employee. It had been composed outside the organization's office space, as all company software products are registered in the company's name and not in the name of any employee. She began the workstation audit and located the MAC in the browser cookie file, in a cookie named "microsoft.txt." It was the same as the workstation's Ethernet card. This went a long way toward showing the MAC had not been spoofed. After reviewing the text of the obscene attachment as a final step, the auditor provided a written report to the human resources unit for their action.

Organizing and Searching File Systems

It is important for auditors to be able to organize, search, and display files lodged on media contained within the target workstation or server.

Wilbur

There is a simple, free application known as Wilbur, available at www.redtree.com, that easily accomplishes the task of organizing a disk's files. It is a freeware Windows-based utility that creates an index of the target media: hard drives, floppies, or CD-Rs. Wilbur will search every file on the target media by the type of file, for example, spreadsheet, word processing, images, HTML, zipped files, etc. This is very useful if the auditor is looking for images with the extension jpeg or gif. Having an index of image files will provide the auditor with additional insight into the user's Internet browsing practices. This is particularly useful if the auditor is looking for browsing outside the organization's stated policies. This application can also look into the content of files for specific words, displaying the file and the text. Wilbur permits search descriptions to contain wild cards and logical expressions, facilitating the auditor's efforts to find specific files. Searches can be constrained by combinations of file names, contents, folder names, file size, attributes, and file modification dates (Exhibit 1 and Exhibit 2).

Exhibit 1: Wilbur Configuration (image not reproduced)

Exhibit 2: Wilbur Options (image not reproduced)


Little Images

In most cases, reviewing hundreds of images is tedious and somewhat tiresome for auditors. In many cases, large organizations have frequent complaints dealing with employees who engage in unauthorized pornographic Web site browsing. In other cases, employees may be engaged in stealing intellectual property or other sensitive information. Using a simple application known as ThumbsPlus, available at www.cerious.com, auditors can create a catalog of image files. Auditors using this program can select the workstation's drive unit or directory, and the program creates an image catalog displaying all image files. Conscientious auditors can quickly scan the thumbnail images produced and determine if any are offensive.

Unformatting and Undeleting

Many users believe that once a file has been deleted, it is gone forever and cannot be restored to a usable state. Further, users may also believe that once a drive has been reformatted, the information previously contained there is gone. Information may be recovered from deleted files and reformatted disks by using simple utilities. Norton Utilities, currently owned and distributed by Symantec (www.symantec.com), provides applications that will unerase deleted files and unformat media that have been formatted. Norton is not the only software suite that has these utilities. Auditors can easily locate other suitable programs on the Internet.

It is not practical for auditors to restore all deleted files within the hard drive's multi-gigabyte structure; nevertheless, if auditors identify suspicious files, they have the option of restoring them and possibly recovering their contents. Using unerase and unformat programs is fairly easy, and they are usually well documented in the help file or literature accompanying the program.

Windows Registry Investigations

The Windows Registry is a database containing information about every program installed on the workstation. Wise auditors will not go idly poking around in the workstation's Registry without some degree of expertise, as this is one sure way to make the machine completely unusable for anyone who does not know what they are doing. In essence, the Registry contains information about the workstation's users and their configuration preferences.

The Windows operating system Registry consists of at least two files: System.dat and User.dat. If the workstation has been configured for multiple users, each user will have their own copies of these files in the Windows\Profiles\<user name> folder. Auditors can boot the workstation into DOS and type scanreg /restore at the DOS prompt, launching the DOS version of the Registry Checker. This will provide a list of existing Registry backups and their effective dates. Highlight the backup selected for restoration and follow the prompts after that.

The best way to view the Registry is with the editor provided by Microsoft and already found in Windows. If the auditor is reviewing Windows 9x or ME, it is a matter of going to the Run selection from Start and entering regedit. In the case of NT, regedt32 is entered. It is a good idea to create a backup of the Registry in the event something goes wrong. While in the Registry menu, select Export Registry File. This will prompt for a file name. Saving this file will provide a copy of the Registry.

Operating within the Registry Editor is similar to exploring files in Windows Explorer. Registry entries are arranged like file system trees. Located on the left side of the window are folders indicated by icons. These are called "keys." Keys contain other keys or values, and values may be of three types: binary, string, or DWORD (double word, 32 bits). If there is a plus (+) sign next to a folder, clicking on it opens other folders and drops down the list of subkeys.

There can be a host of information stored in the Registry; for example, locate the HKEY_CURRENT_USER key and expand it to find the Software key; expand it, locate the CurrentVersion key, and finally select DocFindSpecMRU. In the right window pane, you can see the contents of this key. Reviewing the contents of this key will provide the search history of the workstation. This can also be confirmed by reviewing the search terms retained in the file search utility found under Start, Find, Files or Folders. Basically, looking at this Registry entry shows where the workstation users have used the Find function and what their search parameters were. Reviewing the search history will reveal if the user has forgotten where she concealed files in the operating system's file system. For example, Alice is engaged in periodically siphoning money from accounts payable and later makes credit entries that offset these debits. She has concealed a small spreadsheet where she tracks the stolen amounts, being careful not to take too much too frequently. This spreadsheet is hidden within her workstation's file system. After a three-week vacation, she returns to work and has forgotten where she hid the spreadsheet. She clicks on the Find function and begins searching for her spreadsheet. By performing this search, her search parameters are logged in the Registry and can be retrieved by others.

Explorer\RunMRU is another Registry key worth reviewing, as it contains information about user activities. This key holds the most recent commands launched from the Run function that is accessible from the Start button. The Run history will show those commands entered by the users. This information is also available from the Run function by clicking on the little box to the right of the entry box. It is useful in determining if users were running unauthorized software or if they were mapping the interior network using utilities found in the Windows operating system such as Ping, Netstat, Tracert, and Nbtstat. These networking routines are used by Windows to perform its networking functions, and if used manually, will provide a very good map of the architecture and naming conventions used in the organization's system. Ping is used to verify connections to hosts; Netstat displays protocol statistics and current TCP/IP connections to the workstation; Tracert determines the route taken to a network destination; and Nbtstat displays protocol statistics and current TCP/IP connections using NetBIOS over TCP/IP. Auditors should be mindful that there are very few reasons for employees, outside of those having direct system responsibilities, to be routinely using these commands. It is important to note that these network commands may be run from the DOS prompt within Windows, in which case they will not be recorded in the Registry. Employees interested in the organization's system architecture would likely use these commands to discover details in order to facilitate an attack. Auditors should also be mindful that an employee using these commands might just be curious about the system. If there are tools present on the workstation or stored elsewhere in the system, they should be located before making any recommendations.

Another Registry area worth the time for an auditor to investigate is one that records the URLs entered by the user during Web browsing sessions. Remember that this will only be useful if Microsoft's Internet Explorer is operating as the default Web browser. The pertinent entries are located in the Microsoft portion of the Registry under the key named TypedURLs. This area also reveals the user's Web browser Start Page. In this key is a list of all the URLs the user typed into Internet Explorer's Address field. As an auditing tool, this resource is very useful as it provides a partial record of the Web sites visited by the workstation user. The importance of this investigation is that it reveals the user intentionally typed the URL into the address field, calling up the Web page to view.

The HKEY_LOCAL_MACHINE key records information about the individual workstation and the network. The Network\Logon key contains the last user name used to log onto the network and is a good place to look if the auditor is attempting to correlate the workstation's user with workstation activity.
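The Registry keys above can be reviewed offline from the Export Registry File copy the auditor was advised to make. The following script is an added example, not part of the original text or any tool it names: it parses a regedit export, reconstructs the Run history in MRUList order (most recent first), lists the TypedURLs, and flags Run commands that start with the Windows networking utilities the text singles out. The key paths are the ones used on Windows 9x/NT-era systems, and the sample export is constructed.

```python
"""Parse a regedit export (.reg) and reconstruct MRU-based user activity."""
import re

# Registry key paths (HKEY_CURRENT_USER hive) as written in a regedit export
RUNMRU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
DOCFIND = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\DocFindSpecMRU"
TYPEDURLS = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"

# Networking commands the text notes ordinary users rarely have reason to run
NETWORK_TOOLS = {"ping", "netstat", "tracert", "nbtstat"}

def _unescape(value):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", value)

def parse_reg(text):
    """Return {key path: {value name: string value}}.

    Only quoted string values are kept; binary and dword values are ignored.
    Note: Windows 2000+ exports are UTF-16 files; open them with encoding="utf-16".
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def mru_entries(keys, path):
    """Entries of a lettered MRU key, most recent first, per its MRUList value."""
    values = keys.get(path, {})
    entries = []
    for slot in values.get("MRUList", ""):
        item = values.get(slot)
        if item is None:
            continue
        # RunMRU items carry a trailing "\1" marker; drop it if present
        entries.append(item[:-2] if item.endswith("\\1") else item)
    return entries

def run_history(keys):
    return mru_entries(keys, RUNMRU)

def find_history(keys):
    return mru_entries(keys, DOCFIND)

def flagged_commands(history):
    """Run commands whose first word is one of the networking utilities."""
    return [c for c in history if c.strip() and c.split()[0].lower() in NETWORK_TOOLS]

def typed_urls(keys):
    values = keys.get(TYPEDURLS, {})
    names = sorted((n for n in values if n.startswith("url")), key=lambda n: int(n[3:]))
    return [values[n] for n in names]

# Constructed sample export (not from a real workstation); 192.0.2.x is a documentation range
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="winword\\1"
"b"="ping 192.0.2.10\\1"
"c"="\\\\fileserver\\finance\\1"
"d"="nbtstat -A 192.0.2.10\\1"
"MRUList"="dbca"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\DocFindSpecMRU]
"a"="*.xls"
"b"="payables"
"MRUList"="ba"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://webmail.example.com/"
"url2"="http://intranet.example.com/"
'''

if __name__ == "__main__":
    keys = parse_reg(SAMPLE_EXPORT)
    print("Run history:", run_history(keys))
    print("Flagged:", flagged_commands(run_history(keys)))
    print("Find history:", find_history(keys))
    print("Typed URLs:", typed_urls(keys))
```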

E-Mail Sent by Employees

E-mail is a reasonable place for a workstation audit. It is often a source of insight into the employee's daily activities. It is likely that the organization has a policy requiring employees to use only the internal system's e-mail services. In this fashion, e-mail content may be examined for inappropriate use and for the possibility that users are using e-mail to transmit sensitive or intellectual property outside the company.

At times, a suspicious e-mail is the first indication that an employee is outside of organizational policies and might be guilty of other things. Auditors may think of e-mail as the database of the employee and their contacts while on duty. Individual messages are often stored in the folders that were installed as a matter of application default or in the folders the employee created. Auditors should investigate the default folder structure within the e-mail client. Looking at the Sent, Outbox, Drafts, Inbox, and Deleted folders may provide some insight into the employee's e-mail activities.

Auditors should note that just because a workstation has an e-mail client, such as "Eudora" or "Outlook" installed, does not necessarily mean all the e-mail activity of the user is recorded. Web-based e-mail has distinct advantages for employees. By not using the e-mail server of the organization's network, the employee can bypass any backup and recording of e-mail being sent. Employees may transmit and receive e-mail without any concern their traffic is going to be examined later from inside the company.

Web-based e-mail allows users to send, receive, and store e-mail from multiple computers and from a wide variety of locations. Because the e-mail is stored on a server with Internet access, the user is free to conduct her e-mail business from any computer having Internet access.

Interested workstation auditors may wish to access the browser's History file and look for the dates and times the user accessed their Web-based e-mail service. Viewing the History file will provide the URL and date the Web site was visited by the user. Auditors may also wish to look into the browser's Favorites or Bookmarks file where the user may have bookmarked those Web sites she wishes to visit again. Having bookmarked a Web site is a fair indication the user intended to visit it again. Frequently, users will not delete the History file, and auditors will discover that the user has at least visited an Internet e-mail site.

Auditors may wish to visit the Cookies file easily located by the Windows Find function. Often, Cookies are deposited on the user's workstation by Internet e-mail sites to facilitate user recognition and logon. By examining this file, auditors may see if the user has visited Internet e-mail or other sites.

There is another, more subtle purpose for Internet e-mail use: users wishing to visit Web sites while avoiding detection by the interior gateway filter. By visiting an Internet e-mail site and sending URLs for prohibited Web sites to herself, an employee may circumvent content filters located on the interior network. She merely visits the Internet e-mail site, sends herself URLs for Web sites that would be filtered by the company's system, and clicks on them through the Internet e-mail site.

Looking in all the Right Places

Auditors performing workstation audits should be mindful of areas that generally retain information providing useful insight into the workstation user's day. Before attempting to perform an audit on the target workstation, auditors should visit the business's Help Desk unit and inquire about recent requests for assistance made by the users of the workstation they are going to audit. Employees requesting file transfer applications such as FTP (File Transfer Protocol) clients should have their workstations carefully screened. Unless an employee is engaged in system or Web page development, there is no legitimate reason to have FTP software.


Experience Note

Auditors suspecting an employee was using unauthorized software performed an audit on her workstation after normal work hours. They did not discover any unauthorized applications on her workstation. However, using the Find feature of Windows, auditors found an interesting file called ""."//.old." The file's extension was not conventional, so the auditors examined the Properties of the file and determined that its extension should have been exe. Changing the extension of the file to exe opened an FTP client containing an IP address located on the Internet and a password. Perusing the transfer log revealed the employee had been transferring proprietary information outside the company, including soon-to-be-released products, suppliers, price lists, and client lists. The employee was subsequently prosecuted and convicted. Additionally, she and her partners were sued for damages, with monies recovered by her former employer.


Reviewing the Internet activity logs is another logical place to start the workstation audit. Auditors should coordinate their efforts with appropriate levels of system administrators in obtaining and sorting the employee's Internet activity logs. Auditors should be looking for Web sites that are contrary to organization policy and Web sites that "just don't look right."

Reviewing the contents of the Windows Recycle folder will give the auditor an idea of the discarded items no longer wanted by the user. Looking in this folder will often disclose discarded items from Web pages and any other discarded items. Reviewing the Recycle folder may also disclose whether the user had attempted to install unauthorized software. Auditors should be mindful that reviewing the Add/Remove Programs function located in the Control Panel generally reveals if the user has installed unauthorized software. If the user is not careful, there can be unresolved hardware device conflicts that reveal attempts to install hardware. Reviewing the Device Manager will generally disclose if the user has installed or attempted to install unauthorized hardware.

Auditors should be mindful that most browsers have a History file containing the Internet browsing history of the user. This file may be located by the Find function of Windows and may be accessed by clicking on one of the entries. Generally, the entries are cataloged by the week they were accessed. For example, there will be headings such as "54 Weeks Ago," indicating that these were the Internet Web sites visited 54 weeks ago from the time of the current date. Because the listed Web sites are identified only by their URLs, it is a wise auditor who takes a representative sample for examination.

Directories that can provide the auditor with valuable information are Temp and Temp Internet. These directories hold items that are meant to be discarded in the future. For example, in the case of Temp, downloaded applications or applications needing a temporary file for installation are going to be found here. Users frequently ignore this folder when they delete the program, not realizing a copy was deposited on their hard drive. The Temp Internet folder acts as a depository for a variety of Internet-related items, including downloaded images, Web pages, and cookies. Searching through these items can provide information about the user's Internet browsing habits. Depending on the browser, sometimes there are Cache files that serve essentially the same purpose as Temp or Temp Internet. Browser Cache files may be accessed and reviewed for the same purposes as any other "temp" file.

Most Windows systems keep many of the images relative to visited Web pages. These images can be easily displayed by using an application such as ThumbsPlus or they can be found using their extensions. Auditors may input gif or jpeg in the Find function of Windows and the lower pane will display the image files.
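Finding images by extension, as above, misses files whose extension has been changed, which is exactly what defeated the first pass in the FTP-client experience note and what a Wilbur-style type index is meant to catch. The following added example (not code from the original text, Wilbur or ThumbsPlus) walks a directory, classifies each file by its header bytes, and reports files whose extension disagrees with their content. The signatures are the standard ones for these formats; the sample tree is constructed in a temporary directory.

```python
"""Catalog files by content type and flag extension/content mismatches."""
import os
import tempfile

# Standard header signatures -> content type label
SIGNATURES = {
    b"MZ": "exe",                       # DOS/Windows executable
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
}

# Extensions that legitimately carry each content type
EXPECTED_EXT = {
    "exe": {".exe", ".dll", ".scr", ".com"},
    "jpeg": {".jpg", ".jpeg"},
    "gif": {".gif"},
    "png": {".png"},
    "zip": {".zip"},
}

def sniff(path):
    """Content type implied by the first bytes of the file, or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return "unknown"

def catalog(root):
    """Walk root; return (index, mismatches).

    index: content type -> sorted relative paths (forward slashes)
    mismatches: sorted (relative path, detected type) pairs whose extension
    does not match what the header bytes say the file is.
    """
    index, mismatches = {}, []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            kind = sniff(full)
            index.setdefault(kind, []).append(rel)
            ext = os.path.splitext(name)[1].lower()
            if kind != "unknown" and ext not in EXPECTED_EXT[kind]:
                mismatches.append((rel, kind))
    for files in index.values():
        files.sort()
    return index, sorted(mismatches)

def build_sample_tree():
    """Create a constructed sample tree (synthetic bytes, not real files)."""
    root = tempfile.mkdtemp(prefix="audit_sample_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "photo1.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
        "docs/notes.txt": b"quarterly figures\n",
        "docs/report.old": b"MZ\x90\x00" + b"\x00" * 60,   # executable renamed .old
        "docs/banner.gif": b"GIF89a" + b"\x00" * 10,
        "archive.zip": b"PK\x03\x04" + b"\x00" * 26,
        "picture.dat": b"\xff\xd8\xff\xe1" + b"\x00" * 20,  # JPEG renamed .dat
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    index, mismatches = catalog(build_sample_tree())
    for kind, files in sorted(index.items()):
        print(f"{kind:8s} {', '.join(files)}")
    for rel, kind in mismatches:
        print(f"MISMATCH {rel}: header says {kind}")
```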

Telling the Tale with Cookies

Cookies are text files useful in holding the user's name, password, and other information pertinent to a specific Web site. Sometimes cookies contain custom settings for a given Web site and other data the Web site uses in tracking the user's visit.

From an auditing perspective, cookies may hold information relative to Web sites, as they contain information for the browser's preferred configuration of the site. For example, they may contain preferences for Web site viewing without music or with a particular background color. Cookies do not indicate whether the user intentionally went to the Web site or not. They merely indicate that the viewer was at the Web site for the cookie to be deposited at the browser's cookie file.

Because cookies are text files, they can easily be viewed in a text editor such as Windows Notepad. When viewed in the Windows pane, they will appear similar to the following example: aliceandbob@adlinks[1].txt or alice@yahoo[2].txt. When viewed in the text editor, they will appear similar to the following example: Uid0oxd823903.0x17d7rr0ads.adlinks.com/0o02375044590230*0. Looking at the text will reveal the visited Web site: adlinks.com.

There are no formal requirements for cookies, so it is sometimes difficult to obtain consistently useful information from them other than to see the Web site's URL.

It may be sufficient for auditors to know the URLs visited by the user and correlate this information with the properties of the images contained on the user's workstation. If auditors will right-click on the cookie, they will view the properties of the cookie including the date it was created and the day it was last modified. Because it is being viewed by the auditor, the date it was last accessed will be the date it was viewed by the auditor.
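A small parser makes the cookie review above repeatable: it pulls the host that set each cookie and renders the creation and expiry timestamps, which is the same information the text has the auditor read from the cookie text and its Properties. This is an added example, not part of the original text. It assumes the on-disk layout of Internet Explorer "user@site[n].txt" cookie files: records of nine lines (name, value, host/path, flags, expiry FILETIME low and high halves, creation FILETIME low and high halves, then "*"), where a FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC. The sample file is constructed.

```python
"""Parse Internet Explorer cookie text files and report hosts and timestamps."""
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)

def filetime_to_str(low, high):
    """Combine the two 32-bit halves of a FILETIME into 'YYYY-MM-DD HH:MM:SS' UTC."""
    ticks = (int(high) << 32) | int(low)
    when = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return when.strftime("%Y-%m-%d %H:%M:%S")

def parse_cookie_file(text):
    """Return one dict per cookie record found in the file text."""
    lines = text.splitlines()
    cookies, i = [], 0
    # Each record is exactly nine lines and is terminated by a line holding "*"
    while i + 8 < len(lines) and lines[i + 8] == "*":
        name, value, hostpath, flags = lines[i:i + 4]
        exp_lo, exp_hi, cre_lo, cre_hi = lines[i + 4:i + 8]
        host, _, path = hostpath.partition("/")
        cookies.append({
            "name": name,
            "value": value,
            "host": host,
            "path": "/" + path,
            "flags": int(flags),
            "expires": filetime_to_str(exp_lo, exp_hi),
            "created": filetime_to_str(cre_lo, cre_hi),
        })
        i += 9
    return cookies

def hosts_visited(text):
    """Distinct hosts that deposited cookies, in order of first appearance."""
    seen = []
    for cookie in parse_cookie_file(text):
        if cookie["host"] not in seen:
            seen.append(cookie["host"])
    return seen

# Constructed sample; the FILETIME halves encode 2004-03-15 09:30:00 (expiry)
# and 2002-03-15 09:30:00 (creation) UTC. Values and hosts are made up.
SAMPLE_COOKIE_FILE = "\n".join([
    "Uid", "0oxd823903.0x17d7rr", "ads.adlinks.com/", "1536",
    "374168576", "29624944", "4199947264", "29477891", "*",
    "session", "alice", "mail.example.com/", "2048",
    "374168576", "29624944", "4199947264", "29477891", "*",
])

if __name__ == "__main__":
    for c in parse_cookie_file(SAMPLE_COOKIE_FILE):
        print(f"{c['host']:20s} {c['name']:10s} created {c['created']} expires {c['expires']}")
    print("Hosts:", hosts_visited(SAMPLE_COOKIE_FILE))
```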

Auditing Windows NT and XP

An integral part of these Windows operating systems is the feature of activity logging, or auditing. As a matter of policy and procedure, organizations are strongly advised to use operating systems that have the ability to enable auditing. When enabled and correctly configured, auditing causes entries to be made to an event log. Event logs are divided into sections: System Messages, Application Messages, Security Logs, and Iexplore.

The Event Viewer function is used at the "administrator" privilege level to view logs. How long the event log is retained depends on the configuration settings, which tell the workstation when to overwrite the oldest entries. The success auditors have in viewing logs depends on the implementation of policies and procedures relating to proper operating system configurations.

It is important for auditors to have a fair sample of user activity on which they may base their assessment. If too small, the sample will not reflect the user's activity; if too large, the sample contains too much information to be useful. Default configuration settings will generally overwrite logs in a few days or a week at most. Often the purpose of the logs is debugging systems, not monitoring user activity. Auditors should be mindful that if suspicious user activity has triggered an audit, it may be advisable to have the security manager activate and configure the target workstation's logging feature to capture a larger number of events with greater granularity before actually performing the audit.

Keystroke Monitors

Auditors must be mindful there are hardware and software solutions that provide for the capture of every keystroke made on a given keyboard by the user. It is possible to configure them to either retain all the keystroke information on the workstation's hard drive or send the information via e-mail to the intended recipient. Other versions take snapshots of the target's monitor. Such keystroke software applications are available from www.spectorsoft.com.

Auditors should know these programs are not one hundred percent accurate, but they provide a significant degree of insight into what the user is doing on her workstation. Keystroke monitors are generally invisible to the user, but a very computer-savvy user can discover them with a degree of effort. These programs provide an important tool to auditors who are actively looking for illicit or unlawful activity. Because there are legal issues when using keystroke monitors, consult with legal counsel before installing them.
