A family member is being accused of misusing a company computer, and he might lose his job over the issue. He claims that he has not done these things and is quite distraught about the whole mess. He says he wasn’t even using the computer during some of the times the logs indicate the misuse.
As the family-computer-geek, my family has asked for my advice about this mess. Of course, being a doper, my first advice was to talk to a lawyer! But I am curious if anyone here has any other suggestions about disproving these accusations. The company IT department is not on our side in this matter.
My first thought is that he has a virus or a trojan that is allowing someone access to his computer/IP address. Is there a way to prove that this is happening? Are there resources/organizations for people in this situation?
Unfortunately, I am hearing about all this third-hand, and I don’t have any specific info about the computer, the internet connection, or the type of misuse (although I’m told it isn’t porn), so I am putting this in IMHO rather than GQ. Hopefully, someone out there has some information that I can pass on that might help.
My knowledge of such situations is extremely limited, so take this for what it’s worth. If his computer will be examined by a professional, don’t touch it. Don’t use it, don’t even power it up. When forensics people suspect a computer’s been used for something illegal or compromised by the bad guys, they don’t even shut it down normally, they just pull the power plug. This is the best way to preserve the evidence. If the computer has been in your family member’s control since the incident, it may be too late for this method (presumably the computer could have been altered to conceal any wrongdoing). DIY forensics really isn’t possible, especially if it involves the company’s network.
Other than that bit of advice (which may be completely inapplicable to your situation) all I can advise is talking to a lawyer who has some experience with computer forensics. You may need an employment lawyer if the wrongdoing is a violation of company policy and not anything illegal. They can point you in the right direction.
I hate to say it, but what’s the chance that your family member is guilty as charged?
What logs? Where? I assume, since you mention porn is not an issue, that this is related to something like non-work web surfing.
Questions:
Did the computer allow incoming network connections, especially for things like VNC and Remote Desktop? I used to connect to my work computer from home, but this required the work computer to be set up to accept and use such connections, AND that the work network be set up to accept and pass on such connections.
Did the work computer accept wireless connections, either WiFi or Bluetooth? It’s fairly common, I believe, for crackers to cruise neighbourhoods looking for unsecured wireless networks, and as a result, companies secure their wireless networks or require the use of wired networks. But can the computer provide wireless access to the network all by itself? Many phones can.
If he has a VNC to that computer and he has people living with him, my first guess would be that he accidentally left the VNC client open and the family/roommate mistook the VNC desktop for the actual desktop.
If he claims he wasn’t using the computer at the time in question, all he needs is something that indicates he was somewhere else when one of the incidents occurred. A meeting, a doctor’s appointment, out of the office that day. A single exception casts doubt that any of the incidents were his fault.
I have a bit more information.
This was a desktop computer in an office with a wired connection.
For one specific item on the list, he has an alibi for his whereabouts (in a work related meeting).
He was fired immediately.
I’ll get a chance to talk to him tomorrow, but it doesn’t sound like there is anything he can do with the computer at this point. Thanks for the advice guys!
So someone (unverified) used his account access to log into the desktop computer he normally uses. In one case, he has an alibi documenting his whereabouts elsewhere? So is there any evidence to support a claim he actually was at the computer at the time of the incidents? Could he have left his computer accessible to anyone at the time of the incidents (away from his computer without securing it)?
Unfortunately, as he’s been fired, it’s a little late on the technical side.
I’ve been on the other side of this. If it’s a Windows computer, then there are event logs which can be examined, assuming the relevant logging is enabled. If the issue is downloading or viewing porn, then the company’s proxy server should have logs.
One thing we drill into everyone is that if you’re leaving your desk you lock your computer. If he left his computer unlocked during that meeting and someone else used it, it’s his responsibility, even though it’s not his fault.
Also, if it’s an at-will state (which would be a question for a lawyer), even if he can prove he didn’t do the bad deeds, the company is under no obligation to rehire him, so there isn’t likely much for a lawyer to work with.
No, but qualifying for unemployment can be helpful and may need a lawyer’s help if they want to fight it. Plenty of companies will cave on unemployment if they know he has a lawyer who is willing to make it into a real fight. It doesn’t take much lawyering to be more expensive than paying the unemployment.
On the tech side, as someone who has been involved in employee monitoring that led to termination, this is not generally a one shot kill offense; either he did something really obviously bad, or this is not the first time this has been discussed with him. Or perhaps he has been problematic in other ways but this is something they could make stick. Annoying job habits, subpar job performance, or being the resident shit disturber can be difficult to justify termination over. Posting on the SDMB all day, on the other hand, is a little more definable and has a more clear cut policy.