My Road to Digital Forensics Excellence

Investigation Workflow – Ethics Violations

Posted by Paul Bobby on November 4, 2008

The ethics cases are a unique flavor of investigation seen within the corporate environment. The final employee discipline is often based on a time-and-attendance issue; however, the initial cause for investigation can range from pornography, game-playing, harassment, or personal business to other policy violations.


A frequent request is to determine computer usage. While computer recording software, such as Spector Pro, is the ideal, there are computer artifacts that can provide some indicators. Event Logs are usually the first thing considered, but they depend on the logging policy and on storage size (logs rotate when they get full).

The scheduler service almost always executes on Windows machines, and the schedlgu.txt log file contains start/stop timestamps for this service, and therefore start/stop timestamps for the machine as well.


The key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU contains a recently used list of files opened from Explorer. This is significant because, when determining whether an employee has connected to another employee's machine, that employee typically uses Explorer to navigate the remote machine and not an application.

Rather than looking for these recent entries in the typical MRU lists, look to the Explorer MRUs, which list the full path, including drive letter. Since most employees do not use Explorer to open/save files, the Last Written timestamps of the various MRU keys can be quite reliable.


A UserAssist analysis is a popular method for identifying the computer activity of an end-user. The UserAssist registry key in the NTUser.dat file can be parsed into a chronological listing of that user's activity. Furthermore, ntuser.dat files from the System Restore points can also be parsed to show activity closer to the timeframe in question.

For example, I parsed the UserAssist registry keys of one user using RegRipper:

Tue Aug  5 23:08:43 2008 (UTC)
    UEME_RUNPATH:Remote Desktop Connection.lnk (311)
    UEME_RUNPATH:C:\WINDOWS\system32\mstsc.exe (360)

Tue Aug  5 22:54:39 2008 (UTC)
    UEME_RUNPATH:G:\AdminResetv2.EXE (2)

Tue Aug  5 22:54:33 2008 (UTC)
    UEME_RUNPATH:G:\AdminResetLocalv2.EXE (1)

Tue Aug  5 22:52:06 2008 (UTC)
    UEME_RUNPATH:C:\WINDOWS\system32\mmc.exe (11)

Tue Aug  5 22:51:48 2008 (UTC)
    UEME_RUNPATH:C:\WINDOWS\system32\cmd.exe (214)
    UEME_RUNPIDL:%csidl2%\Command Prompt.lnk (206)

Interesting activity, don’t you think? Command prompt, AdminReset utilities (local and remote), followed by a Remote Desktop connection somewhere?
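
To show what a UserAssist parse involves, here is an added example (not RegRipper's code and not part of the original post) that decodes raw values from a UserAssist Count key on an XP-era hive: the value names are stored ROT13-encoded and each 16-byte value holds a session ID, a counter and a FILETIME. The sample values are constructed to mirror two entries of the listing above, on the assumption that the number in parentheses is the run count after the XP starting offset of 5 is removed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)  # FILETIME epoch

def filetime_to_dt(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_userassist_xp(name, data):
    """Decode one value of a UserAssist ...\\Count key (XP-era 16-byte data)."""
    if len(data) != 16:
        return None  # bookkeeping values and later Windows layouts are skipped
    session, counter, ft = struct.unpack("<IIQ", data)
    if ft == 0:
        return None  # no last-run time, so nothing to place on a timeline
    return {
        "name": codecs.decode(name, "rot_13"),  # value names are stored ROT13
        "session": session,
        "runs": max(counter - 5, 0),            # XP seeds the counter at 5
        "last_run": filetime_to_dt(ft),
    }

def timeline(values):
    """Newest-first listing, the same ordering as the output above."""
    rows = [r for r in (parse_userassist_xp(n, d) for n, d in values) if r]
    return sorted(rows, key=lambda r: r["last_run"], reverse=True)

def _constructed(plain, runs, when):
    """Build a raw (name, data) pair as it would sit in the hive (test data)."""
    data = struct.pack("<IIQ", 1, runs + 5, dt_to_filetime(when))
    return codecs.encode(plain, "rot_13"), data

# Constructed sample mirroring two listing entries; session ID 1 is made up.
SAMPLE = [
    _constructed(r"UEME_RUNPATH:C:\WINDOWS\system32\cmd.exe", 214,
                 datetime(2008, 8, 5, 22, 51, 48, tzinfo=UTC)),
    _constructed(r"UEME_RUNPATH:G:\AdminResetv2.EXE", 2,
                 datetime(2008, 8, 5, 22, 54, 39, tzinfo=UTC)),
    (codecs.encode("UEME_CTLSESSION", "rot_13"), b"\x00" * 8),  # wrong size: skipped
]

if __name__ == "__main__":
    for row in timeline(SAMPLE):
        print(row["last_run"].strftime("%a %b %d %H:%M:%S %Y (UTC)"))
        print(f"    {row['name']} ({row['runs']})")
```

Running the same decoder over the ntuser.dat copies recovered from System Restore points gives one timeline per snapshot, which can then be compared against the timeframe in question.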

What do you like to use for Ethics investigations? And why…

