I've spent a good deal of time following the privacy concern issues behind the use of computer forensics in the corporate environment. The fears have been common enough and yet, they seem to stem from a misunderstanding about what forensics can and cannot do. As an employee of any company, you sign documentation to the effect that all company systems, data, inventions on behalf of the company, etc., are property of the company. At least, this is the way North America does business. In knowing and embracing your status as a company employee, you understand that nothing on your desk (save for some pictures, weird objects and a cup of coffee), belong to you. However, this is fundamentally the very first thing that's forgotten when arguments are presented. How can your company "spy" on you? Well, they aren't spying, they are monitoring the data and work flow of their organization. Shouldn't any company in these scary economic times want to assure that it is operating at the most efficient and secure levels possible? If you, as the loyal employee to "Company X", are not in any violation of company policies, then the ad-hoc monitoring of your network communications and actions should not concern you…or should it? Depends on what you're up to.

Computer forensics do not follow you home in your car. Enterprise Forensics, or "Large Scale Forensics", are installed on a base server with a specified number of licenses issued to monitor a specified number of systems on the network. The sys. admin. (or examiner as it may be) does not monitor all systems on the entire network. It isn't really possible and is very inefficient. The company chooses areas that it feels need monitoring, or a specific individual that is most likely committing some type of internal policy violation, and they monitor thusly.

Mirroring a system does not affect performance of that system. Copying down information gleaned from the system while it's in use may slow up the performance a bit, but again, it's highly specific information that an investigator is looking for, not random emails about Friday night's date.


Computer forensic tools can compile custom reports that run unattended 24-7 to monitor certain areas of concern. As an example, because of new regulations for American companies traded on the public market, the Security Exchange Commission (SEC) requires that all corporate heads personally vouch for their company's financial reports. To ensure that these reports are indeed accurate, a CFO might want to employ a forensic solution to monitor cash flow in and out of Sales or Finance. A custom report could be programmed that would glean specific information for the CFO through the network capabilities of the enterprise forensic tool. In this way, there is consistent visibility into areas of the company that might otherwise go unnoticed but may cause catastrophic downfall all the same. Read: Enron.

Also of note, enterprise computer forensics do not work across the internet. They are company network specific. The Administrator exchanges a digital key with the vendor company and the vendor company holds the master agreement in an extremely secure location off-site. This again leads back to the licenses, and how many a company is utilizing. There is the potential to have a license to mirror every system on the network, but this is defeating to any real purpose and there are definitely not enough IT folks in a single company to do the monitoring on that scale.

Log Files