Network Monitor Logs Aid Police in Computer Theft Investigation
When a company's physical security measures failed and equipment was stolen, savvy networking administrators used their network monitor logs to try to track the laptops down.
February 21, 2007
We were in the process of moving our offices to a new location, and for reasons beyond the scope of this story, we had to move in a week before the building was completely ready. Although the network was live and we were open for business, our security camera system was pretty much just for looks at that point. Furthermore, the magnetic door locks weren't hooked up. The building is a long, one-story structure, with entrances at the north and south ends as well as the main entrance in the middle. Because of the lack of a working security system, we had two on-site security guards patrolling the building 24 x 7, and only the main entrance was allowed to be unlocked. Despite the efforts of security and office management, employees were using the entrances at the ends of the building to leave.
The Incident
About 7:30 A.M. on Monday the week after the move, a user came to the IT office and asked if we had picked up his laptop. He had left it on his desk over the weekend, and it wasn't there now. I was the only IT person in the office at that early hour, but I hadn't heard of any of the other guys picking up a user's laptop. I told him to check back at 8 A.M. after the first desktop support guy got in. To speed up the story, by 9:30 A.M., we had determined that 13 practically new laptops and two portable projectors had disappeared off people's desks over the weekend. They were all taken from the two cubicle areas at the far ends of the building (near the exits). The security guards hadn't seen anything unusual, and we had no security system logs to check. So what to do?
Creative Thinking
Because the network was up, we had some info available to us. We use SolarWinds Orion for network monitoring, and one of the things we monitor and log is the up/down status of ports on our Cisco network switches. We also have our cabling plant well labeled, so we know which network port at a desk links to which switch port in which server room. So even though we didn't have a security system per se to reference, we were able to pin down the exact time on Saturday afternoon that the network port each laptop was plugged into went from up to down. By using our network logs to pinpoint exact times, the IT network team was able to aid the police in narrowing the field of people (contractors and employees) who would have been in the building at the time. Knowing what time each laptop went off the network also enabled the police to recreate the crime scene in terms of the possible number of thieves and the path they took through the building. With that information, the police were able to uncover additional forensic evidence, which aided them in their investigation.
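As an added example, not from the article or from SolarWinds Orion, here is how the correlation the author describes can be scripted: switch port up/down events are joined with a cabling-plant map to give the time each desk's port went down and stayed down during the weekend window. The log format, switch names, port names and desk labels are all constructed for illustration.

```python
from datetime import datetime

# Constructed cabling-plant records: (switch, port) -> desk label.
CABLING = {
    ("sw-north-1", "Gi1/0/12"): "N-cube-04",
    ("sw-north-1", "Gi1/0/15"): "N-cube-07",
    ("sw-south-2", "Gi1/0/03"): "S-cube-02",
    ("sw-core-1", "Gi1/0/01"): "server-room-uplink",
}

# Constructed port-status log lines: date, time, switch, port, new state.
# The core uplink flaps briefly on Saturday morning; three desk ports go
# down on Saturday afternoon; one desk comes back up on Monday.
LOG_LINES = """\
2007-02-10 09:15:02 sw-core-1 Gi1/0/01 down
2007-02-10 09:15:40 sw-core-1 Gi1/0/01 up
2007-02-10 14:02:11 sw-north-1 Gi1/0/12 down
2007-02-10 14:04:53 sw-north-1 Gi1/0/15 down
2007-02-10 14:21:07 sw-south-2 Gi1/0/03 down
2007-02-12 08:01:30 sw-north-1 Gi1/0/12 up
"""

def parse_events(text):
    """Yield (timestamp, switch, port, state) from the constructed log text."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the run
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        yield ts, parts[2], parts[3], parts[4]

def port_down_timeline(text, cabling, start, end):
    """Return [(time, desk)] for ports that went down inside [start, end]
    and were still down at the end of the window, sorted by time.
    A port that flaps (down then up) is dropped, so a switch blip does not
    look like a removed laptop. start/end are 'YYYY-MM-DD HH:MM:SS' strings."""
    fmt = "%Y-%m-%d %H:%M:%S"
    lo, hi = datetime.strptime(start, fmt), datetime.strptime(end, fmt)
    last = {}  # (switch, port) -> (time of current state's start, state)
    for ts, switch, port, state in parse_events(text):
        if not lo <= ts <= hi:
            continue
        key = (switch, port)
        prev = last.get(key)
        if state == "down" and prev is not None and prev[1] == "down":
            continue  # already down; keep the original down time
        last[key] = (ts, state)
    downs = [(ts.strftime(fmt), cabling.get(k, f"unmapped {k[0]} {k[1]}"))
             for k, (ts, st) in last.items() if st == "down"]
    return sorted(downs)
```

Run over the Saturday-to-Sunday window, the output is the per-desk timeline the author used to narrow the field of people and reconstruct the thieves' path.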
Although the police didn't ultimately recover the stolen equipment, the situation resulted in us thinking about our security environment in a new way and making creative use of monitoring systems that we might not have considered previously as being relevant to security.
—Will Willis