For those of you who came here hoping to see some visually inappropriate content, I am sorry to disappoint you. What I am writing about today is a technique that I have developed over a number of internal Enterprise HR investigations I supported involving the emailing of inappropriate material.
Historically, when I have supported HR in their inappropriate content investigations (our company takes a strong stand on such unprofessional behaviour in the workplace), I would produce for them a standard FTK (Forensic Toolkit) HTML report. This would have each email (grouped by sender) bookmarked, with the original email and attachments linked in the report. This was great from a detailed evidence point of view, but it lacked the detail needed to give an overall view of the scope of the problem. The biggest issue was that there was no easy way (especially as the number of people involved grew) to show how each individual was linked to others within the company through the email/forwarding behaviour.
In the latter half of last year I started to work on providing HR with an overview of email communications between employees, using a linking visualization technique that I had seen in a vendor's product. A similar example appears in Raffael Marty's book (http://secviz.org/content/applied-security-visualization), illustrated by the Facebook application "Friend Wheel".
The visualization technique involves mapping all the internal senders of inappropriate material around a circle, and then linking a sender and recipient by a line that crosses the inside of the circle. Arrowheads on the lines represent who sent the inappropriate email, and each sender is represented by a different colour of line. If the email originated from outside the company, a short line from outside the circle to the internal employee was used, and the colour was selected as if the recipient had sent the email (this makes it easier to see when employees were receiving external emails and then forwarding them on). If, during the analysis of an email, only one copy was found after it had been forwarded a couple of times (with the earlier sending details still present in the forwarded text), then the appropriate lines were still added based on who sent the email to whom during the chain of forwards. This allowed me to show how emails were passed from one person to another, even when I did not have copies of the original emails from each of the senders' mailboxes.
I manually mapped this out using Microsoft Visio, and used the layering capability to give each sender their own Visio layer. This allowed me to later select just a single sender's layer to provide HR with employee-specific visualizations of their inappropriate email usage. Using the custom properties of each Visio line, some of the FTK data was recorded, which allowed all the linking to be double-checked later. The format I used was generally the title set to the mailbox in which the specific email evidence was found, and the value set to the subject of the email and the date sent. This gave enough detail to search the FTK evidence quickly and find the original item.
Often during the investigations using FTK I would come across the same inappropriate content numerous times as being sent or received. If this was the case then I created a dedicated layer for such attachments. This allowed me to easily show how the specific inappropriate material entered the Enterprise, and how it got forwarded around to different employees.
Using this visualization technique has given HR greater confidence when interviewing employees about their behaviour. They are able to structure the interview and counsel/discipline an employee knowing whether they had only received inappropriate content once but had not deleted it, had received inappropriate material multiple times but may not have asked for it to be sent to them, or were actively forwarding such content around the Enterprise. The visualizations were also a good tool to show those employees who were "network hubs" the extent of what the investigation had found, without needing to walk through a large pile of email evidence.
Since then I have also added an Excel chart to the individual sender diagrams to show when each email was sent. This was to overcome a natural assumption, on first viewing a visualization, that a person had sent a lot of emails. It may instead have been the case that there had only been a couple of specific emails sent to two different groups of people, with the incidents separated by months.
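As an added example (not code from the original post), the bookkeeping behind the wheel described above and the sender timeline: internal mailboxes are placed around the circle, each recovered hop becomes a line layered and coloured by its sender (external-origin stubs take the recipient's colour), edges are grouped per attachment for the dedicated attachment layer, and send dates are tallied per sender for the timeline chart. The corporate domain and the hop records are constructed sample data.

```python
import math
from collections import Counter, defaultdict
# Assumed corporate domain (placeholder); any other domain counts as external.
INTERNAL_DOMAIN = "example.com"

# Constructed sample: one tuple per hop, recovered from an email itself or from the
# chain quoted inside a forwarded email: (sender, recipient, attachment, date sent).
HOPS = [
    ("someone@outside.net", "alice@example.com", "joke.jpg", "2008-09-03"),
    ("alice@example.com", "bob@example.com", "joke.jpg", "2008-09-04"),
    ("bob@example.com", "carol@example.com", "joke.jpg", "2008-11-20"),
    ("bob@example.com", "dave@example.com", "joke.jpg", "2008-11-20"),
    ("carol@example.com", "alice@example.com", "other.gif", "2009-01-15"),
]

def is_internal(addr):
    return addr.lower().endswith("@" + INTERNAL_DOMAIN)

def wheel_positions(hops):
    """Internal mailboxes evenly spaced on a unit circle: {mailbox: (colour slot, x, y)}."""
    people = sorted({a for s, r, _, _ in hops for a in (s, r) if is_internal(a)})
    step = 2 * math.pi / len(people)
    return {p: (i, math.cos(i * step), math.sin(i * step)) for i, p in enumerate(people)}

def wheel_edges(hops):
    """One line per hop, layered and coloured by sender. An external-origin hop becomes a
    stub from outside the wheel to the recipient, coloured as if the recipient had sent it."""
    edges = []
    for sender, recipient, attachment, date in hops:
        external = not is_internal(sender)
        edges.append({
            "from": None if external else sender,  # None: arrow starts outside the circle
            "to": recipient,
            "layer": recipient if external else sender,
            "external": external,
            "attachment": attachment,
            "date": date,
        })
    return edges

def attachment_layers(edges):
    """Dedicated layer per attachment: how the file entered and then spread, in date order."""
    layers = defaultdict(list)
    for e in edges:
        layers[e["attachment"]].append(e)
    return {k: sorted(v, key=lambda e: e["date"]) for k, v in layers.items()}

def sender_timeline(edges, sender):
    """(date, count) pairs for one sender's layer, so a busy wheel is not read as sustained activity."""
    return sorted(Counter(e["date"] for e in edges if e["from"] == sender).items())
```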
Any improvements that can be suggested to help non-technical HR personnel understand investigation evidence would be greatly appreciated.
While I was drafting this blog I noticed Raffy tweet that he was playing with the MooWheel (http://www.unwieldy.net/projects/moowheel/) code to do similar wheel visualizations with network data (http://raffy.ch/moo/moowheel.html). This code could have the potential to embed a dynamic visualization for HR alongside the FTK report. I have not had a chance to look at MooWheel yet, but the potential at this stage does intrigue me.
Update 4th April 2009: I have uploaded the full size images to http://secviz.org