As everyone knows, the behaviour of regular business users is rather predictable. This predictability can be visualised and wrapped in a bubble allowing for granular and non-granular analysis.
With the image below, I created a non-granular view where each bubble represents a user's normal interactions. Even with a casual glance you can immediately see how one bubble stands out from the others.
This visualization provides clear evidence of one individual who had accessed the contents of more than 2,500 mail files of other employees in the organisation.
In greater detail, each bubble in the above image represents a single user who accesses a particular number of databases. Each type of database is given a designated color, described in the legend. The entire visualization represents the activity of 5,000 users inside the organization's IBM Domino collaboration environment.
Some of you may have noticed the second-largest bubble (among the blue bubbles). It represents the activity of a well-known performance monitoring tool.
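The per-user view described above can also be checked numerically. The following is an added example, not code from the original post: it counts the distinct mail files each user opened and flags counts far above the population baseline using a median/MAD score, a technique chosen here rather than the author's method. The record layout, the account names (`user07`, `svc-monitor`) and the threshold are assumptions, and the data is constructed.

```python
from collections import defaultdict
from statistics import median

# Hypothetical allow-list: accounts such as a monitoring tool that are
# expected to touch many databases. The name is an assumption.
SERVICE_ACCOUNTS = {"svc-monitor"}

def sample_records():
    """Constructed (user, database, db_type) records; not a real Domino log format."""
    recs = []
    for u in range(1, 41):
        name = f"user{u:02d}"
        recs.append((name, f"mail/{name}.nsf", "mail"))        # own mail file
        for d in range(1, u % 4 + 1):                          # a few delegated mailboxes
            recs.append((name, f"mail/user{(u + d - 1) % 40 + 1:02d}.nsf", "mail"))
        recs.append((name, "apps/crm.nsf", "application"))     # non-mail database
    for n in range(1, 41):                                     # one user opens every mailbox
        recs.append(("user07", f"mail/user{n:02d}.nsf", "mail"))
    for n in range(1, 31):                                     # monitoring tool probes mailboxes
        recs.append(("svc-monitor", f"mail/user{n:02d}.nsf", "mail"))
    return recs

def distinct_db_counts(records, db_type="mail"):
    """Number of distinct databases of one type opened by each user (the bubble size)."""
    seen = defaultdict(set)
    for user, db, kind in records:
        if kind == db_type:
            seen[user].add(db)
    return {user: len(dbs) for user, dbs in seen.items()}

def flag_outliers(counts, threshold=3.5):
    """Flag users whose count sits far above the median (modified z-score)."""
    values = list(counts.values())
    med = median(values)
    # MAD is 0 when most users have identical counts; fall back to 1 to avoid dividing by zero.
    mad = median([abs(v - med) for v in values]) or 1.0
    flagged = {}
    for user, n in counts.items():
        if 0.6745 * (n - med) / mad > threshold:
            # Known service accounts are still reported, but labelled separately.
            flagged[user] = "known-service" if user in SERVICE_ACCOUNTS else "investigate"
    return flagged

if __name__ == "__main__":
    counts = distinct_db_counts(sample_records())
    for user, label in sorted(flag_outliers(counts).items()):
        print(f"{user}: {counts[user]} mail files -> {label}")
```

Labelling the allow-listed account instead of dropping it keeps the monitoring tool visible, as it is in the chart, so that misuse of a service account would still surface.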
A forensics engagement like this typically takes about one to two weeks to perform, with a lead time of less than 24 hours. All of the work is performed remotely, with the exception of the data collection (an online screen-sharing session, approx. 1 hour) and the presentation of findings (again an online screen-sharing session).