Suspended, awaiting employment hearing

[Xarbain]

I have been employed with this company for approx 2.5 years.

 

Today I was called into a meeting and told I am facing a diciplinary hearing Monday for excessive internet usage.

 

Now I do use the internet at lunch times, social networking sites etc are blocked so normally news and shopping (amszon)

we are allowed online at lunch btw and I generally have a busy day with little time to play online otherwise in any case.

 

I do sometimes leave the browser open in the background if I forget to close it after lunch,

but this does not explain the "evidence" of what I apparently am surfing at work.

 

I have yet to receive the full file, but from what I can gather and was confronted with,

my PC is accessing the home page (I see no other pages listed than home) of an adult website even when I am nowhere near my PC.

 

I can prove on several instances that I was nowhere near my PC when I "accessed" this site and for about 15 occurrences

actually have photos on my phone that proves I was out of the office.

I have no doubt once the full file has been received that I can disprove more of the allegations.

 

However, it is a website I did visit a few weeks back on the company laptop (no porn it is a forum) in my own personal time

(stupid I know, my PC was defragging and working like a three legged donkey)

but I have never ever accessed it on my work PC during working hours knowingly.

 

My question is,

where do I go from here,

what do I need to do to prove that on a regular basis my PC was doing its own thing,

and how is it even possible that my PC is accessing websites without me knowing it and being my the PC?

 

The browsers are Google and internet explorer, and I counted about 270!!!! connections in one single day!

 

I am dumbfounded as that is a forum I use yes,

but on my phone (smart phone which connects to the work wifi yes but that should not tie back to my PC,

and I do not use it apart from sometimes at lunch on my PHONE not the PC,

in any case I would have thought it be automatically blocked

as we cannot even access something as basic as hotmail from the work PC)

 

I am confused and worried,

if anyone has any advice,

then please help me out here.

 

I have already checked my browser history and found none non work related access in my history in Google during work hours

(I checked under settings, and web history)

but my ie is set to delete history, cookies etc on exit,

so had no luck trying to access those entries.

 

Thank you in advance.

Edited May 15, 2014 by Xarbain
adding extra info per request

[renegadeimp]

Could anyone else have access to the system and have access to your login info?

 

Im a sys admin by trade, so i know a fair amount of ways it could happen. However, the first port of call is to eliminate all the obvious ways.

 

I also handle disciplinaries for my employer and have done so for issues like yours. What you need to do is show 100% that you did not access the site, and you were out of the office when this site was loaded up and accessed. The key is the loaded up part, as it would show that their is something on your system, or someone has accessed the system and Gone to that site while you were not there.

 

The fact that even if this happened 1 time and you can prove it, it casts doubt on every other attempt, unless they can show you were at the system when it happened.

 

If your server admins are worth their salary, they will have comprehensive logs that show browser initialisation time and date, along with the time that every page was loaded and viewed, and for how long.

 

For instance, on the systems i maintain, EVERYTHING is logged, apart from logging the contents of emails to and from various departments. The emails themselves are encrypted and i would need an authorisation code to view them which only the store manager has.

 

So im pretty sure that the sys admins where you are should have the same sort of setup.

[Xarbain]

Thank you,

my log in is well known (same set up for all of us) but the password is individually set up, and changed every 4-6 months.

 

I confess (as I did today) I have accessed this site,

but on my own time,

and mainly on my PHONE not my PC,

but the log on my PC I cannot understand.

 

It has the Day, date, time stamp (no mention of how long I apparently was on for) URL Bandwith User and IP address

but it shows me on every few minutes from arrival till I leave, which is what confuses me,

as I have never logged on at work on my PC,

on my phone yes (personal phone, not work phone, I do not have a work phone)

 

I have only been given the data of two days today,

and have asked HR to forward me the full log which I have yet to receive

(my hearing was supposed to be tomorrow at 9.30am,

but I asked for an extension as I do not have the full records yet and was granted it,

calling HR tomorrow to set the time for Monday)

 

I just do not understand how it can keep on showing me online on this site when I do not even have local internet open,

and is happily working away on my VPN, and in other cases nowhere near my desk.

[renegadeimp]

Personally, i think you should be focusing on getting YOUR evidence together to counter what they are saying. Remember, if you are connected to their network via your phone, then you are still in breach of Their terms.

 

get your evidence together and also get a representative/witness if possible to accompany you to your disciplinary.

[Xarbain]

Thank you and I am, just still in shock..

. and no I do not spend most of my time on my phone.

 

It spends 99% of the time idle on my desk.

I do appreciate the advice though,

really appreciate your time and effort replying.

 

However, the phone is anominous, the records comes back to my PC

and the records when I was nowhere near my PC..

. well neither was my phone to the network.

 

I am happy to share the details with you uncensored once I receive them to get an independent opinion.

[renegadeimp]

Double check the records. Does it come back to the pc or login? Can you prove you were not on site when it happened.

 

Are there any cameras close that can show you entering and leaving the area

[SabreSheep]

Also in most hearings notes are taken and you are asked to confirm them by signing them at the end along with your representative or witness.

Make sure if you have no representative you at least have a witness.

 

READ THE NOTES THOROUGHLY and request alterations if they are misleading or inaccurate. If they refuse at the end of the notes write "I sign under duress as these are not complete or accurate." Request copies as well at the end of the hearing for any appeal and/or for you to file away in case this situation or one like it rears its ugly head again.

 

Not my area of experience but can malware be causing the problem and when was the last time the system was checked for malware?

[renegadeimp]

Indeed saber. Malware can cause it, but instead of initially relying on that, the best course of action would be to check those records. Match things up, THEN request consistency checks or Scan results. The methods my team use is pretty simple: Logs > investigation > determination. Logs always ALWAYS come first. The only exception would be if you were caught red handed by someone, then the logs would simply be a formality.

[Xarbain]

Thank you again,

HR have yet to send me the complete set of the files,

so I only have two days worth of records to work with,

 

the entries comes back to my RakId (generic, same of all of us, part of the surname and first name to identify the user)

This is the ID I use together with My password to access my PC (Both for window and for the VPN)

I can also see my IP address listed (different IP address for each day)

 

As for proof I was not at my desk, most of the time I was, as I was working (I was just not on this site)

but at lunch one of the days I was out for a walk, the weather was really good so I took some photos

(they are time stamped and dated on my phone) and uploaded them onto Facebook,

 

I then went to the shop where I bought lunch on my debit card and met two colleagues who gave me a ride back to the office.

 

This covers one hour and approx 14-15 times when I apparently was accessing the site.

 

We do not have cameras, only a sign in and out sheet with no times.

I am hoping once I get the rest of the file that I will consistently be able to prove I was out for most of the lunches

where access have been made (I should have electronical records from buying some lunches,

and witnesses that I walked with at lunch, including an ex-colleague I met for lunch that came back to the office to say hi to everyone

(memorable event for everybody)

 

But without the rest of the proof against me, obviously the latter is speculation as I do not even know which dates and times

I apparently went onto this site yet, apart from the printed pages I received yesterday detailing TWO days

(although I was told there was a LOT more, but I was too shocked at the time to think clearly and ask to see the complete records)

 

I did contact my HR representative yesterday evening when I got home, and requested

the hearing moved from this morning at 9.30 to Monday morning, and for the file to be e-mailed to me by a mobile phone conversation,

which she said was not an issue.

 

She only asked if she could call me back during today as she needed to move meetings around to fit my hearing in, which I agreed to.

 

It does seem from the records that my PC is accessing the home page (now I do not have the full URL

as the file as pointed out earlier has not been sent to me,

I am working off two days records printed out on A4 paper)

 

But I did access the site from my HOME personal PC last night and without the full URL the home page seems most likely (speculation)

 

As for malware, I honestly do not know when it was last checked. It has the company anti-virus which is run from and maintained by the HQ IT team.

 

It might be worth mentioning that we are going through redundancies at the moment, could this affect my case?

 

We are closing down the office so will ALL be made redundant at some point in 2014

(this has been communicated to all employees in the office,

both in writing and by office meetings with the senior management team)

[SabreSheep]

Unless they think they have reasonable grounds that you did the act complained and sanctioned you as a result then I would imagine that there is no way it could be used in relation to redundancy legitimately.

 

However any sanction from a "warning upwards" would in theory go on your personnel file which depending on how they select for redundancy *may* have an impact.

[Xarbain]

The redundancies have already been selected (not sure if mine will be amended due to this) two rounds, first lot end of July, the rest in December. I have received an invite to go through my deal and date next week (which I presume will still go ahead as planned?) I hope the offer that was available prior to this will not be amended either, as we are offered better than the normal statutory deal.

 

If I could have it my way, personally I would like to be in the first lot to leave (but we do not get the option of choosing ourselves)

 

I presume this will get an impact on future references? I have never had as much as a warning, never sacked or been in any sort of trouble before.

[Xarbain]

I have now received the full file of my browsing spanning a week,

obviously the site I am being done for gross misconduct for is there,

and there are hundreds of entries (actually there are a LOT of entries I do not even get,

I presume some of these are ads etc on sites I have been on)

including legimate sites I have visited for work, and reading the paper online whilst eating my lunch.

 

Questions:

Over the two days I apparently spent my whole day on this site,

there are 4 IP addresses showing,

and the excel spreadsheet lists me as the "owner"

 

I have been logging on even when I can prove with witnesses that I was not even in the office.

 

One IP address seems to have all legit entries (apart from the lunch time when I was out)

Now the legit entries are all from ie (I know this de to the sites visited where the short cuts are only set up on ie, not on Google)

 

Where does the second IP address come from?

 

When I visited the offending site on my own time (as explained previously)

could I have set it as remember me by mistake and accidentally opened Google, not closed it

and had it running in the background all day updating itself? I

f so, what clues do I look for?

(I have the offending laptop, but I have not used it since yesterday when checking my history.

 

2 Does each browser have different IP addresses?

 

3 If I accidentally did open Google in the background (I know it was Google I originally visited the original day,

as Google history tells me so) why would it keep refreshing?

(If refreshing is the answer)

 

would that be due to my private phone having it open and refresh works over different devices?

 

This would explain how I managed to be online on my PC at the same time as I was physically in another location.

 

Thank you in advance for any help/advice in this matter. I truly appreciate it.

[renegadeimp]

To me, it very much sounds like the logging system they have is flawed and is taking each click through ad as a separate web page.

.

Regarding Ip addresses, each browser using the one assigned to it via the ISP, or in a workplace scenario, the proxy server. This can change, but would be done at an administrator level, and usually times out around every 12 hours or so and a new one is generated.

 

if you use chrome as your browser and also use chrome on your phone, then it is possible the history is shared. Especially if you are signed into both browsers with the same google account.

 

 

However, if you have witnesses that are prepared to make a statement and have proof that you were not in the office at the time, then i would strongly suggest you get them to prepare their statements. If there are few logs that say you were there when you obviously weren't, then as a sys admin myself, i would immediately halt the disciplinary and perform a full investigation on the specificed logs, the system concerned and the log generating system itself.

[Atlas01]

This sounds like a case i once dealt with

 

one website will have many embedded links leading to others and even some you can't see running in stealth.

 

Example, I go to the "second choice" holidays website but in the background it says "hey this IP just came to us and for the 000.1p you pay us here is the IP ping"

 

There was an article on the daily fail a while ago which actually showed what i mean where when i tried the web page it was passing my data from the mail link (facebook, twitter, marketing etc.) to around 15 other sites without my knowledge. (couldn't find it when looking for the link just now sorry)

 

I actually think if you are adamant you have not been near these sites that you find a PC geek/nerd/anorak forum, they can explain this to you, i can't, CAG may even have one

 

I had a great rep who was a pc nerd, he made mincemeat of the case against the person on the above grounds.

[griffzilla]

Are the 4 IP addresses similar? eg: 145.67.200.xxx where the numbers in certain sections are the same?

[renegadeimp]

The above is correct. For instance, if you know how to use netstat, run it while browsing this site.

[Xarbain]

Thank you all, 3 of the IP addresses are pretty close, one is not:

 

10.48.0.xxx

10.48.0.xxx

10.48.0.xx

10.60.65.xx

Edited May 18, 2014 by Xarbain
Duplication of several lines by mistake

[renegadeimp]

To me, that looks like its passing through a local proxy server.

[Xarbain]

To me, that looks like its passing through a local proxy server.

 

That would be correct I think. The company uses proxy servers when we first log on (where the sites were accessed) then I work mainly off our VPN

[griffzilla]

Thank you all, 3 of the IP addresses are pretty close, one is not:

 

10.48.0.xxx

10.48.0.xxx

10.48.0.xx

10.60.65.xx

 

There's a possibility that the 60.65 could be an IP assigned by wireless, and 48.0 is assigned to wired devices - I assume you're PC is wired to the network, and not wireless?

[Xarbain]

There's a possibility that the 60.65 could be an IP assigned by wireless, and 48.0 is assigned to wired devices - I assume you're PC is wired to the network, and not wireless?

I am wired to the network yes. For my workstation I never connect wireless in the office.

[defaye]

When you first connected to the work wireless on your mobile was it a simple case of clicking it and entering the key or was there infact a login screen to authorise?

[Xarbain]

When you first connected to the work wireless on your mobile was it a simple case of clicking it and entering the key or was there infact a login screen to authorise?

 

First time connection I entered the wireless password that we all have and use for personal and work mobiles and tablets. Since then it connects automatically.

[defaye]

Ok following on from that is your device name applicable just to you? Eg "Johns iPhone" with you being the only John at the company? Just worth ruling out that it definitely isn't the phone refresh on browser open or general browsing which has been tied back to you.

[Xarbain]

I am the only one with my name in the company and yes my phone's name does reflect this.

 

I only use Google on my phone and only recently on my work pc. Most of my internet usage is on ie for work purposes. Purely because my shortcuts are set up there.

 

I do however not spend much time using my phone at work. It will have lots of web pages open as I am notorious in not closing down tabs to sites I am not on. At work I mainly use my phone to surf a bit at lunch and to check and reply to messages from recruitment agencies as my office is closing down and we have been told we can do this at work (verbally) due to our current situation.