Security Basics mailing list archives
Re: Computer forensics to uncover illegal internet use
From: Mike Sweeney <mikesweeney () packetattack com>
Date: Mon, 29 Aug 2005 21:40:30 -0700
Before anything.. make a copy of the disk and lock the original away with a chain of evidence. Use Ghost or DD. Work only on a copy.
Examine the disk using something like Knoppix STD or Audit or other bootable CD.
swap file.. history files for IE Alternative Browser history files use a undelete tool to see what might be recovered for cookies etc check for firewall logs or proxy server logsIf he is really that clever, look for alternative data streams and hidden files..
Look for a hidden partition Some history and last URLs can be found in the registry I'm sure other will toss in their 3 cents too :) MikeS ____________________________________ mikesweeney () packetattack com www.packetattack.com Home of "Network Security using Linux" Office 714.637.4235 On Aug 29, 2005, at 8:45 PM, Edmond Chow wrote:
Dear List, I'm working on the following project and would appreciate your views:I have been tasked with finding out if a certain desktop computer was used to view pornographic sites on the internet. This user has gone to great lengths to try to mask his illegal activities by erasing cookies, temp. files and by installing anti-spyware software on his computer. Are there any tools that would allow me to still uncover proof that he had accessed these sites? So far, the tech department is telling me that he did access illegal sites on only two dates but I suspect that this illegal activity started many months or years ago and it will be up to me to find more proof.Also, at a network level, we know his IP address but yet my technicalsupport department is telling me that they cannot (either because they don'twant to or because they are not technically capable of) tell me whatinternet sites this IP address has accessed in the past. Logically, theremust be a point in the network (on some piece of hardware) where I canconsult log files to track his activities? Or, is there a log file that I can consult that will tell me what sites all my users have accessed and fromwhat IP address?In terms of access to the desktop in question, I will have full access asthe computer will be in my possession in the coming days. Thank-you and any help that you can provide would be most appreciated. Regards, Edmond
Current thread:
- RE: Computer forensics to uncover illegal internet use McHenry, Glenn CTO1 (Aug 30)
- Re: Computer forensics to uncover illegal internet use Greg Stiavetti (Aug 30)
- <Possible follow-ups>
- Re: Computer forensics to uncover illegal internet use Mike Sweeney (Aug 30)
- RE: Computer forensics to uncover illegal internet use James McEachern (Aug 30)
- RE: Computer forensics to uncover illegal internet use Beauford, Jason (Aug 30)
- RE: Computer forensics to uncover illegal internet use Edmond Chow (Aug 30)
- Re: Computer forensics to uncover illegal internet use Jason Coombs (Aug 30)
- RE: Computer forensics to uncover illegal internet use CJI Support (Aug 30)
- RE: Computer forensics to uncover illegal internet use Bob Radvanovsky (Aug 31)
- RE: Computer forensics to uncover illegal internet use CJI Support (Aug 30)
- RE: Computer forensics to uncover illegal internet use Brunner, Mark (Aug 30)
- RE: Computer forensics to uncover illegal internet use Beauford, Jason (Aug 30)
- Re: Computer forensics to uncover illegal internet use Dave Aronson (SecBasics) (Aug 30)
- RE: Computer forensics to uncover illegal internet use Craig, Tobin (OIG) (Aug 30)
(Thread continues...)