Security Basics mailing list archives

RE: Computer forensics to uncover illegal internet use


From: "Joel A. Folkerts" <jfolkert () hiwaay net>
Date: Tue, 30 Aug 2005 07:54:47 +0200

Edmond,

 You need to tackle this problem from two fronts: user's computer and the
network. Legal issues aside, the first thing you need to do is get smart on
computer forensics. If your company plans on combating this numerous times,
you probably want to invest in some hardware and software. The hardware
doesn't have to be anything special - a simple PC with moderate hard drive
space that has free 5 1/2" bays. The software is a little pricier - I
recommend either EnCase ~ $3,000
(http://www.encase.com/products/ef_index.asp) or FTK ~ $1,000
(http://www.accessdata.com/Product04_Overview.htm?ProductNum=04). I
personally prefer EnCase but both products are equally capable. If your
budget is restrictive - you can use a suite of free or relatively
inexpensive tools. 

 For the budget conscious - here is just one example of how you can do it:
http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-willis-c/bh-us-03-willis.pdf

 Coming from a law enforcement background, there are fundamental steps that
must be taken to ensure the exam is legally sufficient. You must image the
machine (make an exact bit-for-bit replica of the user's hard drive). This
ensures that you are working from a copy and not altering the original
drive. The next thing you must do is lock up the original for evidentiary
purposes. (This allows the user's lawyers to compare your findings with the
original so he or she cannot claim you planted evidence.) Conduct the exam.
During this entire process, document everything! It may seem overkill but
the notes can make all the difference. 


 Regardless of how you obtain forensic access to the user's machine - there
are a ton of little niches where Internet activity is stored.
(http://www.securityfocus.com/print/infocus/1827)

 Now onto the network side -- If you have a moderate to large company,
you're most likely using a proxy device to access the web. This device
provides a centralized point of controlling and logging web use. *Most*
companies do not store these for more than 30 days - the logs simply take up
too much room. 

 Above all - make sure you're legally cleared to conduct the exam and obtain
proxy information. There's nothing more frustrating than having a whiny
lawyer having your case dismissed because of a minor legal issue. Even if
this is all being done in-house and you don't foresee this going to court -
always be prepared for that day to come. The user can turn around and sue
your company for numerous reasons if he or she feels they were unjustly
fired.

Good luck!

-Joel
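
The acquisition steps Joel lists (image bit-for-bit, work only from the copy, seal the original, document everything) can be checked mechanically. The script below is an added illustration and is not part of this thread, nor the code of EnCase, FTK or any other product named above. It images a constructed stand-in for a suspect drive, hashes both the source and the image with SHA-256 to prove the copy is exact, writes a JSON-lines chain-of-custody entry, re-verifies the working copy before an exam session, and shows that a single altered byte in the copy is detected. The file names, the examiner name and the sample bytes are assumptions; on a real acquisition the source would be the block device behind a hardware write blocker.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream in 1 MiB blocks so a multi-GB image never has to fit in RAM

# Constructed stand-in for the raw contents of a suspect drive (assumption:
# in a real case `source` is the physical device, opened read-only behind a
# hardware write blocker, never the live filesystem).
SAMPLE_EVIDENCE = b"MBR\x00" * 64 + b"user profile, browser history, cache..." * 1000


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hash a file of any size without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Bit-for-bit copy of `source` into `image_path`; both sides are hashed so the
    copy can be proven identical to the original before the original is sealed."""
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return {"source_sha256": sha256_file(source), "image_sha256": sha256_file(image_path)}


def verify_image(image_path, expected_sha256):
    """Re-hash a working copy before each exam session; a mismatch means stop and re-image."""
    return sha256_file(image_path) == expected_sha256


def custody_entry(image_path, hashes, examiner, note):
    """One append-only record for the notes Joel insists on: who, when, what, and the hashes."""
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "image": os.path.basename(image_path),
        "source_sha256": hashes["source_sha256"],
        "image_sha256": hashes["image_sha256"],
        "verified": hashes["source_sha256"] == hashes["image_sha256"],
        "note": note,
    }


def run_acquisition(examiner="examiner-placeholder"):
    """Stage the constructed evidence in a temp dir, image it, log custody,
    re-verify the copy, then alter one byte and confirm the change is caught."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect_disk.raw")   # assumed name for the original
        image = os.path.join(work, "suspect_disk.img")    # assumed name for the working copy
        with open(source, "wb") as f:
            f.write(SAMPLE_EVIDENCE)

        hashes = acquire_image(source, image)
        entry = custody_entry(image, hashes, examiner,
                              "acquired from workstation; original sealed in evidence bag")
        with open(os.path.join(work, "custody.jsonl"), "a") as log:
            log.write(json.dumps(entry) + "\n")

        untouched = verify_image(image, hashes["source_sha256"])

        # Simulate a modified working copy (first byte overwritten) and re-verify.
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        tampered_detected = not verify_image(image, hashes["source_sha256"])

        return {**entry, "untouched_verified": untouched, "tampered_detected": tampered_detected}


if __name__ == "__main__":
    print(json.dumps(run_acquisition(), indent=2))
```

The custody log records the hash of the original at acquisition time, which is what lets opposing counsel confirm later that the examined copy matches the sealed drive; hashing the copy again before every session catches the case where a working image has been touched between sessions.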


-----Original Message-----
From: Edmond Chow [mailto:echow () gettechnologies com] 
Sent: Saturday, August 27, 2005 1:23 AM
To: security-basics () securityfocus com
Cc: Edmond Chow
Subject: RE: Computer forensics to uncover illegal internet use


Dear List,

I'm working on the following project and would appreciate your views:

I have been tasked with finding out if a certain desktop computer was used
to view pornographic sites on the internet.  This user has gone to great
lengths to try to mask his illegal activities by erasing cookies, temp.
files and by installing anti-spyware software on his computer.  Are there
any tools that would allow me to still uncover proof that he had accessed
these sites?  So far, the tech department is telling me that he did access
illegal sites on only two dates but I suspect that this illegal activity
started many months or years ago and it will be up to me to find more proof.

Also, at a network level, we know his IP address but yet my technical
support department is telling me that they cannot (either because they don't
want to or because they are not technically capable of) tell me what
internet sites this IP address has accessed in the past.  Logically, there
must be a point in the network (on some piece of hardware) where I can
consult log files to track his activities?  Or, is there a log file that I
can consult that will tell me what sites all my users have accessed and from
what IP address?

In terms of access to the desktop in question, I will have full access as
the computer will be in my possession in the coming days.

Thank you, and any help that you can provide would be most appreciated.

Regards,


Edmond
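
Edmond's network-side question (which sites a given IP visited, and from which log) is what the proxy logs Joel mentions answer. The script below is an added example, not part of this thread and not tied to any particular proxy product: it parses a constructed log in the Squid native access.log field order (epoch timestamp, elapsed ms, client IP, result/status, bytes, method, URL, user, hierarchy, content type), filters by client IP, groups the hosts visited per day, reports first and last sighting, and skips malformed lines instead of aborting. The log lines, IP addresses and host names are constructed samples; the field layout is an assumption about the proxy in use.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample log (assumption: a Squid-style proxy). Timestamps are
# 2005-08-25 20:00 UTC and 2005-08-26 20:00 UTC to match the thread's dates.
SAMPLE_LOG = """\
1125000000.123    145 10.1.2.33 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1125000012.456     30 10.1.2.33 TCP_HIT/200 812 GET http://www.example.com/logo.gif - NONE/- image/gif
1125000300.789    210 10.1.2.77 TCP_MISS/200 9000 GET http://news.example.net/ - DIRECT/192.0.2.10 text/html
1125086400.001    180 10.1.2.33 TCP_MISS/200 7000 GET http://www.example.org/page - DIRECT/192.0.2.20 text/html
1125086460.002    120 10.1.2.33 TCP_MISS/403 300 GET http://blocked.example/ - DIRECT/192.0.2.30 text/html
malformed line that should be skipped
"""


def parse_log(text):
    """Turn raw access.log text into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        try:
            ts = float(fields[0])
        except ValueError:
            continue
        _, _, status = fields[3].partition("/")
        records.append({
            "when": datetime.fromtimestamp(ts, tz=timezone.utc),
            "client": fields[2],
            "status": status,
            "method": fields[5],
            "url": fields[6],
            "host": urlsplit(fields[6]).hostname or fields[6],
        })
    return records


def client_records(text, client_ip):
    return [r for r in parse_log(text) if r["client"] == client_ip]


def summarize_client(text, client_ip):
    """Map each UTC day to a Counter of hosts the client requested that day."""
    per_day = defaultdict(Counter)
    for r in client_records(text, client_ip):
        per_day[r["when"].strftime("%Y-%m-%d")][r["host"]] += 1
    return dict(per_day)


def first_last_seen(text, client_ip):
    """Earliest and latest request from the client, as ISO strings (None if absent).
    The span is bounded by log retention, so a short span may only mean old logs are gone."""
    times = [r["when"] for r in client_records(text, client_ip)]
    if not times:
        return None, None
    return min(times).isoformat(), max(times).isoformat()


if __name__ == "__main__":
    ip = "10.1.2.33"
    for day, hosts in sorted(summarize_client(SAMPLE_LOG, ip).items()):
        print(day, dict(hosts))
    print("seen:", *first_last_seen(SAMPLE_LOG, ip))
```

Note that the result only covers whatever the proxy still retains, which, as Joel points out, is often around 30 days; the first-seen date is the start of the surviving log, not necessarily the start of the activity. Correlating the IP with DHCP lease records for the same period is needed before treating the address as the user's machine.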




