RE: Computer forensics to uncover illegal internet use

["dave kleiman" <dave () isecureu com>]

Jason,

Even an attorney, District Attorney, or the doctor who verifies the evidence
as child pornography, may not view or posses the contraband without the
investigating law enforcement agency being present.  They are still bound by
the same "possession of contraband" law.
Therefore, the immediate contacting of an LEA is the only proper real
resolve. Turning it over to the company attorney would be possession and
distribution of contraband a definite no-no.

However, just as if you found a bag of drugs on the ground, you have no
obligation to report it, but picking it up and playing with it is
ill-advised.

Nonetheless, if you simply saw what you thought was child pornography, and
you stopped and wiped the system you would technically be ok, since it takes
a doctors examination to, for the courts, say it truly is/was child
pornography.


Dave


> -----Original Message-----
> From: Jason Coombs [mailto:jasonc () science org]
> Sent: Tuesday, August 30, 2005 19:14
> To: Edmond Chow; security-basics () securityfocus com; Beauford, Jason
> Subject: Re: Computer forensics to uncover illegal internet use
>
> Edmond,
>
> You cannot 'investigate' viewing of child pornographic
> material without violating the very same laws that you are
> informed may have been violated by the employee of your
> company who stands accused.
>
> You must stop your work immediately. Do not begin your work
> if you have not already, and get your company to turn the
> hard drive and other details over to the corporate attorney.
>
> What you must understand is that certain persons have a legal
> obligation to report any finding of evidence of child
> pornography, but that your company and its employees, in the
> employees' professional capacity, may not have an obligation
> to report to law enforcement.
>
> The company is typically allowed to simply wipe the hard
> drive of any computer that may have been used to view child
> pornography, and take whatever internal disciplinary action
> it deems appropriate with respect to the accused employee.
>
> Only your company's attorney can guide you properly, and you
> are completely wrong to want to investigate this yourself.
>
> Your company's attorney should advise you that the best thing
> to do is wipe the drive, and get on with the business that you are in.
>
> If you report this to law enforcement, the employee WILL go
> to prison. Innocent or not.
>
> If the employee goes to prison and is innocent, or is even
> accused publicly and is innocent, and eventually finds a way
> to prove his innocence, your company will be sued. The
> employee will win the lawsuit. Your company may go out of
> business over its improper handling of this incident.
>
> Please feel free to contact me directly to discuss this
> matter in more detail. This is an area of criminal computer
> forensics with which I have much experience.
>
> Sincerely,
>
> Jason Coombs
> jasonc () science org
>
> -----Original Message-----
> From: Edmond Chow <echow () videotron ca>
> Date: Tue, 30 Aug 2005 10:27:24
> To:security-basics () securityfocus com,       "Beauford, Jason"
> <jbeauford () EightInOnePet com>
> Cc:Edmond Chow <echow () videotron ca>
> Subject: RE: Computer forensics to uncover illegal internet use
>
> Good morning Jason,
>
> Thank-you to you and all who responded to me with their
> ideas.  I am wondering if there are any reference books
> available that would guide me through an investigation of
> this sort?  I am dealing with a case involving the viewing of
> child pornographic websites so I want to be careful to follow
> reference guidelines of some sort so that I don't end up in
> jail myself!
>
> Any help that you can provide in the form of links to
> articles and/or books on this subject would be greatly appreciated.
>
> Regards,
>
>
> Edmond
>
>
> -----Original Message-----
> From: Beauford, Jason [mailto:jbeauford () EightInOnePet com]
> Sent: Tuesday, August 30, 2005 8:50 AM
> To: Edmond Chow; security-basics () securityfocus com
> Cc: Edmond Chow
> Subject: RE: Computer forensics to uncover illegal internet use
>
>
> Check out INDEXVIEW.exe.  Internet explorer writes a history
> of all visited sites to a file labeled INDEX.DAT.  This file
> is usually hidden.
> Most end users are not bright enough to research thoroughly
> and will not delete this file.  If they use Internet Explorer
> as their Browser, then find this file and you will have your
> proof.  Download INDEXVIEW here =>
> http://superwebsearch.com/dwl/IndexView.exe
>
> Additionally, SecurityFocus has a great article which
> describes what you want to do:
>
> Part 1 (for IE):  http://www.securityfocus.com/infocus/1827
>
> Part 2 (for Firefox) http://www.securityfocus.com/infocus/1832
>
>
> Good Luck.
>
>
> JMB
>
>      =|   -----Original Message-----
>      =|   From: Edmond Chow [mailto:echow () gettechnologies com]
>      =|   Sent: Friday, August 26, 2005 7:23 PM
>      =|   To: security-basics () securityfocus com
>      =|   Cc: Edmond Chow
>      =|   Subject: RE: Computer forensics to uncover illegal
>      =|   internet use
>      =|
>      =|
>      =|   Dear List,
>      =|
>      =|   I'm working on the following project and would
>      =|   appreciate your views:
>      =|
>      =|   I have been tasked with finding out if a certain
>      =|   desktop computer was used to view pornographic sites
>      =|   on the internet.  This user has gone to great lengths
>      =|   to try to mask his illegal activities by erasing
>      =|   cookies, temp.
>      =|   files and by installing anti-spyware software on his
>      =|   computer.  Are there any tools that would allow me to
>      =|   still uncover proof that he had accessed these sites?
>      =|    So far, the tech department is telling me that he
>      =|   did access illegal sites on only two dates but I
>      =|   suspect that this illegal activity started many
>      =|   months or years ago and it will be up to me to find
>      =|   more proof.
>      =|
>      =|   Also, at a network level, we know his IP address but
>      =|   yet my technical support department is telling me
>      =|   that they cannot (either because they don't want to
>      =|   or because they are not technically capable of) tell
>      =|   me what internet sites this IP address has accessed
>      =|   in the past.  Logically, there must be a point in the
>      =|   network (on some piece of hardware) where I can
>      =|   consult log files to track his activities?  Or, is
>      =|   there a log file that I can consult that will tell me
>      =|   what sites all my users have accessed and from what
>      =|   IP address?
>      =|
>      =|   In terms of access to the desktop in question, I will
>      =|   have full access as the computer will be in my
>      =|   possession in the coming days.
>      =|
>      =|   Thank-you and any help that you can provide would be
>      =|   most appreciated.
>      =|
>      =|   Regards,
>      =|
>      =|
>      =|   Edmond
>      =|
>      =|
>      =|
>      =|
>
> --
> No virus found in this incoming message.
> Checked by AVG Anti-Virus.
> Version: 7.0.344 / Virus Database: 267.10.17/84 - Release
> Date: 8/29/2005
>
> --
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.344 / Virus Database: 267.10.17/84 - Release
> Date: 8/29/2005