PaulDotCom mailing list archives
A question about browser history
From: dorne.mabais at googlemail.com (Dorne Mabais)
Date: Wed, 16 Dec 2009 09:52:21 -0500
I figured that after all the good advice I owed an update.

For this particular case, the best piece of advice was to not just rely on the browser logs. After expanding the search to include the network logs, I found that there seemed to be other machines accessing the same sites. While it was not infeasible to assume that multiple people viewed the same bad sites, it did warrant further investigation.

To cut a long story short, it ended up being malware using iframes. It seems to have been caused by a bad password recovery program the people had been trying to use (which is another story).

But two things this incident showed me, which I hope I remember:

1. Never assume that what you assume to be the 'smoking gun' is all there is
2. That it is nice to sometimes prove a person innocent after all the bad stuff seen

Thanks again to all for all the help.

D.M.

On Tue, Nov 10, 2009 at 10:17 PM, David A. Gershman <dagershman_dgt at dagertech.net> wrote:
> > anyone knows of a way this could have happened which backs up the
> > employee's story or do I just go ahead and assume guilt?
>
> First (IMHO)
>
> Don't assume guilt or innocence. Stick to what you were asked...find evidence if it's there. If it's not there, fine. Start assuming anything or taking the employee's "nature" into account and you're doing the manager's/company's job. If this employee gets fired for an 'assumption', you'll feel it. Provide the best evidence you can and let the verdict reside with the company. I know it sounds cold, but when doing forensics it's important to remain as objective as possible.
>
> Second
>
> As for how their history could have been populated, I really have no idea. I do know this, don't just look within the browser. A good piece of malware coming from a thumbdrive could screw with browser files just as easily. Be sure to scour the big picture.
>
> ----------------------------------------
> David A. Gershman
> gershman at dagertech.net
> http://dagertech.net/gershman/
> "It's all about the path!" --d. gershman
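The cross-check described in the message above, comparing the sites in one machine's browser history against the network logs, can be sketched as follows. This is an added example, not part of the original post; the log format, host names and client addresses are constructed, and it assumes the proxy records a Referer, which an embedded (iframe) load normally carries from the embedding page.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log, one request per line:
#   epoch  client_ip  url  referer      ("-" means no Referer was sent)
SAMPLE_LOG = """\
1257260400 10.0.0.21 http://bad-site.example/a.html http://landing-page.example/start.html
1257260460 10.0.0.34 http://bad-site.example/a.html http://landing-page.example/start.html
1257260520 10.0.0.52 http://bad-site.example/a.html http://landing-page.example/start.html
1257264000 10.0.0.21 http://other-bad.example/ -
1257264100 10.0.0.21 http://intranet.example/home -
"""

# Hosts taken from the suspect machine's browser history (constructed).
FLAGGED = {"bad-site.example", "other-bad.example"}


def host(url):
    """Lower-cased host part of a URL, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def summarize(log_text, flagged):
    """Per flagged host: which clients requested it, and from which other hosts."""
    clients = defaultdict(set)
    referers = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        _ts, client, url, ref = parts
        h = host(url)
        if h not in flagged:
            continue
        clients[h].add(client)
        # A Referer on a different host means the request was triggered by
        # another page (link or embedded frame), not typed into the browser.
        if ref != "-" and host(ref) != h:
            referers[h].add(host(ref))
    return {h: {"clients": sorted(clients[h]),
                "cross_site_referers": sorted(referers[h])} for h in clients}


def needs_wider_review(summary, min_clients=2):
    """Flagged hosts requested by several machines, not just the suspect's."""
    return sorted(h for h, s in summary.items() if len(s["clients"]) >= min_clients)
```

A flagged host that appears for several clients with the same cross-site referer is a cue to examine those machines and the referring page before drawing conclusions about any one user.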