Penetration Testing mailing list archives

Re: Internet Explorer History


From: Max Ashton <maxashton () eml cc>
Date: Mon, 17 Jul 2006 10:23:11 +0000

On Monday 17 July 2006 00:13, kruptos wrote:
Hello All,

I have been tasked with recovering the recent history of an individual
laptop. It is suspected that the individual may have gone to an "escort"
site and attempted to make a purchase via company credit card.


First rule of forensics is not to compromise your 'scene'.

Take an image of the hard disk. I recommend using dd or similar to take an 
image of your suspect's hard disk (at the most basic level "dd if=/dev/hda 
of=/home/you/noobhdd.img" .. bear in mind using dd you will need as much free 
space as the original hd contains).  Other tools are fine, but bear in mind 
it needs to be a known documented tool. And take an MD5 hash of the image 
while you're at it.

Only then do any analysis of the hard disk. Most of the forensics live CDs 
contain tools for examining IE's index.dat... BackTrack has one, Helix has 
one... 

But whatever you do, don't ever examine a live environment. A halfway 
competent defence lawyer would just say you put the evidence there yourself. 
At the very best, they'd throw the evidence out and your suspect would claim 
no knowledge of the CC's use; at worst, you could be up for fraud or who 
knows what.

IANAL, check your local laws regarding computer forensics.


-- 
Max Ashton
----------
No amount of network security is as good as a wood chipper.
0x7951CF83  http://www.maxashton.com/pgpkeys/maxashton.asc
----------
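
A minimal acquisition script, added here as an illustration and not part of the original post or its author's tooling, that does what the reply describes: copy the source with dd, record an MD5 of both source and image with a timestamp, and refuse to start when the destination is short of space. The paths, the log layout and the 512-byte block size are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): image a disk with dd the way
# the reply describes, then hash source and image so the copy can be shown
# to match. Paths are arguments; SRC may be a block device or a plain file.
set -u

# Byte size of a block device (blockdev is Linux util-linux) or a plain file.
source_size() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Refuse to start when the destination lacks the free space the post warns
# about. If df cannot report free space the check is skipped, not failed.
check_space() {
    need_kb=$(( ( $(source_size "$1") + 1023 ) / 1024 ))
    free_kb=$(df -Pk "$(dirname "$2")" 2>/dev/null | awk 'NR == 2 { print $4 }')
    [ -z "$free_kb" ] || [ "$free_kb" -gt "$need_kb" ]
}

# acquire_image SRC IMG LOG: copy SRC to IMG with dd, record the MD5 of both
# sides in LOG with a UTC timestamp. Returns 0 only when the hashes agree.
acquire_image() {
    src=$1; img=$2; log=$3
    check_space "$src" "$img" || { echo "not enough free space for $img" >&2; return 2; }
    # conv=noerror,sync reads past bad sectors and zero-pads the short block
    # instead of shifting every later byte. The block size must divide the
    # source size exactly; otherwise the last block is padded and the image
    # hash no longer matches the source hash (mismatch, non-zero return).
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 3
    src_md5=$(md5sum < "$src" | awk '{ print $1 }')
    img_md5=$(md5sum < "$img" | awk '{ print $1 }')
    {
        echo "date:   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src md5=$src_md5"
        echo "image:  $img md5=$img_md5"
    } >>"$log"
    [ "$src_md5" = "$img_md5" ]
}
```

Run it as `acquire_image /dev/hda /home/you/noobhdd.img /home/you/acquisition.log` from a read-only boot environment; the log is what you later produce to show the image matched the disk when it was taken.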
