Penetration Testing mailing list archives
Re: Internet Explorer History
From: Max Ashton <maxashton () eml cc>
Date: Mon, 17 Jul 2006 10:23:11 +0000
On Monday 17 July 2006 00:13, kruptos wrote:
> Hello All, I have been tasked with recovering the recent history of an individual laptop. It is suspected that the individual may have gone to an "escort" site and attempted to make a purchase via company credit card.
First rule of forensics is not to compromise your 'scene'. Take an image of the hard disk.

I recommend using DD or similar to take an image of your suspect's hard disk (at the most basic level "dd if=/dev/hda of=/home/you/noobhdd.img" .. bear in mind using dd you will need as much free space as the original hd contains). Other tools are fine, but bear in mind it needs to be a known documented tool. And take an MD5 hash of the image while you're at it.

Only then do any analysis of the hard disk. Most of the forensics live CDs contain tools for examining IE's index.dat... backtrack has one, helix has one...

But whatever you do, don't ever examine a live environment. A halfway competent defence lawyer would just say you put the evidence there yourself. At the very best, they'd throw the evidence out and your suspect would claim no knowledge of the CC's use, at worst, you could be up for fraud or who knows what.

IANAL, check your local laws regarding computer forensics.

--
Max Ashton
----------
No amount of network security is as good as a wood chipper.
0x7951CF83 http://www.maxashton.com/pgpkeys/maxashton.asc
----------
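The image-then-hash sequence described in the message above, written out as an added example that is not part of the original post. It assumes `md5sum` from GNU coreutils; the function names `acquire_image` and `verify_image` are hypothetical, and the source and image paths are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original post: image a source with dd,
# confirm the copy hashes identically, and record the hash so the image
# can be re-checked before every analysis session.

# md5_of FILE: print only the hex digest of FILE.
md5_of() { md5sum < "$1" | cut -d' ' -f1; }

# acquire_image SRC IMG: copy SRC to IMG and write IMG.md5 and IMG.log.
# Returns 0 only when the image hash equals the source hash.
acquire_image() {
    src=$1; img=$2
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    # Never overwrite an earlier acquisition.
    if [ -e "$img" ]; then echo "refusing to overwrite $img" >&2; return 3; fi
    dd if="$src" of="$img" bs=65536 2>/dev/null || return 4
    src_md5=$(md5_of "$src")
    img_md5=$(md5_of "$img")
    if [ "$src_md5" != "$img_md5" ]; then
        echo "hash mismatch: source $src_md5, image $img_md5" >&2
        return 5
    fi
    # md5sum-style line, plus a timestamped note for the case file.
    printf '%s  %s\n' "$img_md5" "$img" > "$img.md5"
    printf 'acquired %s from %s md5 %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img_md5" >> "$img.log"
    # Read-only permissions guard against accidental writes during analysis.
    chmod a-w "$img" "$img.md5"
}

# verify_image IMG: succeed only if IMG still matches its recorded hash.
verify_image() {
    img=$1
    if [ ! -r "$img.md5" ]; then echo "no recorded hash for $img" >&2; return 2; fi
    recorded=$(cut -d' ' -f1 "$img.md5")
    [ "$(md5_of "$img")" = "$recorded" ]
}

# Stand-alone use: sh acquire.sh SOURCE IMAGE
if [ "$#" -eq 2 ]; then acquire_image "$1" "$2"; fi
```

Run `verify_image` against a working copy before each examination; a non-zero exit means the image no longer matches what was acquired.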