investigating misuse of the internet

• Previous message: Pogue: "Re: FW: Keyboard Locking/Invisible Screensaver"
• Next in thread: Jason.North_at_ch2m.com: "re:investigating misuse of the internet"
• Maybe reply: Jason.North_at_ch2m.com: "re:investigating misuse of the internet"
• Maybe reply: Reava, Jeffrey [IT/0200]: "RE: investigating misuse of the internet"
• Maybe reply: Mark McConnell: "RE: investigating misuse of the internet"
• Reply: M. Burnett: "Re: investigating misuse of the internet"
• Reply: Craig Foster: "RE: investigating misuse of the internet"
• Maybe reply: Shay Wilson: "RE: investigating misuse of the internet"
• Maybe reply: Richard Bejtlich: "RE: investigating misuse of the internet"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 9 Jul 2003 09:21:57 +0100 (BST)
To: focus-ms@securityfocus.com

Hello all,

Occasionally our monitoring software alerts us that
someone has tried to access a dodgy web site. If it
is deemed serious enough then as well as the reports
the we can generate from the software, we are asked to
actually go and check out the user's machine for any
evidence of misuse.

Does anyone know of a formal check list of stuff to go
through when doing this on a Windows PC (98 or 2000).
I have found lots of info about what to look for when
investigating a hacked PC, but what about when looking
for signs of a user's internet activity? Temporary
internet files, history, cookies, search for jpegs,
mpegs, etc. These are the sort of things we normally
look at, but I want to make sure that I don't miss
anything important just in case it goes legal.

Also, if the user had set Internet Explorer options to
keep 0 days history then does this mean all evidence
has gone, or is there anything else I can look at,
e.g. any registry keys?

Thanks,

Andy

__________________________________________________
Yahoo! Plus - For a better Internet experience
http://uk.promotions.yahoo.com/yplus/yoffer.html

-----------------------------------------------------------------------------
------------------------------------------------------------------------------

• Previous message: Pogue: "Re: FW: Keyboard Locking/Invisible Screensaver"
• Next in thread: Jason.North_at_ch2m.com: "re:investigating misuse of the internet"
• Maybe reply: Jason.North_at_ch2m.com: "re:investigating misuse of the internet"
• Maybe reply: Reava, Jeffrey [IT/0200]: "RE: investigating misuse of the internet"
• Maybe reply: Mark McConnell: "RE: investigating misuse of the internet"
• Reply: M. Burnett: "Re: investigating misuse of the internet"
• Reply: Craig Foster: "RE: investigating misuse of the internet"
• Maybe reply: Shay Wilson: "RE: investigating misuse of the internet"
• Maybe reply: Richard Bejtlich: "RE: investigating misuse of the internet"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]