RE: investigating misuse of the internet

From: Reava, Jeffrey [IT/0200] (jeffrey.reava_at_pharmacia.com)
Date: 07/09/03

    To: "'ICT User'" <ictuser2002@yahoo.co.uk>, focus-ms@securityfocus.com
    Date: Wed, 9 Jul 2003 07:52:45 -0500

    Assuming that you're using IE, here is a list that will be a fair indicator:

    Temporary Internet Files
    History
    Cookies
    Index.dat - use pasco, spider, datalifter ($), bintext or strings.exe to
    retrieve saved browsing history

    Then some registry keys may be important to check also:

    typed URLs from Internet Explorer Address Bar (unaffected by 0-day History
    setting)
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

    Windows Explorer OpenSaveMRU list (If any files are saved to other locations
    using the File|Save common control dialog box)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

    Contents of the Run line
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

    If legality is a concern here, it's best to use these tools on a ghost or dd
    image of the drive, not the original system.

    Depending on how much time it takes you to gather and present the
    information, it may make sense to automate the imaging and data extraction
    for this specific type of investigative request. The registry piece may be a
    bit dicey, but everything else can be automated using Sleuthkit forensic
    tools. I'm working on a process to do that; if you think it would be helpful
    drop me a note and I'll share what I've got.

    Jeff

    -----Original Message-----
    From: ICT User [mailto:ictuser2002@yahoo.co.uk]
    Sent: Wednesday, July 09, 2003 4:22 AM
    To: focus-ms@securityfocus.com
    Subject: investigating misuse of the internet

    Hello all,

    Occasionally our monitoring software alerts us that
    someone has tried to access a dodgy web site. If it
    is deemed serious enough then as well as the reports
    that we can generate from the software, we are asked to
    actually go and check out the user's machine for any
    evidence of misuse.

    Does anyone know of a formal check list of stuff to go
    through when doing this on a Windows PC (98 or 2000)?
    I have found lots of info about what to look for when
    investigating a hacked PC, but what about when looking
    for signs of a user's internet activity? Temporary
    internet files, history, cookies, search for jpegs,
    mpegs, etc. These are the sort of things we normally
    look at, but I want to make sure that I don't miss
    anything important just in case it goes legal.

    Also, if the user had set Internet Explorer options to
    keep 0 days history then does this mean all evidence
    has gone, or is there anything else I can look at,
    e.g. any registry keys?

    Thanks,

    Andy


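As an added example (not from Jeff's or Andy's messages): a small Python parser that takes a `reg export` of the three keys Jeff lists, reconstructs the MRUList ordering, and strips the trailing `\1` that RunMRU appends to each command. It assumes the suspect's NTUSER.DAT was copied from the disk image and loaded under `HKU\Evidence` with `reg load` (the hive name is my choice); the export text below is constructed sample data, not real evidence.

```python
import re
# Constructed sample (not real evidence): `reg export` output for the three keys, taken
# after NTUSER.DAT from the disk image was mounted with `reg load HKU\Evidence <path>`.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_USERS\Evidence\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://intranet.example.test/"
"url2"="http://dodgy.example.test/gallery"
[HKEY_USERS\Evidence\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
"b"="regedit\\1"
"c"="notepad c:\\temp\\notes.txt\\1"
"MRUList"="cab"
[HKEY_USERS\Evidence\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\jpg]
"a"="C:\\Documents and Settings\\andy\\My Documents\\pic1.jpg"
"b"="D:\\pic2.jpg"
"MRUList"="ba"
'''
KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # REG_SZ only; dword:/hex: lines are skipped

def parse_reg_export(text):
    """Return {key_path: {value_name: data}}, undoing .reg escaping of \\ and \"."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current = m.group(1)
        elif current is not None and (m := VAL_RE.match(line)):
            keys.setdefault(current, {})[m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return keys

def mru_order(values):
    """Order slots by MRUList (most recent first); RunMRU data ends in a literal '\\1'."""
    items = []
    for slot in values.get('MRUList', ''):
        data = values.get(slot)
        if data is not None:                  # MRUList may name a slot that was never written
            items.append(data[:-2] if data.endswith('\\1') else data)
    return items

def summarize(text):
    out = {'typed_urls': [], 'run_mru': [], 'open_save_mru': {}}
    for path, values in parse_reg_export(text).items():
        if path.endswith('\\TypedURLs'):      # url1..urlN, url1 = most recently typed
            slots = sorted((k for k in values if k.startswith('url')), key=lambda k: int(k[3:]))
            out['typed_urls'] = [values[k] for k in slots]
        elif path.endswith('\\RunMRU'):
            out['run_mru'] = mru_order(values)
        elif '\\OpenSaveMRU\\' in path:       # one subkey per file extension
            out['open_save_mru'][path.rsplit('\\', 1)[1]] = mru_order(values)
    return out
```

Real exports are UTF-16LE, so read them with `open(path, encoding='utf-16')` before passing the text to summarize(). On Vista and later the dialog history lives in OpenSavePidlMRU as binary PIDL data, which this REG_SZ-only parser deliberately skips.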
