RE: investigating misuse of the internet
From: Mark McConnell (mmcconnell_at_ctiusa.com)
Date: Wed, 9 Jul 2003 13:11:12 -0400 To: <Jason.North@ch2m.com>, <firstname.lastname@example.org>
Just a note here, I have seen a couple of posts in this thread that mention the "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs " registry key as a place to gather local evidence. This really only works if the user types the URL in the URL field, not if the user types ctr-o (File|Open) and then types the URL. Just a heads up....
From: Jason.North@ch2m.com [mailto:Jason.North@ch2m.com]
Sent: Wednesday, July 09, 2003 11:13 AM
Subject: re:investigating misuse of the internet
A few initial thoughts, based on my experience.
1. How important is the maintenance of evidence for legal purposes? (Not just prosecution of the offender, I have had more than one lawyer try to rake me over the coals on behalf of an alleged 'wrongfully terminated' former employee...
2. Also in that vein, is it clearly defined what a 'dodgy' website is? This is kind of difficult, and can also be the subject of inquiry. One person's trash is another's pleasure, as they say. The best way I have seen to handle this is a committee (no more than 5) that decides, based on majority (during a weekly review of web usage) to pursue naughty internet users. The committee that I worked on spanned Computer Security(3), IT(1), and HR(1).
3. 0 days history will severely limit your ability to collect evidence locally. Also, the logs are really your friend in this. I would say that upwards of 80% of people I have investigated cleared their local data on a regular basis, some of them even used tools (like EvidenceEliminator) to facilitate this.
4. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs Will keep a record of the URLs a user typed in themselves, but not of followed links.
Having gotten that out of the way, here is my personal (not CH2MHill's) opinion on a good checklist. In my infinite mercy, I will give the short steps first, followed by detail...
1.Extract log data for user/machine from proxy/firewall
2a. Review data for violations of acceptable use.
2b Collect screenshots of websites.
3a Remote (or local) search of local HD
3b Remote search of user's network storage
4 Copy and review index.dat files from url history
5 (Reporting process)
The long form:
1. Extract all relevant proxy (or firewall) data for the user for the period of investigation (which in most cases should not exceed a 7 day period, but might). This is made easier if you use something like WebSweeper that allows a nice graphical dump, otherwise, its to the logs. Hopefully, your logs map to a user's domain account, and not their machine name/IP. These days, even Squid can be configured to authenticate via NTLM.
2. Review the log data, looking for trends. This is the fuzzy part, where you're looking for specific stuff, and then looking for other things that stand out. I have found mangement types to like an abbreviated extract, showing only the stuff folks should not have been doing. Typically I also collect screenshots of the websites a user visited that were out of bounds, and insert them into a word document
3. Depending on your company policies, you might or might not search the user's HD and network storage. This is handily done if your subject is running Windows NT or Windows 2000. Mounting the user's local drives (and network home directory, where applicable) in turn, perform the following search: *.jpg;*.gif;*.avi;*.mpg;*.zip;*.ppt;*.bmp;*.rar;*.ace;*.rm;*.ram;*.mpeg;*.7z
This will save you the time of digging through the drives and temporary internet files, etc, and rar, ace, and 7z files tend to be an indicator that someone may be doing something untoward, as they are often used by warez/cracks distributors, and have not (IME) found alot of mainstream popularity. On Windows 98 machines, the only really good way to get at the local drives is locally, from the machine itself. The same search string should work handily, but you also get into the question of evidence maitenance, particularly as Win98 has no means to verify file ownership...
4. the index.dat file(s) (on windows 2000, under Documents and Settings\northj\Local Settings\History\History.IE5) are also a good source of detail (particularly if your logs don't map to usernames), but are a bit hard on managerial eyes. I like to get a copy of the file(s), and I wrote a little VB app to render the data into a more accessible format. Like with the logs, look for traffic outside of acceptable use, and collect samples (screenshots) of web pages.
5. Odds are, you have a reporting/escalation process already.
Occasionally our monitoring software alerts us that
someone has tried to access a dodgy web site. If it
is deemed serious enough then as well as the reports
the we can generate from the software, we are asked to
actually go and check out the user's machine for any
evidence of misuse.
Does anyone know of a formal check list of stuff to go
through when doing this on a Windows PC (98 or 2000).
I have found lots of info about what to look for when investigating a hacked PC, but what about when looking for signs of a user's internet activity? Temporary internet files, history, cookies, search for jpegs, mpegs, etc. These are the sort of things we normally look at, but I want to make sure that I don't miss anything important just in case it goes legal.
Also, if the user had set Internet Explorer options to
keep 0 days history then does this mean all evidence
has gone, or is there anything else I can look at,
e.g. any registry keys?
--- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.498 / Virus Database: 297 - Release Date: 7/8/2003 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.498 / Virus Database: 297 - Release Date: 7/8/2003 ----------------------------------------------------------------------------- ------------------------------------------------------------------------------