Re: investigating misuse of the internet
From: M. Burnett (mb_at_xato.net)
Date: 07/09/03
- Previous message: Mark McConnell: "RE: investigating misuse of the internet"
- In reply to: ICT User: "investigating misuse of the internet"
- Next in thread: Craig Foster: "RE: investigating misuse of the internet"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <focus-ms@securityfocus.com> Date: Wed, 9 Jul 2003 10:26:46 -0600
If the system has not been powered off, you may be able to type:
ipconfig /displaydns. This will show all recent host name lookups
that are still cached. The advantage of this is that even if the
person used a proxy or tunnel to bypass your monitoring software, the
DNS lookups were still probably done locally.
Of course, if you wish to pursue legal action, you must carefully
consider the ramifications of how you gather evidence.
M.
On Wed, 9 Jul 2003 09:21:57 +0100 (BST), ICT User wrote:
>Hello all,
>
>Occasionally our monitoring software alerts us that someone has
>tried to access a dodgy web site. If it is deemed serious enough
>then as well as the reports the we can generate from the software,
>we are asked to actually go and check out the user's machine for any
>evidence of misuse.
>
>Does anyone know of a formal check list of stuff to go through when
>doing this on a Windows PC (98 or 2000). I have found lots of info
>about what to look for when investigating a hacked PC, but what
>about when looking for signs of a user's internet activity?
>Temporary internet files, history, cookies, search for jpegs, mpegs,
>etc. These are the sort of things we normally look at, but I want
>to make sure that I don't miss anything important just in case it
>goes legal.
>
>Also, if the user had set Internet Explorer options to keep 0 days
>history then does this mean all evidence has gone, or is there
>anything else I can look at, e.g. any registry keys?
>
>Thanks,
>
>Andy
>
>
>
>__________________________________________________ Yahoo! Plus - For
>a better Internet experience
>http://uk.promotions.yahoo.com/yplus/yoffer.html
>
>
>---------------------------------------------------------------------
>--------
>---------------------------------------------------------------------
>---------
-----------------------------------------------------------------------------
------------------------------------------------------------------------------
- Previous message: Mark McConnell: "RE: investigating misuse of the internet"
- In reply to: ICT User: "investigating misuse of the internet"
- Next in thread: Craig Foster: "RE: investigating misuse of the internet"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
