RE: investigating misuse of the internet

From: Craig Foster (fostware_at_iinet.net.au)
Date: 07/09/03

  • Next message: Simon R. Binder: "How to generate list of patches installed?"
    To: "'ICT User'" <ictuser2002@yahoo.co.uk>, <focus-ms@securityfocus.com>
    Date: Thu, 10 Jul 2003 00:39:21 +0800

    ICT User wrote:
    > Hello all,
    >
    > Occasionally our monitoring software alerts us that
    > someone has tried to access a dodgy web site. If it
    > is deemed serious enough then as well as the reports
    > that we can generate from the software, we are asked to
    > actually go and check out the user's machine for any
    > evidence of misuse.
    >
    > Does anyone know of a formal check list of stuff to go
    > through when doing this on a Windows PC (98 or 2000)?
    > I have found lots of info about what to look for when
    > investigating a hacked PC, but what about when looking
    > for signs of a user's internet activity? Temporary
    > internet files, history, cookies, search for jpegs,
    > mpegs, etc. These are the sort of things we normally
    > look at, but I want to make sure that I don't miss
    > anything important just in case it goes legal.
    >
    > Also, if the user had set Internet Explorer options to
    > keep 0 days history then does this mean all evidence
    > has gone, or is there anything else I can look at,
    > e.g. any registry keys?
    >
    > Thanks,
    >
    > Andy
    >

    Never underestimate the usefulness of roaming profiles. Sometimes the
    data in cookies here survives the cleaning process a little longer than
    on the local machine. This gave us a bead on which logs (proxy and login
    audit) to look at and at what times.

    That person is now barred from teaching.

    Craig F.
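The pivot Craig describes, from cookie timestamps that survived in a roaming profile to the proxy and logon-audit records that cover the same minutes, as an added example that is not code from the post or from any product. The cookie file names follow the IE "user@domain.txt" convention; the proxy log layout, logon audit records, host names, user names, times and the two-minute matching window are all constructed assumptions for illustration.

```python
"""Pivot from roaming-profile cookie timestamps to proxy and logon-audit logs.

Added example (not from the list post). All log formats, hostnames, user
names and timestamps below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Cookie artefacts as they might be listed from a roaming profile's Cookies
# folder: IE names them "<user>@<domain>.txt"; the time is the file's last
# modified timestamp. Constructed sample data.
COOKIE_TIMES = [
    ("user@example-adsite.test.txt", datetime(2003, 7, 9, 14, 32, 10)),
    ("user@intranet.example.local.txt", datetime(2003, 7, 9, 9, 5, 0)),
]

# Proxy log lines in a simple "date time client user url" layout. Constructed.
PROXY_LOG = """\
2003-07-09 09:04:58 10.0.0.25 jsmith http://intranet.example.local/home
2003-07-09 14:31:55 10.0.0.25 jsmith http://example-adsite.test/index.html
2003-07-09 14:32:08 10.0.0.25 jsmith http://example-adsite.test/images/a.jpg
2003-07-09 14:40:00 10.0.0.31 bjones http://news.example.org/
"""

# Logon audit records: (user, workstation, logon time, logoff time). Constructed.
LOGON_AUDIT = [
    ("jsmith", "PC-LAB-07", datetime(2003, 7, 9, 8, 55, 0), datetime(2003, 7, 9, 15, 10, 0)),
    ("bjones", "PC-LAB-12", datetime(2003, 7, 9, 14, 0, 0), datetime(2003, 7, 9, 17, 0, 0)),
]

PROXY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (\S+)$")


def cookie_domain(filename):
    """'user@example-adsite.test.txt' -> 'example-adsite.test'."""
    name = filename[:-4] if filename.endswith(".txt") else filename
    return name.split("@", 1)[1] if "@" in name else name


def parse_proxy_log(text):
    """Parse the constructed proxy log into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "client": m.group(2),
            "user": m.group(3),
            "url": m.group(4),
        })
    return entries


def host_matches(url, domain):
    """True when the request host is the cookie domain or a subdomain of it."""
    host = urlparse(url).hostname or ""
    return host == domain or host.endswith("." + domain)


def sessions_covering(audit, when):
    """Which (user, workstation) logon sessions were open at 'when'."""
    return [(u, ws) for u, ws, on, off in audit if on <= when <= off]


def correlate(cookie_times, proxy_entries, audit, window=timedelta(minutes=2)):
    """For each cookie timestamp, collect proxy requests within +/- window and
    the logon sessions open at that moment; each request is flagged when its
    host matches the cookie's domain, which is the corroborating evidence."""
    results = []
    for filename, ts in cookie_times:
        domain = cookie_domain(filename)
        hits = []
        for e in proxy_entries:
            if abs(e["time"] - ts) <= window:
                hits.append(dict(e, domain_match=host_matches(e["url"], domain)))
        results.append({
            "cookie": filename,
            "domain": domain,
            "cookie_time": ts,
            "proxy_hits": hits,
            "sessions": sessions_covering(audit, ts),
        })
    return results


if __name__ == "__main__":
    for r in correlate(COOKIE_TIMES, parse_proxy_log(PROXY_LOG), LOGON_AUDIT):
        print(r["cookie"], r["cookie_time"], "sessions:", r["sessions"])
        for h in r["proxy_hits"]:
            print("   ", h["time"], h["user"], h["url"], "match" if h["domain_match"] else "")
```

The point of the logon-session lookup is that a cookie timestamp alone does not say who was at the keyboard: in the constructed data two users are logged on at 14:32, and it is the authenticated user field in the proxy entries, taken together with the workstation in the audit record, that ties the browsing to one account. Real proxy and audit formats differ, so the parser and the field names are the pieces to adapt.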
