RE: investigating misuse of the internet
From: Shay Wilson (shay_wilson_at_legis.state.ak.us)
Date: 07/09/03
- Previous message: Simon R. Binder: "How to generate list of patches installed?"
- Maybe in reply to: ICT User: "investigating misuse of the internet"
- Next in thread: Richard Bejtlich: "RE: investigating misuse of the internet"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 9 Jul 2003 08:58:40 -0800 To: <focus-ms@securityfocus.com>
What about other browsers?
I was recently investigating a user who used Opera and the settings were set to hide any use so upon closing the cache was cleaned out the history, everything. I found one persistant file that lives through closing the browser and even a reboot
C:\Documents and Settings\username\Application Data\Opera\Opera7\profile\download.dat
contains the path of any downloads including pictures clicked upon to give a close-up view. Does anyone know why that file is persistant?
-----Original Message-----
From: Reava, Jeffrey [IT/0200] [mailto:jeffrey.reava@pharmacia.com]
Sent: Wednesday, July 09, 2003 4:53 AM
To: 'ICT User'; focus-ms@securityfocus.com
Subject: RE: investigating misuse of the internet
Assuming that you're using IE, here is a list that will be a fair indicator:
Temporary Internet Files
History
Cookies
Index.dat - use pasco, spider, datalifter ($), bintext or strings.exe to
retrieve saved browsing history
then some registry keys may be important to check also:
typed URLs from Internet Explorer Address Bar (unaffected by 0-day History
setting)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
Windows Explorer OpenSaveMRU list (If any files are saved to other locations
using the File|Save common control dialog box)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg3
2\OpenSaveMRU
Contents of the Run line
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
If legality is a concern here, its best to use these tools on a ghost or dd
image of the drive, not the original system.
Depending on how much time it takes you to gather and present the
information, it may make sense to automate the imaging and data extraction
for this specific type of investigative request. The registry piece may be a
bit dicey, but everything else can be automated using Sleuthkit forensic
tools. I'm working on a process to do that; if you think it would be helpful
drop me a note and I'll share what I've got.
Jeff
-----Original Message-----
From: ICT User [mailto:ictuser2002@yahoo.co.uk]
Sent: Wednesday, July 09, 2003 4:22 AM
To: focus-ms@securityfocus.com
Subject: investigating misuse of the internet
Hello all,
Occasionally our monitoring software alerts us that
someone has tried to access a dodgy web site. If it
is deemed serious enough then as well as the reports
the we can generate from the software, we are asked to
actually go and check out the user's machine for any
evidence of misuse.
Does anyone know of a formal check list of stuff to go
through when doing this on a Windows PC (98 or 2000).
I have found lots of info about what to look for when
investigating a hacked PC, but what about when looking
for signs of a user's internet activity? Temporary
internet files, history, cookies, search for jpegs,
mpegs, etc. These are the sort of things we normally
look at, but I want to make sure that I don't miss
anything important just in case it goes legal.
Also, if the user had set Internet Explorer options to
keep 0 days history then does this mean all evidence
has gone, or is there anything else I can look at,
e.g. any registry keys?
Thanks,
Andy
__________________________________________________
Yahoo! Plus - For a better Internet experience
http://uk.promotions.yahoo.com/yplus/yoffer.html
----------------------------------------------------------------------------
-
----------------------------------------------------------------------------
-- This communication is intended solely for the use of the addressee and may contain information that is legally privileged, confidential or exempt from disclosure. If you are not the intended recipient, please note that any dissemination, distribution, or copying of this communication is strictly prohibited. Anyone who receives this message in error should notify the sender immediately and delete it from his or her computer. ----------------------------------------------------------------------------- ------------------------------------------------------------------------------ ----------------------------------------------------------------------------- ------------------------------------------------------------------------------
- Previous message: Simon R. Binder: "How to generate list of patches installed?"
- Maybe in reply to: ICT User: "investigating misuse of the internet"
- Next in thread: Richard Bejtlich: "RE: investigating misuse of the internet"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
