Re: Computer forensics to uncover illegal internet use

From: Mike Sweeney (mikesweeney_at_packetattack.com)
Date: 08/30/05

  • Next message: Keenan Smith: "RE: Computer forensics to uncover illegal internet use"
    Date: Mon, 29 Aug 2005 21:40:30 -0700
    To: "Edmond Chow" <echow@gettechnologies.com>
    
    

    Before anything.. make a copy of the disk and lock the original away
    with a chain of evidence. Use Ghost or DD. Work only on a copy.

    Examine the disk using something like Knoppix STD or Audit or other
    bootable CD.

    swap file..
    history files for IE
    Alternative Browser history files
    use an undelete tool to see what might be recovered for cookies etc
    check for firewall logs or proxy server logs

    If he is really that clever, look for alternative data streams and
    hidden files..
    Look for a hidden partition

    Some history and last URLs can be found in the registry

    I'm sure others will toss in their 3 cents too :)

    MikeS
    ____________________________________

    mikesweeney@packetattack.com
    www.packetattack.com
    Home of "Network Security using Linux"

    Office 714.637.4235

    On Aug 29, 2005, at 8:45 PM, Edmond Chow wrote:

    >
    > Dear List,
    >
    > I'm working on the following project and would appreciate your views:
    >
    > I have been tasked with finding out if a certain desktop computer was used
    > to view pornographic sites on the internet. This user has gone to great
    > lengths to try to mask his illegal activities by erasing cookies, temp.
    > files and by installing anti-spyware software on his computer. Are there
    > any tools that would allow me to still uncover proof that he had accessed
    > these sites? So far, the tech department is telling me that he did access
    > illegal sites on only two dates but I suspect that this illegal activity
    > started many months or years ago and it will be up to me to find more proof.
    >
    > Also, at a network level, we know his IP address but yet my technical
    > support department is telling me that they cannot (either because they don't
    > want to or because they are not technically capable of) tell me what
    > internet sites this IP address has accessed in the past. Logically, there
    > must be a point in the network (on some piece of hardware) where I can
    > consult log files to track his activities? Or, is there a log file that I
    > can consult that will tell me what sites all my users have accessed and from
    > what IP address?
    >
    > In terms of access to the desktop in question, I will have full access as
    > the computer will be in my possession in the coming days.
    >
    > Thank you and any help that you can provide would be most appreciated.
    >
    > Regards,
    >
    > Edmond
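The first step in Mike's reply (copy the disk with dd, lock the original away, keep a chain of evidence) as an added example that is not part of the original post: a POSIX shell routine that images a source with dd, hashes the source before and after, hashes the image, and appends the record to a custody log. The device path, file names and the availability of sha256sum or shasum are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): image a disk with dd and
# record SHA-256 hashes for the chain-of-custody log. Assumes a POSIX host
# with dd plus sha256sum or shasum; device and file names are assumptions.
# Attach the original read-only (write blocker or a read-only mount) first.

# Print only the SHA-256 digest of a file, whichever tool is available.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image SOURCE IMAGE: succeed only if both hash identically.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# image_and_verify SOURCE IMAGE CUSTODY_LOG
#   1. hash the source before it is touched
#   2. copy it bit-for-bit with dd (no conv=sync: padding would change the
#      image hash; on a failing disk use a forensic dd variant instead)
#   3. hash the source again (shows it was not altered) and the image
#   4. append operator, time and all three hashes to the custody log
# Returns 0 when every hash agrees, 1 otherwise.
image_and_verify() {
    src="$1"; img="$2"; log="$3"
    pre=$(hash_file "$src") || return 1
    dd if="$src" of="$img" bs=65536 2>/dev/null || return 1
    post=$(hash_file "$src") || return 1
    imgh=$(hash_file "$img") || return 1
    {
        echo "date_utc:             $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "operator:             ${USER:-unknown}"
        echo "source:               $src"
        echo "image:                $img"
        echo "source_sha256_before: $pre"
        echo "source_sha256_after:  $post"
        echo "image_sha256:         $imgh"
    } >>"$log"
    [ "$pre" = "$post" ] && [ "$pre" = "$imgh" ]
}

# Usage with an assumed device name:
#   image_and_verify /dev/sdb /evidence/sdb.dd /evidence/custody.log
```

Work only on the image afterwards, as the reply says; the custody log plus a later `verify_image` run lets anyone re-check that the working copy still matches what was seized.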

