Re: Computer forensics to uncover illegal internet use

From: Steven Kalcevich (lists_at_ciscokid.net)
Date: 08/30/05

  • Next message: Steve.Cummings_at_barclayscapital.com: "Re: what to do?" 
    Date: Tue, 30 Aug 2005 13:40:02 -0400
To: Steve Hillier <securityfocus@mastermindtoys.com>

    See if they have auto complete on the web broser go to say google or
    yahoo most people use those and see if they have searched for items just
    double click the input box. otherwise some porn sites add bookmarks
    check pcs for porn bookmarks.

    Steve Hillier wrote:

    >If they use any type of internal HTTP Proxy server and it has logging
    >enabled there is a log file that should show you what URLs were visited
    >from any internal IP address, provided they went through the proxy server.
    >
    >If they don't force users on the network through the HTTP proxy, or they
    >don't have logging enabled on the proxy, they won't have the information
    >you're looking for.
    >
    >As for the forensics, you may want to read the following:
    >http://www.securityfocus.com/infocus/1827
    >http://www.securityfocus.com/infocus/1832
    >
    >sph
    >
    >
    >On 08/26/2005 7:23 p, Edmond Chow wrote:
    >
    >
    >>Dear List,
    >>
    >>I'm working on the following project and would appreciate your views:
    >>
    >>I have been tasked with finding out if a certain desktop computer was used
    >>to view pornographic sites on the internet. This user has gone to great
    >>lengths to try to mask his illegal activities by erasing cookies, temp.
    >>files and by installing anti-spyware software on his computer. Are there
    >>any tools that would allow me to still uncover proof that he had accessed
    >>these sites? So far, the tech department is telling me that he did access
    >>illegal sites on only two dates but I suspect that this illegal activity
    >>started many months or years ago and it will be up to me to find more proof.
    >>
    >>Also, at a network level, we know his IP address but yet my technical
    >>support department is telling me that they cannot (either because they don't
    >>want to or because they are not technically capable of) tell me what
    >>internet sites this IP address has accessed in the past. Logically, there
    >>must be a point in the network (on some piece of hardware) where I can
    >>consult log files to track his activities? Or, is there a log file that I
    >>can consult that will tell me what sites all my users have accessed and from
    >>what IP address?
    >>
    >>In terms of access to the desktop in question, I will have full access as
    >>the computer will be in my possession in the coming days.
    >>
    >>Thank-you and any help that you can provide would be most appreciated.
    >>
    >>Regards,
    >>
    >>
    >>Edmond
    >>
    >>
    >>
    >>
    >>
    >>
    >>
    >
    >
    >

  • Next message: Steve.Cummings_at_barclayscapital.com: "Re: what to do?"