Re: illegal activity on non-networked computer



ColdFusion <fusionnetjoe2@xxxxxxxxx> writes:

If anyone has any information that can help me, please feel free to
respond.

I was recently contracted to investigate a
situation..........Someone had tampered with a computer and saved some
pictures of illegal activity on the hard drive.

Ugh.

The computer was not
at any time connected to the internet, used the Ubuntu operating
system, had a system admin account with password protection and a
general user account for any other use.

FYI: None of which prevents a user from booting an alternate operating
system.

I am trying to figure out how they altered the dates in the file
that they were saved to the hard drive. If I'm not
clear.................Some pictures were saved to the hard drive on
(let's say) January 1, 2009 but yet the file properties say the
file was saved on February 1, 2009 and altered on December 1, 2008. I
have never encountered a situation where there was a discrepancy
between the saved date and altered date like this.

There are utilities designed to muck with timestamps to make forensics
nearly impossible. Things like timestomp and I'm sure there are
others.

Another question is how to track how the files were placed on the
hard drive. Whether by disk, USB, or other media; there should be
some trace of where the pictures came from.

You can scrape through the system logs, but this level of logging at
least isn't something I've seen. You can maybe see through logs or
dmesg if there were external devices inserted into the system and then
you can perhaps correlate times and make a good guess. Grok through
the various .*history files in user accounts, but you may not find
anything as I suspect that -- if the attacker didn't have access to
the 2 OS level accounts, they simply threw in a bootable linux CD or
equivalent, and could've written things to the drive directly from
that OS, leaving no traces on the disk other than the files and
(possibly modified) timestamps.

--
Todd H.
http://www.toddh.net/
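
Added example, not part of the original message: one way to do the log correlation the reply describes, matching removable-media lines in syslog against each file's timestamps. The log lines, file names and timestamps are constructed samples, and the function names and the 15-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog lines (kernel messages); not taken from the case above.
SAMPLE_LOG = """\
Jan  1 09:58:40 box kernel: [ 1020.000000] eth0: link is not ready
Jan  1 10:02:11 box kernel: [ 1234.567890] usb 1-1: new high speed USB device using ehci_hcd and address 2
Jan  1 10:02:16 box kernel: [ 1239.501234] sd 2:0:0:0: [sdb] Attached SCSI removable disk
Jan  1 10:15:40 box kernel: [ 2043.100000] usb 1-1: USB disconnect, address 2
"""

# Constructed file timestamps, as they would be read with stat() from a read-only image.
SAMPLE_FILES = {
    "a.jpg": {"mtime": datetime(2008, 12, 1, 9, 0, 0), "ctime": datetime(2009, 1, 1, 10, 5, 30)},
    "b.jpg": {"mtime": datetime(2009, 2, 1, 14, 0, 0), "ctime": datetime(2009, 2, 1, 14, 0, 0)},
}

DEVICE_PATTERNS = [
    ("usb-attach", re.compile(r"usb \S+: new .* USB device")),
    ("disk-attach", re.compile(r"Attached SCSI removable disk")),
    ("usb-detach", re.compile(r"USB disconnect")),
]

def parse_device_events(log_text, year):
    """Return (timestamp, kind) per removable-media line; syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        for kind, pattern in DEVICE_PATTERNS:
            if pattern.search(line):
                when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
                events.append((when, kind))
                break
    return events

def correlate(files, events, window=timedelta(minutes=15)):
    """Map each file to the device events within `window` of any of its timestamps."""
    result = {}
    for name, stamps in files.items():
        hits = [(field, kind, when)
                for field, stamp in stamps.items()
                for when, kind in events
                if abs(stamp - when) <= window]
        result[name] = hits  # empty list: the logs do not account for this file
    return result

if __name__ == "__main__":
    evts = parse_device_events(SAMPLE_LOG, 2009)
    for name, hits in correlate(SAMPLE_FILES, evts).items():
        print(name, hits or "no device event near any timestamp")
```

An empty result for a file means the installed system's logs hold no device event near any of its timestamps, which is what the boot-from-other-media scenario in the reply would look like.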