Security Basics mailing list archives

RE: Computer forensics to uncover illegal internet use


From: "dave kleiman" <dave () isecureu com>
Date: Tue, 30 Aug 2005 01:11:04 -0400

Sounds like you do not have a lot of experience with this.  Remember...

The knowledge, integrity, and credibility of expert witnesses and
investigating police officers can be crucial to the outcome of a case.
Integrity and confidence in the process and the person may be the
determining factor in the success or failure of an investigation.

My advice is to seek the advice of a local computer forensic expert.

If you cannot:

1. Start a chain of custody log on the system.
2. Do not let anyone touch the system.
3. Make forensically sound copies of the H/D or H/Ds.
4. Work only from those copies.
5. You can find what you seek with tools such as EnCase or FTK.
6. If you just need to recover Internet data, you may be able to
utilize Pasco, Galleta, and Rifiuti from Foundstone, even if they cleared
the history and deleted files.


You might want to post this on the forensics_at_securityfocus group.

Regards,


________________________________________________________
Dave Kleiman, CAS, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE

www.SecurityBreachResponse.com www.ComputerForensicInvestigations.com
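Steps 1 through 4 above (chain of custody, forensically sound copies, work only from the copies), as an added Python example that is not part of Dave's post: it hashes the original and the working image, records each custody action in a hash-chained log, and shows that a later edit to any entry is detected. The custodian name, action strings and image bytes are constructed sample values.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

SAMPLE_IMAGE = b"constructed sample image bytes, not real evidence\n" * 64  # stand-in for a disk image

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    """Canonical SHA-256 over every field except the entry's own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, action, custodian, evidence_hash):
    """Append a hash-chained entry: each entry commits to the previous one."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
             "custodian": custodian, "evidence_sha256": evidence_hash,
             "prev_entry_hash": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """True only if every entry's chain link and self-hash are intact."""
    prev = "0" * 64
    for e in log:
        if e["prev_entry_hash"] != prev or e["entry_hash"] != entry_digest(e):
            return False
        prev = e["entry_hash"]
    return True

def demo():
    """Image the sample, verify the copy, then show that editing the log is caught."""
    with tempfile.TemporaryDirectory() as d:
        src, copy = f"{d}/drive.bin", f"{d}/drive.dd"
        for p in (src, copy):  # the copy stands in for a bit-for-bit image
            Path(p).write_bytes(SAMPLE_IMAGE)
        h_src, h_copy = sha256_file(src), sha256_file(copy)
        log = []
        append_entry(log, "seized desktop, sealed", "E. Chow (constructed)", h_src)
        append_entry(log, "created working image", "E. Chow (constructed)", h_copy)
        intact = verify_log(log) and h_src == h_copy
        log[0]["custodian"] = "someone else"  # simulate a later edit to the log
        return intact, verify_log(log)
```

`demo()` returns `(True, False)`: the copy matches the original and the log verifies, and the tampered log no longer does.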
-----Original Message-----
From: Edmond Chow [mailto:echow () gettechnologies com]
Sent: Friday, August 26, 2005 19:23
To: security-basics () securityfocus com
Cc: Edmond Chow
Subject: RE: Computer forensics to uncover illegal internet use


Dear List,

I'm working on the following project and would appreciate your views:

I have been tasked with finding out if a certain desktop
computer was used to view pornographic sites on the internet.
This user has gone to great lengths to try to mask his
illegal activities by erasing cookies and temp. files and by
installing anti-spyware software on his computer.  Are there
any tools that would allow me to still uncover proof that he
had accessed these sites?  So far, the tech department is
telling me that he did access illegal sites on only two dates
but I suspect that this illegal activity started many months
or years ago and it will be up to me to find more proof.

Also, at a network level, we know his IP address but yet my
technical support department is telling me that they cannot
(either because they don't want to or because they are not
technically capable of) tell me what internet sites this IP
address has accessed in the past.  Logically, there must be a
point in the network (on some piece of hardware) where I can
consult log files to track his activities?  Or, is there a
log file that I can consult that will tell me what sites all
my users have accessed and from what IP address?

In terms of access to the desktop in question, I will have
full access as the computer will be in my possession in the
coming days.

Thank you, and any help that you can provide would be most appreciated.

Regards,


Edmond