Security Basics mailing list archives
RE: Computer forensics to uncover illegal internet use
From: "Joel A. Folkerts" <jfolkert () hiwaay net>
Date: Tue, 30 Aug 2005 07:54:47 +0200
Edmond,

You need to tackle this problem from two fronts: the user's computer and the network. Legal issues aside, the first thing you need to do is get smart on computer forensics. If your company plans on combating this numerous times, you probably want to invest in some hardware and software. The hardware doesn't have to be anything special - a simple PC with moderate hard drive space that has free 5 1/2" bays. The software is a little pricier - I recommend either EnCase ~ $3,000 (http://www.encase.com/products/ef_index.asp) or FTK ~ $1,000 (http://www.accessdata.com/Product04_Overview.htm?ProductNum=04). I personally prefer EnCase but both products are equally capable. If your budget is restrictive - you can use a suite of free or relatively inexpensive tools. For the budget conscious - here is just one example of how you can do it: http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-willis-c/bh-us-03-willis.pdf

Coming from a law enforcement background, there are fundamental steps that must be taken to ensure the exam is legally sufficient. You must image the machine (make an exact bit-for-bit replica of the user's hard drive). This ensures that you are working from a copy and not altering the original drive. The next thing you must do is lock up the original for evidentiary purposes. (This allows the user's lawyers to compare your findings with the original so he or she cannot claim you planted evidence.) Conduct the exam. During this entire process, document everything! It may seem overkill but the notes can make all the difference.

Regardless of how you obtain forensic access to the user's machine - there are a ton of little niches in which Internet activity is stored. (http://www.securityfocus.com/print/infocus/1827)

Now onto the network side -- If you have a moderate to large company, you're most likely using a proxy device to access the web. This device provides a centralized point of controlling and logging web use. *Most* companies do not store these logs for more than 30 days - the logs simply take up too much room.

Above all - make sure you're legally cleared to conduct the exam and obtain proxy information. There's nothing more frustrating than having a whiny lawyer get your case dismissed because of a minor legal issue. Even if this is all being done in-house and you don't foresee this going to court - always be prepared for that day to come. The user can turn around and sue your company for numerous reasons if he or she feels they were unjustly fired.

Good luck!

-Joel

-----Original Message-----
From: Edmond Chow [mailto:echow () gettechnologies com]
Sent: Saturday, August 27, 2005 1:23 AM
To: security-basics () securityfocus com
Cc: Edmond Chow
Subject: RE: Computer forensics to uncover illegal internet use

Dear List,

I'm working on the following project and would appreciate your views: I have been tasked with finding out if a certain desktop computer was used to view pornographic sites on the internet. This user has gone to great lengths to try to mask his illegal activities by erasing cookies, temp. files and by installing anti-spyware software on his computer. Are there any tools that would allow me to still uncover proof that he had accessed these sites? So far, the tech department is telling me that he did access illegal sites on only two dates but I suspect that this illegal activity started many months or years ago and it will be up to me to find more proof.

Also, at a network level, we know his IP address but yet my technical support department is telling me that they cannot (either because they don't want to or because they are not technically capable of it) tell me what internet sites this IP address has accessed in the past. Logically, there must be a point in the network (on some piece of hardware) where I can consult log files to track his activities?
Or, is there a log file that I can consult that will tell me what sites all my users have accessed and from what IP address? In terms of access to the desktop in question, I will have full access as the computer will be in my possession in the coming days.

Thank you, and any help that you can provide would be most appreciated.

Regards,

Edmond
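Two of the steps discussed in this exchange, as an added Python example that is not part of Joel's or Edmond's posts: verifying a bit-for-bit image against its source with SHA-256 (with a line for the running examination log), and pulling one client address's history out of proxy logs to find the earliest and latest dates it appears. The log lines, addresses and hostnames are constructed, the Squid native access.log layout is assumed (other proxies log differently), and the custody-entry format is my own.

```python
"""Added example (not from the original thread): verify a bit-for-bit image
and summarise one client's web activity from Squid-style proxy logs.
All sample data below is constructed."""
import hashlib
import io
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlparse


def sha256_of(fobj, chunk=1 << 20):
    """Hash a file-like object from its start, reading in chunks."""
    fobj.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()


def image_and_verify(source, destination, chunk=1 << 20):
    """Copy every byte of source to destination, then hash both sides.

    Matching hashes show the working copy is faithful; the source hash,
    kept with the locked-up original, later shows the original was not
    altered after it was secured."""
    source.seek(0)
    destination.seek(0)
    for block in iter(lambda: source.read(chunk), b""):
        destination.write(block)
    destination.truncate()
    src_hash = sha256_of(source)
    img_hash = sha256_of(destination)
    return {"source_sha256": src_hash, "image_sha256": img_hash,
            "verified": src_hash == img_hash}


def custody_entry(when, examiner, action, detail):
    """One line for the running examination log (format is my own)."""
    return f"{when.isoformat()} | {examiner} | {action} | {detail}"


# Assumed Squid native access.log layout:
#   epoch.ms elapsed client result/code bytes method URL ident hierarchy type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<ip>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_of(url):
    """Hostname of an absolute URL, or the bare host of a CONNECT target (host:port)."""
    if "://" in url:
        return urlparse(url).hostname or url
    return url.split(":", 1)[0]


def activity_for_ip(lines, client_ip):
    """Requests made by one client address: first/last seen and per-host counts.

    Lines for other clients and lines that do not parse are skipped; a None
    result means the address never appears in the logs that were retained."""
    hosts = Counter()
    seen = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m or m.group("ip") != client_ip:
            continue
        seen.append(datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc))
        hosts[host_of(m.group("url"))] += 1
    if not seen:
        return None
    return {"first_seen": min(seen), "last_seen": max(seen),
            "requests": sum(hosts.values()), "hosts": dict(hosts)}


def _epoch(y, mo, d, hh, mm):
    return datetime(y, mo, d, hh, mm, tzinfo=timezone.utc).timestamp()


def _rec(ts, ip, method, url):
    return f"{ts:.3f}    212 {ip} TCP_MISS/200 5120 {method} {url} - DIRECT/203.0.113.10 text/html"


# Constructed log; 10.0.0.25 stands in for the workstation under review.
SAMPLE_LOG = [
    _rec(_epoch(2005, 3, 14, 10, 5), "10.0.0.25", "GET", "http://news.example.com/index.html"),
    _rec(_epoch(2005, 3, 14, 10, 7), "10.0.0.25", "GET", "http://news.example.com/story?id=1"),
    _rec(_epoch(2005, 6, 2, 14, 30), "10.0.0.25", "CONNECT", "videos.example.net:443"),
    _rec(_epoch(2005, 8, 20, 9, 0), "10.0.0.40", "GET", "http://intranet.example.com/"),
    _rec(_epoch(2005, 8, 25, 16, 45), "10.0.0.25", "GET", "http://videos.example.net/watch?v=1"),
    "this line is not a squid record",
]


def demo_image_check(data=b"constructed disk contents " * 1000):
    """Image an in-memory 'drive' and return the verification result."""
    return image_and_verify(io.BytesIO(data), io.BytesIO())


if __name__ == "__main__":
    res = demo_image_check()
    print(custody_entry(datetime.now(timezone.utc), "examiner", "imaged drive",
                        f"sha256={res['source_sha256']} verified={res['verified']}"))
    summary = activity_for_ip(SAMPLE_LOG, "10.0.0.25")
    print(summary["first_seen"].date(), "to", summary["last_seen"].date(), summary["hosts"])
```

The hashes are computed by reading the image back rather than hashing the bytes as they are written, so a write that silently failed would show up as a mismatch. On a real proxy the usable window is bounded by the retention period Joel mentions, which is why the earliest date in the summary should be read together with the date of the oldest line the proxy still holds.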