Re: Computer forensics to uncover illegal internet use

["Jason Coombs" <jasonc () science org>]

Are you searching for evidence of child pornography?

If so, you need to stop your work right now. That kind of thing must be done with experienced help, because you can end 
up being prosecuted for the same child pornography offenses that you are investigating.

Furthermore, you need a very solid understanding of the limits of computer forensics as far as gathering reliable 
evidence, and you clearly do not have that understanding.

You have already drawn a number of invalid conclusions, such as that the use of privacy protection software equates to, 
and is proof of, the user's efforts to conceal his illegal activities.

Are you aware that if the user had not used antispyware and anti-cookie software, that the computer would definitely be 
filled with evidence that your examination could misinterpret or misrepresent to others in your report?

Those privacy and data sanitation programs are used to protect the user from harm as a result of YOUR MISTAKES. Those 
programs also protect the user against harm caused by hidden third-party control over the computer, which may result in 
illegal activities being present on the computer's hard drive despite the innocence of the computer user, just as much 
as they are used for other reasons.

I would be happy to discuss these issues with you further, and offer you additional insight privately.

Sincerely,

Jason Coombs
jasonc () science org


-----Original Message-----
From: Edmond Chow <echow () gettechnologies com>
Date: Fri, 26 Aug 2005 19:23:01 
To:security-basics () securityfocus com
Cc:Edmond Chow <echow () videotron ca>
Subject: RE: Computer forensics to uncover illegal internet use


Dear List,

I'm working on the following project and would appreciate your views:

I have been tasked with finding out if a certain desktop computer was used
to view pornographic sites on the internet.  This user has gone to great
lengths to try to mask his illegal activities by erasing cookies, temp.
files and by installing anti-spyware software on his computer.  Are there
any tools that would allow me to still uncover proof that he had accessed
these sites?  So far, the tech department is telling me that he did access
illegal sites on only two dates but I suspect that this illegal activity
started many months or years ago and it will be up to me to find more proof.

Also, at a network level, we know his IP address but yet my technical
support department is telling me that they cannot (either because they don't
want to or because they are not technically capable of) tell me what
internet sites this IP address has accessed in the past.  Logically, there
must be a point in the network (on some piece of hardware) where I can
consult log files to track his activities?  Or, is there a log file that I
can consult that will tell me what sites all my users have accessed and from
what IP address?

In terms of access to the desktop in question, I will have full access as
the computer will be in my possession in the coming days.

Thank-you and any help that you can provide would be most appreciated.

Regards,


Edmond