RE: Computer forensics to uncover illegal internet use

["Brunner, Mark" <MBrunner () tor fasken com>]

Well Edmund,
I'm not a lawyer and do not intend to offer legal advice...

If you have installed Websense, SurfControl or some other content management system, you could refer to it for IP and 
Active Directory login based web tracking.
If you don't have logging in place, you could setup a sniffer to log his/her actions.  Of course, you may need a fairly 
substantial hard disk on the sniffer because you don't know when you need to capture.
Keystroke logger is another option.  Some will do "screen scraping" to show proof of what was being done at various 
points in the day.

As for analyzing the computer, you could use a pristine hard disk to duplicate the users' disk, then perform a deleted 
file analysis.  This sort of investigation can be as simple or complex as you need to make it.
If you _may_ press charges as a result of this investigation, you're best off getting a forensics evidence consultant 
to come in and do the deed, maintaining chain of evidence and unbiased analysis.
If you are investigating potential policy breach to justify monitoring this particular user (prove that policy was 
breached in the past), just undelete everything and see what is there.
If you are just being nosey, beware the users' assumption of privacy.  

Make sure that whatever you do is within the scope of your WRITTEN and ACKNOWLEDGED policies.
Don't have a personal use and an acceptable usage policy in place and signed by the user?  FORMAT C: ENTER.

Cheers!
Mark

-----Original Message-----
From: Edmond Chow [mailto:echow () gettechnologies com]
Sent: Friday, August 26, 2005 7:23 PM
To: security-basics () securityfocus com
Cc: Edmond Chow
Subject: RE: Computer forensics to uncover illegal internet use



Dear List,

I'm working on the following project and would appreciate your views:

I have been tasked with finding out if a certain desktop computer was used
to view pornographic sites on the internet.  This user has gone to great
lengths to try to mask his illegal activities by erasing cookies, temp.
files and by installing anti-spyware software on his computer.  Are there
any tools that would allow me to still uncover proof that he had accessed
these sites?  So far, the tech department is telling me that he did access
illegal sites on only two dates but I suspect that this illegal activity
started many months or years ago and it will be up to me to find more proof.

Also, at a network level, we know his IP address but yet my technical
support department is telling me that they cannot (either because they don't
want to or because they are not technically capable of) tell me what
internet sites this IP address has accessed in the past.  Logically, there
must be a point in the network (on some piece of hardware) where I can
consult log files to track his activities?  Or, is there a log file that I
can consult that will tell me what sites all my users have accessed and from
what IP address?

In terms of access to the desktop in question, I will have full access as
the computer will be in my possession in the coming days.

Thank-you and any help that you can provide would be most appreciated.

Regards,


Edmond