Re: Computer forensics to uncover illegal internet use

["Dave Aronson (SecBasics)" <sfbasics2dave () davearonson com>]

Edmond Chow [echow () gettechnologies com] writes:

> I have been tasked with finding out if a certain desktop computer was used
> to view pornographic sites on the internet.  This user has gone to great
> lengths to try to mask his illegal activities by erasing cookies,

So examine the deleted filespace too.  Sure, the blocks used by the cookies and other temp files may have been 
overwritten by now, but probably not.  I doubt he would have gone to the trouble to ensure that by hand.

Sorry, I am not personally familiar with the latest tools to do that.  Mount the drive as a second HD (NOT THE FIRST 
ONE, you don't want to run anything on it, don't even swap to it) under Linux, and it should be easy to look at it 
exactly bit by bit, and thereby search the deleted space for things like cookies, jpgs, etc.

> Also, at a network level, we know his IP address but yet my technical
> support department is telling me that they cannot (either because they
> don't want to or because they are not technically capable of) tell me
> what internet sites this IP address has accessed in the past.
> Logically, there must be a point in the network (on some piece of
> hardware) where I can consult log files to track his activities?  Or,
> is there a log file that I can consult that will tell me what sites
> all my users have accessed and from what IP address?

It all depends on what tools your network uses, how they are arranged, how verbose the logs are, how soon they are 
purged, etc.  It is very possible that there is no such log, but any company would be well-served to at least log what 
URLs are accessed from which IPs, "for, uh, just such an emergency".


-Dave