Security Basics mailing list archives
RE: Computer forensics to uncover illegal internet use
From: "Sadler, Connie" <Connie_Sadler () Brown edu>
Date: Tue, 30 Aug 2005 12:24:11 -0400
I think the individual below referred to "illegal porn" - which is an entirely different matter. Now you're talking about serious criminal activity, and if this is suspected, you're better off getting Law Enforcement involved early. If you don't, and you end up not handling the "evidence" in a matter consistent with "chain of custody", etc., you could let a criminal "off the hook". If this user is accessing child porn, law enforcement and legal folks must be involved to make anything you do really "stick". Connie -----Original Message----- From: James Leighe [mailto:jamesleighe () gmail com] Sent: Tuesday, August 30, 2005 1:51 AM To: security-basics () securityfocus com Subject: Re: Computer forensics to uncover illegal internet use This sure is allot of trouble to bust someone for looking at porn however to each his own... You could use drive imaging software and then data recovery software to get all the files on the hard drive that have not been written over as of yet, like cookies and the tmp files n' all that noise... Other than that, advanced routers have logging capabilities, if you have an IDS that would be a place too look... you know your network better than we do, check around. Also, here is a list of some interesting registry and file locations, taken from a scanlog from adaware: ------------------------------------------------------------------------ -------------- MRU List Object Recognized! Location: : C:\Documents and Settings\****\recent Description : list of recently opened documents MRU List Object Recognized! Location: : software\microsoft\direct3d\mostrecentapplication Description : most recent application to use microsoft direct3d MRU List Object Recognized! Location: : software\microsoft\direct3d\mostrecentapplication Description : most recent application to use microsoft direct X MRU List Object Recognized! Location: : software\microsoft\directdraw\mostrecentapplication Description : most recent application to use microsoft directdraw MRU List Object Recognized! Location: : S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediapl ayer\medialibraryui Description : last selected node in the microsoft windows media player media library MRU List Object Recognized! Location: : S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediapl ayer\preferences Description : last playlist index loaded in microsoft windows media player MRU List Object Recognized! Location: : S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediapl ayer\preferences Description : last playlist loaded in microsoft windows media player MRU List Object Recognized! Location: : S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows \currentversion\explorer\comdlg32\lastvisitedmru Description : list of recent programs opened MRU List Object Recognized! Location: : S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows \currentversion\explorer\comdlg32\opensavemru Description : list of recently saved files, stored according to file extension MRU List Object Recognized! Location: : S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows \currentversion\explorer\recentdocs Description : list of recent documents opened MRU List Object Recognized! Location: : S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows media\wmsdk\general Description : windows media sdk ------------------------------------------------------------------------ -------------- On 26/08/05, Edmond Chow <echow () gettechnologies com> wrote:
Dear List, I'm working on the following project and would appreciate your views: I have been tasked with finding out if a certain desktop computer was
used
to view pornographic sites on the internet. This user has gone to
great
lengths to try to mask his illegal activities by erasing cookies,
temp.
files and by installing anti-spyware software on his computer. Are
there
any tools that would allow me to still uncover proof that he had
accessed
these sites? So far, the tech department is telling me that he did
access
illegal sites on only two dates but I suspect that this illegal
activity
started many months or years ago and it will be up to me to find more
proof.
Also, at a network level, we know his IP address but yet my technical support department is telling me that they cannot (either because they
don't
want to or because they are not technically capable of) tell me what internet sites this IP address has accessed in the past. Logically,
there
must be a point in the network (on some piece of hardware) where I can consult log files to track his activities? Or, is there a log file
that I
can consult that will tell me what sites all my users have accessed
and from
what IP address? In terms of access to the desktop in question, I will have full access
as
the computer will be in my possession in the coming days. Thank-you and any help that you can provide would be most appreciated. Regards, Edmond
Current thread:
- RE: Computer forensics to uncover illegal internet use, (continued)
- RE: Computer forensics to uncover illegal internet use Beauford, Jason (Aug 30)
- RE: Computer forensics to uncover illegal internet use Edmond Chow (Aug 30)
- Re: Computer forensics to uncover illegal internet use Jason Coombs (Aug 30)
- RE: Computer forensics to uncover illegal internet use CJI Support (Aug 30)
- RE: Computer forensics to uncover illegal internet use Bob Radvanovsky (Aug 31)
- RE: Computer forensics to uncover illegal internet use CJI Support (Aug 30)
- RE: Computer forensics to uncover illegal internet use Brunner, Mark (Aug 30)
- RE: Computer forensics to uncover illegal internet use Beauford, Jason (Aug 30)
- Re: Computer forensics to uncover illegal internet use Dave Aronson (SecBasics) (Aug 30)
- RE: Computer forensics to uncover illegal internet use Craig, Tobin (OIG) (Aug 30)
- RE: Computer forensics to uncover illegal internet use Steve.Cummings (Aug 30)
- RE: Computer forensics to uncover illegal internet use Sadler, Connie (Aug 30)
- RE: Computer forensics to uncover illegal internet use dave kleiman (Aug 31)
- RE: Computer forensics to uncover illegal internet use Robinson, Sonja (Aug 30)
- RE: Computer forensics to uncover illegal internet use Robinson, Sonja (Aug 30)
- RE: Computer forensics to uncover illegal internet use Robinson, Sonja (Aug 30)
- Re: Computer forensics to uncover illegal internet use Jason Coombs (Aug 30)
- RE: Computer forensics to uncover illegal internet use dave kleiman (Aug 31)
- Re: Computer forensics to uncover illegal internet use Micheal Cottingham (Aug 31)
- RE: Computer forensics to uncover illegal internet use McKinley, Jackson (Aug 31)
- Re: Computer forensics to uncover illegal internet use Jason Coombs (Aug 31)
- RE: Computer forensics to uncover illegal internet use dave kleiman (Aug 31)
(Thread continues...)
- RE: Computer forensics to uncover illegal internet use Beauford, Jason (Aug 30)