Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Computer forensics to uncover illegal internet use

From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Tue, 30 Aug 2005 17:39:38 -0400
Please contact me offline and I will help you.  I am assuming that you
are not looking at hisoriginal drive but a forensic copy??? If not, kiss
the case goodbye.  If so, I can assist you in network and workstation
correlation.  You must maintain chain of custody.  Who has it now?  What
have they done with it?  Have the booted it or looked at it?  Egads....

And yes, there are plenty of tools, Encase, FTK, SMART, Coroner's
Toolkit, etc.  INFO.DAT file will extract have it but you need to
correlate that with network logs if possible.  You need logs from the
network side, ie. Proxy, firewall, cachefarm, websense, something....
They may or may not have these but the workstation will have quite a bit
he thinks he erased.   NOT! 


Sonja L. Robinson, CISSP, CIFI, CISA, CISM
Forensic Specialist, Digital Investigations
HIP Information Security Group
Tel: 212-806-4125
srobinson () hipusa com
 

-----Original Message-----
From: Edmond Chow [mailto:echow () gettechnologies com] 
Sent: Friday, August 26, 2005 7:23 PM
To: security-basics () securityfocus com
Cc: Edmond Chow
Subject: RE: Computer forensics to uncover illegal internet use


Dear List,

I'm working on the following project and would appreciate your views:

I have been tasked with finding out if a certain desktop computer was
used to view pornographic sites on the internet.  This user has gone to
great lengths to try to mask his illegal activities by erasing cookies,
temp.
files and by installing anti-spyware software on his computer.  Are
there any tools that would allow me to still uncover proof that he had
accessed these sites?  So far, the tech department is telling me that he
did access illegal sites on only two dates but I suspect that this
illegal activity started many months or years ago and it will be up to
me to find more proof.

Also, at a network level, we know his IP address but yet my technical
support department is telling me that they cannot (either because they
don't want to or because they are not technically capable of) tell me
what internet sites this IP address has accessed in the past.
Logically, there must be a point in the network (on some piece of
hardware) where I can consult log files to track his activities?  Or, is
there a log file that I can consult that will tell me what sites all my
users have accessed and from what IP address?

In terms of access to the desktop in question, I will have full access
as the computer will be in my possession in the coming days.

Thank-you and any help that you can provide would be most appreciated.

Regards,


Edmond
Previous By Date Next
Previous By Thread Next

Current thread: