Security Basics mailing list archives

RE: Computer forensics to uncover illegal internet use

From: "dave kleiman" <dave () isecureu com>
Date: Tue, 30 Aug 2005 20:42:01 -0400

Connie,

Actually, if any "illegal" items are discovered, at least in the US, you
must stop and contact Law Enforcement immediately.
Forget making anything stick, you would be in possession of contraband, no
different than finding a bag of drugs on the ground, you pick it up you are
in possession of it.  The felony is on you...

Dave

-----Original Message-----
From: Sadler, Connie [mailto:Connie_Sadler () Brown edu]
Sent: Tuesday, August 30, 2005 12:24
To: James Leighe; security-basics () securityfocus com
Subject: RE: Computer forensics to uncover illegal internet use


I think the individual below referred to "illegal porn" -
which is an entirely different matter. Now you're talking
about serious criminal activity, and if this is suspected,
you're better off getting Law Enforcement involved early. If
you don't, and you end up not handling the "evidence" in a
matter consistent with "chain of custody", etc., you could
let a criminal "off the hook". If this user is accessing
child porn, law enforcement and legal folks must be involved
to make anything you do really "stick".

Connie

-----Original Message-----
From: James Leighe [mailto:jamesleighe () gmail com]
Sent: Tuesday, August 30, 2005 1:51 AM
To: security-basics () securityfocus com
Subject: Re: Computer forensics to uncover illegal internet use

This sure is allot of trouble to bust someone for looking at
porn however to each his own... You could use drive imaging
software and then data recovery software to get all the files
on the hard drive that have not been written over as of yet,
like cookies and the tmp files n' all that noise... Other
than that, advanced routers have logging capabilities, if you
have an IDS that would be a place too look... you know your
network better than we do, check around.

Also, here is a list of some interesting registry and file
locations, taken from a scanlog from adaware:
--------------------------------------------------------------
----------
--------------
  MRU List Object Recognized!
    Location:          : C:\Documents and Settings\****\recent
    Description        : list of recently opened documents


  MRU List Object Recognized!
    Location:          :
software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft
direct3d


  MRU List Object Recognized!
    Location:          :
software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use
microsoft direct
X


  MRU List Object Recognized!
    Location:          :
software\microsoft\directdraw\mostrecentapplication
    Description        : most recent application to use microsoft
directdraw


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microso
ft\mediapl
ayer\medialibraryui
    Description        : last selected node in the microsoft windows
media player media library


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microso
ft\mediapl
ayer\preferences
    Description        : last playlist index loaded in microsoft
windows media player


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microso
ft\mediapl
ayer\preferences
    Description        : last playlist loaded in microsoft
windows media
player


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microso
ft\windows
\currentversion\explorer\comdlg32\lastvisitedmru
    Description        : list of recent programs opened


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microso
ft\windows
\currentversion\explorer\comdlg32\opensavemru
    Description        : list of recently saved files, stored
according to file extension


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microso
ft\windows
\currentversion\explorer\recentdocs
    Description        : list of recent documents opened


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microso
ft\windows
media\wmsdk\general
    Description        : windows media sdk
--------------------------------------------------------------
----------
--------------

On 26/08/05, Edmond Chow <echow () gettechnologies com> wrote:


Dear List,

I'm working on the following project and would appreciate

your views:


I have been tasked with finding out if a certain desktop

computer was
used

to view pornographic sites on the internet.  This user has gone to

great

lengths to try to mask his illegal activities by erasing cookies,

temp.

files and by installing anti-spyware software on his computer.  Are

there

any tools that would allow me to still uncover proof that he had

accessed

these sites?  So far, the tech department is telling me that he did

access

illegal sites on only two dates but I suspect that this illegal

activity

started many months or years ago and it will be up to me to

find more
proof.


Also, at a network level, we know his IP address but yet my

technical

support department is telling me that they cannot (either

because they
don't

want to or because they are not technically capable of)

tell me what

internet sites this IP address has accessed in the past.  Logically,

there

must be a point in the network (on some piece of hardware)

where I can

consult log files to track his activities?  Or, is there a log file

that I

can consult that will tell me what sites all my users have accessed

and from

what IP address?

In terms of access to the desktop in question, I will have

full access
as

the computer will be in my possession in the coming days.

Thank-you and any help that you can provide would be most

appreciated.


Regards,


Edmond

Current thread:

RE: Computer forensics to uncover illegal internet use, (continued)
- - RE: Computer forensics to uncover illegal internet use Edmond Chow (Aug 30)
- Re: Computer forensics to uncover illegal internet use Jason Coombs (Aug 30)
  - RE: Computer forensics to uncover illegal internet use CJI Support (Aug 30)
    - RE: Computer forensics to uncover illegal internet use Bob Radvanovsky (Aug 31)
- RE: Computer forensics to uncover illegal internet use Brunner, Mark (Aug 30)
- RE: Computer forensics to uncover illegal internet use Beauford, Jason (Aug 30)
- Re: Computer forensics to uncover illegal internet use Dave Aronson (SecBasics) (Aug 30)
- RE: Computer forensics to uncover illegal internet use Craig, Tobin (OIG) (Aug 30)
- RE: Computer forensics to uncover illegal internet use Steve.Cummings (Aug 30)
- RE: Computer forensics to uncover illegal internet use Sadler, Connie (Aug 30)
  - RE: Computer forensics to uncover illegal internet use dave kleiman (Aug 31)
- RE: Computer forensics to uncover illegal internet use Robinson, Sonja (Aug 30)
- RE: Computer forensics to uncover illegal internet use Robinson, Sonja (Aug 30)
- RE: Computer forensics to uncover illegal internet use Robinson, Sonja (Aug 30)
- Re: Computer forensics to uncover illegal internet use Jason Coombs (Aug 30)
  - RE: Computer forensics to uncover illegal internet use dave kleiman (Aug 31)
  - Re: Computer forensics to uncover illegal internet use Micheal Cottingham (Aug 31)
- RE: Computer forensics to uncover illegal internet use McKinley, Jackson (Aug 31)
- Re: Computer forensics to uncover illegal internet use Jason Coombs (Aug 31)
  - RE: Computer forensics to uncover illegal internet use dave kleiman (Aug 31)
- Re: Computer forensics to uncover illegal internet use Jason Coombs (Aug 31)

(Thread continues...)