Security Basics mailing list archives
RE: Computer forensics to uncover illegal internet use
From: "dave kleiman" <dave () isecureu com>
Date: Fri, 2 Sep 2005 11:11:44 -0400
Jason,

Contraband is contraband, end of story. It does not matter if it is a substance or child p***. If you come across it, the only thing to do is back off and report it. Picking it up or making copies of it, and then distributing it to someone else, even an attorney, is not legal, PERIOD. Can you cite a case that you, or anyone, has worked where any of your methodology has been used?

As far as not having to report a crime, or finding contraband, that may very well be, although I have not been able to find anything to back your point. However, it would seriously undermine the ethics of a person who is a forensic investigator. Further, it would violate the ethics of most forensic and security certifications.

Jason, now that you have publicly announced your ideas of destroying evidence, covering up logs and not reporting crimes, how will this affect your credibility as an expert witness? I am sure an opposing counsel in a case would do an internet and background investigation before deposing you, they always do me.....if they come across this...well, I think you get the point.

Regards,
________________________________________________________
Dave Kleiman, CAS, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE
www.SecurityBreachResponse.com
www.ComputerForensicInvestigations.com

-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org]
Sent: Wednesday, August 31, 2005 20:38
To: dave kleiman; security-basics () securityfocus com
Cc: 'Sadler, Connie'; 'James Leighe'
Subject: Re: Computer forensics to uncover illegal internet use

Dave,

You're substantially oversimplifying and producing rhetoric rather than teaching the issues as a result... Not that rhetoric is a bad thing, I like rhetoric.

First of all, finding a bag of white powder on the ground isn't sufficient for a lay-person to conclude that they are in possession of drugs. Finding a bag, testing it for contraband, and then leaving it there can be reckless endangerment, and the proper thing to do is to call authorities immediately upon suspicion of a dangerous substance, but the first thought you should have is for safety and health, and that means you call the fire department. Immediately presuming a crime has occurred and calling the police is not necessarily the right action. I have seen people harmed by other people's panic reaction to what they believe is evidence of a crime. The vigilante emotion and the opportunity to do something exciting (play cops and robbers) is completely inappropriate and can rise to the level of a crime itself -- though most often it results only in civil liability (i.e. you can be sued for improperly handling such an incident, where your actions and finger-pointing harm others).

The suggestion that every person who picks up such a bag is guilty of possession is just wrong, even though the best advice is to not touch the bag.

Neither of us are attorneys, but you're arguing from your experience with casework on the law enforcement side while my experience and detailed conversations on these matters with capable defense attorneys makes this issue look very different from the defense side. You're excluding from your consideration all of the exception scenarios where no crime occurs. Generally speaking, intent matters. A person who innocently ends up in possession of contraband but does not intentionally possess it is not guilty of the crime of possession. Perhaps you were unaware of that? Most law enforcement computer forensics professionals I have encountered seem also to lack this understanding.

Regards,

Jason Coombs
jasonc () science org

-----Original Message-----
From: "dave kleiman" <dave () isecureu com>
Date: Tue, 30 Aug 2005 20:42:01
To: <security-basics () securityfocus com>
Cc: "'Sadler, Connie'" <Connie_Sadler () Brown edu>, "'James Leighe'" <jamesleighe () gmail com>
Subject: RE: Computer forensics to uncover illegal internet use

Connie,

Actually, if any "illegal" items are discovered, at least in the US, you must stop and contact Law Enforcement immediately. Forget making anything stick, you would be in possession of contraband, no different than finding a bag of drugs on the ground: you pick it up, you are in possession of it. The felony is on you...

Dave

-----Original Message-----
From: Sadler, Connie [mailto:Connie_Sadler () Brown edu]
Sent: Tuesday, August 30, 2005 12:24
To: James Leighe; security-basics () securityfocus com
Subject: RE: Computer forensics to uncover illegal internet use

I think the individual below referred to "illegal porn" - which is an entirely different matter. Now you're talking about serious criminal activity, and if this is suspected, you're better off getting Law Enforcement involved early. If you don't, and you end up not handling the "evidence" in a manner consistent with "chain of custody", etc., you could let a criminal "off the hook". If this user is accessing child porn, law enforcement and legal folks must be involved to make anything you do really "stick".

Connie

-----Original Message-----
From: James Leighe [mailto:jamesleighe () gmail com]
Sent: Tuesday, August 30, 2005 1:51 AM
To: security-basics () securityfocus com
Subject: Re: Computer forensics to uncover illegal internet use

This sure is a lot of trouble to bust someone for looking at porn, however to each his own...

You could use drive imaging software and then data recovery software to get all the files on the hard drive that have not been written over as of yet, like cookies and the tmp files n' all that noise...

Other than that, advanced routers have logging capabilities, if you have an IDS that would be a place to look... you know your network better than we do, check around.

Also, here is a list of some interesting registry and file locations, taken from a scanlog from adaware:

------------------------------------------------------------------------
MRU List Object Recognized!
Location: : C:\Documents and Settings\****\recent
Description : list of recently opened documents

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library

MRU List Object Recognized!
Location: : S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

MRU List Object Recognized!
Location: : S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk
------------------------------------------------------------------------

On 26/08/05, Edmond Chow <echow () gettechnologies com> wrote:

Dear List,

I'm working on the following project and would appreciate your views:

I have been tasked with finding out if a certain desktop computer was used to view pornographic sites on the internet. This user has gone to great lengths to try to mask his illegal activities by erasing cookies, temp. files and by installing anti-spyware software on his computer. Are there any tools that would allow me to still uncover proof that he had accessed these sites? So far, the tech department is telling me that he did access illegal sites on only two dates but I suspect that this illegal activity started many months or years ago and it will be up to me to find more proof.

Also, at a network level, we know his IP address but yet my technical support department is telling me that they cannot (either because they don't want to or because they are not technically capable of) tell me what internet sites this IP address has accessed in the past. Logically, there must be a point in the network (on some piece of hardware) where I can consult log files to track his activities? Or, is there a log file that I can consult that will tell me what sites all my users have accessed and from what IP address?

In terms of access to the desktop in question, I will have full access as the computer will be in my possession in the coming days.

Thank you and any help that you can provide would be most appreciated.

Regards,

Edmond
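As an added example (not code from anyone in this thread), here is how an investigator would read one of the registry locations in the Ad-Aware scanlog above, the Explorer RecentDocs MRU, in most-recent-first order including its per-extension subkeys. It assumes it runs on the Windows system under review in the account whose hive is loaded as HKCU; on a seized disk the same key lives in that profile's NTUSER.DAT.

```powershell
# Added example: decode HKCU\...\Explorer\RecentDocs (and its extension subkeys).
# Assumption: run on the live system in the reviewed user's session; for an
# offline image, load the profile's NTUSER.DAT under HKU first and adjust $KeyPath.

function Get-RecentDocsMru {
    param(
        [string]$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs',
        [string]$Extension = '(all)'
    )
    if (-not (Test-Path -LiteralPath $KeyPath)) { return @() }
    $key = Get-Item -LiteralPath $KeyPath

    # MRUListEx is a REG_BINARY array of little-endian Int32 value names,
    # most recent first, terminated by 0xFFFFFFFF (-1).
    $order = @()
    $listEx = $key.GetValue('MRUListEx')
    if ($listEx -is [byte[]]) {
        for ($i = 0; $i + 3 -lt $listEx.Length; $i += 4) {
            $idx = [BitConverter]::ToInt32($listEx, $i)
            if ($idx -eq -1) { break }
            $order += $idx
        }
    }

    $rank = 0
    $entries = foreach ($idx in $order) {
        $raw = $key.GetValue([string]$idx)
        if ($raw -isnot [byte[]]) { continue }
        $rank++
        # Each numbered value starts with a null-terminated UTF-16LE document name;
        # the shortcut (.lnk) name that follows is not needed here.
        $doc = [System.Text.Encoding]::Unicode.GetString($raw).Split([char]0)[0]
        [pscustomobject]@{ Extension = $Extension; Rank = $rank; Index = $idx; Document = $doc }
    }

    # Each file-extension subkey (.txt, .pdf, Folder, ...) keeps its own MRUListEx.
    $children = foreach ($sub in $key.GetSubKeyNames()) {
        Get-RecentDocsMru -KeyPath (Join-Path $KeyPath $sub) -Extension $sub
    }
    return @($entries) + @($children)
}

# Show the decoded list; on a real case, also export it (e.g. Export-Csv) for the record.
Get-RecentDocsMru | Sort-Object Extension, Rank | Format-Table -AutoSize
```

Only the top-level list and the extension subkeys are covered; the comdlg32 OpenSaveMRU and LastVisitedMRU keys in the same scanlog use different value layouts and need their own decoders.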