Re: Computer forensics to uncover illegal internet use

[spyros <sninos () ee duth gr>]

hello listmates,
 I'm new to security field and I'm particularly intrested in this 
topic. Even though I have no personal experience or involment (direct or 
indirect) in such cases, I do have some observations to make (more to be 
considered as questions to be answered).

1) I do assume that Edmond is a network admin. In any case he noticed 
illegal internet use. If we are to accept his claims (illegal use) then 
he must have some specification or policy according to which he 
concluded that internet was being used illegally. As a network admin he 
has the right to investigate things further, right? I mean, even if it's 
about child porn or just spyware, he has a company-policy to 
investigate, because he *is* after all the guy responsible for the 
company's network.
In this case, would I be naive if I suggested that Edmond preserved a 
low profile and started monitoring the network? In other terms, after 
having the appropriate permission (from his supervisor or whatever) 
couldn't he just start logging verbosely the network traffic in order to 
reduce the possibility of a wrong-assumption?

2) In either case (child porn or spyware) Edmond is oblidged to 
investigate the indications. The fact is this: he has clues that illegal 
 internet traffic is going through the company's network (for which he 
is responsible). He's not the one to make accusations against an 
employee, he just follows some clues. He should find out what this 
illegal use is about. Thus, if it concerns child porn he reports it to 
whomever he's supposed to. If it concerns just spyware, then one 
computer is infected with malware and it must be fixed. In either case, 
Edmond is not making any assumptions about the employee, he just 
investigates "evidence" (which may have been created by someone else, 
like an intruder).

3) I don't know exactly, but I do have in mind that some formal 
procedures must be followed for a digital evidence to be accepted in a 
legal case. It's what we call a "chain of evidence". The way I have 
figured it out, one must make a replica of the hard-disk-evidence, and 
he must assure that the replica can not be modified in any case -using 
legally accepted tools. And of course he must have some witnesses that 
will reassure that he did a legal replica and he didn't modify the data. 
How will he be able to prove that he didn't tamper with the data, 
without making a copy in front of law enforcement people, and having 
those law enforcement people sign a paper? That should involve the 
police in the first place, right? And of course wiping the hard disk I 
suppose is not part of the procedure!

4) Let's suppose that Edmond snoops into the "illegal" employees 
computer without someone seeing him, and finds some child porn material 
(just a few pics for example) but also finds out that the employee has a 
lot of spyware installed (highly unlike since Edmond knows that the 
employee erases cookies, temp etc - that is he is basically consious of 
what a trace is and what is security or/and privacy invasion). So he 
decides that he is not the one to play with other people's lifes/careers 
and wipes the disk, and re-installs the OS. After a period of time he 
re-notices the illegal traffic which directs him again to the same 
computer or/and employee. So he manages to snoop once more in to the 
employee's computer and finds new pics but again some spyware installed 
(again cookies erased, temp etc). What would he do then? He can't go to 
the police because he has little evidence (the other was wiped) and he 
knows for certain that those pics aren't there by accident. So, what 
would be his position?

5) Even if Edmond finds tons of spyware in the "illegal" employee's 
computer, how does he know that the spyware wasn't intentionally planted 
there by the employee, so in case of a "compromise" he would claim that 
it was not him but the spyware?

6) How many spywares does anybody in the list know that download child 
porn in someones' computer and save them there? I always thought that 
spyware was "invented" in order to do a sort of traffic analysis 
(customer habbits logging) and not spreading child porn..

7) Why does everybody in this list assume that it concerns child porn 
and not simply porn? As far as Edmond says at his email (which is 
purposely attached below, at the end of all replied mails) it's just 
porn. That means that probably it is a company-policy violation and 
nothing more. Am I wrong?

8) Edmond, "This user has gone to great lengths to try to mask his 
illegal activities by erasing cookies, temp" that means (to me at least) 
that he is a little security concious. Which means (to me again) that he 
could be subscribed to security-basics_at_securityfocus.com, which means 
that he might have read this thread. Don't you think that by now he must 
have wiped the whole disk?

Sorry for the long message, and sorry for my english :)

spyros

dave kleiman wrote:
> Jason,
>
> Remember I have the utmost respect for you and have valued your opinion on
> many occasions, but I have to disagree here on several points.
>
>
>
>
>
> > Dave, Edmond, and Jason,
> >
> > How many times have you worked on, or been involved
> > indirectly as a consultant in, real-world criminal cases or
> > corporate investigations that involve child pornography
> > offenses where the evidence is obtained entirely from
> > computer hard drives and server log files?
>
>
> Very many actually, you are more than welcome to check with the local DA and
> Computer Crimes offices. I am also a FDLE certified LEO.
>
>
>
> > Attempting to give the hard drive to the company's attorney
> > guarantees that attorney-client confidentiality is created
> > with respect to the hard drive and the entire incident,
> > whether or not the attorney advises that it is necessary, in
> > the situation at hand, to report the incident to law
> > enforcement. It also forces the attorney to contemplate more
> > fully just what the proper response is to the situation. You
> > do not want, under any circumstances, the hard drive to be in
> > any person's possession, or for there to be any way for the
> > company's possession of the drive to result in particular
> > individuals being associated with that ownership -- certainly
> > not the original employee who was supposedly the one who had
> > 'exclusive control or access' -- because the truth is that
> > nobody knows whether that employee was the one who had
> > exclusive control, and it is always the case that the
> > employee was not the only person to have potential access.
> > If you report this incident to law enforcement, you become
> > one of the potential persons who could have done whatever it
> > is that the computer shows somebody might have done.
> >
> > If you think your computer expertise or the expertise of any
> > 'computer forensic' expert can distinguish between actions of
> > particular human persons and actions of other persons or
> > actions of spyware or third-party intruders who gained
> > control over the computer, you are badly confused and very mistaken.
> >
> > The proper legal advice in different jurisdictions varies.
> > The proper incident handling advice does not vary.
> >
> > Before you contact any law enforcement agency, before you go
> > any further with any investigation, as soon as you see that
> > there is reason to believe one of the computers used by a
> > company employee may have acted to download child
> > pornography, you isolate and contain and ensure custody of
> > the potential evidence by the company and only the company.
> > These are official company actions carried out by authorized
> > employees, and the company is already in possession of its
> > own equipment and the data stored thereon. You then wipe the
> > drive as soon as possible, without investigating further, and
> > if possible without doing any data backup from the drive, or
> > if you must access the drive to backup company data, do so
> > with care not to expose any employee to any potential
> > contraband images, and do what you must to figure out what
> > happened using only investigative techniques that have little
> > or no chance of resulting in further access to child porn,
> > wiping the drive only after confirming with the company
> > attorney that this is the right thing to do (which you will
> > not find out for sure unless you attempt to turn over the
> > hard drive to the company attorney, who should refuse the
> > offer unless the attorney knows of a reason in the
> > jurisdiction in question for the attorney to receive the hard drive).
>
>
> Handing the drive to, and conferring with the company attorney are two
> different things.  You are almost making this sound like company attorneys
> are exempt from the law??
>
> If you found a pound of cocaine in the company lunch room, would you pick it
> up and drive it to the company attorneys office? You might call the company
> attorney, and say "what should I do?"  But, I do not think the attorneys
> advice would be to "throw it in your car and drive it to my office." If you
> happen to get pulled over on the way, I do not think you could convince any
> LEO that you were just taking it to your attorneys office. Alternatively,
> they might let you finish your journey there, and wait for you to hand it to
> the attorney and arrest both of you?!?
>
> There is no difference contraband is contraband, the attorney-client
> privilege is not created nor extended to the hard drive, it is extended
> between you and your attorney.
>
>
>
>
> > As for the statement that �posses the contraband without the
> > investigating law enforcement agency being present� -- that
> > is so completely wrong as to be absurd and dangerous.
>
>
> Once the evidence is in the LEAs possession, this is absolutely the
> procedure.  If you had a lot of experience with this, as you stated, you
> would know that when you go to an evidence room and do an image of a
> contraband drive, let us say for arguments sake you are working for a
> defense attorney.
> You bring a drive to do an image, you have to do your examination there, if
> you want to leave the imaged info on it, your imaged drive now stays in the
> evidence room.  The defense attorney would have to come there to view the
> images, or the LEO would bring it to them, but they would not leave I there
> with them.
>
>
>
> > The people whose advice you take in the next couple of weeks,
> > Edmond, will determine whether you ruin one or more innocent
> > persons' lives, possibly destroy your company, your career,
> > the careers of others, trigger suicides or murders, and in
> > other ways that you cannot anticipate and may have difficulty
> > believing possible, become caught in a life-destroying mess
> > of bad statutes and very badly misguided people who think
> > they're doing their jobs but are actually just incompetent,
> > careless, and self-serving.
> >
> > You cannot follow the interesting and useful technical advice
> > offered by the other persons on this list -- they are
> > mistaken, badly, to give you tips on how to engage in child
> > pornographic investigations. You cannot, and you must not, do
> > any investigations, and you must do everything in the
> > company's considerable power to ensure that nobody else does, either.
>
>
>
> You sure are quick to claim someone is innocent, and you may ruin their
> lives.  Alternatively, could someone be destroying the lives of young
> children??
>
> Transporting it to anyone or sitting on the contraband while deciding what
> to do is the main part in either of your e-mails I disagree with.
>
> Personally I believe in calling an LEA immediately to report it, as opposed
> to immediately wiping it upon discovery, but that is my personal opinion.
>
>
>
> > However, because somebody else (most importantly, law
> > enforcement) may already be investigating without your
> > knowledge, and because you may be in possession of evidence
> > that would prove reasonable doubt of the accused's guilt, you
> > must attempt to get every bit of data (the so-called
> > 'evidence') from the suspect's hard drive preserved
> > forensically and in the custody of the company attorney.
>
>
>
> > Do so 'after' you wipe the drives -- you need to seriously
> > consider the value of keeping logs of your actions which
> > reflect the fact that you wiped the drive AND THEN gave the
> > drive to your company's attorney.
> >
> > Ask your company's attorney... He may tell you that your
> > company's best course of action is to purposefully falsify
> > the record of the company's response to the incident. The
> > company is not legally obligated to keep accurate records of
> > such things, after all, and with a company record showing the
> > drive was wiped and the physical device is now in the custody
> > of the company attorney, the company is able to prevent ANY
> > loss of control over the situation in the event that the
> > company's duty to protect its employee's interests end up in
> > conflict with law enforcement's desire to aggressively
> > prosecute somebody because they were at some point in time
> > associated with or in proximity to a hard drive that was
> > suspected to have contained, if only temporarily,
> > circumstantial evidence of a crime.
> >
> > If you do not understand by now just how screwy this whole
> > mess is, in the real world, and how uncertain things are in
> > your situation, then nobody can help you, or your company, or
> > the accused person, and you're all doomed to whatever outcome
> > the local law enforcement, prosecution, and courts decide for you...
> >
> > ... All because one of your Windows computers got a spyware
> > infection and some spammer who runs a porn business caused
> > some Web pages to be requested and perhaps some pop-ups or
> > pop-unders to occur.
>
>
>
> Obviously you have dealt with some poor LEAs.  The ones I have dealt with
> have always checked for spyware and things of that nature and have dropped
> many cases because of it.  Further, they do not run in and arrest somebody
> because an IT person found child porn on a computer.  First, they do a
> thorough investigation, then decisions are made.
>
>
>
> Regards,
>
> Dave
>
>
>
> > Good luck. You need it.
> >
> > Jason Coombs
> > jasonc () science org
> >
> > -----Original Message-----
> > From: "dave kleiman" <dave () isecureu com>
> > Date: Tue, 30 Aug 2005 22:33:02
> > To:<security-basics () securityfocus com>
> > Cc:"'Jason Coombs'" <jasonc () science org>,       "'Edmond
> > Chow'" <echow () videotron ca>,       "'Beauford, Jason'"
> > <jbeauford () EightInOnePet com>
> > Subject: RE: Computer forensics to uncover illegal internet use
> >
> > Jason,
> >
> > Even an attorney, District Attorney, or the doctor who
> > verifies the evidence as child pornography, may not view or
> > posses the contraband without the investigating law
> > enforcement agency being present.  They are still bound by
> > the same "possession of contraband" law.
> > Therefore, the immediate contacting of an LEA is the only
> > proper real resolve. Turning it over to the company attorney
> > would be possession and distribution of contraband a definite no-no.
> >
> > However, just as if you found a bag of drugs on the ground,
> > you have no obligation to report it, but picking it up and
> > playing with it is ill-advised.
> >
> > Nonetheless, if you simply saw what you thought was child
> > pornography, and you stopped and wiped the system you would
> > technically be ok, since it takes a doctors examination to,
> > for the courts, say it truly is/was child pornography.
> >
> >
> > Dave
> >
> >
> >
> > > -----Original Message-----
> > > From: Jason Coombs [mailto:jasonc () science org]
> > > Sent: Tuesday, August 30, 2005 19:14
> > > To: Edmond Chow; security-basics () securityfocus com; Beauford, Jason
> > > Subject: Re: Computer forensics to uncover illegal internet use
> > >
> > > Edmond,
> > >
> > > You cannot 'investigate' viewing of child pornographic material
> > > without violating the very same laws that you are informed may have
> > > been violated by the employee of your company who stands accused.
> > >
> > > You must stop your work immediately. Do not begin your work if you
> > > have not already, and get your company to turn the hard drive and
> > > other details over to the corporate attorney.
> > >
> > > What you must understand is that certain persons have a legal
> > > obligation to report any finding of evidence of child
> >
> > pornography, but
> >
> > > that your company and its employees, in the employees' professional
> > > capacity, may not have an obligation to report to law enforcement.
> > >
> > > The company is typically allowed to simply wipe the hard
> >
> > drive of any
> >
> > > computer that may have been used to view child pornography,
> >
> > and take
> >
> > > whatever internal disciplinary action it deems appropriate with
> > > respect to the accused employee.
> > >
> > > Only your company's attorney can guide you properly, and you are
> > > completely wrong to want to investigate this yourself.
> > >
> > > Your company's attorney should advise you that the best
> >
> > thing to do is
> >
> > > wipe the drive, and get on with the business that you are in.
> > >
> > > If you report this to law enforcement, the employee WILL go
> >
> > to prison.
> >
> > > Innocent or not.
> > >
> > > If the employee goes to prison and is innocent, or is even accused
> > > publicly and is innocent, and eventually finds a way to prove his
> > > innocence, your company will be sued. The employee will win the
> > > lawsuit. Your company may go out of business over its improper
> > > handling of this incident.
> > >
> > > Please feel free to contact me directly to discuss this
> >
> > matter in more
> >
> > > detail. This is an area of criminal computer forensics with which I
> > > have much experience.
> > >
> > > Sincerely,
> > >
> > > Jason Coombs
> > > jasonc () science org
> > >
> > > -----Original Message-----
> > > From: Edmond Chow <echow () videotron ca>
> > > Date: Tue, 30 Aug 2005 10:27:24
> > > To:security-basics () securityfocus com,       "Beauford, Jason"
> > > <jbeauford () EightInOnePet com>
> > > Cc:Edmond Chow <echow () videotron ca>
> > > Subject: RE: Computer forensics to uncover illegal internet use
> > >
> > > Good morning Jason,
> > >
> > > Thank-you to you and all who responded to me with their
> >
> > ideas.  I am
> >
> > > wondering if there are any reference books available that
> >
> > would guide
> >
> > > me through an investigation of this sort?  I am dealing with a case
> > > involving the viewing of child pornographic websites so I
> >
> > want to be
> >
> > > careful to follow reference guidelines of some sort so that I don't
> > > end up in jail myself!
> > >
> > > Any help that you can provide in the form of links to
> >
> > articles and/or
> >
> > > books on this subject would be greatly appreciated.
> > >
> > > Regards,
> > >
> > >
> > > Edmond
> > >
> > >
> > > -----Original Message-----
> > > From: Beauford, Jason [mailto:jbeauford () EightInOnePet com]
> > > Sent: Tuesday, August 30, 2005 8:50 AM
> > > To: Edmond Chow; security-basics () securityfocus com
> > > Cc: Edmond Chow
> > > Subject: RE: Computer forensics to uncover illegal internet use
> > >
> > >
> > > Check out INDEXVIEW.exe.  Internet explorer writes a history of all
> > > visited sites to a file labeled INDEX.DAT.  This file is usually
> > > hidden.
> > > Most end users are not bright enough to research thoroughly
> >
> > and will
> >
> > > not delete this file.  If they use Internet Explorer as
> >
> > their Browser,
> >
> > > then find this file and you will have your proof.  Download
> >
> > INDEXVIEW
> >
> > > here => http://superwebsearch.com/dwl/IndexView.exe
> > >
> > > Additionally, SecurityFocus has a great article which
> >
> > describes what
> >
> > > you want to do:
> > >
> > > Part 1 (for IE):  http://www.securityfocus.com/infocus/1827
> > >
> > > Part 2 (for Firefox) http://www.securityfocus.com/infocus/1832
> > >
> > >
> > > Good Luck.
> > >
> > >
> > > JMB
> > >
> > >     =|   -----Original Message-----
> > >     =|   From: Edmond Chow [mailto:echow () gettechnologies com]
> > >     =|   Sent: Friday, August 26, 2005 7:23 PM
> > >     =|   To: security-basics () securityfocus com
> > >     =|   Cc: Edmond Chow
> > >     =|   Subject: RE: Computer forensics to uncover illegal
> > >     =|   internet use
> > >     =|
> > >     =|
> > >     =|   Dear List,
> > >     =|
> > >     =|   I'm working on the following project and would
> > >     =|   appreciate your views:
> > >     =|
> > >     =|   I have been tasked with finding out if a certain
> > >     =|   desktop computer was used to view pornographic sites
> > >     =|   on the internet.  This user has gone to great lengths
> > >     =|   to try to mask his illegal activities by erasing
> > >     =|   cookies, temp.
> > >     =|   files and by installing anti-spyware software on his
> > >     =|   computer.  Are there any tools that would allow me to
> > >     =|   still uncover proof that he had accessed these sites?
> > >     =|    So far, the tech department is telling me that he
> > >     =|   did access illegal sites on only two dates but I
> > >     =|   suspect that this illegal activity started many
> > >     =|   months or years ago and it will be up to me to find
> > >     =|   more proof.
> > >     =|
> > >     =|   Also, at a network level, we know his IP address but
> > >     =|   yet my technical support department is telling me
> > >     =|   that they cannot (either because they don't want to
> > >     =|   or because they are not technically capable of) tell
> > >     =|   me what internet sites this IP address has accessed
> > >     =|   in the past.  Logically, there must be a point in the
> > >     =|   network (on some piece of hardware) where I can
> > >     =|   consult log files to track his activities?  Or, is
> > >     =|   there a log file that I can consult that will tell me
> > >     =|   what sites all my users have accessed and from what
> > >     =|   IP address?
> > >     =|
> > >     =|   In terms of access to the desktop in question, I will
> > >     =|   have full access as the computer will be in my
> > >     =|   possession in the coming days.
> > >     =|
> > >     =|   Thank-you and any help that you can provide would be
> > >     =|   most appreciated.
> > >     =|
> > >     =|   Regards,
> > >     =|
> > >     =|
> > >     =|   Edmond
> > >     =|
> > >     =|
> > >     =|
> > >     =|
> > >
> > > --
> > > No virus found in this incoming message.
> > > Checked by AVG Anti-Virus.
> > > Version: 7.0.344 / Virus Database: 267.10.17/84 - Release
> > > Date: 8/29/2005
> > >
> > > --
> > > No virus found in this outgoing message.
> > > Checked by AVG Anti-Virus.
> > > Version: 7.0.344 / Virus Database: 267.10.17/84 - Release
> > > Date: 8/29/2005