RE: Computer forensics to uncover illegal internet use

["Subscription" <subscription () ftlindia com>]

Hi Edmond 

I have faced the same issue in past, what I did and helped me is here,
please select what suits your requirement in best manner:

1. I installed a gateway of Linux with Squid running in Transparent Proxy
2. I configured few ACLs to block certain porno keywords and URLs so that
user can not access the known porno/game/p2p/hacking sites
3. I configured squint and sarg to read and analyze the logs of Squid, this
gives me date wise, time wise, IP wise list of sites which are accessed
3.a By using squint, I was able to sort the Internet usage on Downloaded
Size, Time Spent on a site, No. of Pages surfed, No. of Sites surfed but I
still had one issue that I was not getting the list of most visited sites
and Denied sites
3.b This problem was overcome by using sarg, sarg gives me the list of top
sites and sites which were denied to the user (since it is blocked in Squid
ACL)
4. Now I read those logs on a weekly basis and it takes me maximum 30 to 45
minutes to find out who all are surfing unwanted things.
The logs are authentic and no user can control them as they are maintained
at server/gateway level thus let them try anti-spywares etc., it wont help.

I shall be more than happy if you wish to implement the same solution, I can
walk you through the configuration steps if you need.

Take Care
Vivek Khare


-----Original Message-----
From: Edmond Chow [mailto:echow () gettechnologies com] 
Sent: Saturday, August 27, 2005 04:53 AM
To: security-basics () securityfocus com
Cc: Edmond Chow
Subject: RE: Computer forensics to uncover illegal internet use


Dear List,

I'm working on the following project and would appreciate your views:

I have been tasked with finding out if a certain desktop computer was used
to view pornographic sites on the internet.  This user has gone to great
lengths to try to mask his illegal activities by erasing cookies, temp.
files and by installing anti-spyware software on his computer.  Are there
any tools that would allow me to still uncover proof that he had accessed
these sites?  So far, the tech department is telling me that he did access
illegal sites on only two dates but I suspect that this illegal activity
started many months or years ago and it will be up to me to find more proof.

Also, at a network level, we know his IP address but yet my technical
support department is telling me that they cannot (either because they don't
want to or because they are not technically capable of) tell me what
internet sites this IP address has accessed in the past.  Logically, there
must be a point in the network (on some piece of hardware) where I can
consult log files to track his activities?  Or, is there a log file that I
can consult that will tell me what sites all my users have accessed and from
what IP address?

In terms of access to the desktop in question, I will have full access as
the computer will be in my possession in the coming days.

Thank-you and any help that you can provide would be most appreciated.

Regards,


Edmond