Security Basics mailing list archives
Re: Computer forensics to uncover illegal internet use
From: James Leighe <jamesleighe () gmail com>
Date: Tue, 30 Aug 2005 00:51:03 -0500
This sure is allot of trouble to bust someone for looking at porn
however to each his own... You could use drive imaging software and
then data recovery software to get all the files on the hard drive
that have not been written over as of yet, like cookies and the tmp
files n' all that noise... Other than that, advanced routers have
logging capabilities, if you have an IDS that would be a place too
look... you know your network better than we do, check around.
Also, here is a list of some interesting registry and file locations,
taken from a scanlog from adaware:
--------------------------------------------------------------------------------------
MRU List Object Recognized!
Location: : C:\Documents and Settings\****\recent
Description : list of recently opened documents
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
MRU List Object Recognized!
Location: :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows
media player media library
MRU List Object Recognized!
Location: :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft
windows media player
MRU List Object Recognized!
Location: :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player
MRU List Object Recognized!
Location: :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened
MRU List Object Recognized!
Location: :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored
according to file extension
MRU List Object Recognized!
Location: :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened
MRU List Object Recognized!
Location: :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows
media\wmsdk\general
Description : windows media sdk
--------------------------------------------------------------------------------------
On 26/08/05, Edmond Chow <echow () gettechnologies com> wrote:
Dear List, I'm working on the following project and would appreciate your views: I have been tasked with finding out if a certain desktop computer was used to view pornographic sites on the internet. This user has gone to great lengths to try to mask his illegal activities by erasing cookies, temp. files and by installing anti-spyware software on his computer. Are there any tools that would allow me to still uncover proof that he had accessed these sites? So far, the tech department is telling me that he did access illegal sites on only two dates but I suspect that this illegal activity started many months or years ago and it will be up to me to find more proof. Also, at a network level, we know his IP address but yet my technical support department is telling me that they cannot (either because they don't want to or because they are not technically capable of) tell me what internet sites this IP address has accessed in the past. Logically, there must be a point in the network (on some piece of hardware) where I can consult log files to track his activities? Or, is there a log file that I can consult that will tell me what sites all my users have accessed and from what IP address? In terms of access to the desktop in question, I will have full access as the computer will be in my possession in the coming days. Thank-you and any help that you can provide would be most appreciated. Regards, Edmond
Current thread:
- Re: Outlook Security, (continued)
- Re: Outlook Security Micheal Espinola Jr (Aug 26)
- Re: Outlook Security Jacob Bresciani (Aug 26)
- RE: Computer forensics to uncover illegal internet use Edmond Chow (Aug 29)
- RE: Computer forensics to uncover illegal internet use Keenan Smith (Aug 30)
- RE: Computer forensics to uncover illegal internet use dave kleiman (Aug 30)
- RE: Computer forensics to uncover illegal internet use Joel A. Folkerts (Aug 30)
- RE: Computer forensics to uncover illegal internet use Edmond Chow (Aug 30)
- RE: Computer forensics to uncover illegal internet use Joel A. Folkerts (Aug 30)
- RE: Computer forensics to uncover illegal internet use Subscription (Aug 30)
- Re: Computer forensics to uncover illegal internet use Frankie Li (Aug 30)
- Re: Computer forensics to uncover illegal internet use James Leighe (Aug 30)
- Re: Computer forensics to uncover illegal internet use dallas jordan (Aug 30)
- RE: Computer forensics to uncover illegal internet use Eduardo Suzuki (Aug 30)
- RE: Computer forensics to uncover illegal internet use Jonathan Loh (Aug 30)
- Re: Computer forensics to uncover illegal internet use Steve Hillier (Aug 30)
- Re: Computer forensics to uncover illegal internet use Steven Kalcevich (Aug 30)
- RE: Computer forensics to uncover illegal internet use George Lantz (Aug 30)
- RE: Computer forensics to uncover illegal internet use David Gillett (Aug 30)