RE: Computer forensics to uncover illegal internet use

["Craig, Tobin (OIG)" <tobin.craig () va gov>]

Edmond:

What browser was used during this activity?  There are limited history
files associated with browsers that are often overlooked by the user,
though these files won't under normal circumstances extend back to
several months or years.  It might be worthwhile using something like
NetAnalysis to review the history.

Keep in mind that there may well be additional information in
unallocated file space that may have been deleted long ago but has not
yet been written to with valid files.

You need to be careful, the internet sites you are looking for may no
longer exist, or may be completely different compared to what they would
have looked like during the time frame you are considering.

Whatever way you choose to proceed with your investigation, I would
advise you to work off a forensically sound image of the data instead of
the actual drive itself, in the event that your case should require
criminal investigation.

Best of luck,

Tobin

___________________________
Tobin Craig, MRSC, CISSP, SCERS, EnCE, CCE
IT Forensic Director, Computer Crimes and Forensics
Department of Veterans Affairs
Office of Inspector General
___________________________
-----Original Message-----
From: McHenry, Glenn CTO1 [mailto:gmchenry () princeton navy mil] 
Sent: Tuesday, August 30, 2005 1:40 AM
To: 'Edmond Chow'; security-basics () securityfocus com
Subject: RE: Computer forensics to uncover illegal internet use

Are you running a proxy server?  If so, and it's windows based, you can
go
to the \winnt\msplogs directory and review the logs there.  That's what
we
do here.

Good Luck!

Glenn

-----Original Message-----
From: Edmond Chow [mailto:echow () gettechnologies com]
Sent: Saturday, August 27, 2005 2:23 AM
To: security-basics () securityfocus com
Cc: Edmond Chow
Subject: RE: Computer forensics to uncover illegal internet use



Dear List,

I'm working on the following project and would appreciate your views:

I have been tasked with finding out if a certain desktop computer was
used
to view pornographic sites on the internet.  This user has gone to great
lengths to try to mask his illegal activities by erasing cookies, temp.
files and by installing anti-spyware software on his computer.  Are
there
any tools that would allow me to still uncover proof that he had
accessed
these sites?  So far, the tech department is telling me that he did
access
illegal sites on only two dates but I suspect that this illegal activity
started many months or years ago and it will be up to me to find more
proof.

Also, at a network level, we know his IP address but yet my technical
support department is telling me that they cannot (either because they
don't
want to or because they are not technically capable of) tell me what
internet sites this IP address has accessed in the past.  Logically,
there
must be a point in the network (on some piece of hardware) where I can
consult log files to track his activities?  Or, is there a log file that
I
can consult that will tell me what sites all my users have accessed and
from
what IP address?

In terms of access to the desktop in question, I will have full access
as
the computer will be in my possession in the coming days.

Thank-you and any help that you can provide would be most appreciated.

Regards,


Edmond