Security Basics mailing list archives

RE: Computer forensics to uncover illegal internet use


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 30 Aug 2005 08:37:56 -0700

Also, at a network level, we know his IP address but yet my technical
support department is telling me that they cannot (either because they
don't want to or because they are not technically capable of) tell me
what internet sites this IP address has accessed in the past.

Logically, there must be a point in the network (on some piece of
hardware) where I can consult log files to track his activities?  Or,
is there a log file that I can consult that will tell me what sites
all my users have accessed and from what IP address?

  Uh, no.  Ask your city Traffic Department how many times a car has
made a trip to a specific store, given its license number.  "Logically,
there must be a traffic signal that the car will have driven past to
get there."  But Traffic Departments do not have equipment installed
at every traffic signal, logging all of the cars that pass through and
where they are going, on the off chance that some later investigator
will want to ask this question.

  At best, most network groups I've worked in have logged attempts to
violate policy by visiting specific *known* bad sites (and other
violations).
It would be really quite unusual to come in after the fact and be able to
get a list of violations that were not known to be such at the time.  (By
analogy -- a "red light camera" doesn't photograph every car that passes
through an intersection, only those that are detected doing so when
they should not.)

  You may turn up something on the machine itself.  But if the network
team says they don't routinely log everything that crosses the network,
I see no good reason not to believe them.

David Gillett
