RE: Computer forensics to uncover illegal internet use

[Jonathan Loh <kj6loh () yahoo com>]

I too use r-studio (first link below) and can vouch for it's effectiveness. 
But as Jason Coombs has said.  Give this to the proper authorities.  Or at
least let  an outside party do your forensics.

I can just see it now you vs the suspect.

Defense Attorney:  Well (you) are a pornographer too!  Why else would he scour
my client's disk looking for pornography?


--- Eduardo Suzuki <eduardo.ac.suzuki () gmail com> wrote:

>       Edmond,
>
>       On the desktop side there are several tools you can use to recover
> the deleted files. One of them is OnTrack EasyRecovery. It's a commercial
> software, but is very good on its job. Depending on the situation it can
> recover most of the files and, if they are damaged in some way, it can fix
> them.
>       On the following site you'll find some other tools to accomplish
> this:
>
>       http://www.data-recovery-software.net/
>
>       If you want to find freeware, try to google for "undelete software".
>       Just an advice... Before doing that, it's important to plug the HD
> as slave and back it up completely using Symantec Ghost or some other
> imaging software.
>       On the network side it really depends on your network topology. If
> it employs some kind of proxy firewall (even transparent proxies) you may
> find useful information in the proxy logs. It's not 100% guaranteed since it
> depends on the log configuration (retention, rotation and so on).
>       Just my $0.02.
>       Best regards,
>
>       Eduardo Suzuki
>       esuzuki_br () pop com br
>       Eduardo.AC.Suzuki () gmail com
>  
> "The essential is invisible to the eyes."
>
>
> -----Original Message-----
> From: Edmond Chow [mailto:echow () gettechnologies com] 
> Sent: Friday, August 26, 2005 8:23 PM
> To: security-basics () securityfocus com
> Cc: Edmond Chow
> Subject: RE: Computer forensics to uncover illegal internet use
>
>
> Dear List,
>
> I'm working on the following project and would appreciate your views:
>
> I have been tasked with finding out if a certain desktop computer was used
> to view pornographic sites on the internet.  This user has gone to great
> lengths to try to mask his illegal activities by erasing cookies, temp.
> files and by installing anti-spyware software on his computer.  Are there
> any tools that would allow me to still uncover proof that he had accessed
> these sites?  So far, the tech department is telling me that he did access
> illegal sites on only two dates but I suspect that this illegal activity
> started many months or years ago and it will be up to me to find more proof.
>
> Also, at a network level, we know his IP address but yet my technical
> support department is telling me that they cannot (either because they don't
> want to or because they are not technically capable of) tell me what
> internet sites this IP address has accessed in the past.  Logically, there
> must be a point in the network (on some piece of hardware) where I can
> consult log files to track his activities?  Or, is there a log file that I
> can consult that will tell me what sites all my users have accessed and from
> what IP address?
>
> In terms of access to the desktop in question, I will have full access as
> the computer will be in my possession in the coming days.
>
> Thank-you and any help that you can provide would be most appreciated.
>
> Regards,
>
>
> Edmond


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com