RE: Computer forensics to uncover illegal internet use

["Robinson, Sonja" <SRobinson () HIPUSA com>]

Only use ghost if you know the switch for a physical copy. Only use
forensics tools to examine in a forensic mode and using forensic
procedures otherwise you may corrupt your evidence. 

Sonja L. Robinson, CISSP, CIFI, CISA, CISM
Forensic Specialist, Digital Investigations
HIP Information Security Group
Tel: 212-806-4125
srobinson () hipusa com
 

-----Original Message-----
From: Mike Sweeney [mailto:mikesweeney () packetattack com] 
Sent: Tuesday, August 30, 2005 12:41 AM
To: Edmond Chow
Cc: security-basics () securityfocus com; Edmond Chow
Subject: Re: Computer forensics to uncover illegal internet use

Before anything.. make a copy of the disk and lock the original away
with a chain of evidence. Use Ghost or DD. Work only on a copy.

Examine the disk using something like Knoppix STD or Audit or other
bootable CD.

swap file..
history files for IE
Alternative Browser history files
use a undelete tool to see what might be recovered for cookies etc check
for firewall logs or proxy server logs

If he is really that clever, look for alternative data streams and
hidden files..
Look for a hidden partition

Some history and last URLs can be found in the registry

I'm sure other will toss in their 3 cents too :)

MikeS
____________________________________

mikesweeney () packetattack com
www.packetattack.com
Home of "Network Security using Linux"

Office 714.637.4235



On Aug 29, 2005, at 8:45 PM, Edmond Chow wrote:

> Dear List,
>
> I'm working on the following project and would appreciate your views:
>
> I have been tasked with finding out if a certain desktop computer was 
> used to view pornographic sites on the internet.  This user has gone 
> to great lengths to try to mask his illegal activities by erasing 
> cookies, temp.
> files and by installing anti-spyware software on his computer.  Are 
> there any tools that would allow me to still uncover proof that he had

> accessed these sites?  So far, the tech department is telling me that 
> he did access illegal sites on only two dates but I suspect that this 
> illegal activity started many months or years ago and it will be up to

> me to find more proof.
>
> Also, at a network level, we know his IP address but yet my technical 
> support department is telling me that they cannot (either because they

> don't want to or because they are not technically capable of) tell me 
> what
> internet sites this IP address has accessed in the past.   
> Logically, there
> must be a point in the network (on some piece of hardware) where I can

> consult log files to track his activities?  Or, is there a log file 
> that I can consult that will tell me what sites all my users have 
> accessed and from what IP address?
>
> In terms of access to the desktop in question, I will have full access

> as the computer will be in my possession in the coming days.
>
> Thank-you and any help that you can provide would be most appreciated.
>
> Regards,
>
>
> Edmond