RE: Computer forensics to uncover illegal internet use

["Robinson, Sonja" <SRobinson () HIPUSA com>]

Assuming that he's not running DHCP.  If he is, then he needs to
correlate the event logs from the domain controller to prove that the
workstation name/IP address and user add up. 


Sonja L. Robinson, CISSP, CIFI, CISA, CISM
Forensic Specialist, Digital Investigations
HIP Information Security Group
Tel: 212-806-4125
srobinson () hipusa com
 

-----Original Message-----
From: James McEachern [mailto:james.mceachern.qa5a () statefarm com] 
Sent: Tuesday, August 30, 2005 8:47 AM
To: echow () gettechnologies com
Cc: security-basics () securityfocus com
Subject: RE: Computer forensics to uncover illegal internet use

You don't even need access to his computer just check the ip for his
computer in proxy logs and if its logging feature is turned on then you
can find every web site he went to  even ad sites that pop up in
browsers. If your tech cant figure this out I would strongly consider
finding new employees for this "staff".

James McEachern


-----Original Message-----
From: echow () gettechnologies com [mailto:echow () gettechnologies com]
Sent: Friday, August 26, 2005 6:23 PM
To: security-basics () securityfocus com
Cc: echow () videotron ca
Subject: RE: Computer forensics to uncover illegal internet use



Dear List,

I'm working on the following project and would appreciate your views:

I have been tasked with finding out if a certain desktop computer was
used to view pornographic sites on the internet.  This user has gone to
great lengths to try to mask his illegal activities by erasing cookies,
temp. files and by installing anti-spyware software on his computer.
Are there any tools that would allow me to still uncover proof that he
had accessed these sites?  So far, the tech department is telling me
that he did access illegal sites on only two dates but I suspect that
this illegal activity started many months or years ago and it will be up
to me to find more proof.

Also, at a network level, we know his IP address but yet my technical
support department is telling me that they cannot (either because they
don't want to or because they are not technically capable of) tell me
what internet sites this IP address has accessed in the past.
Logically, there must be a point in the network (on some piece of
hardware) where I can consult log files to track his activities?  Or, is
there a log file that I can consult that will tell me what sites all my
users have accessed and from what IP address?

In terms of access to the desktop in question, I will have full access
as the computer will be in my possession in the coming days.

Thank-you and any help that you can provide would be most appreciated.

Regards,


Edmond