Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Computer forensics to uncover illegal internet use

From: "dave kleiman" <dave () isecureu com>
Date: Fri, 2 Sep 2005 11:11:44 -0400
Jason,

Contraband is contraband end of story.  It does not matter if it is
substance or chil p***. If you come across it the only thing to do is back
off an report it. Picking it up or making copies of it, and then
distributing it to someone else, even an attorney, is not legal PERIOD.

Can you cite a case that you, or anyone, has worked where any of your
methodology has been used?

As far as not having to report a crime, or finding contraband, that may very
well be, although I have not been able to find anything to back your point..
However, it would seriously undermine the ethics of a person who is forensic
investigator. Further, it would violate the ethics of most forensic and
security certifications.

Jason, now that you have publicly announced your ideas of, destroying
evidence, covering up logs and not reporting crimes, how will this affect
you credibility as an expert witness.

I am sure an opposing council in a case would do an internet and background
investigation before deposing you, they always do me.....if the come across
this...well I think you get the point.

Regards,



________________________________________________________
Dave Kleiman, CAS, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE

www.SecurityBreachResponse.com www.ComputerForensicInvestigations.com
 






-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org]
Sent: Wednesday, August 31, 2005 20:38
To: dave kleiman; security-basics () securityfocus com
Cc: 'Sadler, Connie'; 'James Leighe'
Subject: Re: Computer forensics to uncover illegal internet use

Dave,

You're substantially oversimplifying and producing rhetoric
rather than teaching the issues as a result... Not that
rhetoric is a bad thing, I like rhetoric.

First of all, finding a bag of white powder on the ground
isn't sufficient for a lay-person to conclude that they are
in possession of drugs.

Finding a bag, testing it for contraband, and then leaving it
there can be reckless endangerment, and the proper thing to
do is to call authorities immediately upon suspicion of a
dangerous substance, but the first thought you should have is
for safety and health, and that means you call the fire
department. Immediately presuming a crime has occurred and
calling the police is not necessarily the right action.

I have seen people harmed by other people's panic reaction to
what they believe is evidence of a crime. The vigilante
emotion and the opportunity to do something exciting (play
cops and robbers) is completely inappropriate and can rise to
the level of a crime itself -- though most often it results
only in civil liability (i.e. you can be sued for improperly
handling such an incident, where your actions and
finger-pointing harm others)

The suggestion that every person who picks up such a bag is
guilty of possession is just wrong, even though the best
advice is to not touch the bag.

Neither of us are attorneys, but you're arguing from your
experience with casework on the law enforcement side while my
experience and detailed conversations on these matters with
capable defense attorneys makes this issue look very
different from the defense side.

You're excluding from your consideration all of the exception
scenarios where no crime occurs.

Generally-speaking, intent matters. A person who innocently
ends up in possession of contraband but does not
intentionally possess it is not guilty of the crime of
possession. Perhaps you were unaware of that? Most law
enforcement computer forensics professionals I have
encountered seem also to lack this understanding.

Regards,

Jason Coombs
jasonc () science org

-----Original Message-----
From: "dave kleiman" <dave () isecureu com>
Date: Tue, 30 Aug 2005 20:42:01
To:<security-basics () securityfocus com>
Cc:"'Sadler, Connie'" <Connie_Sadler () Brown edu>,
"'James Leighe'" <jamesleighe () gmail com>
Subject: RE: Computer forensics to uncover illegal internet use

Connie,

Actually, if any "illegal" items are discovered, at least in
the US, you must stop and contact Law Enforcement immediately.
Forget making anything stick, you would be in possession of
contraband, no different than finding a bag of drugs on the
ground, you pick it up you are in possession of it.  The
felony is on you...

Dave



-----Original Message-----
From: Sadler, Connie [mailto:Connie_Sadler () Brown edu]
Sent: Tuesday, August 30, 2005 12:24
To: James Leighe; security-basics () securityfocus com
Subject: RE: Computer forensics to uncover illegal internet use


I think the individual below referred to "illegal porn" -

which is an

entirely different matter. Now you're talking about serious

criminal

activity, and if this is suspected, you're better off getting Law
Enforcement involved early. If you don't, and you end up

not handling

the "evidence" in a matter consistent with "chain of

custody", etc.,

you could let a criminal "off the hook". If this user is accessing
child porn, law enforcement and legal folks must be

involved to make

anything you do really "stick".

Connie

-----Original Message-----
From: James Leighe [mailto:jamesleighe () gmail com]
Sent: Tuesday, August 30, 2005 1:51 AM
To: security-basics () securityfocus com
Subject: Re: Computer forensics to uncover illegal internet use

This sure is allot of trouble to bust someone for looking at porn
however to each his own... You could use drive imaging software and
then data recovery software to get all the files on the hard drive
that have not been written over as of yet, like cookies and the tmp
files n' all that noise... Other than that, advanced routers have
logging capabilities, if you have an IDS that would be a place too
look... you know your network better than we do, check around.

Also, here is a list of some interesting registry and file

locations,

taken from a scanlog from adaware:
--------------------------------------------------------------
----------
--------------
  MRU List Object Recognized!
    Location:          : C:\Documents and Settings\****\recent
    Description        : list of recently opened documents


  MRU List Object Recognized!
    Location:          :
software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft
direct3d


  MRU List Object Recognized!
    Location:          :
software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use
microsoft direct
X


  MRU List Object Recognized!
    Location:          :
software\microsoft\directdraw\mostrecentapplication
    Description        : most recent application to use microsoft
directdraw


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microso
ft\mediapl
ayer\medialibraryui
    Description        : last selected node in the microsoft windows
media player media library


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microso
ft\mediapl
ayer\preferences
    Description        : last playlist index loaded in microsoft
windows media player


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microso
ft\mediapl
ayer\preferences
    Description        : last playlist loaded in microsoft
windows media
player


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microso
ft\windows
\currentversion\explorer\comdlg32\lastvisitedmru
    Description        : list of recent programs opened


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microso
ft\windows
\currentversion\explorer\comdlg32\opensavemru
    Description        : list of recently saved files, stored
according to file extension


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microso
ft\windows
\currentversion\explorer\recentdocs
    Description        : list of recent documents opened


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microso
ft\windows
media\wmsdk\general
    Description        : windows media sdk
--------------------------------------------------------------
----------
--------------

On 26/08/05, Edmond Chow <echow () gettechnologies com> wrote:


Dear List,

I'm working on the following project and would appreciate

your views:


I have been tasked with finding out if a certain desktop

computer was
used

to view pornographic sites on the internet.  This user has gone to

great

lengths to try to mask his illegal activities by erasing cookies,

temp.

files and by installing anti-spyware software on his

computer.  Are

there

any tools that would allow me to still uncover proof that he had

accessed

these sites?  So far, the tech department is telling me

that he did

access

illegal sites on only two dates but I suspect that this illegal

activity

started many months or years ago and it will be up to me to

find more
proof.


Also, at a network level, we know his IP address but yet my

technical

support department is telling me that they cannot (either

because they
don't

want to or because they are not technically capable of)

tell me what

internet sites this IP address has accessed in the past.

Logically,

there

must be a point in the network (on some piece of hardware)

where I can

consult log files to track his activities?  Or, is there

a log file

that I

can consult that will tell me what sites all my users

have accessed

and from

what IP address?

In terms of access to the desktop in question, I will have

full access
as

the computer will be in my possession in the coming days.

Thank-you and any help that you can provide would be most

appreciated.


Regards,


Edmond
Previous By Date Next
Previous By Thread Next

Current thread: