RE: Computer forensics to uncover illegal internet use

["McKinley, Jackson" <Jackson.McKinley () team telstra com>]

 Micheal Cottingham wrote:
> The point of an investigation is to obtain evidence. Only to obtain
evidence. Furthermore, law enforcement would perform the exact same
techniques to uncover the evidence, > but by your definition, they too
would be breaking the law. 

I'm not sure about within the US but there are laws in place within
Australia that allow for law enforcement to do thing that would normally
be breaking the law if it is deemed to be required for the purpose of
investigation or apprehension of a crime / criminal.

Micheal Cottingham wrote:
> If an investigation finds that the accused employee is not guilty,
that's the end of that investigation. 

I wouldn't attempt to do any investigation without legal advise.. When I
comes to something like underage p*** then you are painting the
defendant with a very messy mark, and should it turnout that they where
in fact not guilty or "framed" by some third party you have brand them
with a stigma that will not go away.

When looking at this "kind" of issue we must handle with the greatest of
care.. Better still when dealing with any employee / personnel utmost
care must be take so as to not create the chance of being hit with a
defamation case or worse...  This is not just a compromised system /
server that some scriptkiddie has "owned" its lives, the suspect,
family, children, parents... The list goes on...


-----Original Message-----
From: Micheal Cottingham [mailto:security () michealcottingham com] 
Sent: Thursday, 1 September 2005 8:01 AM
To: security-basics () securityfocus com
Subject: Re: Computer forensics to uncover illegal internet use

I disagree. The point of an investigation is to obtain evidence. Only to
obtain evidence. Furthermore, law enforcement would perform the exact
same techniques to uncover the evidence, but by your definition, they
too would be breaking the law. To add, law enforcement will not send an
employee to prison without first obtaining evidence, then the motions of
a trial must be followed. (indictment, hearing, sentencing, etc.). I do
agree that legal advice needs to be sought after for a case like this,
but in the end, someone, somewhere must investigate. The definition of
prison is a sentence to incarceration for a period of 12 months or more.

At most, you can be held in jail for 48 hours without an official
charge.

I further disagree with your assessment that the "best thing to do is
wipe the drive, and get on with the business that you are in." That
negates the criminal justice system.

You further state that the company would be improperly handling an
incident should they decide to investigate. As I said above, this is
simply incorrect. Once again, this negates the point of the criminal
justice system in the US, at least. If an investigation finds that the
accused employee is not guilty, that's the end of that investigation. 
However, you cannot simply ignore an alleged illegal act. There are
reasons these laws are in place, as well as company policies. If all you
do wipe the drive without an investigation, on what grounds does a
company have for internal action? That could be the start for a wrongful
termination lawsuit. You need evidence to prove you have a valid reason
for termination or other action against an employee, the whole reason
for investigations.

Jason Coombs wrote:

> Edmond,
>
> You cannot 'investigate' viewing of child pornographic material without
violating the very same laws that you are informed may have been
violated by the employee of your company who stands accused.
> You must stop your work immediately. Do not begin your work if you have
not already, and get your company to turn the hard drive and other
details over to the corporate attorney.
> What you must understand is that certain persons have a legal
obligation to report any finding of evidence of child pornography, but
that your company and its employees, in the employees' professional
capacity, may not have an obligation to report to law enforcement.
> The company is typically allowed to simply wipe the hard drive of any
computer that may have been used to view child pornography, and take
whatever internal disciplinary action it deems appropriate with respect
to the accused employee.
> Only your company's attorney can guide you properly, and you are
completely wrong to want to investigate this yourself.
> Your company's attorney should advise you that the best thing to do is
wipe the drive, and get on with the business that you are in.
> If you report this to law enforcement, the employee WILL go to prison.
Innocent or not.
> If the employee goes to prison and is innocent, or is even accused
publicly and is innocent, and eventually finds a way to prove his
innocence, your company will be sued. The employee will win the lawsuit.
Your company may go out of business over its improper handling of this
incident.
> Please feel free to contact me directly to discuss this matter in more
detail. This is an area of criminal computer forensics with which I have
much experience.
> Sincerely,
>
> Jason Coombs
> jasonc () science org
>
> -----Original Message-----
> From: Edmond Chow <echow () videotron ca>
> Date: Tue, 30 Aug 2005 10:27:24 
> To:security-basics () securityfocus com,       "Beauford, Jason"
<jbeauford () EightInOnePet com>
> Cc:Edmond Chow <echow () videotron ca>
> Subject: RE: Computer forensics to uncover illegal internet use
>
> Good morning Jason,
>
> Thank-you to you and all who responded to me with their ideas.  I am 
> wondering if there are any reference books available that would guide 
> me through an investigation of this sort?  I am dealing with a case 
> involving the viewing of child pornographic websites so I want to be 
> careful to follow reference guidelines of some sort so that I don't end
up in jail myself!
> Any help that you can provide in the form of links to articles and/or 
> books on this subject would be greatly appreciated.
>
> Regards,
>
>
> Edmond
>
>
> -----Original Message-----
> From: Beauford, Jason [mailto:jbeauford () EightInOnePet com]
> Sent: Tuesday, August 30, 2005 8:50 AM
> To: Edmond Chow; security-basics () securityfocus com
> Cc: Edmond Chow
> Subject: RE: Computer forensics to uncover illegal internet use
>
>
> Check out INDEXVIEW.exe.  Internet explorer writes a history of all 
> visited sites to a file labeled INDEX.DAT.  This file is usually
hidden.
> Most end users are not bright enough to research thoroughly and will 
> not delete this file.  If they use Internet Explorer as their Browser, 
> then find this file and you will have your proof.  Download INDEXVIEW 
> here => http://superwebsearch.com/dwl/IndexView.exe
>
> Additionally, SecurityFocus has a great article which describes what 
> you want to do:
>
> Part 1 (for IE):  http://www.securityfocus.com/infocus/1827
>
> Part 2 (for Firefox) http://www.securityfocus.com/infocus/1832
>
>
> Good Luck.
>
>
> JMB
>
>     =|   -----Original Message-----
>     =|   From: Edmond Chow [mailto:echow () gettechnologies com]
>     =|   Sent: Friday, August 26, 2005 7:23 PM
>     =|   To: security-basics () securityfocus com
>     =|   Cc: Edmond Chow
>     =|   Subject: RE: Computer forensics to uncover illegal
>     =|   internet use
>     =|
>     =|
>     =|   Dear List,
>     =|
>     =|   I'm working on the following project and would
>     =|   appreciate your views:
>     =|
>     =|   I have been tasked with finding out if a certain
>     =|   desktop computer was used to view pornographic sites
>     =|   on the internet.  This user has gone to great lengths
>     =|   to try to mask his illegal activities by erasing
>     =|   cookies, temp.
>     =|   files and by installing anti-spyware software on his
>     =|   computer.  Are there any tools that would allow me to
>     =|   still uncover proof that he had accessed these sites?
>     =|    So far, the tech department is telling me that he
>     =|   did access illegal sites on only two dates but I
>     =|   suspect that this illegal activity started many
>     =|   months or years ago and it will be up to me to find
>     =|   more proof.
>     =|
>     =|   Also, at a network level, we know his IP address but
>     =|   yet my technical support department is telling me
>     =|   that they cannot (either because they don't want to
>     =|   or because they are not technically capable of) tell
>     =|   me what internet sites this IP address has accessed
>     =|   in the past.  Logically, there must be a point in the
>     =|   network (on some piece of hardware) where I can
>     =|   consult log files to track his activities?  Or, is
>     =|   there a log file that I can consult that will tell me
>     =|   what sites all my users have accessed and from what
>     =|   IP address?
>     =|
>     =|   In terms of access to the desktop in question, I will
>     =|   have full access as the computer will be in my
>     =|   possession in the coming days.
>     =|
>     =|   Thank-you and any help that you can provide would be
>     =|   most appreciated.
>     =|
>     =|   Regards,
>     =|
>     =|
>     =|   Edmond
>     =|
>     =|
>     =|
>     =|
>
> --
> No virus found in this incoming message.
> Checked by AVG Anti-Virus.
> Version: 7.0.344 / Virus Database: 267.10.17/84 - Release Date: 
> 8/29/2005
>
> --
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.344 / Virus Database: 267.10.17/84 - Release Date: 
> 8/29/2005
>
>
>
>