PaulDotCom mailing list archives

A question about browser history


From: dorne.mabais at googlemail.com (Dorne Mabais)
Date: Wed, 16 Dec 2009 09:52:21 -0500

I figured that after all the good advice I owed an update. For this
particular case, the best piece of advice was to not just rely on the
browser logs. After expanding the search to include the network logs, I
found that there seemed to be other machines accessing the same sites. While
it was not infeasible to assume that multiple people viewed the same bad
sites, it did warrant further investigation. To cut a long story short, it
ended up being malware using iframes. It seems to have been caused by a bad
password recovery program the people had been trying to use (which is
another story).

But two things this incident showed me, which I hope I remember:
1. Never assume that what you assume to be the 'smoking gun' is all there is
2. That it is nice to sometimes prove a person innocent after all the bad
stuff seen

Thanks again to all for all the help.

D.M.

On Tue, Nov 10, 2009 at 10:17 PM, David A. Gershman <
dagershman_dgt at dagertech.net> wrote:



anyone knows of a way this could have happened which backs up the
employee's
story or do I just go ahead and assume guilt?

First (IMHO)
Don't assume guilt or innocence.  Stick to what you were asked...find
evidence if it's there.  If it's not there, fine.  Start assuming anything
or taking the employee's "nature" into account and you're doing the
manager's/company's job.  If this employee gets fired for an
'assumption', you'll feel it.  Provide the best evidence you can and let
the verdict reside with the company.

I know it sounds cold, but when doing forensics it's important to remain
as objective as possible.

Second
As for how their history could have been populated, I really have no
idea.  I do know this, don't just look within the browser.  A good piece
of malware coming from a thumbdrive could screw with browser files just
as easily.  Be sure to scour the big picture.

----------------------------------------
David A. Gershman
gershman at dagertech.net
http://dagertech.net/gershman/
"It's all about the path!" --d. gershman