PaulDotCom mailing list archives

A question about browser history


From: pj_mcgarvey at hotmail.com (PJ McGarvey)
Date: Tue, 3 Nov 2009 12:57:04 -0500


As users get redirected to malicious sites all the time, I'm sure it's well within the possibility that they could also 
be redirected to a porn site as well via iframes, etc.  

 

Looking through lots of IE related browser history myself, it's hard to know the user's exact intentions, though 
sometimes it's pretty obvious once you see Google search queries, the typed URLs registry key, and such that don't 
appear work-related.

 

Might be an opportunity to repeat whatever legit browsing he said he was doing and examine your own cache. ;-)

 

-PJ
 


Date: Tue, 3 Nov 2009 12:38:44 -0500
From: dorne.mabais at googlemail.com
To: pauldotcom at mail.pauldotcom.com
Subject: [Pauldotcom] A question about browser history

I have a situation at a client's that I would appreciate some help with. An employee was flagged as visiting "adult" 
sites (which is surprising since their proxy is not exactly current or well set up), and a quick look at the browser 
history showed traces of this (Firefox 3.5). But in my brief exposure to forensics I have been told, "do not look for 
evidence of guilt or innocence, just look for evidence". This employee seems honestly shocked about this and swears 
that he did not do it (even has suggested taking a lie-detector test to prove it!) and some of the sites do seem like 
those that are ad funded and I know those can be more than meets the eye. So I have been trying to find out if it is 
possible that he is actually innocent. I have done some reading and hidden iframes would explain the proxy traffic but 
as far as I know, those do not show in the browser history (?). I am sure that a pop-up window would not have been it 
either. I admit my web-security-fu is not at a very high level, so I would like to ask if anyone knows of a way this 
could have happened which backs up the employee's story or do I just go ahead and assume guilt?

Thanks 
 Dorne
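
An added example, not part of either post: for the Firefox history discussed in this thread, the sketch below reads the two Places tables (moz_places, moz_historyvisits in places.sqlite) and walks each visit's from_visit chain to show whether a page was typed or bookmarked, or was reached through an embedded load or redirect. The table, column and visit_type names follow Mozilla's Places schema; the rows, domains and helper function names are constructed for illustration, and whether a given Firefox build records embedded loads is an assumption to confirm on a test profile.

```python
import sqlite3
from datetime import datetime, timezone

# Places visit_type codes (Mozilla nsINavHistoryService TRANSITION_* constants).
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
               5: "redirect_permanent", 6: "redirect_temporary", 7: "download"}
USER_DRIVEN = {"typed", "bookmark"}  # navigation where the user chose the URL

def build_sample_db():
    """Constructed sample rows; a real case would open a copy of places.sqlite."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, hidden INTEGER, typed INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'http://news.example/', 0, 1), (2, 'http://ads.example/redir?id=7', 1, 0),
            (3, 'http://adult.example/landing', 0, 0), (4, 'http://adult2.example/', 0, 1);
        INSERT INTO moz_historyvisits VALUES
            (10, 0, 1, 1257270000000000, 2), (11, 10, 2, 1257270004000000, 4),
            (12, 11, 3, 1257270005000000, 6), (13, 0, 4, 1257273600000000, 2);
    """)
    return db

def visit_chain(db, visit_id):
    """Walk from_visit back to the first visit; return (time, type, url) oldest-first."""
    chain = []
    while visit_id and len(chain) < 50:  # from_visit 0 = no parent; cap guards loops
        row = db.execute(
            "SELECT v.from_visit, v.visit_date, v.visit_type, p.url "
            "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
            "WHERE v.id = ?", (visit_id,)).fetchone()
        if row is None:  # parent visit expired or deleted: chain is incomplete
            break
        parent, ts, vtype, url = row
        when = datetime.fromtimestamp(ts / 1_000_000, tz=timezone.utc)  # PRTime: microseconds
        chain.append((when.isoformat(), VISIT_TYPES.get(vtype, f"unknown({vtype})"), url))
        visit_id = parent
    return chain[::-1]

def arrived_by_user_action(chain):
    """True only if the final visit itself was typed or opened from a bookmark."""
    return bool(chain) and chain[-1][1] in USER_DRIVEN

if __name__ == "__main__":
    db = build_sample_db()
    for vid in (12, 13):
        print(vid, arrived_by_user_action(visit_chain(db, vid)), visit_chain(db, vid))
```

The visit type records how the browser classified the navigation, not who was at the keyboard, so the chain is one data point to set beside proxy logs and logon times.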
                                          