Home page logo

basics logo Security Basics mailing list archives

RE: Computer forensics to uncover illegal internet use
From: "George Lantz" <glantz () mostlymemories com>
Date: Tue, 30 Aug 2005 10:18:18 -0500

The easiest way, if you have access, is to view the logs of your proxy
server. They can tell you exactly where the user visited and at what

The second step I would take is to do some digging on the user's
computer. Assuming this is a windows machine and the user is using IE, a
good place to start would be to view the index.dat files and find a list
of sites the user has visited. Index.dat files store information on file
access, cookies and visited sites and are somewhat complicated to
clear/remove for the average user. However, if you are not using IE it
does not log to the index.dat. Use an index.dat viewer such as Index Dat
Spy, or search for one on google, there are many. If that does not work
there are some other techniques and programs to investigate this type of
thing. Look to the forums or search online.

We went through this before at our company a few years ago. Make sure
you consider whether the visitations where accidental or not. Does the
user share the computer with others (Multi-user login)? Was the illegal
activity caused by accident, such as spam, malware (spyware/adware) or
popups? Just consider everything before making any accusations. Be sure
you have adequate proof. We almost had legal problems.

George Lantz

-----Original Message-----
From: Edmond Chow [mailto:echow () gettechnologies com] 
Sent: Friday, August 26, 2005 6:23 PM
To: security-basics () securityfocus com
Cc: Edmond Chow
Subject: RE: Computer forensics to uncover illegal internet use

Dear List,

I'm working on the following project and would appreciate your views:

I have been tasked with finding out if a certain desktop computer was
to view pornographic sites on the internet.  This user has gone to great
lengths to try to mask his illegal activities by erasing cookies, temp.
files and by installing anti-spyware software on his computer.  Are
any tools that would allow me to still uncover proof that he had
these sites?  So far, the tech department is telling me that he did
illegal sites on only two dates but I suspect that this illegal activity
started many months or years ago and it will be up to me to find more

Also, at a network level, we know his IP address but yet my technical
support department is telling me that they cannot (either because they
want to or because they are not technically capable of) tell me what
internet sites this IP address has accessed in the past.  Logically,
must be a point in the network (on some piece of hardware) where I can
consult log files to track his activities?  Or, is there a log file that
can consult that will tell me what sites all my users have accessed and
what IP address?

In terms of access to the desktop in question, I will have full access
the computer will be in my possession in the coming days.

Thank-you and any help that you can provide would be most appreciated.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]