Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Internet Explorer History
From: Max Ashton <maxashton () eml cc>
Date: Mon, 17 Jul 2006 10:23:11 +0000

On Monday 17 July 2006 00:13, kruptos wrote:
Hello All,

I have been tasked with recovering the recent history of an individual
laptop. It is suspected that the individual may have gone to a "escort"
site and attempted to make a purchase via company credit card.

First rule of forensics is not to compromise your 'scene.

Take an image of the hard disk. I reccomend using DD or simmilar to take an 
image of your suspect's hard disk (at the most basic level " dd if=/dev/hda 
of /home/you/noobhdd.img" .. bear in mind using dd you will need as much free 
space as the original hd contains).  Other tools are fine, but bear in mind 
it needs to be a known documented tool. And take an MD5 hash of the image 
while you're at it.

Only then do any analysis of the hard disk. Most of the forensics livecd's 
contain tools for examining IE's index.dat... backtrack has one, helix has 

But whatever you do, don't ever examine a live environment. A halfway 
competent defence lawyer would just say you put the evidence there yourself. 
At the very best, they'd throw the evidence out and your suspect would claim 
no knowledge of the CC's use, at worst, you could be up for fraud or who 
knows what.

IANAL, check your local laws regarding computer forensics.

Max Ashton
No ammount of network security is as good as a wood chipper.
0x7951CF83  http://www.maxashton.com/pgpkeys/maxashton.asc

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]