Re: Internet Explorer History
From: Max Ashton <maxashton () eml cc>
Date: Mon, 17 Jul 2006 10:23:11 +0000
On Monday 17 July 2006 00:13, kruptos wrote:
> I have been tasked with recovering the recent history of an individual
> laptop. It is suspected that the individual may have gone to an "escort"
> site and attempted to make a purchase via company credit card.
First rule of forensics is not to compromise your 'scene'.
Take an image of the hard disk. I recommend using DD or similar to take an
image of your suspect's hard disk (at the most basic level "dd if=/dev/hda
of=/home/you/noobhdd.img" .. bear in mind using dd you will need as much free
space as the original hd contains). Other tools are fine, but bear in mind
it needs to be a known documented tool. And take an MD5 hash of the image
while you're at it.
Only then do any analysis of the hard disk. Most of the forensics live CDs
contain tools for examining IE's index.dat... backtrack has one, helix has
But whatever you do, don't ever examine a live environment. A halfway
competent defence lawyer would just say you put the evidence there yourself.
At the very best, they'd throw the evidence out and your suspect would claim
no knowledge of the CC's use, at worst, you could be up for fraud or who
IANAL, check your local laws regarding computer forensics.
No amount of network security is as good as a wood chipper.
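
The image-then-hash-then-analyse order described in the reply above, as an added example that is not part of the original post. The function names, the `.hashes` log file and the SHA-256 line alongside the MD5 are assumptions of this sketch; the source would be the suspect disk attached read-only.

```bash
#!/usr/bin/env bash
# Added example. SRC stands in for the suspect disk (/dev/hda in the post),
# attached read-only; the ".hashes" log name is an assumption of this sketch.

acquire_image() {   # usage: acquire_image SRC IMG
    src=$1; img=$2; log="$img.hashes"
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image $img" >&2
        return 1
    fi
    # Plain copy. On failing media, conv=noerror,sync keeps dd going but pads
    # unreadable blocks with zeros, so source and image hashes can then differ.
    dd if="$src" of="$img" bs=65536 2>/dev/null || return 1
    src_md5=$(md5sum < "$src" | cut -d' ' -f1)
    img_md5=$(md5sum < "$img" | cut -d' ' -f1)
    if [ "$src_md5" != "$img_md5" ]; then
        echo "image does not match source" >&2
        return 2
    fi
    # Record MD5 (as the post suggests) plus SHA-256, then drop write permission.
    {
        echo "md5 $img_md5"
        echo "sha256 $(sha256sum < "$img" | cut -d' ' -f1)"
    } > "$log"
    chmod a-w "$img" "$log"
}

verify_image() {    # usage: verify_image IMG ; succeeds only if IMG is unchanged
    img=$1
    want=$(awk '$1 == "sha256" { print $2 }' "$img.hashes")
    have=$(sha256sum < "$img" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

demo() {            # constructed 200000-byte stand-in for a disk, in a temp dir
    d=$(mktemp -d) || return 1
    head -c 200000 /dev/urandom > "$d/disk.bin"
    acquire_image "$d/disk.bin" "$d/disk.img" && verify_image "$d/disk.img"
    rc=$?
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `verify_image` again before and after each analysis session, and work on a copy of the image so the recorded hashes keep describing the original acquisition.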