RE: Computer forensics to uncover illegal internet use

[<Steve.Cummings () barclayscapital com>]

Not sure I know any of your infra

But you could look in proxy logs, dns logs, maybe your isp might be able
to assist

But other than that not a lot you will be able to do 


Regards

Steve Cummings
Barclays Capital
DDI 0207 773 4245

-----Original Message-----
From: Keenan Smith [mailto:kc_smith () clark net] 
Sent: 30 August 2005 14:28
To: 'Edmond Chow'; security-basics () securityfocus com
Cc: 'Edmond Chow'
Subject: RE: Computer forensics to uncover illegal internet use

Edmond,

Assuming you have a firewall and the logs are kept for the period in
question, there should be a history of all traffic both to and from the
offending IP.

There are even apps that scan the logs and build reports based on
specified parameters.

Other than that, unless something was installed to specifically track
that traffic, you may be out of luck.

If cookies, temp files, etc. were deleted they may be recoverable with
simple admin tools (check out the recent thread in this newsgroup about
recovery of deleted files and formatted disks)

Keenan


-----Original Message-----
From: Edmond Chow [mailto:echow () gettechnologies com]
Sent: Friday, August 26, 2005 7:23 PM
To: security-basics () securityfocus com
Cc: Edmond Chow
Subject: RE: Computer forensics to uncover illegal internet use



Dear List,

I'm working on the following project and would appreciate your views:

I have been tasked with finding out if a certain desktop computer was
used to view pornographic sites on the internet.  This user has gone to
great lengths to try to mask his illegal activities by erasing cookies,
temp. files and by installing anti-spyware software on his computer.
Are there any tools that would allow me to still uncover proof that he
had accessed these sites?  So far, the tech department is telling me
that he did access illegal sites on only two dates but I suspect that
this illegal activity started many months or years ago and it will be up
to me to find more proof.

Also, at a network level, we know his IP address but yet my technical
support department is telling me that they cannot (either because they
don't want to or because they are not technically capable of) tell me
what internet sites this IP address has accessed in the past.
Logically, there must be a point in the network (on some piece of
hardware) where I can consult log files to track his activities?  Or, is
there a log file that I can consult that will tell me what sites all my
users have accessed and from what IP address?

In terms of access to the desktop in question, I will have full access
as the computer will be in my possession in the coming days.

Thank-you and any help that you can provide would be most appreciated.

Regards,


Edmond






------------------------------------------------------------------------
For more information about Barclays Capital, please
visit our web site at http://www.barcap.com.


Internet communications are not secure and therefore the Barclays 
Group does not accept legal responsibility for the contents of this 
message.  Although the Barclays Group operates anti-virus programmes, 
it does not accept responsibility for any damage whatsoever that is 
caused by viruses being passed.  Any views or opinions presented are 
solely those of the author and do not necessarily represent those of the 
Barclays Group.  Replies to this email may be monitored by the Barclays 
Group for operational or business reasons.

------------------------------------------------------------------------