Re: Computer forensics to uncover illegal internet use

[spyros <sninos () ee duth gr>]

hello again,
 I misread one e-mail.

>From: Edmond Chow <echow () videotron ca>
>Date: Tue, 30 Aug 2005 10:27:24
[...]
> me through an investigation of this sort?  I am dealing with a case
> involving the viewing of child pornographic websites so I

Edmond said clearly that it concenrs child porn. Sorry about that :)

spyros

spyros wrote:
> hello listmates,
>  I'm new to security field and I'm particularly intrested in this topic. 
> Even though I have no personal experience or involment (direct or 
> indirect) in such cases, I do have some observations to make (more to be 
> considered as questions to be answered).
>
> 1) I do assume that Edmond is a network admin. In any case he noticed 
> illegal internet use. If we are to accept his claims (illegal use) then 
> he must have some specification or policy according to which he 
> concluded that internet was being used illegally. As a network admin he 
> has the right to investigate things further, right? I mean, even if it's 
> about child porn or just spyware, he has a company-policy to 
> investigate, because he *is* after all the guy responsible for the 
> company's network.
> In this case, would I be naive if I suggested that Edmond preserved a 
> low profile and started monitoring the network? In other terms, after 
> having the appropriate permission (from his supervisor or whatever) 
> couldn't he just start logging verbosely the network traffic in order to 
> reduce the possibility of a wrong-assumption?
>
> 2) In either case (child porn or spyware) Edmond is oblidged to 
> investigate the indications. The fact is this: he has clues that illegal 
>  internet traffic is going through the company's network (for which he 
> is responsible). He's not the one to make accusations against an 
> employee, he just follows some clues. He should find out what this 
> illegal use is about. Thus, if it concerns child porn he reports it to 
> whomever he's supposed to. If it concerns just spyware, then one 
> computer is infected with malware and it must be fixed. In either case, 
> Edmond is not making any assumptions about the employee, he just 
> investigates "evidence" (which may have been created by someone else, 
> like an intruder).
>
> 3) I don't know exactly, but I do have in mind that some formal 
> procedures must be followed for a digital evidence to be accepted in a 
> legal case. It's what we call a "chain of evidence". The way I have 
> figured it out, one must make a replica of the hard-disk-evidence, and 
> he must assure that the replica can not be modified in any case -using 
> legally accepted tools. And of course he must have some witnesses that 
> will reassure that he did a legal replica and he didn't modify the data. 
> How will he be able to prove that he didn't tamper with the data, 
> without making a copy in front of law enforcement people, and having 
> those law enforcement people sign a paper? That should involve the 
> police in the first place, right? And of course wiping the hard disk I 
> suppose is not part of the procedure!
>
> 4) Let's suppose that Edmond snoops into the "illegal" employees 
> computer without someone seeing him, and finds some child porn material 
> (just a few pics for example) but also finds out that the employee has a 
> lot of spyware installed (highly unlike since Edmond knows that the 
> employee erases cookies, temp etc - that is he is basically consious of 
> what a trace is and what is security or/and privacy invasion). So he 
> decides that he is not the one to play with other people's lifes/careers 
> and wipes the disk, and re-installs the OS. After a period of time he 
> re-notices the illegal traffic which directs him again to the same 
> computer or/and employee. So he manages to snoop once more in to the 
> employee's computer and finds new pics but again some spyware installed 
> (again cookies erased, temp etc). What would he do then? He can't go to 
> the police because he has little evidence (the other was wiped) and he 
> knows for certain that those pics aren't there by accident. So, what 
> would be his position?
>
> 5) Even if Edmond finds tons of spyware in the "illegal" employee's 
> computer, how does he know that the spyware wasn't intentionally planted 
> there by the employee, so in case of a "compromise" he would claim that 
> it was not him but the spyware?
>
> 6) How many spywares does anybody in the list know that download child 
> porn in someones' computer and save them there? I always thought that 
> spyware was "invented" in order to do a sort of traffic analysis 
> (customer habbits logging) and not spreading child porn..
>
> 7) Why does everybody in this list assume that it concerns child porn 
> and not simply porn? As far as Edmond says at his email (which is 
> purposely attached below, at the end of all replied mails) it's just 
> porn. That means that probably it is a company-policy violation and 
> nothing more. Am I wrong?
>
> 8) Edmond, "This user has gone to great lengths to try to mask his 
> illegal activities by erasing cookies, temp" that means (to me at least) 
> that he is a little security concious. Which means (to me again) that he 
> could be subscribed to security-basics_at_securityfocus.com, which means 
> that he might have read this thread. Don't you think that by now he must 
> have wiped the whole disk?
>
> Sorry for the long message, and sorry for my english :)
>
> spyros