Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Computer forensics to uncover illegal internet use

from [Mike Sweeney] Network Security [Permanent Link]
Subject: Re: Computer forensics to uncover illegal internet use
Date: Mon, 29 Aug 2005 21:40:30 -0700
Before anything.. make a copy of the disk and lock the original away with a chain of evidence. Use Ghost or DD. Work only on a copy.

Examine the disk using something like Knoppix STD or Audit or other bootable CD.

swap file..
history files for IE
Alternative Browser history files
use a undelete tool to see what might be recovered for cookies etc
check for firewall logs or proxy server logs

If he is really that clever, look for alternative data streams and hidden files..
Look for a hidden partition

Some history and last URLs can be found in the registry

I'm sure other will toss in their 3 cents too :)

MikeS
____________________________________

mikesweeney@packetattack.com
www.packetattack.com
Home of "Network Security using Linux"

Office 714.637.4235



On Aug 29, 2005, at 8:45 PM, Edmond Chow wrote:


Dear List,

I'm working on the following project and would appreciate your views:

I have been tasked with finding out if a certain desktop computer was used
to view pornographic sites on the internet. This user has gone to great
lengths to try to mask his illegal activities by erasing cookies, temp.
files and by installing anti-spyware software on his computer. Are there
any tools that would allow me to still uncover proof that he had accessed
these sites? So far, the tech department is telling me that he did access
illegal sites on only two dates but I suspect that this illegal activity
started many months or years ago and it will be up to me to find more proof.

Also, at a network level, we know his IP address but yet my technical
support department is telling me that they cannot (either because they don't
want to or because they are not technically capable of) tell me what
internet sites this IP address has accessed in the past. Logically, there
must be a point in the network (on some piece of hardware) where I can
consult log files to track his activities? Or, is there a log file that I
can consult that will tell me what sites all my users have accessed and from
what IP address?

In terms of access to the desktop in question, I will have full access as
the computer will be in my possession in the coming days.

Thank-you and any help that you can provide would be most appreciated.

Regards,


Edmond








[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  CIA checklist, Toto A Atmojo
Next by Date:  RE: Computer forensics to uncover illegal internet use, Keenan Smith
Previous by Thread:  Re: Computer forensics to uncover illegal internet use, Greg Stiavetti
Next by Thread:  RE: Computer forensics to uncover illegal internet use, James McEachern
Indexes:  [Date] [Thread] [Top] [All Lists]