Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Computer forensics to uncover illegal internet use

from [James Leighe] Network Security [Permanent Link]
Subject: Re: Computer forensics to uncover illegal internet use
Date: Tue, 30 Aug 2005 00:51:03 -0500 
This sure is allot of trouble to bust someone for looking at porn
however to each his own... You could use drive imaging software and
then data recovery software to get all the files on the hard drive
that have not been written over as of yet, like cookies and the tmp
files n' all that noise... Other than that, advanced routers have
logging capabilities, if you have an IDS that would be a place too
look... you know your network better than we do, check around.

Also, here is a list of some interesting registry and file locations,
taken from a scanlog from adaware:
--------------------------------------------------------------------------------------
  MRU List Object Recognized!
    Location:          : C:\Documents and Settings\****\recent
    Description        : list of recently opened documents


  MRU List Object Recognized!
    Location:          : software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct3d


  MRU List Object Recognized!
    Location:          : software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct X


  MRU List Object Recognized!
    Location:          : software\microsoft\directdraw\mostrecentapplication
    Description        : most recent application to use microsoft directdraw


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediaplayer\medialibraryui
    Description        : last selected node in the microsoft windows
media player media library


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediaplayer\preferences
    Description        : last playlist index loaded in microsoft
windows media player


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediaplayer\preferences
    Description        : last playlist loaded in microsoft windows media player


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description        : list of recent programs opened


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description        : list of recently saved files, stored
according to file extension


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows\currentversion\explorer\recentdocs
    Description        : list of recent documents opened


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows
media\wmsdk\general
    Description        : windows media sdk 
--------------------------------------------------------------------------------------

On 26/08/05, Edmond Chow <echow@gettechnologies.com> wrote:


Dear List,

I'm working on the following project and would appreciate your views:

I have been tasked with finding out if a certain desktop computer was used
to view pornographic sites on the internet.  This user has gone to great
lengths to try to mask his illegal activities by erasing cookies, temp.
files and by installing anti-spyware software on his computer.  Are there
any tools that would allow me to still uncover proof that he had accessed
these sites?  So far, the tech department is telling me that he did access
illegal sites on only two dates but I suspect that this illegal activity
started many months or years ago and it will be up to me to find more proof.

Also, at a network level, we know his IP address but yet my technical
support department is telling me that they cannot (either because they don't
want to or because they are not technically capable of) tell me what
internet sites this IP address has accessed in the past.  Logically, there
must be a point in the network (on some piece of hardware) where I can
consult log files to track his activities?  Or, is there a log file that I
can consult that will tell me what sites all my users have accessed and from
what IP address?

In terms of access to the desktop in question, I will have full access as
the computer will be in my possession in the coming days.

Thank-you and any help that you can provide would be most appreciated.

Regards,


Edmond
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  GPL version of WiKID Strong Authentication released, Nick Owen
Next by Date:  RE: Computer forensics to uncover illegal internet use, Eduardo Suzuki
Previous by Thread:  Re: Computer forensics to uncover illegal internet use, Frankie Li
Next by Thread:  Re: Computer forensics to uncover illegal internet use, dallas jordan
Indexes:  [Date] [Thread] [Top] [All Lists]