Edmond Chow [echow@gettechnologies.com] writes:
I have been tasked with finding out if a certain desktop computer was used
to view pornographic sites on the internet. This user has gone to great
lengths to try to mask his illegal activities by erasing cookies,
So examine the deleted filespace too. Sure, the blocks used by the cookies and
other temp files may have been overwritten by now, but probably not. I doubt
he would have gone to the trouble to ensure that by hand.
Sorry, I am not personally familiar with the latest tools to do that. Mount
the drive as a second HD (NOT THE FIRST ONE, you don't want to run anything on
it, don't even swap to it) under Linux, and it should be easy to look at it
exactly bit by bit, and thereby search the deleted space for things like
cookies, jpgs, etc.
Also, at a network level, we know his IP address but yet my technical
support department is telling me that they cannot (either because they
don't want to or because they are not technically capable of) tell me
what internet sites this IP address has accessed in the past.
Logically, there must be a point in the network (on some piece of
hardware) where I can consult log files to track his activities? Or,
is there a log file that I can consult that will tell me what sites
all my users have accessed and from what IP address?
It all depends on what tools your network uses, how they are arranged, how
verbose the logs are, how soon they are purged, etc. It is very possible that
there is no such log, but any company would be well-served to at least log what
URLs are accessed from which IPs, "for, uh, just such an emergency".
-Dave
