RE: Computer forensics to uncover illegal internet use

I think the individual below referred to "illegal porn" - which is an
entirely different matter. Now you're talking about serious criminal
activity, and if this is suspected, you're better off getting Law
Enforcement involved early. If you don't, and you end up not handling
the "evidence" in a matter consistent with "chain of custody", etc., you
could let a criminal "off the hook". If this user is accessing child
porn, law enforcement and legal folks must be involved to make anything
you do really "stick".

Connie

-----Original Message-----
From: James Leighe [mailto:jamesleighe@gmail.com] 
Sent: Tuesday, August 30, 2005 1:51 AM
To: security-basics@securityfocus.com
Subject: Re: Computer forensics to uncover illegal internet use

This sure is allot of trouble to bust someone for looking at porn
however to each his own... You could use drive imaging software and
then data recovery software to get all the files on the hard drive
that have not been written over as of yet, like cookies and the tmp
files n' all that noise... Other than that, advanced routers have
logging capabilities, if you have an IDS that would be a place too
look... you know your network better than we do, check around.

Also, here is a list of some interesting registry and file locations,
taken from a scanlog from adaware:
------------------------------------------------------------------------
--------------
  MRU List Object Recognized!
    Location:          : C:\Documents and Settings\****\recent
    Description        : list of recently opened documents


  MRU List Object Recognized!
    Location:          :
software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft
direct3d


  MRU List Object Recognized!
    Location:          :
software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct
X


  MRU List Object Recognized!
    Location:          :
software\microsoft\directdraw\mostrecentapplication
    Description        : most recent application to use microsoft
directdraw


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediapl
ayer\medialibraryui
    Description        : last selected node in the microsoft windows
media player media library


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediapl
ayer\preferences
    Description        : last playlist index loaded in microsoft
windows media player


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediapl
ayer\preferences
    Description        : last playlist loaded in microsoft windows media
player


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows
\currentversion\explorer\comdlg32\lastvisitedmru
    Description        : list of recent programs opened


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows
\currentversion\explorer\comdlg32\opensavemru
    Description        : list of recently saved files, stored
according to file extension


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows
\currentversion\explorer\recentdocs
    Description        : list of recent documents opened


  MRU List Object Recognized!
    Location:          :
S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows
media\wmsdk\general
    Description        : windows media sdk 
------------------------------------------------------------------------
--------------

On 26/08/05, Edmond Chow <echow@gettechnologies.com> wrote:
> Dear List,
>
> I'm working on the following project and would appreciate your views:
>
> I have been tasked with finding out if a certain desktop computer was
used
> to view pornographic sites on the internet.  This user has gone to
great
> lengths to try to mask his illegal activities by erasing cookies,
temp.
> files and by installing anti-spyware software on his computer.  Are
there
> any tools that would allow me to still uncover proof that he had
accessed
> these sites?  So far, the tech department is telling me that he did
access
> illegal sites on only two dates but I suspect that this illegal
activity
> started many months or years ago and it will be up to me to find more
proof.
> Also, at a network level, we know his IP address but yet my technical
> support department is telling me that they cannot (either because they
don't
> want to or because they are not technically capable of) tell me what
> internet sites this IP address has accessed in the past.  Logically,
there
> must be a point in the network (on some piece of hardware) where I can
> consult log files to track his activities?  Or, is there a log file
that I
> can consult that will tell me what sites all my users have accessed
and from
> what IP address?
>
> In terms of access to the desktop in question, I will have full access
as
> the computer will be in my possession in the coming days.
>
> Thank-you and any help that you can provide would be most appreciated.
>
> Regards,
>
>
> Edmond