Re: Computer forensics to uncover illegal internet use

You could install a vnc server on his computer and have it running in
the background so it doesnt show in his systray.  then you could
initiate a session to his computer from another and watch what he's
doing and take screen shots of any pr0n he's looking at.  Not sure of
the legality of that, though.

On 8/30/05, James Leighe <jamesleighe@gmail.com> wrote:
> This sure is allot of trouble to bust someone for looking at porn
> however to each his own... You could use drive imaging software and
> then data recovery software to get all the files on the hard drive
> that have not been written over as of yet, like cookies and the tmp
> files n' all that noise... Other than that, advanced routers have
> logging capabilities, if you have an IDS that would be a place too
> look... you know your network better than we do, check around.
>
> Also, here is a list of some interesting registry and file locations,
> taken from a scanlog from adaware:
> --------------------------------------------------------------------------------------
>   MRU List Object Recognized!
>     Location:          : C:\Documents and Settings\****\recent
>     Description        : list of recently opened documents
>
>
>   MRU List Object Recognized!
>     Location:          : software\microsoft\direct3d\mostrecentapplication
>     Description        : most recent application to use microsoft direct3d
>
>
>   MRU List Object Recognized!
>     Location:          : software\microsoft\direct3d\mostrecentapplication
>     Description        : most recent application to use microsoft direct X
>
>
>   MRU List Object Recognized!
>     Location:          : software\microsoft\directdraw\mostrecentapplication
>     Description        : most recent application to use microsoft directdraw
>
>
>   MRU List Object Recognized!
>     Location:          :
> S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediaplayer\medialibraryui
>     Description        : last selected node in the microsoft windows
> media player media library
>
>
>   MRU List Object Recognized!
>     Location:          :
> S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediaplayer\preferences
>     Description        : last playlist index loaded in microsoft
> windows media player
>
>
>   MRU List Object Recognized!
>     Location:          :
> S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\mediaplayer\preferences
>     Description        : last playlist loaded in microsoft windows media 
> player
>
>
>   MRU List Object Recognized!
>     Location:          :
> S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
>     Description        : list of recent programs opened
>
>
>   MRU List Object Recognized!
>     Location:          :
> S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
>     Description        : list of recently saved files, stored
> according to file extension
>
>
>   MRU List Object Recognized!
>     Location:          :
> S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows\currentversion\explorer\recentdocs
>     Description        : list of recent documents opened
>
>
>   MRU List Object Recognized!
>     Location:          :
> S-1-5-21-1417001333-725345543-1003229946-1003\software\microsoft\windows
> media\wmsdk\general
>     Description        : windows media sdk
> --------------------------------------------------------------------------------------
>
> On 26/08/05, Edmond Chow <echow@gettechnologies.com> wrote:
> > Dear List,
> >
> > I'm working on the following project and would appreciate your views:
> >
> > I have been tasked with finding out if a certain desktop computer was used
> > to view pornographic sites on the internet.  This user has gone to great
> > lengths to try to mask his illegal activities by erasing cookies, temp.
> > files and by installing anti-spyware software on his computer.  Are there
> > any tools that would allow me to still uncover proof that he had accessed
> > these sites?  So far, the tech department is telling me that he did access
> > illegal sites on only two dates but I suspect that this illegal activity
> > started many months or years ago and it will be up to me to find more proof.
> >
> > Also, at a network level, we know his IP address but yet my technical
> > support department is telling me that they cannot (either because they don't
> > want to or because they are not technically capable of) tell me what
> > internet sites this IP address has accessed in the past.  Logically, there
> > must be a point in the network (on some piece of hardware) where I can
> > consult log files to track his activities?  Or, is there a log file that I
> > can consult that will tell me what sites all my users have accessed and from
> > what IP address?
> >
> > In terms of access to the desktop in question, I will have full access as
> > the computer will be in my possession in the coming days.
> >
> > Thank-you and any help that you can provide would be most appreciated.
> >
> > Regards,
> >
> >
> > Edmond


-- 
Dallas Jordan CCNA, CISSP