I think we need to suggest that the original poster should contact a
professional in the field. I'm all for learning and such but the moment
he mentioned "legal" action it was time to put learning aside and
contact a professional. This is no longer just a manager wanting to
call in an employee and give them a slap on the wrist. It should be
given to a professional and if in fact illegal 'porn' is involved law
enforcement should be contacted ASAP.
The smallest mistake, moved file, wrong command, installed software and
chain of custody that needs to be maintained. Any of this done wrong
and your case is over and worse you your self may be open to legal
action.
Contact law enforcement in your area, contact a computer forensic
company (one with law enforcement contacts is my recommendation) and
contact your lawyer(s).
Regards,
Jackson.
-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson@HIPUSA.com]
Sent: Wednesday, 31 August 2005 7:45 AM
To: James McEachern; echow@gettechnologies.com
Cc: security-basics@securityfocus.com
Subject: RE: Computer forensics to uncover illegal internet use
Assuming that he's not running DHCP. If he is, then he needs to
correlate the event logs from the domain controller to prove that the
workstation name/IP address and user add up.
Sonja L. Robinson, CISSP, CIFI, CISA, CISM Forensic Specialist, Digital
Investigations HIP Information Security Group
Tel: 212-806-4125
srobinson@hipusa.com
-----Original Message-----
From: James McEachern [mailto:james.mceachern.qa5a@statefarm.com]
Sent: Tuesday, August 30, 2005 8:47 AM
To: echow@gettechnologies.com
Cc: security-basics@securityfocus.com
Subject: RE: Computer forensics to uncover illegal internet use
You don't even need access to his computer just check the ip for his
computer in proxy logs and if its logging feature is turned on then you
can find every web site he went to even ad sites that pop up in
browsers. If your tech cant figure this out I would strongly consider
finding new employees for this "staff".
James McEachern
-----Original Message-----
From: echow@gettechnologies.com [mailto:echow@gettechnologies.com]
Sent: Friday, August 26, 2005 6:23 PM
To: security-basics@securityfocus.com
Cc: echow@videotron.ca
Subject: RE: Computer forensics to uncover illegal internet use
Dear List,
I'm working on the following project and would appreciate your views:
I have been tasked with finding out if a certain desktop computer was
used to view pornographic sites on the internet. This user has gone to
great lengths to try to mask his illegal activities by erasing cookies,
temp. files and by installing anti-spyware software on his computer.
Are there any tools that would allow me to still uncover proof that he
had accessed these sites? So far, the tech department is telling me
that he did access illegal sites on only two dates but I suspect that
this illegal activity started many months or years ago and it will be up
to me to find more proof.
Also, at a network level, we know his IP address but yet my technical
support department is telling me that they cannot (either because they
don't want to or because they are not technically capable of) tell me
what internet sites this IP address has accessed in the past.
Logically, there must be a point in the network (on some piece of
hardware) where I can consult log files to track his activities? Or, is
there a log file that I can consult that will tell me what sites all my
users have accessed and from what IP address?
In terms of access to the desktop in question, I will have full access
as the computer will be in my possession in the coming days.
Thank-you and any help that you can provide would be most appreciated.
Regards,
Edmond
