Topic: Google History (Read 9379 times)
mambo
« on: March 31, 2008, 07:31:09 AM »

Hi Guys,
I need a hand. My boss has approached me to have a look at one of the computers at work because someone has been searching some pretty obscene and disgusting things on Google. They still appear in the Google toolbar in Internet Explorer when you press down to see the recent searches.
My question is: is there a way of finding out the date and time of these searches, so as to narrow down who it could possibly be?

I was thinking it should be stored in cookies, but they may have deleted them.

Any help or input would be awesome!

Regards

Craig
_Marshel_
« Reply #1 on: March 31, 2008, 08:00:20 AM »

Go to the following path:

C:\Documents and Settings\<UserName>\Local Settings\History

and search there for the "pretty obscene and disgusting things" and you'll find them and their date.

If they were already deleted, try to use a program (EnCase for instance) to see what has been deleted lately.
shawal
« Reply #2 on: March 31, 2008, 08:44:13 AM »

Mambo,

First you need to tell your boss, depending on your situation, to get the approval to do so from the legal authority in your company, that is if you do have such a thing, or at least the HR department, if you do have this department too.

By doing so you might be violating the employee's privacy, even if it's against company policy to do so. And I do hope that you do have a policy in place that states so, and defines what is obscene or not obscene.

Now, technically, if you are running a proxy, which you should have, then these will be in the proxy logs anyhow, and I hope, if you are running a proxy, that people do authenticate to it so you can narrow it down to a person, and place (IP) and date.
RHCE, GIAC GCIH.
iSmith
« Reply #3 on: March 31, 2008, 08:50:00 AM »

If you need to, there is FreeUndelete by Office Recovery. It is an essential tool and you should have it.
In my eyes, your operating system is as solid as swiss cheese.
mambo
« Reply #4 on: March 31, 2008, 10:33:58 AM »

A bit more info then:

I'm currently studying I.T. at college and off to study computer security at uni in September. I work part time for an estate agents when I'm not at college.
This therefore makes me the 'I.T. Guy'.

I have to show them everything they don't know how to do.

So our office is only small. None of the computers are passworded or anything of the sort, so it would be easy for someone to search such content on someone else's computer. Because the boss regularly checks the history to see what everyone is looking at, everyone deletes their history.
This gives me the problem of the history being deleted, but the Google searches are still there.

This person has blamed a former employee for the searches, but the former employee left 10 months ago. My first reaction was... well, it won't store 10 months of searches. And secondly, the hard drive was reformatted when he left... definitely no data left.

So I have been asked to look into whether I can date the searches.

Which is when I turn to you rather useful and friendly fountains of knowledge for my help.


Thank you very much for your help so far. I am not working again until Saturday, when I will be looking into this, so any more input up until then would be fantastic.

Thanks again!

Craig
« Last Edit: March 31, 2008, 10:37:31 AM by mambo »
eth3real
« Reply #5 on: March 31, 2008, 10:44:49 AM »

If the user has an iGoogle account, you can try to check the Web History in iGoogle.
Put that in your pipe and grep it!
_Marshel_
« Reply #6 on: March 31, 2008, 11:10:19 AM »

You can still recover deleted history files even if the hard drive was formatted, but if the files were overwritten by some wiping algorithm (like DoD-5200.28 or the Gutmann method) then you can't recover them.
shawal
« Reply #7 on: March 31, 2008, 12:16:47 PM »

What you are referring to above is the autocomplete entries, not the history.
I do not know how IE stores this, or where it stores this. Most likely Google would know that. However, I stumbled upon this program to import and export these entries, among IE passwords, that might prove useful. I have not tried it, nor do I have a use for it, at least yet. Use with caution, and research it first.

http://www.rixler.com/internet_explorer_password_revealer.htm

HTH

W.
RHCE, GIAC GCIH.
Bogwitch
« Reply #8 on: March 31, 2008, 02:38:30 PM »

I am not a lawyer.

If there are no passwords on the systems, I seriously doubt you have any chance of proving who was responsible. There is a world of difference between suspecting and proving in a court of law.

If the material was of an illegal nature you should call in the police. Failure to do so makes you and your company complicit. The more the information is examined, the more the evidence is corrupted. If the material is illegal, call the police immediately. I'm sure if your perpetrator is still working at the company, having the police take a computer away for forensic examination will, at least, stop them from viewing such material.

This would also be an ideal opportunity to suggest to your company that they need to take the security of their systems seriously. I'm sure they have customer data on these computers and I doubt they would continue to be happy customers if they were aware of how their information was being handled.

I do not know which country you are from, and the laws concerning indecent material vary from country to country, as do the laws concerning computer misuse and investigation.

I am not a lawyer but if you are in England or Wales, I can provide you with the advice you need from a legal perspective. If not, consult a lawyer and probably even if you are in England or Wales!

Did I mention I am not a lawyer?
CISSP, C|EH, C|HFI
mambo
« Reply #9 on: April 02, 2008, 11:58:06 AM »

Cheers for the help so far!

In regards to the content, I don't believe it is illegal, I just guess some people like certain things others don't.

It's not a legal issue, just something people should really not be looking at at work.

In regards to narrowing it down to the people involved, if the date is closer than 9 months, it will narrow it down substantially.

To Shawal:

Cheers for the link! I will check it out when I'm in the office!

Thanks again guys

Data_Raid
« Reply #10 on: April 04, 2008, 11:45:45 AM »

You could always install an Anonymous Proxy and track usage via the IP Address.

What about your policies at work/school? Do you have any policies in place that employees are forced to sign in terms of company equipment usage?
What I'm getting at is, it might be fine to state that the material the employee is viewing might be inappropriate; it's whether the employee has had fair warning and has agreed to the terms of company equipment usage that have been signed and agreed to.
All men by nature desire knowledge.

Aristotle
SynJunkie
« Reply #11 on: April 18, 2008, 04:49:30 PM »


Are there any proxy server logs or web filter logs that you can cross-reference the sites through? That may help you place the individual at the PC at the time.

What's also useful, if you do have logs, is looking at what else the IP did at about the same time. Did the IP visit a MySpace page or a Gmail account at the same time? If so, can you tie some activity to an individual?

One tool I would like to suggest is RegRipper by Harlan Carvey. It's a brand new tool and I'm yet to give it a good run-through, but it might help with the visited URLs. Look on SourceForge for it. And please give Harlan feedback on bugs etc...

Regards

SynJunkie
----------------------------------
http://synjunkie.blogspot.com
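
The proxy-log cross-referencing suggested in replies #2 and #11, as an added example that is not part of any poster's message: it dates each matching Google search and lists what else the same client IP requested around that time. It assumes Squid's native access.log field order; the sample lines, hostnames and the `correlate` helper are constructed for illustration.

```python
# Added example. Assumes Squid's native access.log layout:
# time elapsed client code/status bytes method URL user peer type
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines, not real data. The user field is "-"
# because this hypothetical proxy does not require authentication.
SAMPLE_LOG = """\
1206950400.000 210 192.168.1.23 TCP_MISS/200 5120 GET http://www.google.com/search?q=flagged+term - DIRECT/192.0.2.10 text/html
1206950460.500 180 192.168.1.23 TCP_MISS/200 9001 GET http://mail.example.com/inbox?user=jdoe - DIRECT/192.0.2.20 text/html
1206950520.000 90 192.168.1.40 TCP_MISS/200 700 GET http://www.example.org/news - DIRECT/192.0.2.30 text/html
1206961200.000 120 192.168.1.23 TCP_MISS/200 800 GET http://www.example.org/sport - DIRECT/192.0.2.30 text/html
"""

def parse(line):
    """Return a dict for one log line, or None if it is malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        ts = float(f[0])
    except ValueError:
        return None
    return {"ts": ts, "ip": f[2], "url": f[6], "user": f[7]}

def search_terms(url):
    """Return the q= value if the URL is a Google search, else None."""
    u = urlsplit(url)
    if (u.hostname or "").startswith("www.google.") and u.path == "/search":
        return parse_qs(u.query).get("q", [None])[0]
    return None

def correlate(log_text, keyword, window_s=600):
    """For each search containing keyword, list the same IP's other
    requests made within window_s seconds either side of it."""
    rows = [r for r in map(parse, log_text.splitlines()) if r]
    hits = []
    for r in rows:
        q = search_terms(r["url"])
        if q and keyword.lower() in q.lower():
            near = [o["url"] for o in rows if o is not r and o["ip"] == r["ip"]
                    and abs(o["ts"] - r["ts"]) <= window_s]
            when = datetime.fromtimestamp(r["ts"], timezone.utc).isoformat()
            hits.append({"when": when, "ip": r["ip"], "user": r["user"],
                         "query": q, "nearby": near})
    return hits
```

The `nearby` URLs only place a browser session at that IP; on shared, unpassworded machines they are a lead to corroborate, not proof of who was at the keyboard.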