mambo
« on: March 31, 2008, 07:31:09 AM »
Hi Guys, I need a hand. My boss has approached me to have a look at one of the computers at work because someone has been searching some pretty obscene and disgusting things on Google. They still appear in the Google toolbar in Internet Explorer when you press down to see the recent searches. My question is, is there a way of finding out the date and time of these searches so as to narrow down who it could possibly be?
I was thinking it should be stored in cookies, but they may have deleted them.
Any help or input would be awesome!
Regards
Craig
_Marshel_
Jr. Member

Offline
Posts: 61
Life Is too short to be someone else.
« Reply #1 on: March 31, 2008, 08:00:20 AM »
Go to the following path:
C:\Documents and Settings\<UserName>\Local Settings\History
and search there for the "pretty obscene and disgusting things" and you'll find them and their date.
If they were already deleted, try to use a program (EnCase for instance) to see what has been deleted lately.
shawal
« Reply #2 on: March 31, 2008, 08:44:13 AM »
Mambo,
First you need to tell your boss, depending on your situation, to get the approval to do so from the legal authority in your company, that is if you do have such a thing, or at least the HR department if you do have this department too.
By doing so you might be violating the employee's privacy even if it's against company policy to do so, and I do hope that you do have a policy in place that states so, and defines what is obscene or not obscene.
Now, technically, if you are running a proxy, which you should have, then these will be in the proxy logs anyhow, and I hope if you are running a proxy that people do authenticate to it so you can narrow it down to a person, a place (IP) and a date.
RHCE, GIAC GCIH.
iSmith
« Reply #3 on: March 31, 2008, 08:50:00 AM »
If you need to, there is freeundelete by office recovery. It is an essential tool and you should have it.
In my eyes, your operating system is as solid as swiss cheese.
mambo
« Reply #4 on: March 31, 2008, 10:33:58 AM »
A bit more info then:
I'm currently studying I.T at college and off to study Computer Security at uni in September. I work part time for an estate agents when I'm not at college. This therefore makes me the 'I.T Guy'.
I have to show them everything they don't know how to do.
So our office is only small. None of the computers are passworded or anything of such, so it would be easy for someone to search such content on someone else's computer. Because the boss regularly checks the history to see what everyone is looking at, everyone deletes their history. This gives me the problem of the history being deleted, but the Google searches are still there.
This person has blamed a former employee for the searches, but the former employee left 10 months ago. My first reaction was... well, it won't store 10 months of searches. And secondly, the hard drive was reformatted when he left... definitely no data left.
So I have been asked to look into whether I can date the searches.
Which is when I turn to you rather useful and friendly fountains of knowledge for my help.
Thank you very much for your help so far. I am not working again until Saturday, when I will be looking into this, so any more input up until then would be fantastic.
Thanks again!
Craig
« Last Edit: March 31, 2008, 10:37:31 AM by mambo »
eth3real
« Reply #5 on: March 31, 2008, 10:44:49 AM »
If the user has an iGoogle account, you can try to check the Web History in iGoogle.
Put that in your pipe and grep it!
_Marshel_
« Reply #6 on: March 31, 2008, 11:10:19 AM »
You can still recover deleted history files even if the hard drive was formatted, but if the files were overwritten by some wiping algorithm (like Dod-5200.28 or Gutmann_method) then you can't recover them.
shawal
« Reply #7 on: March 31, 2008, 12:16:47 PM »
What you are referring to above is the autocomplete entries, not the history. I do not know how IE stores this, or where it stores this. Most likely Google would know that. However, I stumbled upon this program to import and export these entries among IE passwords that might prove useful. I have not tried it, nor do I have a use for it, at least yet. Use with caution, and research it first: http://www.rixler.com/internet_explorer_password_revealer.htm
HTH W.
RHCE, GIAC GCIH.
Bogwitch
Jr. Member

Offline
Posts: 51
Senno Ekto Gamat
« Reply #8 on: March 31, 2008, 02:38:30 PM »
I am not a lawyer.
If there are no passwords on the systems, I seriously doubt you have any chance of proving who was responsible. There is a world of difference between suspecting and proving in a court of law.
If the material was of an illegal nature you should call in the police. Failure to do so makes you and your company complicit. The more the information is examined, the more the evidence is corrupted. If the material is illegal, call the police immediately. I'm sure if your perpetrator is still working at the company, having the police take a computer away for forensic examination will, at least, stop them from viewing such material.
This would also be an ideal opportunity to suggest to your company that they need to take the security of their systems seriously. I'm sure they have customer data on these computers and I doubt they would continue to be happy customers if they were aware of how their information was being handled.
I do not know which country you are from, and the laws concerning indecent material vary from country to country, as do the laws concerning computer misuse and investigation.
I am not a lawyer but if you are in England or Wales, I can provide you with the advice you need from a legal perspective. If not, consult a lawyer and probably even if you are in England or Wales!
Did I mention I am not a lawyer?
CISSP, C|EH, C|HFI
mambo
« Reply #9 on: April 02, 2008, 11:58:06 AM »
Cheers for the help so far!
In regards to the content, I don't believe it is illegal, I just guess some people like certain things others don't.
It's not a legal issue, just something people should really not be looking at at work.
In regards to narrowing it down to the people involved, if the date is closer than 9 months, it will narrow it down substantially.
To Shawal:
Cheers for the link! I will check it out when I'm in the office!
Thanks again guys
Data_Raid
« Reply #10 on: April 04, 2008, 11:45:45 AM »
You could always install an Anonymous Proxy and track usage via the IP Address.
What about your policies at work/school, do you have any policies in place that employees are forced to sign in terms of company equipment usage? What I'm getting at is it might be fine to state that the material the employee is viewing might be inappropriate, it's whether the employee has had fair warning and has agreed to the terms of company equipment usage that has been signed and agreed to.
All men by nature desire knowledge.
Aristotle
SynJunkie
« Reply #11 on: April 18, 2008, 04:49:30 PM »
Are there any proxy server logs or web filter logs that you can cross-reference the sites through? That may help you place the individual at the PC at the time.
What's also useful if you do have logs is looking at what else the IP did at about the same time. Did the IP visit a MySpace page or a Gmail account at the same time? If so, can you tie some activity to an individual?
One tool I would like to suggest is RegRipper by Harlan Carvey. It's a brand new tool and I'm yet to give it a good run-through yet, but it might help with the visited URLs. Look on SourceForge for it. And please give Harlan feedback on bugs etc...
Regards
SynJunkie
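Added example, not part of any post in this thread: a sketch of the proxy-log cross-referencing suggested in replies #2 and #11, dating each Google search and listing what else the same IP requested within a few minutes. It assumes the proxy writes Squid's native access.log field order; the log lines, IP addresses, user name and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample data, assuming Squid's native access.log field order:
# epoch elapsed client action/code bytes method URL user hierarchy type
SAMPLE_LOG = """\
1206609300.120 210 192.168.1.23 TCP_MISS/200 5120 GET http://www.google.com/search?q=flats+to+let jsmith DIRECT/203.0.113.5 text/html
1206609360.450 180 192.168.1.23 TCP_MISS/200 9321 GET http://mail.example.com/inbox jsmith DIRECT/203.0.113.10 text/html
1206609420.900 95 192.168.1.40 TCP_MISS/200 4100 GET http://www.google.co.uk/search?hl=en&q=mortgage+rates - DIRECT/203.0.113.6 text/html
1206616500.000 60 192.168.1.23 TCP_MISS/200 800 GET http://news.example.org/ jsmith DIRECT/203.0.113.20 text/html
"""

def parse_log(log_text):
    """Yield time, client IP, URL and proxy user for each well-formed line."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # skip truncated or malformed lines
        yield {"time": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
               "ip": f[2], "url": f[6],
               "user": None if f[7] == "-" else f[7]}  # "-" = not authenticated

def google_searches(log_text):
    """Return (time, ip, user, query) for each Google search request."""
    hits = []
    for rec in parse_log(log_text):
        url = urlsplit(rec["url"])
        is_google = "google" in (url.hostname or "").split(".")
        query = parse_qs(url.query).get("q")
        if is_google and url.path == "/search" and query:
            hits.append((rec["time"], rec["ip"], rec["user"], query[0]))
    return hits

def nearby_activity(log_text, ip, when, window=timedelta(minutes=5)):
    """Other requests from the same IP within +/- window of a search."""
    return [r for r in parse_log(log_text)
            if r["ip"] == ip and r["time"] != when
            and abs(r["time"] - when) <= window]

if __name__ == "__main__":
    for when, ip, user, query in google_searches(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {ip}  user={user}  q={query!r}")
        for r in nearby_activity(SAMPLE_LOG, ip, when):
            print(f"    same IP at {r['time']:%H:%M:%S}: {r['url']}")
```

A search logged with no proxy user (the third sample line) can only be tied to a machine, not a person, which is why authenticated proxy access matters on shared, unpassworded PCs.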