.

Google History

<<

mambo

Newbie
Newbie

Posts: 14

Joined: Sat Mar 31, 2007 8:11 am

Post Mon Mar 31, 2008 7:31 am

Google History

Hi Guys,
I need a hand. My boss has approached me to have a look at one of the computers at work because someone has been searching some pretty obscene and disgusting things on google. They still appear in the google toolbar in Internet Explorer when you press down to see the recent searches.
my questions is, is there a way of finding out the date and time of these searches as to narrow down to who it could possibly be.

I was thinking it should be stored in cookies, but they may have deleted them.

Any help or input would be awesome!

Regards

Craig
<<

Marshel007

Jr. Member
Jr. Member

Posts: 61

Joined: Mon Oct 15, 2007 9:20 pm

Location: Kingdom of Saudi Arabia

Post Mon Mar 31, 2008 8:00 am

Re: Google History

go to the following path:

C:\Documents and Settings\<UserName>\Local Settings\History

and search there for the "pretty obscene and disgusting things" and you'll find them and there Date.

If they were already deleted try to use a program (EnCase for instance)  to see what has been deleted lately.
<<

shawal

Jr. Member
Jr. Member

Posts: 88

Joined: Mon Mar 10, 2008 1:24 pm

Post Mon Mar 31, 2008 8:44 am

Re: Google History

Mambo,

First you need to tell your boss depending on your situation  to get the approval to do so from the legal authority in your company, that is if you do have such a thing, or at least HR department if you do have this department too.

As by doing so you might be violating the employee privacy even if its against company policy to do so.  and i do hope that you do have a policy in place that states so, and defines what is obscene or not obscene.

now technically if you are running a proxy which you should have, then these will be in the proxy logs anyhow, and I hope if you are runing a proxy that people do authenticate to it so you can narrow it down to a person, and place (ip) and date.
RHCE, GIAC GCIH.
<<

iSmith

User avatar

Full Member
Full Member

Posts: 157

Joined: Sun Jan 20, 2008 12:01 pm

Post Mon Mar 31, 2008 8:50 am

Re: Google History

if you need to, there is freeundelete by office recovery. it is an essential tool and you should have it.
In my eyes, your operating system is as solid as swiss cheese.
<<

mambo

Newbie
Newbie

Posts: 14

Joined: Sat Mar 31, 2007 8:11 am

Post Mon Mar 31, 2008 10:33 am

Re: Google History

A bit more info then;

I'm currently studying I.T at college and off to study Computer security at uni in september. I work part time for an estate agents when im not at college.
This therefore makes me the 'I.T Guy'.

I have to show them everything they don't know how to do.

So our office is only small. None of the computers are passworded or anything of such so it would be easy for someone to search such content on someone elses computer. Because the boss regularly checks the history to see what everyone is looking at, everyone deletes their history.
This give me the problem of the history being deleted, but the google searchs still there

This person has blamed a former employee for the searches, but the former employee left 10 months ago. my first reaction was...well it wont store 10 months of searches. And secondly the hard drive was reformatted when he left...defiantly no data left.

So i have been asked to look into weather i can date the searches.

Which is when i turn to you rather useful and friendly fountains of knowledge for my help.


Thank you very much for your help so far. I am not working again until Saturday, when i will be looking into this, so anymore input up until then would be fantastic.

Thanks again!

Craig
Last edited by mambo on Mon Mar 31, 2008 10:37 am, edited 1 time in total.
<<

eth3real

User avatar

Sr. Member
Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Mon Mar 31, 2008 10:44 am

Re: Google History

If the user has an iGoogle account, you can try to check the Web History in iGoogle.
Put that in your pipe and grep it!
<<

Marshel007

Jr. Member
Jr. Member

Posts: 61

Joined: Mon Oct 15, 2007 9:20 pm

Location: Kingdom of Saudi Arabia

Post Mon Mar 31, 2008 11:10 am

Re: Google History

you can still recover deleted history files even if the hard drive was formated  but if The files were overwritten by some wiping algorithm  (Like Dod-5200.28 or Gutmann_method) then you can't recover them.
<<

shawal

Jr. Member
Jr. Member

Posts: 88

Joined: Mon Mar 10, 2008 1:24 pm

Post Mon Mar 31, 2008 12:16 pm

Re: Google History

what you are refering to above is the autocomplete enteries not the history.
I do not know how ie stores this, or where it stores this. most likley google would know that. however  I stumbled upon this program to import and export these enteries among IE passwords that might prove useful, i have not tried it, nor do i have a use of it at least yet. use with caution, and research it first

http://www.rixler.com/internet_explorer_password_revealer.htm

HTH

W.
RHCE, GIAC GCIH.
<<

Bogwitch

Jr. Member
Jr. Member

Posts: 51

Joined: Wed Aug 16, 2006 3:29 am

Post Mon Mar 31, 2008 2:38 pm

Re: Google History

I am not a lawyer.

If there are no passwords on the systems, I seriously doubt you have any chance of proving who was responsible. There is a world of difference between suspecting and proving in a court of law.

If the material was of an illegal nature you should call in the police. Failure to do so makes you and your company complicit. The more the information is examined, the more the evidence is corrupted. If the material is illegal, call the police immediately. I'm sure if your perpetrator is still working at the company, having the police take a computer away for forensic examnination will, at least, stop them from viewing such material.

This would also be an ideal opportunity to suggest to your company that they need to take the security of their systems seriously. I'm sure they have customer data on these computers and I doubt they would continue to be happy customers if they were aware of how their information was being handled.

I do not know which country you are from and the laws concerning indecent material vary from county to country as do the laws concerning computer misuse and investigation.

I am not a lawyer but if you are in England or Wales, I can provide you with the advice you need from a legal perspective. If not, consult a lawyer and probably even if you are in England or Wales!

Did I mention I am not a lawyer?
CISSP, C|EH, C|HFI
<<

mambo

Newbie
Newbie

Posts: 14

Joined: Sat Mar 31, 2007 8:11 am

Post Wed Apr 02, 2008 11:58 am

Re: Google History

Cheers for the help so far!

In regards to the content, I don't believe it is illegal, i just guess some people like certain things others dont.

its not a legal issue, just something people should really not be looking at at work

In regards to narrowing it down to the people involved, if the date is closer than 9 months, it will narrow it down substantially.

To Shawal:

Cheers for the link! i will check it out when im on the office!

Thanks again guys
<<

Data_Raid

User avatar

Full Member
Full Member

Posts: 165

Joined: Fri Nov 09, 2007 5:55 am

Post Fri Apr 04, 2008 11:45 am

Re: Google History

You could always install an Anonymous Proxy and track usage via the IP Address.

What about your policies at work/school, do you have any policies in place that employees are forced to sign it terms of company equipment usage?
What I'm getting at is it might be fine to state that the material the employee is viewing might be inappropriate, it's whether the employee has had fair warning and has agreed to the terms of company equipment usage that has been signed and agreed to.
All men by nature desire knowledge.

Aristotle
<<

SynJunkie

Jr. Member
Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Fri Apr 18, 2008 4:49 pm

Re: Google History

are there any proxy server logs or web filter logs that you can cross reference the sites through. that may help you place the individual at the PC at the time.

Whats also useful if you do have logs is looking at what else the  IP did at about the same time.  did the IP visit a myspace page or a gmail account at the same time? if so can you tie some activity to an individual.

One tool I would like to suggest is RegRipper by Harlan Carvey. Its a brand new tool and I'm yet to give it a good run-through yet, but it might help with the visited Urls. Look on sourceforge for it.  And please give Harlan feedback on bugs etc...

Regards

SynJunkie
----------------------------------
http://synjunkie.blogspot.com

Return to Forensics

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software