[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SAGE] Internet History tool

To: SAGE Members <sage-members@usenix.org>
Subject: Re: [SAGE] Internet History tool
From: Etaoin Shrdlu <shrdlu@deaddrop.org>
Date: Fri, 05 Jan 2007 19:35:24 -0800
In-Reply-To: <459F14B8.10008@insightbb.com>
Organization: dig @localhost TXT CHAOS version.bind
References: <459EDC88.7070706@insightbb.com> <bb075cdf0701051912t304cf34dk372952d14e55daf9@mail.gmail.com> <459F14B8.10008@insightbb.com>
Sender: owner-sage-members@usenix.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Gecko/20050728

Aaron Bridge wrote:

> Rodrick Brown wrote:
>
>> On 1/5/07, Aaron Bridge <a.bridge@insightbb.com> wrote:
>>
>>> I will going to a company who wants me to look on all their users
>>> computers see what websites they have been accessing on the Internet.
>>> Yes, I could do this by looking in History and Temporary Internet
>>> Files.  Does anyone now of any "tools" or other ideas that will make
>>> this task easier and more thorough?
>>>
>>> I should mention these are Windows XP SP2 workstations.
>>
[clip]

> This would be ok for long term, but I only have four hours.  This is a 
> very confidential assignment.  Nobody in the office is to know what I 
> am doing.

Four hours!?!?!? Either you vastly underestimated the difficulty of this 
task, or else someone else did. Do you at least have administrative 
access to the machines? I don't see how people are not going to know 
that things have been touched, and looked at. Is it supposed to take 
place in the middle of the night, or perhaps this weekend?

You are attempting to do simple forensics on precisely *how many* 
machines? If it's just a couple or so, this might not be so bad, but if 
it's (say) twenty, or more, you've got a problem. Large.

Personally, given the time constraints, I have the feeling that this may 
all be too little, too late, but I'd go in with Knoppix or Backtrack or 
similar, and reboot using those, to more easily view the "history" that 
IE keeps, if, and this is *very* important, they only have access to IE, 
and not Mozilla, or some variant thereof.

When is all this supposed to take place, do you have administrator's 
access, and (please note, this is IMPORTANT), do you have something in 
writing, and does the person asking you to do this really and truly have 
the right to do it? Dang, this is a nasty squirmy bag of worms you could 
potentially be opening, especially because you say "some company" and 
not "the company I work at." Oy.

-- 
I will put Chaos into fourteen lines
    And keep him there; and let him thence escape
         If he be lucky...
Edna St. Vincent Millay

Follow-Ups:
- Re: [SAGE] Internet History tool
  - From: Ruth Milner <rmilner@nmt.edu>

References:
- [SAGE] Internet History tool
  - From: Aaron Bridge <a.bridge@insightbb.com>
- Re: [SAGE] Internet History tool
  - From: "Rodrick Brown" <rodrick.brown@gmail.com>
- Re: [SAGE] Internet History tool
  - From: Aaron Bridge <a.bridge@insightbb.com>

Prev by Date: Re: [SAGE] Internet History tool
Next by Date: Re: [SAGE] Internet History tool
Prev by thread: Re: [SAGE] Internet History tool
Next by thread: Re: [SAGE] Internet History tool
Index(es):
- Date
- Thread