You are the product of 4 billion years of evolution. Start acting like it.
If you are running an investigation, don't post it on MyBB. The person is clearly tech savvy and will most probably be using this site. Good luck though.
Really depends on how everything is setup and what access you have vs what your suspects have. You could hack a script to make copies of logs to a secure and/or undisclosed place so that any changes to logs can't be edited on the duplicates. If you want to be really sneaky and skirt on the border of illegality then attack and log the actions on the terminals your suspects use.
Otherwise, get a proxy server running as already suggested or do a quick and dirty wireshark setup if the proxy will take too long.
This is not going to be easy. I would start with the terminal he uses, start with the obvious. Check for temporary internet files, cookies etc. If those are missing for that period, get an index.dat reader and check that (if it still exists).
Once you have exhausted those options things can get messy, but start checking the registry for any MRU (most recently used) for common applications like IE (or other browser), adobe, whatever the default picture viewer is.
Of course the easist method would be if you have an external proxy server you can request the missing logs from.
+1 on wireshark
index.dat reader recommendation please?
Again, it depends on topology and how they break out, what they use for filtering etc.
there are a few methods i would use to find out how he is bypassing, but it depends on the setup.
He gets the ball, he takes the piss
He wears the shirt of Matt Le Tiss
Rickie Lambert Southampton goal machine
SSH tunnel or VPN perhaps?
“I believe Ayn Rand's first love poem went: Roses are red, violets are blue, finish this poem yourself you dependent parasite".”
Do you have physical access to his computer?
Is it work sanctioned to do the investigation?
Get a key logger dongle, and monitor what he types, especially when he disappears from the network.
Bare in mind you cant use one of those in a court of law, but it will point out if he doing anything dodgy, and give you enough of a lead to find other evidence against him, ex: how he is hiding himself.
PS you dont have to go for a key ghost, you do get cheaper ones if you look a bit.
guys, Im still waiting on the official topology
will post once I have that
From what I see here what ever was done has already been done, the log removal is a cleanup.
I think it might be pointless to try and see what he is currently doing, it more than likely wont happen again.
I will suggest you look at other ways of finding out what happened. I know some one who was caught out by his skype logs, everyone forgets about them and they are very revealing. Take a look at those kind of things... MSN, Gtalk... even deleted emails.
This person has cleaned up everything... you need to have an idea of what it is to really know how to catch them.
wireshark = haystack
"What can be asserted without proof can be dismissed without proof." ~ Christopher Hitchens
Of course there are plenty of variables to take into account which we don't know yet on this forum so one would need to assume a few things. But seriously, there are lots of places to install wireshark, of course some places better than others.
Edit: Nerfherder has a point, if the suspicious activity was ages ago and seems to be a one time event then looking now will yield a very low chance of success. I disagree that wireshark would be a haystack, unless you plant it right at the point of entry for external traffic with the whole company's traffic flowing through it, a proxy server would serve much better.
Last edited by Mystic Twilight; 03-07-2012 at 05:20 PM.