


Thread: I need to expose an excessive (and dodgy) IT department user...

  1. #16

    Default

    Quote Originally Posted by Agent_Smith:
    IT WAS ME!!!

    YOU'LL NEVER TAKE ME ALIVE!!!!!


  2. #17

    Default

    Quote Originally Posted by D3x:
    LOL. Love the hair man, LOVE IT!!

  3. #18

    Default

    If you are running an investigation, don't post it on MyBB. The person is clearly tech savvy and will most probably be using this site. Good luck though.

  4. #19

    Default

    Really depends on how everything is set up and what access you have vs what your suspects have. You could hack a script to make copies of logs to a secure and/or undisclosed place so that any changes to logs can't be edited on the duplicates. If you want to be really sneaky and skirt on the border of illegality then attack and log the actions on the terminals your suspects use.

    Otherwise, get a proxy server running as already suggested or do a quick and dirty wireshark setup if the proxy will take too long.
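    The "copy the logs somewhere the suspect can't reach" idea from the post above, as an added example that is not from the thread or any of its posters: snapshot the proxy's log directory to a separate location, record a SHA-256 manifest of the copies, and later compare the originals against that manifest so any edit or deletion shows up. All paths and the log lines are constructed for the demo.

```python
"""Snapshot log files to a separate directory and record a SHA-256
manifest so later tampering with the originals can be detected.
Added example; directory names and log content are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_logs(src_dir: Path, dst_dir: Path) -> dict:
    """Copy every file under src_dir into dst_dir (preserving timestamps)
    and return {relative_path: sha256}. The manifest is also written
    beside the copies so the snapshot is self-describing."""
    manifest = {}
    for path in sorted(src_dir.rglob("*")):
        if path.is_file():
            rel = path.relative_to(src_dir)
            target = dst_dir / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            manifest[str(rel)] = sha256_file(target)
    (dst_dir / "manifest.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_logs(src_dir: Path, manifest: dict) -> dict:
    """Compare the current originals with the manifest taken earlier.
    Returns {relative_path: 'ok' | 'modified' | 'missing'}."""
    status = {}
    for rel, digest in manifest.items():
        current = src_dir / rel
        if not current.exists():
            status[rel] = "missing"
        elif sha256_file(current) != digest:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    return status


def demo() -> dict:
    """Build a constructed log directory, snapshot it, tamper with the
    originals, and report what the manifest check finds."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "proxy_logs"        # constructed "live" log dir
        dst = Path(tmp) / "offsite_copy"      # constructed undisclosed copy
        src.mkdir()
        (src / "access.log").write_text(
            "2012-07-03 09:15:01 10.0.0.12 GET http://example.com/ 200\n")
        (src / "access.log.1").write_text(
            "2012-07-02 17:40:33 10.0.0.12 CONNECT example.net:443 200\n")
        (src / "error.log").write_text("2012-07-03 08:00:00 proxy started\n")

        manifest = snapshot_logs(src, dst)

        # Simulate the clean-up the thread describes: one log truncated,
        # one deleted, one left alone.
        (src / "access.log").write_text("")
        (src / "access.log.1").unlink()

        return verify_logs(src, manifest)


if __name__ == "__main__":
    for name, state in sorted(demo().items()):
        print(f"{name}: {state}")
```

Running the copy from a scheduled job under an account the suspect does not control is what makes the duplicates worth anything; the manifest only tells you that the originals diverged from the copy, it cannot say who changed them.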

  5. #20

    Default

    This is not going to be easy. I would start with the terminal he uses, start with the obvious. Check for temporary internet files, cookies etc. If those are missing for that period, get an index.dat reader and check that (if it still exists).

    Once you have exhausted those options things can get messy, but start checking the registry for any MRU (most recently used) for common applications like IE (or other browser), adobe, whatever the default picture viewer is.

    Of course the easiest method would be if you have an external proxy server you can request the missing logs from.

    Good Luck.

  6. #21

    Default

    +1 on wireshark

  7. #22
    Super Grandmaster techead (joined Apr 2008, location: by the mountain, 6,756 posts, 1 blog entry)

    Default

    index.dat reader recommendation please?

  8. #23
    Super Grandmaster (joined May 2008, location: jozi, 6,511 posts)

    Default

    Quote Originally Posted by Mystic Twilight:
    Really depends on how everything is set up and what access you have vs what your suspects have. You could hack a script to make copies of logs to a secure and/or undisclosed place so that any changes to logs can't be edited on the duplicates. If you want to be really sneaky and skirt on the border of illegality then attack and log the actions on the terminals your suspects use.

    Otherwise, get a proxy server running as already suggested or do a quick and dirty wireshark setup if the proxy will take too long.

    Where exactly are you going to install wireshark? Unless you have filters running, you are going to be sifting through data till next century.

    Again, it depends on topology and how they break out, what they use for filtering etc.
    There are a few methods I would use to find out how he is bypassing, but it depends on the setup.

  9. #24
    Karmic Sangoma ghoti (joined Jan 2005, location: Hotel California, 33,964 posts, 9 blog entries)

    Default

    SSH tunnel or VPN perhaps?

  10. #25

    Default

    Do you have physical access to his computer?

    Is it work sanctioned to do the investigation?

    Get a key logger dongle, and monitor what he types, especially when he disappears from the network.

    Bear in mind you can't use one of those in a court of law, but it will point out if he is doing anything dodgy, and give you enough of a lead to find other evidence against him, e.g. how he is hiding himself.

    PS: you don't have to go for a KeyGhost, you do get cheaper ones if you look a bit.

  11. #26
    Super Grandmaster techead (joined Apr 2008, location: by the mountain, 6,756 posts, 1 blog entry)

    Default

    Guys, I'm still waiting on the official topology.

    will post once I have that

  12. #27

    Default

    TOR / Vidalia / ultrasurf. Good luck!

  14. #29
    Super Grandmaster Nerfherder (joined Apr 2008, location: /\/¯¯¯¯¯¯\/\, 12,043 posts)

    Default

    From what I see here, whatever was done has already been done; the log removal is a cleanup.

    I think it might be pointless to try and see what he is currently doing, it more than likely won't happen again.

    I will suggest you look at other ways of finding out what happened. I know someone who was caught out by his Skype logs, everyone forgets about them and they are very revealing. Take a look at those kind of things... MSN, Gtalk... even deleted emails.

    This person has cleaned up everything... you need to have an idea of what it is to really know how to catch them.

    wireshark = haystack

  15. #30

    Default

    Quote Originally Posted by tau1z:
    Where exactly are you going to install wireshark? Unless you have filters running, you are going to be sifting through data till next century.

    Again, it depends on topology and how they break out, what they use for filtering etc.
    There are a few methods I would use to find out how he is bypassing, but it depends on the setup.

    Are you seriously asking me such a question?

    Of course there are plenty of variables to take into account which we don't know yet on this forum so one would need to assume a few things. But seriously, there are lots of places to install wireshark, of course some places better than others.

    Edit: Nerfherder has a point, if the suspicious activity was ages ago and seems to be a one-time event then looking now will yield a very low chance of success. I disagree that wireshark would be a haystack, unless you plant it right at the point of entry for external traffic with the whole company's traffic flowing through it; a proxy server would serve much better.
    Last edited by Mystic Twilight; 03-07-2012 at 05:20 PM.
