18th October 2011, 09:27 PM #1
Check history as administrator
Without going into too much detail, I need to check on the internet history of a staff member. We don't have an internal proxy / monitoring solution in school.
I could log in as the member of staff and go to History in Internet Explorer, but I'm not sure of their password.
Is it possible to log on as administrator and go to the history and temporary internet files of a staff member (more so the history)?
18th October 2011, 09:29 PM #2
Grab the index.dat file from their laptop; inside it is the entire history (even if it has been "erased" or "deleted"), and it can be opened using a certain utility (the name of which escapes me at the minute).
18th October 2011, 09:36 PM #3
Thanks. The index.dat has been located in c:/documents and settings / user.
Let me know if the name comes to you of the program.
18th October 2011, 09:42 PM #4
The program is called EnCase Forensic (or something like that). It is used by police and government agencies to extract timestamps and URLs from the machine's Internet history. The only way around this is using something like CCleaner on a daily basis after internet usage, which will leave no trace of the index.dat file until it is recreated by the machine when an internet browser is opened.
18th October 2011, 09:43 PM #5
Watch your forensic trail.
Are you using a Tableau write-blocker or working off a binary copy of the disk? If you're analysing live data, especially on your own, a good defence will have this thrown out. Files can be planted, dates adjusted, etc.
To quote Denzel Washington in Training Day: it's not what you know, it's what you can prove.
Last edited by jinnantonnixx; 18th October 2011 at 09:47 PM.
18th October 2011, 09:48 PM #6
Thanks. I need to do it tomorrow, so I haven't really got a chance to purchase that software.
I won't be doing it on my own.
18th October 2011, 09:49 PM #7
If using forensic software, it keeps a backup of the original to prevent tampering. The only way to tamper with the file is to use a hex editor and know all of the hex codes there are (hex translators do not help one bit, as it is still jumbled up). Add or remove one digit and the whole file goes corrupt unless you know exactly what to replace. Not an easy task to forge an index.dat file, even if you copy one across from another machine, as it binds to the machine by MAC address, GUID and HDD internal number.
18th October 2011, 10:12 PM #8
All the same, don't do anything on your own.
18th October 2011, 10:27 PM #9
No need to buy any software, when Pasco will do what you need for free. Almost all of the Linux forensics discs use it, including PlainSight and CAINE. There is a Windows version too.
19th October 2011, 11:49 AM #11
I'd second Pasco, booting from read-only media and using a read-only (not the original) copy of the hard disk. Using dd to take the image gets a bit-for-bit copy.
But make it very clear to SLT that if you (or you and a member of SLT) investigate it yourselves, it probably won't be much use in a tribunal / court room.
You don't need to forge it. You merely need to cast doubt on the evidence and raise the spectre of tampering / corruption. If you fail to maintain a clear chain of custody, a decent solicitor will get your evidence a) ignored or b) ruled as inadmissible. Remember: trial by peers, and peers are the people who download comet cursors and click on malware links.
Originally Posted by nephilim
i.e. (nicked from internal wiki):
- The date and time you were asked to remove the machine
- The date and time you did remove the machine
- Explain any significant difference between the times, e.g. the person did not have the laptop in school
- Was the machine in use when it was removed?
- How was it in use?
How you isolate the machine is also important. Somebody will have to sign a police statement documenting its isolation and who could have had access to it. The police will need to be sure the trail of evidence is maintained, so if it is in a safe in an office, the key to the safe and the office should not be in the possession of one individual.
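The kind of extraction Pasco performs on an index.dat, as an added example that is not from any poster in this thread: it walks an IE history file in 128-byte blocks, carves the "URL " records and decodes their FILETIME stamps. The record offsets used (block count at 0x04, modified/accessed times at 0x08/0x10, URL offset at 0x34) are the v5.2 layout as I understand it, so treat them as an assumption, and the file parsed in `demo()` is constructed in the script rather than taken from a real machine.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128                                   # index.dat allocates records in 128-byte blocks
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME = 100 ns ticks since then

def to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def make_url_record(url: str, modified: datetime, accessed: datetime) -> bytes:
    """Build one 'URL ' record in the assumed v5.2 layout (constructed test data, not a real file)."""
    url_b = url.encode("latin-1") + b"\x00"
    url_off = 0x68                            # where IE normally places the location string
    nblocks = -(-(url_off + len(url_b)) // BLOCK)            # ceil-divide into 128-byte blocks
    rec = bytearray(nblocks * BLOCK)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, 0x04, nblocks)               # record length in blocks
    struct.pack_into("<QQ", rec, 0x08, to_filetime(modified), to_filetime(accessed))
    struct.pack_into("<I", rec, 0x34, url_off)               # URL offset, relative to record start
    rec[url_off:url_off + len(url_b)] = url_b
    return bytes(rec)

def parse_index_dat(data: bytes) -> list:
    """Carve 'URL ' records by walking 128-byte boundaries, the way pasco does."""
    entries, off = [], 0
    while off + BLOCK <= len(data):
        if data[off:off + 4] != b"URL ":
            off += BLOCK                      # header, HASH/REDR/LEAK record or free block: skip it
            continue
        nblocks = struct.unpack_from("<I", data, off + 0x04)[0]
        modified, accessed = struct.unpack_from("<QQ", data, off + 0x08)
        url_off = struct.unpack_from("<I", data, off + 0x34)[0]
        rec = data[off:off + max(nblocks, 1) * BLOCK]        # clamp a zero length so the walk ends
        end = rec.find(b"\x00", url_off)                     # URL is NUL-terminated; -1 if missing
        url = rec[url_off:end if end >= 0 else None].decode("latin-1", "replace")
        entries.append({"url": url, "modified": from_filetime(modified), "accessed": from_filetime(accessed)})
        off += len(rec)
    return entries

def demo() -> list:
    """Constructed history file: one header block plus two visited-URL records."""
    header = b"Client UrlCache MMF Ver 5.2\x00".ljust(BLOCK, b"\x00")
    t1, t2 = datetime(2011, 10, 18, 21, 27, tzinfo=timezone.utc), datetime(2011, 10, 19, 9, 43, tzinfo=timezone.utc)
    data = (header + make_url_record("Visited: staff@http://www.example.com/", t1, t1)
            + make_url_record("Visited: staff@http://www.example.org/page", t2, t2))
    return parse_index_dat(data)
```

Run it against a copy of a real index.dat (never the original on the suspect disk) by passing the file's bytes to `parse_index_dat`; the walk tolerates unknown record types and truncated lengths, so a damaged file still yields whatever URL records survive.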
19th October 2011, 12:03 PM #12
Managed to download an index.dat reader and looked at it with SLT.
Nothing untoward at all, so all positive there.