Windows Thread, Check history as administrator, in Technical
#1 (York, joined Apr 2007)
    Check history as administrator

    Hi,
    Without going into too much detail I need to check on the internet history of a staff member. We don't have an internal proxy in school / monitoring solution.

    I could log in as the member of staff and go to the history in Internet Explorer, but I'm not sure of their password.

    Is it possible to log on as administrator and go to the history and temporary internet files of a staff member (more so the history)?

    Thanks

#2 nephilim (Dunstable)
    Grab the index.dat file from their laptop; inside there is the entire history (even if it has been "erased" or "deleted"), and it can be opened using a certain utility (whose name escapes me at the minute).

#3 (York, joined Apr 2007)
    Thanks. The index.dat has been located in C:\Documents and Settings\user.

    Let me know if the name comes to you of the program.

#4 nephilim (Dunstable)
    The program is called EnCase Forensic (or something like that). It is used by police and government agencies to extract timestamps and URLs of the machine's Internet history. The only way around this is using something like CCleaner on a daily basis after internet usage, which will leave no trace of the index.dat file until it is recreated by the machine when an internet browser is opened.

#5 jinnantonnixx (In the Calamatorium)
    Watch your forensic trail.

    Are you using a Tableau write-blocker or working off a binary copy of the disk? If you're analysing live data, especially on your own, a good defence will have this thrown out. Files can be planted, dates adjusted, etc.

    To quote Denzel Washington in Training Day: it's not what you know, it's what you can prove.
    Last edited by jinnantonnixx; 18th October 2011 at 08:47 PM.

#6 (York, joined Apr 2007)
    Hi,
    Thanks. I need to do it tomorrow so haven't really got a chance to purchase that software.
    I won't be doing it on my own.

#7 nephilim (Dunstable)
    If using Forensic, it keeps a backup of the original to prevent tampering. The only way to tamper with the file is to use a hex editor and know all of the hex code there is (hex translators do not help one bit, as it is still jumbled up). Add or remove 1 digit and the whole file goes corrupt unless you know exactly what to replace. Not an easy task to forge an index.dat file, even if you copy one across from another machine, as it binds by MAC address, GUID and HDD internal number to the machine.

#8 jinnantonnixx (In the Calamatorium)
    All the same, don't do anything on your own.

#9 (51.403651, -0.515458; joined Feb 2007)
    No need to buy any software, when Pasco will do what you need for free. Almost all of the Linux forensics discs use it, including PlainSight and CAINE. There is a Windows version too.

#10 tommej (Lincolnshire)
    IE HistoryView: Freeware Internet Explorer History Viewer

    Produces a nice html report of all their history.

#11 (In the server room, with the lead pipe; joined Dec 2005)
    I'd second Pasco, booting from read-only media and using a read-only copy (not the original) of the hard disk. Using dd to take the image gets a bit-for-bit copy.

    But make it very clear to SLT that if you (or you and a member of SLT) investigate it yourselves, it probably won't be much use in a tribunal / court room.

    Quote Originally Posted by nephilim:
    Not an easy task to forge an index.dat file, even if you copy one across from another machine, as it binds by MAC address, GUID and HDD internal number to the machine.

    You don't need to forge it. You merely need to cast doubt on the evidence and raise the spectre of tampering / corruption. If you fail to maintain a clear chain of custody, a decent solicitor will get your evidence a) ignored, b) ruled as inadmissible. Remember - trial by peers, and peers are the people who download Comet Cursors and click on malware links.

    i.e. (nicked from internal wiki)
    Document:
    • The date and time you were asked to remove the machine
    • The date and time you did remove the machine
    • Explain any significant difference between the times, e.g. the person did not have the laptop in school
    • Was the machine in use when it was removed?
    • How was it in use?

    How you isolate the machine is also important. Somebody will have to sign a police statement documenting its isolation and who could have had access to it. The police will need to be sure the trail of evidence is maintained, so if it is in a safe in an office, the key to the safe and the office should not be in the possession of one individual.
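The acquisition step that post #11 describes (image the disk bit for bit, work only on a read-only copy, and keep a record that survives a tribunal), written out as an added example. This is not code from the thread, from Pasco or from any forensic product; on a real job you would still normally use dd/dc3dd from a boot disc, but doing the copy in Python lets the source hash, the image hash and the custody entry be produced in one pass, which is what a solicitor will ask about. The custody-log fields are my choice, the `acquire`/`verify` names are mine, and the sample "disk" is a constructed file standing in for `/dev/sdX`. Unreadable chunks are zero-filled and their offsets logged, the same behaviour as dd's `conv=noerror,sync`, so a bad sector neither aborts the copy nor silently shifts later data.

```python
"""Image a source to an evidence file, hash both, and append a chain-of-custody record.
Added example; not from the thread.  Mount commands need root and are shown as comments only.
"""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 22  # 4 MiB per read


def _utc():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image, log, operator, witness, note=""):
    """Copy `source` to `image` bit for bit, hash source and image, log who did it and when."""
    src_hash, unreadable, started, pos = hashlib.sha256(), [], _utc(), 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            try:
                chunk = src.read(CHUNK)
            except OSError:                      # bad sector: pad with zeros, note it, move on
                unreadable.append(pos)
                chunk = b"\x00" * CHUNK
                src.seek(pos + CHUNK)
            if not chunk:
                break
            src_hash.update(chunk)
            dst.write(chunk)
            pos += len(chunk)
    os.chmod(image, 0o444)                       # the working copy is read-only from now on
    entry = {
        "started": started, "finished": _utc(), "host": socket.gethostname(),
        "operator": operator, "witness": witness, "source": source,
        "image": os.path.abspath(image), "bytes": pos,
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": _sha256_file(image),     # re-read from disk, not trusted from memory
        "unreadable_offsets": unreadable, "note": note,
    }
    entry["match"] = entry["sha256_source"] == entry["sha256_image"]
    with open(log, "a") as f:                    # one JSON line per event, append-only
        f.write(json.dumps(entry) + "\n")
    return entry


def verify(image, log):
    """Recompute the image hash and compare it with the latest custody entry for that image."""
    with open(log) as f:
        entries = [json.loads(line) for line in f if line.strip()]
    mine = [e for e in entries if e["image"] == os.path.abspath(image)]
    return bool(mine) and _sha256_file(image) == mine[-1]["sha256_image"]


def run_demo():
    """Acquire a constructed sample disk, verify the copy, then tamper with one byte and re-verify."""
    work = tempfile.mkdtemp()
    disk = os.path.join(work, "sample_disk.bin")          # constructed stand-in for /dev/sdX
    with open(disk, "wb") as f:
        f.write(os.urandom(3 * 1024 * 1024 + 511))
    image, log = os.path.join(work, "laptop.dd"), os.path.join(work, "custody.jsonl")
    entry = acquire(disk, image, log, operator="network manager", witness="SLT member",
                    note="constructed sample, not a real acquisition")
    clean = verify(image, log)
    os.chmod(image, 0o644)                                  # simulate someone touching the copy
    with open(image, "r+b") as f:
        f.seek(1024)
        b = f.read(1)
        f.seek(1024)
        f.write(bytes([b[0] ^ 1]))
    return entry, clean, verify(image, log)
    # To examine the copy on Linux, mount it read-only (root, not run here):
    #   mount -o ro,loop,noexec,noatime laptop.dd /mnt/evidence


if __name__ == "__main__":
    e, before, after = run_demo()
    print(json.dumps(e, indent=2))
    print("verify before tamper:", before, " after tamper:", after)
```

The log is append-only JSON lines so that each later action (opening the image, handing it to the police) can be added as its own entry with a timestamp and the names of the people present, which is the written trail the thread is asking for.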

#12 (York, joined Apr 2007)
    Thanks everyone.
    Managed to download an index.dat reader and looked at it with SLT.
    Nothing untoward at all so all positive there.
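For anyone who wants to see what the index.dat readers mentioned in posts #2, #4, #9, #10 and #12 actually do, here is an added example that walks a "Client UrlCache MMF Ver 5.2" file (the IE5 to IE9 format found under Documents and Settings) and lists its records. It is not code from the thread, from Pasco, from EnCase or from IE HistoryView. The record layout is as I understand it from Pasco and from the libmsiecf format documentation: 128-byte blocks, "URL "/"LEAK" records with last-modified and last-accessed FILETIMEs at 0x08 and 0x10 and record-relative offsets to the URL, filename and headers at 0x34, 0x3C and 0x44, and "REDR" records with the URL at 0x10. The point nephilim made in post #2 is visible in the scanner: IE finds live entries through the hash table, but scanning every block (as Pasco does) also returns records whose hash slot was cleared when history was "deleted" but whose block has not yet been reused. The sample file is constructed in memory so the script runs offline; the record builders place the URL at 0x68, which is my assumption about where IE writes it, but the parser uses the stored offset and does not depend on that.

```python
"""List every URL / LEAK / REDR record in an MSIE 5.2 index.dat (added example, not Pasco)."""
import struct
import sys
from datetime import datetime, timedelta, timezone

BLOCK = 0x80                                   # index.dat is allocated in 128-byte blocks
HEADER_SIG = b"Client UrlCache MMF Ver 5.2\x00"
FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return None if ft == 0 else FT_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    return ((dt - FT_EPOCH) // timedelta(microseconds=1)) * 10


def _cstr(buf, off):
    """NUL-terminated string at buf[off:]; offset 0 means 'no string'."""
    return b"" if off == 0 or off >= len(buf) else buf[off:].split(b"\x00", 1)[0]


def parse_index_dat(data):
    """Scan every block, not just the hash table, so unreferenced ('deleted') records appear too."""
    if not data.startswith(HEADER_SIG):
        raise ValueError("not a 'Client UrlCache MMF Ver 5.2' index.dat")
    end = min(struct.unpack_from("<I", data, 0x1C)[0], len(data))   # file-size field in header
    records, off = [], BLOCK
    while off + BLOCK <= end:
        sig = data[off:off + 4]
        nblocks = struct.unpack_from("<I", data, off + 4)[0]
        if sig not in (b"URL ", b"LEAK", b"REDR") or not 0 < nblocks <= (end - off) // BLOCK:
            off += BLOCK                       # free space, hash table or garbage: step on
            continue
        rec = data[off:off + nblocks * BLOCK]
        if sig == b"REDR":                     # redirect record: URL at 0x10, no timestamps
            records.append({"type": "REDR", "url": _cstr(rec, 0x10).decode("latin-1"),
                            "modified": None, "accessed": None, "filename": "", "headers": ""})
        else:                                  # URL and LEAK share one layout
            modified, accessed = struct.unpack_from("<QQ", rec, 0x08)
            url_off, = struct.unpack_from("<I", rec, 0x34)
            fn_off, = struct.unpack_from("<I", rec, 0x3C)
            hdr_off, = struct.unpack_from("<I", rec, 0x44)
            records.append({"type": sig.decode().strip(),
                            "url": _cstr(rec, url_off).decode("latin-1"),
                            "modified": filetime_to_utc(modified),
                            "accessed": filetime_to_utc(accessed),
                            "filename": _cstr(rec, fn_off).decode("latin-1"),
                            "headers": _cstr(rec, hdr_off).decode("latin-1")})
        off += nblocks * BLOCK
    return records


# --- constructed sample, so the script runs without a real index.dat ---------------------

def _url_record(url, modified, accessed):
    url += b"\x00"
    url_off = 0x68                             # assumed placement; the parser reads the offset field
    nblocks = -(-(url_off + len(url)) // BLOCK)
    rec = bytearray(nblocks * BLOCK)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, 4, nblocks)
    struct.pack_into("<QQ", rec, 8, utc_to_filetime(modified), utc_to_filetime(accessed))
    struct.pack_into("<I", rec, 0x34, url_off)
    rec[0x38] = 0xFE                           # no cache directory: history entries have no body
    rec[url_off:url_off + len(url)] = url
    return bytes(rec)


def _redr_record(url):
    url += b"\x00"
    nblocks = -(-(0x10 + len(url)) // BLOCK)
    rec = bytearray(nblocks * BLOCK)
    rec[0:4] = b"REDR"
    struct.pack_into("<I", rec, 4, nblocks)
    rec[0x10:0x10 + len(url)] = url
    return bytes(rec)


def build_sample():
    """Header block, two 'Visited:' entries, an unallocated block, and a redirect."""
    t0 = datetime(2011, 10, 17, 9, 15, tzinfo=timezone.utc)
    body = b"".join([
        _url_record(b"Visited: jsmith@http://www.example.com/", t0, t0 + timedelta(minutes=30)),
        bytes(BLOCK),
        _url_record(b"Visited: jsmith@http://intranet.local/timetable.aspx",
                    t0 + timedelta(hours=1), t0 + timedelta(hours=1)),
        _redr_record(b"http://www.example.com/login"),
    ])
    hdr = bytearray(BLOCK)
    hdr[:len(HEADER_SIG)] = HEADER_SIG
    struct.pack_into("<I", hdr, 0x1C, BLOCK + len(body))
    return bytes(hdr) + body


def main(path=None):
    data = build_sample() if path is None else open(path, "rb").read()
    for r in sorted(parse_index_dat(data), key=lambda r: r["accessed"] or FT_EPOCH):
        print(f"{r['type']}\t{r['accessed']}\t{r['modified']}\t{r['url']}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against a copy of the file taken from the image (`python index_dat_list.py History.IE5/index.dat`), never the live file on the laptop, for the chain-of-custody reasons posts #5 and #11 give. The times are printed as UTC; before putting a time in a statement, compare it with what the machine's clock and time zone were set to, since that is the first thing a solicitor will ask.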
