Do you have any access to any network logs? If possible, I'd start there and
try to correlate any timestamps with your user's file system. Regarding the
Firefox history, check out
http://www.forensicswiki.org/wiki/Mozilla_Firefox_3_History_File_Format in
order to correctly parse the history file.

As a quick aside, your attitude towards looking for evidence is correct.
Don't put weight into the user's boisterous claims of innocence and his
willingness to take a poly. I've seen a lot of guilty people take (and
subsequently fail) a poly. :)

-Joel


"The path to hell is paved with good intentions."


On Tue, Nov 3, 2009 at 11:38 AM, Dorne Mabais
<[email protected]> wrote:

> I have a situation at a client's that I would appreciate some help with. An
> employee was flagged as visiting "adult" sites (which is surprising since
> their proxy is not exactly current or well set up), and a quick look at the
> browser history showed traces of this (Firefox 3.5). But in my brief
> exposure to forensics I have been told, "do not look for evidence of guilt
> or innocence, just look for evidence". This employee seems honestly shocked
> about this and swears that he did not do it (even has suggested taking a
> lie-detector test to prove it!) and some of the sites do seem like those
> that are ad funded and I know those can be more than meets the eye. So I
> have been trying to find out if it is possible that he is actually innocent.
> I have done some reading and hidden iframes would explain the proxy traffic
> but as far as I know, those do not show in the browser history (?). I am
> sure that a pop-up window would not have been it either. I admit my
> web-security-fu is not at a very high level, so I would like to ask if
> anyone knows of a way this could have happened which backs up the employee's
> story or do I just go ahead and assume guilt?
>
> Thanks
>  Dorne
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
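
The history parsing and timestamp correlation suggested in the reply above, as an added example that is not part of the original thread: it reads the `moz_places` and `moz_historyvisits` tables of a Firefox 3.x `places.sqlite`, decodes `visit_date` and `visit_type`, and lists the visits that fall near a proxy log timestamp. The sample database, hosts and timestamps are constructed, and the function names are illustrative.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# visit_type codes stored in moz_historyvisits by Firefox 3.x
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
               5: "redirect_permanent", 6: "redirect_temporary", 7: "download"}

QUERY = """
SELECT v.visit_date, v.visit_type, p.url, ref.url
FROM moz_historyvisits v
JOIN moz_places p ON p.id = v.place_id
LEFT JOIN moz_historyvisits fv ON fv.id = v.from_visit
LEFT JOIN moz_places ref ON ref.id = fv.place_id
ORDER BY v.visit_date
"""

def prtime_to_utc(microseconds):
    """visit_date is PRTime: microseconds since 1970-01-01 UTC."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=microseconds)

def visit_timeline(conn):
    """One dict per visit: when, how the page was reached, and from which page."""
    return [{"when": prtime_to_utc(d), "type": VISIT_TYPES.get(t, "unknown(%s)" % t),
             "url": url, "referrer": ref}
            for d, t, url, ref in conn.execute(QUERY)]

def visits_near(timeline, log_time, window_s=5):
    """Visits within window_s seconds of a proxy/network log timestamp (UTC)."""
    return [v for v in timeline if abs((v["when"] - log_time).total_seconds()) <= window_s]

def sample_db():
    """Constructed data using only the columns queried above; on a case, open a
    working copy of places.sqlite with sqlite3.connect() instead."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://news.example/'),
            (2, 'http://ads.example/frame'), (3, 'http://intranet.example/');
        INSERT INTO moz_historyvisits VALUES
            (1, 0, 1, 1257262680000000, 2), (2, 1, 2, 1257262681500000, 4),
            (3, 0, 3, 1257263280000000, 1);
    """)
    return conn

if __name__ == "__main__":
    for v in visit_timeline(sample_db()):
        print(v["when"].isoformat(), v["type"], v["url"], "<-", v["referrer"])
```

The `type` and `referrer` fields separate a visit the user typed or clicked from one loaded as embedded content of another page, and proxy log times must be converted to UTC before calling `visits_near`.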