I figured that after all the good advice I owed an update. For this particular case, the best piece of advice was to not just rely on the browser logs. After expanding the search to include the network logs, I found that there seemed to be other machines accessing the same sites. While it was not infeasible to assume that multiple people viewed the same bad sites, it did warrant further investigation. To cut a long story short, it ended up being malware using iframes. It seems to have been caused by a bad password recovery program the people had been trying to use (which is another story).
But two things this incident showed me, which I hope I remember:

1. Never assume that what you assume to be the 'smoking gun' is all there is.
2. That it is nice to sometimes prove a person innocent after all the bad stuff seen.

Thanks again to all for all the help.

D.M.

On Tue, Nov 10, 2009 at 10:17 PM, David A. Gershman <[email protected]> wrote:

> > anyone knows of a way this could have happened which backs up the employee's
> > story or do I just go ahead and assume guilt?
>
> First (IMHO)
> Don't assume guilt or innocence. Stick to what you were asked... find
> evidence if it's there. If it's not there, fine. Start assuming anything
> or taking the employee's "nature" into account and you're doing the
> manager's/company's job. If this employee gets fired for an
> 'assumption', you'll feel it. Provide the best evidence you can and let
> the verdict reside with the company.
>
> I know it sounds cold, but when doing forensics it's important to remain
> as objective as possible.
>
> Second
> As for how their history could have been populated, I really have no
> idea. I do know this: don't just look within the browser. A good piece
> of malware coming from a thumbdrive could screw with browser files just
> as easily. Be sure to scour the big picture.
>
> ----------------------------------------
> David A. Gershman
> [email protected]
> http://dagertech.net/gershman/
> "It's all about the path!" --d. gershman
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
