How To Secure/Export Windows XP Temporary Internet Files?

Fahid Shehzad

Hello All,

An official of our office was suspected of using an office computer to view nude
content from the internet, while internet usage is not permitted on office
computers. More specifically, any kind of nude/porn content is strictly
prohibited, with respect to the nature of the office/work (it is a Girls High
School).

A few days ago, I checked the "Temporary Internet Files" of his computer; it
contains a lot of nude images/video clips. Now we want to save this
information in such a way that it could be verified/assured that these files
belong to his computer and there isn't any kind of cheating (that none of us
has added or modified anything) involved in it.

Currently I have copied/saved his "Temporary Internet Files" and "History"
directories on a CD. I have also saved the "Event Log" history from
"Administrative Tools".

This morning I was trying to back up his computer's System Drive through
"Norton Ghost", so everything can stay intact for any kind of verification.
But somehow I failed to do so. Furthermore, it is difficult to back up the
entire system drive on CD, as it has about 3.85GB of data.

Now we want to save this information in such a way that we can show it to our
Head (Principal), who is on a family tour/vacation these days. The principal
may want to get this information examined to be un-modified.

What I want to know is:
-- How can I back up the data of his computer, so that it will have the
"Temporary Internet Files", which could be verified to be un-modified and
belonging to his computer?

-- Is it OK to just copy his computer's "Temporary Internet Files", "History
Folder" and system event logs?

-- Is it a good idea to use Norton Ghost, as far as verification of data is
concerned?

-- What other (if any) options are available to get this job done ?
 
Malke

No, none of what you've done or are planning to do is OK for your purposes.

Computer forensics techniques and procedures are very specialized and
precise. IANAL but generally speaking you will not be able to use
anything you have found in a court of law - the evidence has been
compromised because you have already worked on the computer. Your next
step (and it should have been your first step after turning off the
computer and putting it in a locked closet in front of witnesses) is to
contact your school district's attorney. The attorney will know if you
need to contact local law enforcement and what your next step should be
since you've already contaminated the evidence.


Malke
 
Poprivet

Stop! You may have already messed up anything that can be considered for
evidence legally. Even if you had witnesses to everything you did, anyone
can now claim that you put things onto the computer, changed the dates on
the files and thus created evidence on your own.
Turn off that computer, put every disk and piece of paper you have with
it, and lock it up securely, with witnesses, IF you ever plan to do anything
legally with it. Do NOT discuss it again, EVER, anywhere, openly as you
have just done! This is a public forum and for all you know, your perp may
be reading it.
Then discuss with your attorney what to do next, which should have been
your first step, AFTER powering off and locking up the computer. There are
still usable possibilities for evidence, but you have NO power over it.
Talk to your attorney. And if he agrees with what you've done, and you plan
legal action, which you might need to, then find another attorney and get
another opinion.

For gosh sake, quit discussing it PUBLICLY!!!!! This post alone could be
very damaging to your school.

Pop`
 
Fahid Shehzad

Thanks A Lot for Response Mr. Poprivet

Yours and Mr. Malke's information may still be useful, as I am very sure
that my partner is never coming here to see this, and he may repeat such
stupid/shameful action.

As far as contaminating the proof is concerned, I hope it will not take longer
to get more proof again. And next time I can follow your (and Mr. Malke's )
advice.

Thanks a lot to both of you guys.
 
VanguardLH

Do what the police and FBI do: confiscate the entire computer. You
can't be guaranteed that anything you do to save the state of the
computer can be used as evidence since it is no longer direct
evidence. It doesn't take the principal to confiscate misused school
equipment, does it? If so, call the police and ask if this lewd
behavior is a public law violation and let them handle it. The user
obviously had to agree to terms of use established by the school
(otherwise there would be no such violation that you speak of) which
means someone other than that user has authority of the use and access
of the computer.

You've found only one source for inappropriate content on a school
resource. There might be other traces of porn on that computer that
you haven't found yet. Having a ghost or image of the computer's
drives is not direct proof of what is on the drives. Confiscate it.

If you are not the one with authority for enforcement of school
policies then stop behaving like the police that you are not. Report
it to the proper admin folks at the school and let them handle it. It
is the school's property and someone there should have the authority
besides just the principal to confiscate the school's property to
prevent further abuse or destruction of evidence.

Note that this evidence is circumstantial. It can be used for
reinforcement of other evidence of the same violation. However, it is
quite possible that someone else used that computer while the owner
walked away from it but left his session logged on. There are also
ways to get around the file permissions supposedly enforced by NTFS as
to which users can save files where. The hardware and OS constitute a
"general purpose" computer and that itself obviates absolute security,
even for ownership of files. I doubt you can use this computer as the
only evidence of the abuse. If the user doesn't know he is under
suspicion, install a packet sniffer to watch the traffic to and from
his computer (and make sure it is him on the computer when that porn
traffic occurs to his computer).

We had an employee that would retrieve porn on his work computer. A
web cam was connected to another computer across the wall and pointed
into his cubicle (to ensure at the time of the porn traffic that it
was him at that computer). Packet sniffing was used to monitor his
network traffic. Big Brother software was installed to log his
keystrokes and also create a hidden mirror image of changes to his
disks. We also set up the network printer to issue copies of whatever
was sent to it to another file server to record that printer traffic
as we found out he was also using up paper and toner at night to print
out the crap. When confronted with all the evidence, he buckled and
admitted to his violation of company policies (not only of
inappropriate Internet and e-mail usage but also of illegal content
[in our area] that was stored on company property). He got fired and
was gone after 3 days but after his computer got confiscated. I got
the dirty job of retrieving any company data off the drives before
wiping them and letting the IT folks reimage them. I did have to
save an image of the disks in case he filed a wrongful termination
lawsuit but the company's lawyers pointed out that the image may be
considered indirect evidence and hence inadmissible. We never heard
from this joker again.
 
