Adult content links - Geocities URL's

16 Posts
6 Users
0 Likes
926 Views
(@jprowe)
Posts: 19
Active Member
Topic starter
 

I'm working on a case where I've located a number of Geocities URLs in free space that are of an adult nature. They don't appear in the index.dat files even after carving with NetAnalysis and X-Ways Trace.

Also, when trying to get to the links I'm prompted to login to a Yahoo account.

My questions are:
1) Is there a way to determine if the sites were visited?
2) Is there a way to know if the links are from spam or possibly all listed on a single web page?
3) Does the fact that the URLs require a login suggest they wouldn't have been links sent in a spam email, and more likely someone was logged in to their account when the URLs were visible?
4) Do Geocities website links, in general, suggest intent or a high likelihood the sites were visited?

I've also restored more than 20K images and videos and thought if I could tie any of the restored items to the websites this may also show they were visited.

Thanks in advance,
Jon Rowe

 
Posted : 21/05/2007 11:21 pm
(@bithead)
Posts: 1206
Noble Member
 

Per Yahoo! GeoCities AUP

Adult-oriented content is permitted only in areas marked as "adult content" areas. You must be 18 years old or over to access these areas (for example, adult chat and adult groups). Note Yahoo! GeoCities does not have an "adult content" area.

See also Yahoo Terms of Service
So if you found GeoCities adult content, the user would need an account to log-in to access those areas.
Have you examined NTUSER.DAT \Software\Yahoo\* to see if they have a Yahoo! Messenger account?

If the links were spam links they would not take you to a login page, they would certainly "entice" you in with some free adult content.

 
Posted : 22/05/2007 1:28 am
(@jprowe)
Posts: 19
Active Member
Topic starter
 

I checked the NTUSER entries but couldn't find any Yahoo accounts. It doesn't surprise me because a user cleared quite a bit of information and the registry entries probably went with it.

I appreciate the heads up on the Geocities policies. It sounds like if adult-related URLs within Geocities were cached (for whatever reason) there was a high likelihood they were visited and that it wasn't because somebody clicked a popup or a link from a spam email.

I need to get to a few of the pages within Geocities to confirm the content. Does anyone know if certain pages can be 'private' and only viewed by those who are invited?

Thanks,
Jon

 
Posted : 22/05/2007 4:04 am
finbarr
(@finbarr)
Posts: 26
Eminent Member
 

Jon,
If your suspect's registry is looking a bit too bare, try pulling back older copies from restore points (assuming XP).

Always some nice evidence lurking in there!

Kind regards,
john.

 
Posted : 22/05/2007 4:17 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Jon,

From reading your post, there seem to be a couple of things to consider…

1. If the user's NTUSER.DAT file seems to be a bit sparse of information, take a look at the number of entries beneath the UserAssist\<GUID>\Count keys. Now, the values are ROT-13 "encrypted", but just look at the number of entries beneath each (there are usually two GUIDs, three if IE7 was installed). If there aren't many beneath either, then you should definitely note the LastWrite times on the keys.

There are other places to look for evidence of wiping, as well, but as few users know about this one, it's usually the first place I go. On XP systems, check the contents of the Prefetch folder, as well.

2. Is there any Internet History for the "Default User"? Sometimes malware that gets on the system runs as SYSTEM and will use the WinInet APIs to download other software, etc. When this happens, the "Default User" ends up with an Internet history.

HTH,

Harlan

 
Posted : 22/05/2007 4:26 pm
rcw8892
(@rcw8892)
Posts: 27
Eminent Member
 

If you can see URL records in unallocated clusters and HstEx has not recovered them then it is likely that they are not from IE.

If you would like to extract a small block of the data and email it to me I will have a look at the URLs to make sure.

 
Posted : 22/05/2007 8:23 pm
(@jprowe)
Posts: 19
Active Member
Topic starter
 

What I've done so far:
1) Reviewed Prefetch folder - Many app entries
2) Reviewed UserAssist keys - There are 3 and two of them have quite a few entries. I've located an AHK script for decrypting (thought it would be useful to review entries) and compiled it but I don't know how to rewrite it to use with an attached evidence drive (it automatically uses my current system files). I've also installed Didier Stevens' application which appears to work well but you can't select the NTUSER.DAT from the suspect drive to decrypt, it needs the .reg file. I'm probably just not getting it… I could also have my programmer recode so I could point the utilities at an NTUSER.DAT to process but he is pretty busy right now.

Any other thoughts on what processes (other than directly accessing) related to the Geocities sites would store the links?

Craig,
I'll send you some blocks from the free space and the hiber file. I've run into these entries in other investigations using WinHex and thought it would be useful if NetAnalysis could give us a list from these other areas. THANKS! We love the application and recommend it often.

Thanks to everyone for your responses!
Jon

 
Posted : 22/05/2007 9:01 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> 1) Reviewed Prefetch folder - Many app entries

You have to be careful when analyzing these… for one, they apply to the entire system. See that entry for defrag.exe? That's usually run by the Prefetcher every three calendar days… not by a user. I had a case where the client wanted to know if the user burned any files to CD/DVD… I found an entry for IMAPI.EXE but the Unicode strings embedded in the file indicated that it was most likely loaded when iTunes was launched.

> 2) Review Userassist Keys - There are 3 and two of them have quite a
> few entries. I've located an ahk script for decrypting

You know, there are tools on the DVD that ships with my book that'll make this MUCH easier for you. I even take all the values that have 16 bytes of data, strip out the last 8 bytes b/c they're a timestamp, and then sort based on the most recent time.

> I could also have my programmer recode so I could point the utilities at
> an NTUSER.DAT to process but he is pretty busy right now.

There's code on the DVD with my book already… Perl scripts along with the associated standalone EXEs.

 
Posted : 23/05/2007 1:34 am
(@jprowe)
Posts: 19
Active Member
Topic starter
 

Harlan
I've been meaning to get a copy of your book so I'll purchase one. Do you have anything that I can use until the DVD arrives? I need to wrap this case up in the next couple of days. Thanks for all your help.

MORE INFO ON THE GEOCITIES LINKS
The structure of the URLs in free space is as follows:
<Identifier><URL>http//geocities.com/something_adult_here</URL><Identifier>

This pattern is repeated as if it's listing dozens (maybe hundreds) of links. This is different from when you find URLs in a hiberfil.sys. The hiberfil.sys is what I refer to as 'dumpster diving' and random chunks of information.

It appears to match the format of some deleted Symantec files I've located. They appear to be related to the sync process. We are also thinking the weblinks info was formatted to pass information between apps.

Has anyone seen this XML pattern before? Any thoughts on where the contents would be pulled from or passed to?

Thanks,
Jon

 
Posted : 23/05/2007 4:10 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Jon,

I sent the scripts… did you receive them?

Harlan

 
Posted : 24/05/2007 1:49 am