Discovery of blog forum

(@boromaniac)
New Member
Joined: 15 years ago
Posts: 1
Topic starter  

I am not a forensic computer person but have a need to learn some details. If one is trying to verify if another person posted on a blog from a website, how much of this information can be retrieved? This occurred in a school system so I assume the computer was networked or was done on a laptop hooked into the network. I am trying to prove the authorship of some posts. I have the time and date of the post and feel certain of where it originated. Thanks for any help.


   
Quote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Do you have the computer that he/she posted from? If so, there may be evidence in the browser history files, deleted history files, browser cache, deleted cache entries, etc. There is really too much detail for a simple answer.

Assuming that you want to be thorough, for the time that it would take you, you could probably retain the services of a good forensics investigator who could get you the answer faster, so think about the opportunity costs for you to do this, yourself, especially if it is important that you be right.

If you want to proceed, some clues:

Do you have logs from the router/gateway that provided Internet access? There may be logs on this. How about a Web Proxy server? These usually have logs which can be searched.

If you have the text of the postings, you could try a search of the drive for fragments of matching text. This may not be definitive proof of authorship but it could be proof that the site was visited.

Finally, many blogs record the IP address of the poster even if this isn't displayed. You may or may not be able to get this information depending upon the policies of the ISP. If the blog does not report the IP, does it associate a name, avatar, e-mail address, geo-location, etc, with the posting? You could look for these in unallocated space, physical memory, etc.


   
ReplyQuote
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

"prove the authorship of some posts"

Try to think of the process as clues (what Sean stated) that can lead to a timeline of events.

You need to look at what you have access to and what does record events.

Suspect computer - reg files, browser history, event logs. The MAC address of network interface cards (NIC) can be very important if correlated with other pieces of evidence.

Network equipment - log files. This however would need to be enabled on the device(s) and you would need admin access to such devices (routers, managed switches, etc.).

Proxy Server - if the network has a gatekeeper of Internet traffic it can record inbound/outbound traffic.

Public IP address of the post. There is a common misconception that the IP address recorded leads you to the computer. Yes, no and maybe. If a router or gateway is in use this will be only part of the "home address". IP addresses recorded by most blog sites will be the public IP address. Think of it as an apartment building. You have the street address but not the unit number. A general outward address - but inside there is an additional number. See network equipment.

The actual text the person posts is usually not recorded by the browser activity. There can be portions of the PHP that can be from entries that have date and timestamps but in my experience the body of the text is not.

Most of these investigations you would need levels of administrator rights for each of these areas to retrieve logs and records.

And look at the post itself. Is there wording, phrases, language that can help you narrow down the suspects?


   
ReplyQuote
Share:
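Both replies above point to web proxy logs as the place where a public-facing post can be tied back to an internal address. The following is an added example, not code from any poster in this thread: it searches a proxy log for submissions to the blog around the known post time. The Squid native `access.log` layout, the host `blog.example.com`, the internal addresses and all log lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout (assumed format):
# epoch.ms elapsed client result/status bytes method target user peer type
SAMPLE_LOG = """\
1286536200.112 95 10.1.4.17 TCP_MISS/200 5120 GET http://blog.example.com/thread/42 - DIRECT/203.0.113.9 text/html
1286536308.779 180 10.1.4.17 TCP_MISS/302 411 POST http://blog.example.com/comment/add - DIRECT/203.0.113.9 text/html
1286536310.004 60 10.1.7.88 TCP_MISS/200 900 GET http://news.example.org/ - DIRECT/198.51.100.5 text/html
1286536325.500 2400 10.1.9.3 TCP_TUNNEL/200 3300 CONNECT blog.example.com:443 - DIRECT/203.0.113.9 -
1286539999.000 70 10.1.4.17 TCP_MISS/200 800 POST http://blog.example.com/comment/add - DIRECT/203.0.113.9 text/html
"""

def target_host(method, target):
    """Host from a full URL, or from host:port on an HTTPS CONNECT tunnel."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def candidates(log_text, blog_host, post_time_utc, window_minutes=5):
    """Internal clients that sent a POST or CONNECT to blog_host near the post time."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or foreign line
        try:
            when = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
        except ValueError:
            continue
        client, method, target = fields[2], fields[5], fields[6]
        # A plain GET only shows the page was read; POST (or the HTTPS tunnel,
        # where the proxy cannot see the method) is what a submission looks like.
        if method not in ("POST", "CONNECT"):
            continue
        if target_host(method, target) != blog_host.lower():
            continue
        if abs(when - post_time_utc) <= window:
            hits.append((when.isoformat(), client, method))
    return hits

if __name__ == "__main__":
    # Post time as shown on the blog, converted to UTC first (constructed value).
    posted = datetime(2010, 10, 8, 11, 12, tzinfo=timezone.utc)
    for hit in candidates(SAMPLE_LOG, "blog.example.com", posted):
        print(*hit)
```

A hit identifies an internal address at a point in time, which still has to be matched to a machine and a user through the other records mentioned in the replies.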