I have a case in which the client has been accused by a competitor of posting false and damaging reviews on the Internet about the competitor. The competitor, using a John Doe subpoena, has traced the posted reviews back to the client's public IP address. The client has a domain network behind that single address. They have numerous private IP addresses. I don't know the exact configuration of their network yet; however, I understand that the router/gateway is not a server but a physical LAN device.
My question is this: is there any historical data, such as logs, that can be recovered from routers, a domain controller, messaging server and firewalls, or any other device or server, that will point back into the private network in order to identify a user or workstation that accessed a particular website on a particular day? Or am I going to have to examine each workstation for Internet history?
Thanks in advance for any help,
I guess you can't examine the client?
Consider checking DNS name resolutions, if logging is enabled.
If a client is in a domain network, it's likely to use the internal network DNS server.
My question is this: is there any historical data, such as logs, that can be recovered from routers, a domain controller, messaging server and firewalls, or any other device or server, that will point back into the private network in order to identify a user or workstation that accessed a particular website on a particular day?
That is a question best asked of the network/domain people at the site – they know what there is in their network. So you need to understand all the ways user-produced traffic can exit that particular network, and what kind of logging occurs along those routes.
Corporate sites may, for example, have web proxies installed, intended to prevent employees from visiting sites disapproved by management. If there are, they probably have some kind of logging enabled, and you may be able to get what you are looking for there.
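To make the two suggestions above concrete (internal DNS query logs, and proxy logs if a filtering proxy is in place), here is an added example of the correlation an examiner would actually run; it is not code from this thread. It joins proxy and DNS records for a given domain and day to the DHCP lease that held the client address at that moment, because in a domain network with dynamic addressing the internal IP alone does not name a machine, and the address may belong to a different workstation by the time anyone looks. All three logs are constructed samples, and their line formats are assumptions chosen for readability rather than any real product's format; the parsers would need adjusting for Squid, Windows DNS debug logging, or a real DHCP server's lease log.

```python
import re
from datetime import datetime

# Constructed sample logs for the example (not real data). The line formats
# are assumptions chosen for readability; a real proxy (e.g. Squid), DNS
# server or DHCP server writes something different and the parsers below
# would need adjusting to match.
PROXY_LOG = """\
2014-03-10T09:14:02 192.168.10.37 GET http://www.competitor-reviews.example/post.php jdoe
2014-03-10T11:02:55 192.168.10.52 GET http://intranet.local/ asmith
2014-03-11T08:40:13 192.168.10.37 GET http://news.example/ jdoe
"""

DNS_LOG = """\
2014-03-10T09:13:58 192.168.10.37 A www.competitor-reviews.example
2014-03-10T11:02:50 192.168.10.52 A intranet.local
"""

# DHCP lease history: when each address was handed to which MAC/hostname.
DHCP_LOG = """\
2014-03-10T07:55:00 LEASE 192.168.10.37 00:1a:2b:3c:4d:5e WS-ACCOUNTING-03
2014-03-10T08:01:10 LEASE 192.168.10.52 00:1a:2b:3c:4d:5f WS-SALES-11
2014-03-12T07:50:00 LEASE 192.168.10.37 00:1a:2b:3c:4d:60 WS-SALES-12
"""

TS_FMT = "%Y-%m-%dT%H:%M:%S"


def _ts(s):
    return datetime.strptime(s, TS_FMT)


def parse_proxy(text):
    """Proxy lines: <timestamp> <client ip> <method> <url> <authenticated user>."""
    recs = []
    for line in text.splitlines():
        ts, ip, _method, url, user = line.split()
        host = re.match(r"https?://([^/:]+)", url).group(1)
        recs.append({"time": _ts(ts), "ip": ip, "host": host, "user": user, "source": "proxy"})
    return recs


def parse_dns(text):
    """DNS query lines: <timestamp> <client ip> <qtype> <queried name>. No user field."""
    recs = []
    for line in text.splitlines():
        ts, ip, _qtype, name = line.split()
        recs.append({"time": _ts(ts), "ip": ip, "host": name, "user": None, "source": "dns"})
    return recs


def parse_dhcp(text):
    """Lease lines: <timestamp> LEASE <ip> <mac> <hostname>, returned sorted by time."""
    leases = []
    for line in text.splitlines():
        ts, _kw, ip, mac, name = line.split()
        leases.append({"time": _ts(ts), "ip": ip, "mac": mac, "hostname": name})
    return sorted(leases, key=lambda l: l["time"])


def lease_for(ip, when, dhcp=DHCP_LOG):
    """Lease that held `ip` at timestamp `when` (latest lease starting at or
    before it), or None. This is why lease *history* matters: the DHCP table
    today shows only the current holder, who may be a different machine than
    the one that had the address on the day in question."""
    at = _ts(when)
    current = None
    for lease in parse_dhcp(dhcp):
        if lease["ip"] == ip and lease["time"] <= at:
            current = lease
    return current


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def find_visitors(domain, day, proxy=PROXY_LOG, dns=DNS_LOG, dhcp=DHCP_LOG):
    """Every proxy or DNS record on `day` (YYYY-MM-DD) touching `domain`,
    each joined to the DHCP lease that was current at that moment."""
    hits = []
    for rec in parse_proxy(proxy) + parse_dns(dns):
        if rec["time"].strftime("%Y-%m-%d") != day or not _in_domain(rec["host"], domain):
            continue
        lease = lease_for(rec["ip"], rec["time"].strftime(TS_FMT), dhcp)
        hits.append({
            "time": rec["time"].strftime(TS_FMT),
            "source": rec["source"],
            "ip": rec["ip"],
            "user": rec["user"],
            "workstation": lease["hostname"] if lease else None,
            "mac": lease["mac"] if lease else None,
        })
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    for h in find_visitors("competitor-reviews.example", "2014-03-10"):
        print(h)
```

Two things the output makes visible that a single log cannot: the DNS lookup a few seconds before the proxy request corroborates the proxy entry, and only the proxy line carries an authenticated username, so DNS alone gets you to a workstation, not a person. The third lease line shows the trap: the same address is re-issued to a different machine two days later, so resolving it against today's lease table rather than the history would name the wrong workstation.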
Depending on the size of the client, and their IT policies, it may be impractical for them to log everything (which may be of use to you).
We do not log DNS requests, keep firewall logs, DHCP lease history or anything like that. Used to years ago, but someone asked "Why do we keep them? Have we ever used them? Do we have any legal requirement to do so?" Short answer was, "No"
You would need to examine every PC/Laptop/mobile device on our network individually.
We also have 2 internet routes - IPv4 (from our ISP) and IPv6 (tunneled through to another ISP - in a different country).
Not good news - sorry!