Internet Artifacts
 
jmrose
(@jmrose)
Posts: 5
Active Member
Topic starter
 

I am trying to figure out who was using the PC at a specific time. I know the user logged into Facebook and classmate, while on the PC. So, I am hoping to find a user name or email address to tie back to them.

I am using EnCase 7.07 and the image is Windows XP SP 2.

I'm in the process of analyzing the internet history/cache/temp files. Not sure if anyone had any other advice as to where to look.

 
Posted : 26/02/2014 8:44 pm
twjolson
(@twjolson)
Posts: 417
Honorable Member
 

Within the confines of digital forensics, determining who was using a computer at any given time is pretty much impossible.

The thing is, even if you find that someone logged into Facebook, Hotmail, or something like that, can you really say that that user was at the keyboard?

It is compelling, but not beyond reasonable doubt. Passwords get shared, stolen, or guessed. On top of that, auto-login can mean that someone can sit at the computer, type in facebook.com (for instance), and be logged in as someone else. You, of course, will have to test to eliminate the auto-login defense.

Which is why I go to facebook.com every time I go to an Apple store. Hilarity ensues!

Putting someone at the keyboard really is more of an investigator thing. Your intel is invaluable, but until someone goes to the various users and asks them what their passwords are (you should already know), and asks if anyone else has their passwords, you will never be able to definitively determine who was at the keyboard.

That said

You are on the right track. Internet history can give you important insights into who was at the keyboard. Not just in web services like Facebook and webmail, but businesses frequented. If, for instance, the suspect has Verizon Wireless, but none of the others do, that is telling. If someone has a particular affinity for a certain celebrity or sports team, and so on.

In addition, I would recommend a super-timeline with log2timeline or 4n6time. If the user composed an email, wrote up their resume, or whatnot, that will be telling as well.

Hope this helps,
Terry

 
Posted : 26/02/2014 11:05 pm
keydet89
(@keydet89)
Posts: 3578
Famed Member
 

> I am trying to figure out who was using the PC at a specific time. I know the user logged into Facebook and classmate, while on the PC. So, I am hoping to find a user name or email address to tie back to them.
>
> I am using EnCase 7.07 and the image is Windows XP SP 2.
>
> I'm in the process of analyzing the internet history/cache/temp files. Not sure if anyone had any other advice as to where to look.

You can certainly start with the Internet history; for example, create a timeline of browser activity and see if the user field is populated.

Another approach would be to create a timeline of system activity, using file system and Event Log information. While XP doesn't record user logins by default, you may be able to trace other information.

If you know the user account, I tend to find it very useful to create timelines of user activity from the file system metadata, as well as Registry data for the user. For example, UserAssist information can show that the user account was being used to perform certain activities around a specific time.

However, all this will really only get you the user account used. From there, I've used password cracking tools (as described in "Windows Registry Forensics") to determine if (a) the user account had a password, and (b) if so, if it was difficult to guess.

HTH

 
Posted : 27/02/2014 12:10 am
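
Added example (not part of the thread and not any poster's code): a sketch of the UserAssist check mentioned in the last reply, decoding XP-format values from a user's NTUSER.DAT and listing what that account last ran inside a time window. It assumes the values were already exported as (name, raw bytes) pairs, the XP layout of a ROT13 name with 16 bytes of data (session ID, run count starting at 5, FILETIME), and uses constructed sample data; the function names are hypothetical.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def decode_userassist_xp(value_name, data):
    """Decode one XP-format UserAssist value (ROT13 name, 16-byte data)."""
    name = codecs.decode(value_name, "rot_13")
    if len(data) != 16:          # e.g. UEME_CTLSESSION, or a newer OS format
        return {"name": name, "runs": None, "last_run": None}
    _session, count, ft = struct.unpack("<IIQ", data)
    return {"name": name,
            "runs": max(count - 5, 0),   # assumption: XP run counters start at 5
            "last_run": filetime_to_dt(ft) if ft else None}

def entries_in_window(values, start, end):
    """Return decoded entries whose last-run time falls in [start, end]."""
    decoded = (decode_userassist_xp(n, d) for n, d in values)
    hits = [e for e in decoded if e["last_run"] and start <= e["last_run"] <= end]
    return sorted(hits, key=lambda e: e["last_run"])

def _sample_value(plain_name, runs, when):
    """Build a constructed (not real-case) value as it would sit in the hive."""
    ft = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    return codecs.encode(plain_name, "rot_13"), struct.pack("<IIQ", 1, runs + 5, ft)

# Constructed sample data, standing in for values exported from one NTUSER.DAT
SAMPLE = [
    _sample_value(r"UEME_RUNPATH:C:\Program Files\Internet Explorer\iexplore.exe", 12,
                  datetime(2014, 2, 20, 14, 31, 5, tzinfo=timezone.utc)),
    _sample_value(r"UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe", 3,
                  datetime(2014, 2, 18, 9, 2, 44, tzinfo=timezone.utc)),
    (codecs.encode("UEME_CTLSESSION", "rot_13"), b"\x00" * 8),
]

if __name__ == "__main__":
    start = datetime(2014, 2, 20, 14, 0, tzinfo=timezone.utc)
    for e in entries_in_window(SAMPLE, start, start + timedelta(hours=1)):
        print(e["last_run"].isoformat(), e["runs"], e["name"])
```

As the replies above point out, a hit here ties the activity to the user account whose hive was parsed, not to a person at the keyboard.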