Recovering Browse Cache - Tracking Credit Card Theft

(@mustanggt90)

Hi everyone, I'm new to the board as in I just now signed up for an account but I've been reading this forum off and on for a bit now. I run an ISP and have dealt with computer security and forensics as kind of a hobby now for close to a decade. I have NOWHERE near the experience that 90% of the people on this board have so I'm hoping you guys can tell me what I'm doing wrong.
Here is the situation. My girlfriend has a live-in relative with previous prior convictions for credit card fraud and for theft by deception. Basically he steals credit card numbers and/or checking information from family members and takes it upon himself to buy whatever.
On July 5th a transaction shows up on my girlfriend's checking account for an online credit card billing service. She did not make the purchase. I contacted the company, ccbill.com, and they were very helpful. They told me that the account had been created on July 2nd at 2:30 PM and paid for with an electronic transaction from my girlfriend's checking account. They also mentioned that her brother had other accounts to this site which he'd paid for two months prior and that he had registered the new account at this site with a hotmail account. After doing some snooping, his myspace page, I notice it is definitely the brother's address. I've got him dead to rights to much evidence but the parents want physical proof.
The brother was using my girlfriend's laptop the day of July 2nd for a 7 - 8 hour period from 11 in the morning until around 6 to 7 PM.
I got ahold of the laptop on July third because in the process of him looking up this porn he infested it with spyware. I immediately cleaned the laptop up. Cleared out all cache and temporary content and deleted the profile he had created for himself on the laptop. I then gave it back to my girlfriend.
On July 7th we found out about the purchases made and I told her to bring me the laptop thinking to myself, "Yeah I'll fix him I'll just recover all the deleted browser cache." The plan was to recover everything from 7-1-07 until 7-7-07. Then I was going to download a graphic from the main page of the site he signed up for, create a hash of that graphic, then search for that hash in the recovered cache to prove he'd been on that site July 2nd.
Thus far I have tried 3 different programs in an attempt to recover his cache or anything left of C:\documents and settings\PROFILE NAME and I have been unable to do so. The latest thing I can recover that has been deleted is from the 3rd of July after I did my cleaning.
I have tried three different utilities. I used the backtrack 2 bootable security auditor cd it has a few tools in it. I used a program called active undelete, and I tried another piece of software. They all recovered the same files but none of them are browser cache files from the 2nd.
This person is not smart enough to wipe the slack space on the drive or to do anything other than empty the browsing cache. He doesn't even know where a profile is kept. He couldn't have wiped it so I'm guessing it's something I did when I cleaned it. I also did not do anything to secure the slack space on the drive.
Any suggestions as to how I can recover files or any other way of proving he was on that site that day would be greatly appreciated. I think I'm doing everything right thus far but obviously I'm not getting the results I need.
Thanks in advance
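
The hash-matching plan described in the post above, as an added example that is not part of the original post: it compares every file in a folder of recovered files against a known reference graphic, and also catches carved copies that carry trailing bytes, which a whole-file hash would miss. The function names, file names and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def find_matches(reference: bytes, recovered_dir):
    """Compare recovered files against a known reference file.

    Returns (exact, prefix). 'exact' files are byte-identical to the
    reference. 'prefix' files start with the reference but carry trailing
    bytes, as carved files often do when the carver overshoots the real end.
    """
    if not reference:
        raise ValueError("reference file is empty")
    ref_hash = hashlib.sha256(reference).hexdigest()
    exact, prefix = [], []
    for path in sorted(Path(recovered_dir).rglob("*")):
        size = path.stat().st_size if path.is_file() else -1
        if size < len(reference):
            continue  # directory, or too short to contain the reference
        with path.open("rb") as fh:
            head = fh.read(len(reference))  # hash only the leading bytes
        if hashlib.sha256(head).hexdigest() != ref_hash:
            continue
        (exact if size == len(reference) else prefix).append(path.name)
    return exact, prefix


def build_constructed_sample():
    """Constructed data: a fake GIF 'logo' and a folder of 'recovered' files."""
    logo = b"GIF89a" + bytes(range(256)) * 4
    out = Path(tempfile.mkdtemp(prefix="recovered_"))
    (out / "f0001.gif").write_bytes(logo)                  # intact copy
    (out / "f0002.gif").write_bytes(logo + b"\x00" * 300)  # carved, trailing slack
    (out / "f0003.gif").write_bytes(logo[:-1] + b"X")      # a different image
    (out / "f0004.gif").write_bytes(logo[:100])            # truncated fragment
    return logo, out


if __name__ == "__main__":
    logo, folder = build_constructed_sample()
    exact, prefix = find_matches(logo, folder)
    print("exact matches:", exact)
    print("prefix matches (trailing data):", prefix)
```

A truncated or partly overwritten copy, like the constructed `f0004.gif`, matches neither check, so an empty result does not show that the graphic was never in the cache.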


   
(@gmarshall139)

Call the police, give the laptop to them. You are really not helping your girlfriend at this point. Have her check out the ID theft advice at

http://www.ftc.gov/bcp/edu/microsites/idtheft//

I realize this guy is a relative, but letting him get away with it isn't doing him any favors either. It will probably be a good learning experience for him.


   