Velocity Reviews - Computer Hardware Reviews

illegal activity on non-networked computer

 
 
ColdFusion
      05-12-2009
If anyone has any information that can help me, please feel free to
respond.

I was recently contracted to investigate a
situation..........Someone had tampered with a computer and saved some
pictures of illegal activity on the hard drive. The computer was not
at any time connected to the internet, used the Ubuntu operating
system, had a system admin account with password protection and a
general user account for any other use.
I am trying to figure out how they altered the dates in the file
that they were saved to the hard drive. If I'm not
clear.................Some pictures were saved to the hard drive on
(let's say) January 1, 2009 but yet the file properties say the
file was saved on February 1, 2009 and altered on December 1, 2008. I
have never encountered a situation where there was a discrepancy
between the saved date and altered date like this.
Another question is how to track how the files were placed on the
hard drive. Whether by disk, USB, or other media; there should be
some trace of where the pictures came from.
 
Todd H.
      05-12-2009
ColdFusion <(E-Mail Removed)> writes:

> If anyone has any information that can help me, please feel free to
> respond.
>
> I was recently contracted to investigate a
> situation..........Someone had tampered with a computer and saved some
> pictures of illegal activity on the hard drive.


Ugh.

> The computer was not
> at any time connected to the internet, used the Ubuntu operating
> system, had a system admin account with password protection and a
> general user account for any other use.


FYI: None of which prevents a user from booting an alternate operating
system.

> I am trying to figure out how they altered the dates in the file
> that they were saved to the hard drive. If I'm not
> clear.................Some pictures were saved to the hard drive on
> (let's say) January 1, 2009 but yet the file properties say the
> file was saved on February 1, 2009 and altered on December 1, 2008. I
> have never encountered a situation where there was a discrepancy
> between the saved date and altered date like this.


There are utilities designed to muck with timestamps to make forensics
nearly impossible. Things like timestomp and I'm sure there are
others.

> Another question is how to track how the files were placed on the
> hard drive. Whether by disk, USB, or other media; there should be
> some trace of where the pictures came from.


You can scrape through the system logs, but this level of logging at
least isn't something I've seen. You can maybe see through logs or
dmesg if there were external devices inserted into the system and then
you can perhaps correlate times and make a good guess. Grok through
the various .*history files in user accounts, but you may not find
anything as I suspect that -- if the attacker didn't have access to
the 2 OS level accounts, they simply threw in a bootable linux CD or
equivalent, and could've written things to the drive directly from
that OS, leaving no traces on the disk other than the files and
(possibly modified) timestamps.

--
Todd H.
http://www.toddh.net/
 
anders
      05-12-2009
On Tue, 12 May 2009 08:36:46 -0700, ColdFusion wrote:

> If anyone has any information that can help me, please feel free to
> respond.
>
> I was recently contracted to investigate a
> situation..........Someone had tampered with a computer and saved some
> pictures of illegal activity on the hard drive. The computer was not at
> any time connected to the internet, used the Ubuntu operating system,
> had a system admin account with password protection and a general user
> account for any other use.
> I am trying to figure out how they altered the dates in the file
> that they were saved to the hard drive. If I'm not
> clear.................Some pictures were saved to the hard drive on
> (let's say) January 1, 2009 but yet the file properties say the
> file was saved on February 1, 2009 and altered on December 1, 2008. I
> have never encountered a situation where there was a discrepancy between
> the saved date and altered date like this.
> Another question is how to track how the files were placed on the
> hard drive. Whether by disk, USB, or other media; there should be some
> trace of where the pictures came from.


I think that someone used a bootable media (eg. live *nix-cd/usb etc)
which almost never leaves any other trace than the files themselves.

Changing timestamps is trivial:

$ man touch

Make sure to put a password in the BIOS and turn off the feature to boot
from external media so that the machine only boots from its own hard
drive. It is not foolproof, but makes it harder, at least for the non-
technical.

/Anders
 
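
What `man touch` (Anders, above) and the timestomp-style tools Todd H. mentions actually let someone do, and the one timestamp they do not reach, worked through as an added example. This is not code from any poster in the thread; it assumes GNU coreutils (`touch -d`, `stat -c`) as shipped on Ubuntu, and the files it creates are constructed samples in a scratch directory. The point for an investigator: `touch` rewrites mtime and atime freely, but the inode change time (ctime) is stamped by the kernel whenever the inode is written, so a file whose mtime is later than its ctime was either forged below the filesystem or written while the clock was wrong.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows how `touch` sets a file's
# modification and access times to arbitrary dates, and that the inode
# change time (ctime) cannot be set that way: the VFS updates ctime itself
# whenever the inode, its timestamps included, is written.
# Assumes GNU coreutils (touch -d, stat -c), as on Ubuntu.

# Scratch directory so the demo never touches real evidence.
demo_dir=$(mktemp -d)

# A constructed "picture" created now.
f="$demo_dir/picture.jpg"
printf 'constructed sample, not a real JPEG\n' > "$f"

# Back-date the modification time and forward-date the access time, the
# pattern the original post describes ("altered" Dec 2008, "saved" Feb 2009).
touch -m -d '2008-12-01 12:00:00' "$f"
touch -a -d '2009-02-01 12:00:00' "$f"

# ctime still reads "now": touch went through the VFS, which stamped the inode.
stat -c 'mtime=%y  atime=%x  ctime=%z  %n' "$f"

# Epoch-second timestamps for a file, printed as "mtime atime ctime".
timestamps() {
    stat -c '%Y %X %Z' "$1"
}

# Exit 0 when the file looks tampered with: a modification time later than
# the inode change time. A normal write sets mtime and ctime from the same
# clock reading, and a later touch refreshes ctime again, so mtime > ctime
# only arises if the system clock was wound back at write time or the inode
# was edited below the filesystem (debugfs, timestomp-style tools).
mtime_after_ctime() {
    set -- $(timestamps "$1")
    [ "$1" -gt "$3" ]
}

# A second constructed file whose mtime is forged into the future.
g="$demo_dir/forged.jpg"
printf 'constructed sample\n' > "$g"
touch -m -d '2037-01-01 00:00:00' "$g"

for file in "$f" "$g"; do
    if mtime_after_ctime "$file"; then
        echo "SUSPICIOUS: mtime later than ctime: $file"
    else
        echo "ctime ordering consistent: $file"
    fi
done
```

Run it and compare the three columns of the `stat` line: mtime and atime carry the forged dates, ctime carries the moment `touch` ran. The scratch directory is left in place under `$TMPDIR` for inspection. On a real image the same `stat -c '%Y %X %Z'` run over the suspect files, read from a read-only mount, is the first check to make before trusting any date the file "properties" dialog shows.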
Ari
      05-12-2009
On Tue, 12 May 2009 08:36:46 -0700 (PDT), ColdFusion wrote:

> If anyone has any information that can help me, please feel free to
> respond.
>
> I was recently contracted to investigate a
> situation..........Someone had tampered with a computer and saved some
> pictures of illegal activity on the hard drive. The computer was not
> at any time connected to the internet, used the Ubuntu operating
> system, had a system admin account with password protection and a
> general user account for any other use.
> I am trying to figure out how they altered the dates in the file
> that they were saved to the hard drive. If I'm not
> clear.................Some pictures were saved to the hard drive on
> (let's say) January 1, 2009 but yet the file properties say the
> file was saved on February 1, 2009 and altered on December 1, 2008. I
> have never encountered a situation where there was a discrepancy
> between the saved date and altered date like this.
> Another question is how to track how the files were placed on the
> hard drive. Whether by disk, USB, or other media; there should be
> some trace of where the pictures came from.


Are you sure you have the right (original) HD? Why is it, I wonder,
that they hired you?
--
A fireside chat not with Ari!
http://tr.im/holj
Motto: Live To Spooge It!
 
Unruh
      05-12-2009
ColdFusion <(E-Mail Removed)> writes:

>If anyone has any information that can help me, please feel free to
>respond.


> I was recently contracted to investigate a
>situation..........Someone had tampered with a computer and saved some
>pictures of illegal activity on the hard drive. The computer was not
>at any time connected to the internet, used the Ubuntu operating
>system, had a system admin account with password protection and a
>general user account for any other use.
> I am trying to figure out how they altered the dates in the file
>that they were saved to the hard drive. If I'm not
>clear.................Some pictures were saved to the hard drive on
>(let's say) January 1, 2009 but yet the file properties say the
>file was saved on February 1, 2009 and altered on December 1, 2008. I
>have never encountered a situation where there was a discrepancy
>between the saved date and altered date like this.


man touch

> Another question is how to track how the files were placed on the
>hard drive. Whether by disk, USB, or other media; there should be
>some trace of where the pictures came from.


No. While you might look at the .history files on all users, including
root to see if there are some hints, and run the command last, there is
nothing in a file telling you where it came from.

 
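
Todd H. suggests reading dmesg or the system logs for inserted devices and correlating their times with the file timestamps, and Unruh adds that the files themselves record nothing about their origin. The correlation step, as an added example that is not code from any poster: the kernel log lines below are constructed to resemble an Ubuntu `kern.log` of the period (syslog format, so no year; 2009 is assumed when matching against file times), the home directory is a scratch directory with constructed files, and GNU grep, sed, find and touch are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Pulls the device attach/detach
# lines out of a kernel log, then lists the files whose modification time
# falls inside the window a removable device was present. The log excerpt
# and the files are constructed for the demo; they are not from any case.
# Assumes GNU grep/sed/find/touch, as on Ubuntu.

# Constructed kern.log excerpt. Syslog timestamps carry no year.
log=$(mktemp)
cat > "$log" <<'EOF'
May  1 21:03:11 ubuntu kernel: [ 2051.104081] usb 1-1: new high speed USB device using ehci_hcd and address 3
May  1 21:03:11 ubuntu kernel: [ 2051.237322] usb 1-1: New USB device found, idVendor=0951, idProduct=1607
May  1 21:03:11 ubuntu kernel: [ 2051.237330] usb 1-1: Product: DataTraveler 2.0
May  1 21:03:12 ubuntu kernel: [ 2052.242116] sd 4:0:0:0: [sdb] Attached SCSI removable disk
May  1 21:03:20 ubuntu kernel: [ 2060.118021] kjournald starting.  Commit interval 5 seconds
May  1 21:04:40 ubuntu kernel: [ 2140.501211] usb 1-1: USB disconnect, address 3
EOF

# Print "timestamp  message" for lines marking a USB device arriving, a
# removable disk being attached, or the device being pulled. The host name,
# "kernel:" and the uptime prefix are stripped so the lines line up.
device_events() {
    grep -E 'New USB device found|Attached SCSI removable disk|USB disconnect' "$1" \
        | sed -E 's/^([A-Z][a-z]{2} +[0-9]+ [0-9:]+) [^ ]+ kernel: \[ *[0-9.]+\] /\1  /'
}

# Files under DIR modified after START and not after END (GNU find -newermt
# accepts the same date strings as touch -d).
files_modified_between() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" | sort
}

# Constructed home directory: one file written while the stick was attached,
# one written an hour later. Year 2009 assumed, since syslog omits it.
home=$(mktemp -d)
printf 'constructed sample\n' > "$home/copied.jpg"
printf 'constructed sample\n' > "$home/later.jpg"
touch -d '2009-05-01 21:03:50' "$home/copied.jpg"
touch -d '2009-05-01 22:00:00' "$home/later.jpg"

echo "== device events =="
device_events "$log"
echo "== files modified while the device was attached =="
files_modified_between "$home" '2009-05-01 21:03:12' '2009-05-01 21:04:40'
```

Two caveats follow from the thread itself. The window only means anything if the file mtimes were not reset with `touch` afterwards, so run the ctime comparison first; and if the files were written from a live CD, the log on the disk being examined never saw the device at all, since it was the live system's kernel that logged it. The `idVendor`/`idProduct` pair and the `Product:` string, where present, are the only identification of the device the host keeps; the copied file carries none.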