illegal activity on non-networked computer

Discussion in 'Computer Security' started by ColdFusion, May 12, 2009.

  1. ColdFusion

    ColdFusion Guest

    If anyone has any information that can help me, please feel free to
    respond.

    I was recently contracted to investigate a
    situation..........Someone had tampered with a computer and saved some
    pictures of illegal activity on the hard drive. The computer was not
    at any time connected to the internet, used the Ubuntu operating
    system, had a system admin account with password protection and a
    general user account for any other use.
    I am trying to figure out how they altered the dates in the file
    that they were saved to the hard drive. If I'm not
    clear.................Some pictures were saved to the hard drive on
    (let's say) January 1, 2009 but yet the file properties say the
    file was saved on February 1, 2009 and altered on December 1, 2008. I
    have never encountered a situation where there was a discrepancy
    between the saved date and altered date like this.
    Another question is how to track how the files were placed on the
    hard drive. Whether by disk, USB, or other media, there should be
    some trace of where the pictures came from.
     
    ColdFusion, May 12, 2009
    #1

  2. Todd H.

    Todd H. Guest

    ColdFusion <> writes:

    > If anyone has any information that can help me, please feel free to
    > respond.
    >
    > I was recently contracted to investigate a
    > situation..........Someone had tampered with a computer and saved some
    > pictures of illegal activity on the hard drive.


    Ugh.

    > The computer was not
    > at any time connected to the internet, used the Ubuntu operating
    > system, had a system admin account with password protection and a
    > general user account for any other use.


    FYI: None of which prevents a user from booting an alternate operating
    system.

    > I am trying to figure out how they altered the dates in the file
    > that they were saved to the hard drive. If I'm not
    > clear.................Some pictures were saved to the hard drive on
    > (let's say) January 1, 2009 but yet the file properties say the
    > file was saved on February 1, 2009 and altered on December 1, 2008. I
    > have never encountered a situation where there was a discrepancy
    > between the saved date and altered date like this.


    There are utilities designed to muck with timestamps to make forensics
    nearly impossible. Things like timestomp and I'm sure there are
    others.

    > Another question is how to track how the files were placed on the
    > hard drive. Whether by disk, USB, or other media, there should be
    > some trace of where the pictures came from.


    You can scrape through the system logs, but this level of logging at
    least isn't something I've seen. You can maybe see through logs or
    dmesg if there were external devices inserted into the system and then
    you can perhaps correlate times and make a good guess. Grok through
    the various .*history files in user accounts, but you may not find
    anything as I suspect that -- if the attacker didn't have access to
    the 2 OS level accounts, they simply threw in a bootable linux CD or
    equivalent, and could've written things to the drive directly from
    that OS, leaving no traces on the disk other than the files and
    (possibly modified) timestamps.

    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., May 12, 2009
    #2
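    The log-to-timestamp correlation Todd suggests, as an added example that is not part of the thread: it pulls "Attached SCSI removable disk" / "USB disconnect" windows out of kernel log lines and reports which recovered files had their inode changed while a stick was plugged in. The kern.log lines, device names and file times are constructed, and the message formats assume a 2009-era Linux kernel.

```python
import re
from datetime import datetime, timedelta

# Constructed kern.log excerpt (not from the thread); syslog lines carry no year.
SAMPLE_KERN_LOG = """\
Feb  1 09:12:03 box kernel: [ 1203.551] usb 1-2: new high speed USB device using ehci_hcd and address 4
Feb  1 09:12:09 box kernel: [ 1209.330] sd 4:0:0:0: [sdb] Attached SCSI removable disk
Feb  1 09:47:41 box kernel: [ 3341.002] usb 1-2: USB disconnect, address 4
Feb  3 18:02:15 box kernel: [ 9002.118] sd 5:0:0:0: [sdc] Attached SCSI removable disk
"""
STAMP = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*"
ATTACH_RE = re.compile(STAMP + r"\[(sd[a-z])\] Attached SCSI removable disk")
DETACH_RE = re.compile(STAMP + r"USB disconnect")

def _ts(stamp: str, year: int) -> datetime:
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def media_windows(log: str, year: int, max_open=timedelta(hours=12)):
    """Return (device, attached, detached) for each removable disk the kernel saw.
    With no disconnect logged (power cut, stick left in) the window is capped."""
    windows, current = [], None
    for line in log.splitlines():
        if (m := ATTACH_RE.match(line)):
            if current:  # previous stick never logged a disconnect
                windows.append((*current, current[1] + max_open))
            current = (m.group(2), _ts(m.group(1), year))
        elif (m := DETACH_RE.match(line)) and current:
            windows.append((*current, _ts(m.group(1), year)))
            current = None
    if current:
        windows.append((*current, current[1] + max_open))
    return windows

def correlate(files, windows):
    """Map each (path, ctime) to the device attached when that inode last changed.
    ctime is used rather than mtime because touch/utime rewrites mtime, not ctime."""
    hits = {}
    for path, ctime in files:
        for dev, start, end in windows:
            if start <= ctime <= end:
                hits[path] = dev
    return hits

def demo():
    files = [("Pictures/a.jpg", datetime(2009, 2, 1, 9, 20)),   # constructed ctimes
             ("Pictures/b.jpg", datetime(2009, 2, 2, 12, 0)),
             ("Pictures/c.jpg", datetime(2009, 2, 3, 18, 30))]
    return correlate(files, media_windows(SAMPLE_KERN_LOG, 2009))
```

A hit only says a removable disk was present at that moment; it is the "good guess" Todd describes, not proof of the source.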

  3. anders

    anders Guest

    On Tue, 12 May 2009 08:36:46 -0700, ColdFusion wrote:

    > If anyone has any information that can help me, please feel free to
    > respond.
    >
    > I was recently contracted to investigate a
    > situation..........Someone had tampered with a computer and saved some
    > pictures of illegal activity on the hard drive. The computer was not at
    > any time connected to the internet, used the Ubuntu operating system,
    > had a system admin account with password protection and a general user
    > account for any other use.
    > I am trying to figure out how they altered the dates in the file
    > that they were saved to the hard drive. If I'm not
    > clear.................Some pictures were saved to the hard drive on
    > (let's say) January 1, 2009 but yet the file properties say the
    > file was saved on February 1, 2009 and altered on December 1, 2008. I
    > have never encountered a situation where there was a discrepancy between
    > the saved date and altered date like this.
    > Another question is how to track how the files were placed on the
    > hard drive. Whether by disk, USB, or other media, there should be some
    > trace of where the pictures came from.


    I think that someone used bootable media (e.g. a live *nix CD/USB etc.),
    which almost never leaves any other trace than the files themselves.

    Changing timestamps is trivial:

    $ man touch

    Make sure to put a password in the BIOS and turn off the feature to boot
    from external media so that the machine only boots from its own hard
    drive. It is not foolproof, but makes it harder, at least for the
    non-technical.

    /Anders
     
    anders, May 12, 2009
    #3
  4. ©Ari®

    ©Ari® Guest

    On Tue, 12 May 2009 08:36:46 -0700 (PDT), ColdFusion wrote:

    > If anyone has any information that can help me, please feel free to
    > respond.
    >
    > I was recently contracted to investigate a
    > situation..........Someone had tampered with a computer and saved some
    > pictures of illegal activity on the hard drive. The computer was not
    > at any time connected to the internet, used the Ubuntu operating
    > system, had a system admin account with password protection and a
    > general user account for any other use.
    > I am trying to figure out how they altered the dates in the file
    > that they were saved to the hard drive. If I'm not
    > clear.................Some pictures were saved to the hard drive on
    > (let's say) January 1, 2009 but yet the file properties say the
    > file was saved on February 1, 2009 and altered on December 1, 2008. I
    > have never encountered a situation where there was a discrepancy
    > between the saved date and altered date like this.
    > Another question is how to track how the files were placed on the
    > hard drive. Whether by disk, USB, or other media, there should be
    > some trace of where the pictures came from.


    Are you sure you have the right (original) HD? Why is it I wonder why
    they hired you?
    --
    A fireside chat not with Ari!
    http://tr.im/holj
    Motto: Live To Spooge It!
     
    ©Ari®, May 12, 2009
    #4
  5. Unruh

    Unruh Guest

    ColdFusion <> writes:

    >If anyone has any information that can help me, please feel free to
    >respond.


    > I was recently contracted to investigate a
    >situation..........Someone had tampered with a computer and saved some
    >pictures of illegal activity on the hard drive. The computer was not
    >at any time connected to the internet, used the Ubuntu operating
    >system, had a system admin account with password protection and a
    >general user account for any other use.
    > I am trying to figure out how they altered the dates in the file
    >that they were saved to the hard drive. If I'm not
    >clear.................Some pictures were saved to the hard drive on
    >(let's say) January 1, 2009 but yet the file properties say the
    >file was saved on February 1, 2009 and altered on December 1, 2008. I
    >have never encountered a situation where there was a discrepancy
    >between the saved date and altered date like this.


    man touch

    > Another question is how to track how the files were placed on the
    >hard drive. Whether by disk, USB, or other media, there should be
    >some trace of where the pictures came from.


    No. While you might look at the .history files on all users, including
    root to see if there are some hints, and run the command last, there is
    nothing in a file telling you where it came from.
     
    Unruh, May 12, 2009
    #5
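    Anders and Unruh both point at `man touch`, and the examiner's counter-check is the part touch cannot reach: on a POSIX filesystem utime sets atime and mtime to whatever the caller asks, but the kernel stamps ctime (inode change time) with the current clock on every metadata change, including the touch itself. The following is an added example, not code from the thread; the file names, thresholds and temp-directory setup are constructed.

```python
import os
import tempfile
import time

SLACK = 2.0               # seconds; covers coarse filesystem timestamp granularity
BACKDATE = 30 * 86400     # mtime this far behind ctime is worth a second look

def check_timestamps(path: str) -> list[str]:
    """Return anomaly strings for one file (empty list means consistent).

    touch/utime can set atime and mtime to any value, but the kernel stamps
    ctime (inode change time) with the current clock on every metadata change,
    the utime call included. A file written normally has mtime ~= ctime. An
    mtime later than ctime was forged into the future; an mtime far earlier
    was backdated or preserved on copy (cp -p, tar), so it is a lead, not proof.
    """
    st = os.stat(path)
    flags = []
    if st.st_mtime > st.st_ctime + SLACK:
        flags.append("mtime after ctime: modification time forged into the future")
    elif st.st_ctime - st.st_mtime > BACKDATE:
        flags.append("mtime far before ctime: backdated or timestamps preserved on copy")
    if st.st_atime > st.st_ctime + SLACK:
        flags.append("atime after ctime: access time forged into the future")
    return flags

def demo() -> dict[str, list[str]]:
    """Constructed scenario: three files, two given touch-style timestamp edits."""
    d = tempfile.mkdtemp()
    now = time.time()
    cases = {"untouched.jpg": None,
             "backdated.jpg": now - 120 * 86400,   # touch -d '120 days ago'
             "future.jpg": now + 60 * 86400}       # touch -d '+60 days'
    results = {}
    for name, when in cases.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"\xff\xd8 constructed image bytes")
        if when is not None:
            os.utime(p, (when, when))   # same syscall touch uses; ctime stays 'now'
        results[name] = check_timestamps(p)
    return results
```

The OP's "saved February 1, altered December 1" pattern is the backdated case: a ctime weeks after an mtime tells you the stamps were set after the write, though a `cp -p` from older media produces the same shape.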
