illegal activity on non-networked computer

If anyone has any information that can help me, please feel free to
respond.

I was recently contracted to investigate a
situation..........Someone had tampered with a computer and saved some
pictures of illegal activity on the hard drive. The computer was not
at any time connected to the internet, used the Ubuntu operating
system, had a system admin account with password protection and a
general user account for any other use.
I am trying to figure out how they altered the dates in the file
that they were saved to the hard drive. If I'm not
clear.................Some pictures were saved to the hard drive on
(let's say) January 1, 2009 but yet the file properties say the
file was saved on February 1, 2009 and altered on December 1, 2008. I
have never encountered a situation where there was a discrepency
between the saved date and altered date like this.
Another question is how to track how the files where placed on the
hard drive. Whether by disk, USB, or other media; there should be
some trace of where the pictures came from.

 

Ugh.

FYI: None of which prevents a user from booting an alternate operate
system.

There are utilities designed to muck with timestamps to make forensics
nearly impossible. Things like timestomp and I'm sure there are
others.

You can scrape through the system logs, but this level of logging at
least isn't something I've seen. You can maybe see through logs or
dmesg if there were external devices inserted into the system and then
you can perhaps correlate times and make a good guess. Grok through
the various .*history files in user accounts, but you may not find
anything as I suspect that -- if the attacker didn't have access to
the 2 OS level accounts, they simply threw in a bootable linux CD or
equivalent, and could've written things to the drive directly from
that OS, leaving no traces on the disk other than the files and
(possibly modified) timestamps.

 

Den Tue, 12 May 2009 08:36:46 -0700 skrev ColdFusion:

I think that someone used a bootable media (eg. live *nix-cd/usb etc)
which almost never leaves any other trace than the files themselves.

Changeing timestamps are trivial:

$ man touch

Make sure to put a password in the BIOS and turn off the feature to boot
from external media so that the machine only boot from it's own hard
drive. It is not foolproof, but makes it harder, at least for the non-
technical.

/Anders

 

Are you sure you have the right (original) HD? Why is it I wonder why
they hired you?

 

man touch

No. While you might look at the .history files on all users, including
root to see if there are some hints, and run the command last, there is
nothing in a file telling you where it came from.