illegal activity on non-networked computer

Discussion in 'Computer Security' started by ColdFusion, May 12, 2009.

  1. ColdFusion

    ColdFusion Guest

    If anyone has any information that can help me, please feel free to
    respond.

    I was recently contracted to investigate a
    situation..........Someone had tampered with a computer and saved some
    pictures of illegal activity on the hard drive. The computer was not
    at any time connected to the internet, used the Ubuntu operating
    system, had a system admin account with password protection and a
    general user account for any other use.
    I am trying to figure out how they altered the dates in the file
    that they were saved to the hard drive. If I'm not
    clear.................Some pictures were saved to the hard drive on
    (let's say) January 1, 2009 but yet the file properties say the
    file was saved on February 1, 2009 and altered on December 1, 2008. I
    have never encountered a situation where there was a discrepency
    between the saved date and altered date like this.
    Another question is how to track how the files where placed on the
    hard drive. Whether by disk, USB, or other media; there should be
    some trace of where the pictures came from.
     
    ColdFusion, May 12, 2009
    #1
    1. Advertisements

  2. ColdFusion

    Todd H. Guest

    Ugh.
    FYI: None of which prevents a user from booting an alternate operate
    system.
    There are utilities designed to muck with timestamps to make forensics
    nearly impossible. Things like timestomp and I'm sure there are
    others.
    You can scrape through the system logs, but this level of logging at
    least isn't something I've seen. You can maybe see through logs or
    dmesg if there were external devices inserted into the system and then
    you can perhaps correlate times and make a good guess. Grok through
    the various .*history files in user accounts, but you may not find
    anything as I suspect that -- if the attacker didn't have access to
    the 2 OS level accounts, they simply threw in a bootable linux CD or
    equivalent, and could've written things to the drive directly from
    that OS, leaving no traces on the disk other than the files and
    (possibly modified) timestamps.
     
    Todd H., May 12, 2009
    #2
    1. Advertisements

  3. ColdFusion

    anders Guest

    Den Tue, 12 May 2009 08:36:46 -0700 skrev ColdFusion:
    I think that someone used a bootable media (eg. live *nix-cd/usb etc)
    which almost never leaves any other trace than the files themselves.

    Changeing timestamps are trivial:

    $ man touch

    Make sure to put a password in the BIOS and turn off the feature to boot
    from external media so that the machine only boot from it's own hard
    drive. It is not foolproof, but makes it harder, at least for the non-
    technical.

    /Anders
     
    anders, May 12, 2009
    #3
  4. ColdFusion

    ©Ari® Guest

    Are you sure you have the right (original) HD? Why is it I wonder why
    they hired you?
     
    ©Ari®, May 12, 2009
    #4
  5. ColdFusion

    Unruh Guest

    man touch
    No. While you might look at the .history files on all users, including
    root to see if there are some hints, and run the command last, there is
    nothing in a file telling you where it came from.
     
    Unruh, May 12, 2009
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.