 sj |
||
|
||
Tech: Checking a computers history
|
|
|
Subject: Tech: Checking a computers history From: Paul Mitchell Date: 13 Nov 02 - 02:42 AM I know this isn't a musc question, but I haven't had any joy from other sources. Where I work (part time) we have been given a couple of computers. I'm keen to make sure that they haven't got loads of porn and the like sat on them some where and so would like to be able to get into the "history" of the system and check / delete any unwanted stuff. I also have a worker who I think has been using a computer for porn surfing. He clears the history and files, so I'm wondering if I can check the computer he's using as well. Any pratical advice (i.e. how to do it) welcomed Paul |
|
Subject: RE: Tech: Checking a computers history From: mack/misophist Date: 13 Nov 02 - 11:02 AM In the case of the new computers, boot into dos, enter the command "format c:\" without quotes, and wait. This is enough for most. If you're still worried, check the maker of the hard drives, go to their web site, and see if they have a low level format tool. Maxtor has one that works on most (powermax0 but it's best to use a brand specific tool if you can. As for the machines in use by others, the person in charge is in charge of that. |
|
Subject: RE: Tech: Checking a computers history From: MMario Date: 13 Nov 02 - 11:10 AM Don't use the "format c:" option unless you have the software available to re-install! If your co-worker is computer savvy he can probably cover his traces pretty well - try checking the temporary internet files |
|
Subject: RE: Tech: Checking a computers history From: Schantieman Date: 13 Nov 02 - 11:29 AM Temporary internet files are sometimes hidden, but doing a search (or find files, depending on your version of Windows) lookig for a suitable word or two might turn something up. S |
|
Subject: RE: Tech: Checking a computers history From: Dave Bryant Date: 13 Nov 02 - 11:45 AM You can also try FINDing any files with Graphic File suffixes ie .JPG .GIF .BMP .TIF etc. It all depends what you're worried about though. If you just don't want your kids finding porno, you should be able to use FIND and EXPLORER to look through the files and delete anything questionable. Obviously check through Favourites, Cookies and Temporary Internet files. If you have the CDs available to reinstall Windows and everything else, you could try reformatting your hard drive (but NEVER attempt low-level formatting unless you REALLY know what you're doing) and reloading everything. I would always recommend having a bootable DOS floppy available with basic utilities ie FORMAT, FDISK on it and working from that if you do. If you're afraid of being raided by the police and them finding deleted paedophilia on it - then perhaps you need to go further - but I doubt if you'd get prosecuted if you could prove that you got the PC secondhand. |
|
Subject: RE: Tech: Checking a computers history From: HuwG Date: 13 Nov 02 - 02:25 PM When you "delete" a file, you don't necessarily remove all its content at once, you merely flag the area of disk it occupied as being available for use by the system. There could be some illegal information left after deleting a file, which you cannot access in the normal course of events. There are several tools available for clearing unwanted information out of these areas (and for recreating files you deleted by accident); NORTON for example. However, running a DEFRAG on the disk will usually clean off 99% of anything unwanted, unless the disk had very little information on it. |
|
Subject: RE: Tech: Checking a computers history From: Bill D Date: 13 Nov 02 - 03:00 PM "... so I'm wondering if I can check the computer he's using as well." it can be pretty tricky to dig deep if you are not an expert, and Windows/Internet Explorer keeps a log in some pretty deeply hidden files (I posted something about it a couple of months ago).....but IF you are authorized to do investigative work for your office, there are ways. (I would not recommend messing with someone else's computer otherwise) There are 'stealth' programs that can be installed that will record almost any level of activity, right down to keystrokes. I don't like the idea much, as it can so easily be abused, but I suppose it can be a tool when there is serious need. If you think your office NEEDS something like this, try Parents Friend |
|
Subject: RE: Tech: Checking a computers history From: Clinton Hammond Date: 13 Nov 02 - 03:06 PM "I'm keen to make sure that they haven't got loads of porn and the like sat on them some where and so would like to be able to get into the "history" of the system and check / delete any unwanted stuff." Well, if yer serious about this then ya, format C: and start from a totaly clean Hard Drive... but ya... you'll have to reinstall EVERYTHING... That included the operating system... " I also have a worker who I think has been using a computer for porn surfing. He clears the history and files" Question.... he works FOR you or WITH you? If he works WITH you, then how is it your business... that's between him and the boss... if you are the boss then ya... cook him... But if he's savvy enough to clear history and cache and such, then you might be SOL unless you're willing to to pull his Hard Drive and have it sent somewhere that does information recovery... If it's that bad, put Net Nanny or some such baby-sititng software on his system... actually... first off ask him straight up... and let him know you'd prefer he surf his porn sites from home... And that if he continues and is caught, he'll lose his job... That alone might be enough, the knowledge that you might be on to him... Hide a web cam in his office that allows you to se his monitor... On the other hand, if it's just porn, and he's getting his job done, and he's not somewhere where others can see him, so what? |
|
Subject: RE: Tech: Checking a computers history From: Rapparee Date: 13 Nov 02 - 03:54 PM There's a gadget called, I think, Key Check, which installs between the PC and keyword. It records every keystroke.... The cost is about US$20. and I've seen it advertised on the Web. There are also "sniffer" programs out there -- for free -- which create a passworded, invisible (to the person being sniffed) file on the PC, in which are recorded all of the keystrokes. You could also check out the PCs cookies...most websites load 'em onto PCs. If you connect through a server to which you have root (administrator for those who are unenlightened enough to use NT or similar) access, you could capture the keystrokes from that PC to a file on the server. Or, if you use the Solaris OS, you can use the snoop command and watch where everyone is going! I know more about this than I care to, which is why I am somewhat paranoid. DON'T do any of the above UNLESS you are the boss or you have the Big Boss direct you to do so in writing! As for making sure data has been completely deleted from a hard drive: either use Norton or similar, or write binary across the HD a couple of times (you'll have to reinstall the OS, mind you). But the only way I know of to be ABSOLUTELY certain that all of the data on a hard drive is destroyed is to pile thermite onto the drive and ignite it (or use a thermite grenade). This WILL destroy the data, but it also destroys the PC...ya know, come to think about it.... |
|
Subject: RE: Tech: Checking a computers history From: JohnInKansas Date: 13 Nov 02 - 04:19 PM Assuming that these are Windows machines, you should already have gone into Windows Explorer and set "Tools - Folder Options" on the View tab to "show all files," and should "uncheck" the "hide file extensions for known file types." When you set the "show all files" you should be able to see any hidden files in Explorer. The reason for NOT hiding file extensions, is the frequent use of "double-dot" filenames (file.doc.exe) in viruses - if you don't show the extensions, you won't see that it's an "abnormal file" before you open it. Unless you are using Win2K or WinXP-Pro, there are few log files that will be kept under ordinary circumstances (i.e. a malfunction may trigger a log in some older Win systems). Even in the "new" Win versions, the logs will consist only of lists of files opened and closed, by their file names. System logs do not keep copies of the files themselves. If you're on one of the operating systems that actually keeps detailed logs, you must be logged on as "Administrator" in order to see them. If you don't have full access, the person who could give it to you is probably in a better position to do this kind of "investigation" for you than you are - even if you could get the "permission" reset. The only place where "downloaded files" are normally kept is in Temporary Internet Files, and these should self-delete when (if) you close your browser. (although they don't always) The normal location is at C:\Windows\Temporary Internet Files\; and, with the Explorer options set as above, you should be able to see everything there. On Win2K or XP-Pro, there will be a separate "Temporary Internet Files" location for each individual user, at something like C:\Documents and Settings\Username\Local Settings\Temporary Internet Files\, with a separate "tree" for each "Username." Cookies will be here, and possibly duplicated in lower "incident" directories. Any actual "pictures" would be in \Temporary Internet Files\Internet Content. If your "suspect" is fairly knowledgeable, he may have deleted the "download" files, but may have left cookies that show where he's been. In these systems there is also a C:\Documents and Settings\Username\Local Settings\History\ folder that keeps a list of links used - usually for the past week, at least. In older systems, there is a usually a similar history file, but it's typically hidden in your browser folder(s) somewhere. In Internet Explorer, the "Tools - Internet Options" lets a user control how far back the history folder will go. If your "suspect" has set the history roller back to something very short, there will be little information on the machine. Conversely, if you set your history back to a short interval, once that time has passed, there is no record on the machine of what sites have been visited except (on Win2K, XP, NT maybe) for the Administrator's log of system activity. If you're interested in a "defensive posture," setting a fairly long time would give you "proof" that your machine hasn't been anywhere since you've had it. As indicated by Dave Bryant above, any pictures from "porn sites" or elsewhere would be downloaded as "files with Graphic File suffixes ie .JPG .GIF .BMP .TIF etc." You can put each of these into a search in Win Explorer, and see if there are any present. If you find anything objectionable, whether to delete or "preserve for evidence" is up to you, although if you decide to "build a case" it is imperative that you have a witness to what you are doing, and a written record (preferably initialed by you and the witness) for each "preserved artifact." Your system administrator, or corporate security is a good choice. A caution: since the graphic file extensions are so obvious, your "suspect" may have used the expedient of pasting the pictures into something like a Word .doc so he/she can delete the original graphic files. A look at whether .doc (and PowerPoint etc) files appear to have business related content would also be in order. In any "corporate sytem" environment (i.e. even if you just use their Internet connection), it is probably unwise to install "snoop software" (or any software) without the support of the "IT" department. And if your suspicions are reasonable, they should "do it for you." John |
|
Subject: RE: Tech: Checking a computers history From: JohnInKansas Date: 13 Nov 02 - 04:42 PM Re the "total cleanup:" Norton Utilities (not Norton AV) used to include a "disk clean" utility. I'd expect that current versions have something like it. This utility would write to "all free space" on a disk, and then delete, so that it "overwrites" any "deleted" files that may have been there. The "Govt" setting should write a 101010 pattern six times, followed by a 111000 111000 pattern six times, followed by a 000111 pattern six times, followed by a 010101 pattern six times - or something like that. This is what US Military standards required to "make sure erased data is not recoverable." Twenty years ago, when we had a "snoop" in the office who liked to do "after hours" playing with our one computer - we suspected that he was "undeleting" stuff to see what we'd been doing. I made a floppy with a single file that was the max size the floppy could hold. I gave it a file extension that did not appear anywhere on the machine. At the end of the day, I'd do a DOS copy a:\fill.gbg C:\afill.gbg, copy a:\fill.gbg c:\bfill.gbg ... etc until the drive was at least 3/4 filled, do a defrag, then Del c:\*.gbg and defrag again. With the old 20MB hard drives, I could do this in about 15 minutes. Not too practical today, since a defrag can take 15 or 20 hours on a moderately sized disk - but if you're really serious, I'd suggest a page in Word, Select All, Paste, Paste, Paste,... to about 700 pages. That should give you at least 3MB. Select all, copy and paste a half dozen more times to get to 20 or 30 MB, save as text and then change the file extension to something that doesn't happen anywhere on the machine. (Do a DOS search for DIR *.gbg /S to make sure, using whatever file extension you picked, before you use it.) DOS copy the file a few times to fill some disk - using a different file name but keeping the dummy extension each time, defrag, delete (DEL *.gb defrag. You should be able to get it clean in not more than a few weeks - if you work at it steady. John |
|
Subject: RE: Tech: Checking a computers history From: JohnInKansas Date: 13 Nov 02 - 04:56 PM </i> would'a worked better than <i/>. Is dislexia o' the fingers a sign of old age? John |
|
Subject: RE: Tech: Checking a computers history From: mack/misophist Date: 14 Nov 02 - 10:59 AM There is also a freeware program called 'eraser' that has worker well for me. |
|
Subject: RE: Tech: Checking a computers history From: Jacob B Date: 14 Nov 02 - 05:21 PM You should check with a lawyer before doing anything that could be interpreted as spying on your employee. I think that kind of thing is legal if the employee has been warned by the employer that it may be done, but doing it without warning is an illegal invasion of privacy. As far as I know, there's no problem with an employer examining a computer for evidence of employee misconduct. After all, the employer owns the computer. |
|
Subject: RE: Tech: Checking a computers history From: JohnInKansas Date: 14 Nov 02 - 11:01 PM I've just been upgrading one of my computers, and note that Norton AntiVirus 2003 Professional includes "undelete" and "filewipe" utilities. The undelete should let you see anything that's been deleted recently enough that it hasn't been overwritten. It should bring up a list of all "recoverable" files on the disk - which probably would include things that have been "emptied" from the "recycle bin." The "filewipe" is not the "full utility" that was in older Norton Utilities, as it doesn't appear to give you the option of "wiping" the disk free space, but it does let you "obliterate" any existing file, by writing random bits over the whole file. Curiosly, it appears that it "wipes" the content from the file, but leaves the file name intact. I'm not sure I've figured out why this would be useful, (bait for the snoops, maybe?) but it certainly would keep anyone from reading your mail. If you used the "undelete" to restore everything that Norton finds to be "recoverable" and then did a "filewipe" on the recovered files, it would appear that you should have a "very clean disk." I don't know if these utilities are in the "standard grade" Norton AV, and they're not obvious in the AV-Pro unless you look for them. It's also possible that they're an "optional installation" so you might have to look at your installation CD. John |
|
Subject: RE: Tech: Checking a computers history From: GUEST,.gargoyle Date: 14 Nov 02 - 11:15 PM It is not illegal!
In the U.S.A>
The employer owns the space you work in.
You appear paranoid. Go to several dozen web-pages, (begin with ZD, 2600, and TwoCows)....educate yourself.
Dave Bryant, HuwG, Clinton, JohninKansas have given you excellent advice.
Play with your machine.....use the simple "find" over night....see what comes up.....Windows is just DOS with a lot more extensions and files....
Norton is FUN - you can find bits of data from three years ago.....cripes .... one man at work took a three week sick-leave when I showed him where his Apple had been THREE YEARS ago.....Cleanup programs are made for PC's ... the fools are caught who use Macs.
Sincerely, |
|
Subject: RE: Tech: Checking a computers history From: Richard Wright Date: 15 Nov 02 - 06:00 PM Gargoyle You mention Macs--- I have a stiuation where a recuring bill was finally spotted on our VISA. After several calls and some web searching (as the 800 numbers given on the VISA bill did not work in Canada) I reached a "biller" who told me the $60 per month was for a porno site. I hasten to add I had not signed on. He kindly removed the billing and put a block on my card number. And he gave me the name and e-mail address of the person who had signed up. It was a friend who had stayed with us for a few weeks. Now, said friend says he did not steal my Credit Card number (though he could have easily as it turns out) and did not sign up. He agreed to pay the $500 bill. I like to give people the benefit of the doubt. Maybe he didn't. I am about to go to another town where the computer he used now resides, in another business we have. I intend checking it as completely as possible through searching for cookies etc. Any suggestions as to where else I might look for usage history? Sure would be nice to think he did not do it, but why else would his email be used for the password return as it seems to me he would then be the only one who could retrieve it. Just when you think the world is a better place .... Richard Wright |
|
Subject: RE: Tech: Checking a computers history From: JohnInKansas Date: 15 Nov 02 - 06:21 PM I can't give any advice about searching Macs - I don't go there; but I will point out that anyone who got your credit card number could probably get your (or his) email address, and it's apparently pretty easy to "fake" a return email address. Virtually all of the "spam" I get (on a Hotmail addy) has false returns, and I wouldn't expect a porn site to be too fussy about checking. Since they put his email addy with your card number, it's likely(?) that he may have used them together (maybe even inadvertently) - but it would only take one use on an insecure or dishonest link to expose it to use by someone else. John |
|
Subject: RE: Tech: Checking a computers history From: GUEST,Davetnova Date: 15 Nov 02 - 06:27 PM If this employee is anything like schoolkids searching for file extensions wont work. They find out eary about this and there is nothing to prevent someone naming files with any extension they like. They only have to rename them to ise them. (Our problem was MP3's not porn, they're good kids). |
|
Subject: RE: Tech: Checking a computers history From: GUEST,.gargoyle Date: 15 Nov 02 - 08:24 PM This is an easy one. I don't have a Mac in front of me at the moment but... Go to Sherlock (Left corner apple) Go to the advanced area (use the arrows)and select all files accessed/modified during a given period....about two/thirds of the way down in the box on the left side. In your case, search a block of months of credit card fraud....the times, dates, programs used will be displayed. Play with it at home first so you are efficent when you arrive at the other machine and so you don't waste your time bumbling around. Peel back layer after layer. You will surprised. Have FUN! Sincerely, Gargoyle |
|
Subject: RE: Tech: Checking a computers history From: GUEST,Cathryn Wellner Date: 16 Nov 02 - 11:35 AM Thanks for the tip, Gargoyle. Unfortunately, Sherlock checks only for "created" or "modified", not "accessed", and it doesn't check cookies. So unless the miscreant downloaded a file with a giveaway name, this approach doesn't ferret out what we're looking for. Any other suggestions? |
|
Subject: RE: Tech: Checking a computers history From: Amos Date: 16 Nov 02 - 11:46 AM Under system (.x or earlier you use File Buddy for this sort of work. It is completely configurable and will build you a file list of any criteria you can imagine. So much for being caught out. Disk scrubbing utilities are readily aailable for Macs. I do not know whether or not File Buddy has a 10.x versionbut if you go to www.versiontracker.com you can find out in a hurry. If not, and the machines you are talking about use 10.x, Apple maintains a very useful directory to all kinds of software for 10.x systems and I am sure you can find all the power you need. As for finding things under 10.x, it is a complete UNIX system under the hood and you can grep any obscure thing your heart desires! A |
|
Subject: RE: Tech: Checking a computers history From: GUEST,.gargoyle Date: 16 Nov 02 - 11:01 PM Dear Ms. Weller - I beg to differ with you
You will find that when the perpetrator downloaded a file they ALSO modified the immediate configuration....they added to an existing file...be it Bonzi Buddy or Netscape. Try it. You will be surprised.
Sincerely, |
| Share Thread: |