7

I have a system that contains highly sensitive data that does not reside on the Internet. However, when I was going through the machine recently, I detected that it had cookies, and temporary internet files stored on it. While I can find the date these were created, I need to be able to obtain the date of last Internet access in a verifiable manner. The machine is Windows XP, and I have full administrative access. I have already looked in the Event Viewer, there was no information there, as such. The last modification date for the Temporary Internet Files folder is a few years ago, so that has not served as an indication either. Is there some resource, or some logs, that Windows has that can tell me when the last connection happened, and if possible, how?

Note: This is not within a corporate network, or any similar internal network.

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179

4 Answers

3

A simple (possibly verifiable) way to do this is looking for the index.dat files that are present on the machine. Even if the user deletes all the cookies, and deletes all temporary files, and removes most traces of a connection, the index.dat file gets updated to reflect this behavior - and the latest modification date of the file will tell us when it was last used by IE, and thus give the last date Internet was accessed.

Results from search for index.dat in all files and folders, including system and hidden folders
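One way to automate the sweep described above, as an added example that is not part of the original answer: walk a directory tree, collect every index.dat (case-insensitive, hidden and system folders included), and report the newest modification time. The root path and the sample tree in the test are assumptions, and the mtime it reads is the same tamperable value a manual check would see.

```python
import os
from datetime import datetime, timezone

# Added example (not from the original answer): find every index.dat under a
# root and report the most recently modified one, i.e. the "last IE use"
# indicator the answer describes. The root path is an assumption.

INDEX_NAME = "index.dat"


def find_index_dat(root):
    """Return [(path, mtime_epoch)] for every index.dat under root.
    os.walk does not skip hidden or system folders, so they are covered."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == INDEX_NAME:
                path = os.path.join(dirpath, name)
                try:
                    found.append((path, os.path.getmtime(path)))
                except OSError:
                    # Locked or unreadable file: skip it, keep sweeping.
                    continue
    return found


def newest_index_dat(root):
    """Return (path, mtime_epoch) of the most recently modified index.dat,
    or None when there is none. mtime can be altered by anyone with
    write access, so treat it as an indicator, not proof."""
    found = find_index_dat(root)
    if not found:
        return None
    return max(found, key=lambda item: item[1])


def report(root):
    """Human-readable listing of every index.dat, newest first (UTC)."""
    lines = []
    for path, mtime in sorted(find_index_dat(root), key=lambda i: -i[1]):
        stamp = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
        lines.append(f"{stamp}  {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On the XP host this would be the profile root, e.g.
    # C:\Documents and Settings (assumption; adjust to the machine).
    print(report(os.environ.get("INDEX_DAT_ROOT", ".")))
```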

3

Since the integrity of the host is in question I would move on from the host and look at other data sources. Figure out where your flow records are; are they netflow, Argus, firewall build/teardowns?

Search the logs for results from that system's MAC, or worst case IP, address. Don't forget to account for all interfaces on the system since the malicious party could have enabled a non-primary NIC.

Scott Pack
  • 15,167
  • 5
  • 61
  • 91
  • Thank you - that's exactly what I would have done if there were any such records. As I said, it wasn't within a controlled network of any sort that I could gather logs from. I HAD to rely on the host, despite its integrity being in question. The index.dat files gave a satisfactory answer though, they did not appear to be tampered with, though that doesn't really mean much. :) – Karthik Rangarajan Jul 29 '12 at 07:09
  • @KarthikRangarajan: Rather unfortunate that. There have been several times that I, or someone on my team, have ended up using flow records to indicate tampering may have occurred. Insanely helpful during an investigation. – Scott Pack Jul 29 '12 at 19:45
2

I'm not sure how much certainty you need to have. If you are saying that the modification date of the file is not reliable, you are probably afraid of date tampering. The only thing that comes to my mind is checking the history in the browser that created the cookies. CTRL+H in IE.

If the browser is not used at all on this machine, you can check the App Data / Program Data / Local Settings folders for the last modification of config files. Or user profile -> browser preferences.

You might have some logs in the third party firewall if you have installed one.

It will be hard to trace that kind of event if you did not prepare the machine to trace/log connections beforehand.

mnmnc
  • 370
  • 2
  • 8
  • Thanks for the answer - date tampering is one of the things I was concerned about, but it mostly had to do with deleting the files that were there. Windows doesn't update the directory with last modified time, based on the files under it (like Linux does), so it was hard to track things down based on that. – Karthik Rangarajan Jul 27 '12 at 15:10
1

If someone was trying to cover their tracks they would simply have deleted the cookies and temporary internet files. Much easier and more effective than modifying the creation date! I'd expect you can use the creation date of the newest temporary file as the date of last internet access.

GdD
  • 17,291
  • 2
  • 41
  • 63
  • You're right - which is why I was looking for a verifiable way of finding LAST access, and not determining it based on what was already there. – Karthik Rangarajan Jul 27 '12 at 15:12