RE: Investigating Win-98 Box.
- To: "Troy Larson" <[EMAIL PROTECTED]>
- Subject: RE: Investigating Win-98 Box.
- From: "lsi" <[EMAIL PROTECTED]>
- Date: Mon, 03 Nov 2003 09:45:54 -0000
- Cc: [EMAIL PROTECTED]
- In-reply-to: <[EMAIL PROTECTED]>
- References: <[EMAIL PROTECTED]>
- Reply-to: [EMAIL PROTECTED]
> The earlier response was correct. Internet mail often results in items in
> the Internet cache areas.
Accessing a web-based mailbox will result in *INBOUND* mail being
copied to the browser cache, however this query is regarding
*OUTBOUND* mail. As I'm sure you're aware, the purpose of a browser
cache is to speed up downloads... outbound mail is an upload and
therefore will not be cached - there's no point.
You can test this by emptying browser cache, accessing webmail and
sending a message. Then examine browser cache. You'll see the pages
your webmail app displayed to you. You will NOT see the text you
typed into a form on one of those pages.
That text is held in memory and the browser has no reason to commit it
to disk.
I like the swapfile possibility, although it's a long shot. Even
longer might be the 'suspend' file that some systems create when they
hibernate...
There might also be some data in the browser's "auto-completion" and
URL histories.
This could be tested for by using a tracing program on a clean
(freshly installed) system. When you send your test webmail, the
tracing program is watching registry, disk files etc. You then turn
off the trace and see exactly what happens when a mail is sent. You
then go and look in those locations on the system being investigated.
> If the Win98 box was used to send yahoo mail, you
> should be able to find the email as a temporary Internet file, a deleted
> temporary internet file,
For the reasons outlined above, I doubt this is so.
> or as a stream in unallocated space.
Not sure what you mean here, but W98 doesn't have ADS. Suggesting
the text might be held in "unallocated space" is suggesting that it
was once a file which was then deleted, which as browsers do not
cache uploads, is unlikely.
> It is not necessary to bring in law enforcement to get log information from
> Yahoo if there is a basis to file a law suit. If a law suit can be filed,
> then private litigants can subpoena records from Yahoo. A number of
> businesses have abused third-party subpoena power, so some courts are
> looking more closely at the validity of the underlying lawsuit when the
> subpoena is challenged.
This of course depends on the jurisdiction in question.
Stuart
> -----Original Message-----
> From: John Hebert [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 31, 2003 8:37 AM
> To: '[EMAIL PROTECTED] '
> Subject: RE: Investigating Win-98 Box.
>
> Most PC operating systems do not keep logs/records of specific HTTP
> transactions, so I don't think you will be able to retrieve this information
> from the Win98 box. You could only establish that mail.yahoo.com stored a
> cookie on the Win98 box.
>
> IANAL, but Yahoo would have web server logs showing such transactions, but
> that would require that law enforcement agencies become involved, as Yahoo
> would correctly deny such requests from individuals for that information.
> Corporations are required by law to cooperate with law enforcement for
> private customer information requests, such as web logs.
>
> In short, I don't think it is possible.
>
> John Hebert
>
> -----Original Message-----
> From: Gaurang Pandya
> To: [EMAIL PROTECTED]
> Sent: 10/30/03 10:31 AM
> Subject: Investigating Win-98 Box.
>
> Hi,
>
> I am involved in a project where in I have to find out evidence of an e-mail
> that has been sent out from a
> Win-98 box. The sender used a yahoo account to send that. I have never done
> such project with Win-98 machine. Can any one get me clues on how to go
> about it.
>
> Any comments and suggestions are welcome.
>
> Thanks in advance.
>
> Gaurang.
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management and tracking
> system please see: http://aris.securityfocus.com
>
--
Stuart Udall
stuart at cyberdelix dot net - http://www.cyberdelix.net/
..revolution through evolution
want to make some cash? check out http://cyberdelix.net/affiliates.htm
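
The before-and-after test described in the message above, sketched as an added example (not part of the original post): snapshot a directory tree, perform the action, then list what changed and search only those files for a unique marker string. The directory contents, file names and marker are constructed for the demo.

```python
import hashlib, os, tempfile

def snapshot(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                state[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state

def changed_files(before, after):
    """Files created or modified between two snapshots, plus deletions."""
    touched = sorted(p for p, h in after.items() if before.get(p) != h)
    deleted = sorted(p for p in before if p not in after)
    return touched, deleted

def find_marker(root, paths, marker):
    """Return the touched files that contain the marker as ASCII or UTF-16LE."""
    needles = (marker.encode("ascii"), marker.encode("utf-16-le"))
    hits = []
    for rel in paths:
        with open(os.path.join(root, rel), "rb") as fh:
            data = fh.read()
        if any(n in data for n in needles):
            hits.append(rel)
    return hits

def demo():
    """Constructed stand-in for the test: a fake profile directory, not real browser data."""
    marker = "ZQX-TEST-MARKER-0001"   # unique text typed into the test message
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "history.dat"), "wb") as fh:
            fh.write(b"baseline")
        before = snapshot(root)
        # Simulated activity: a displayed page is cached, a history file is rewritten.
        with open(os.path.join(root, "page1.htm"), "wb") as fh:
            fh.write(b"<html><form>compose</form></html>")
        with open(os.path.join(root, "history.dat"), "wb") as fh:
            fh.write(b"baseline" + marker.encode("utf-16-le"))
        touched, deleted = changed_files(before, snapshot(root))
        return touched, deleted, find_marker(root, touched, marker)

if __name__ == "__main__":
    print(demo())
```

This only sees files reachable through the filesystem; swap contents, hibernation files held open by the OS, and unallocated space need an image-level search instead.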