Tuesday, 31 March 2009

Searching for phishing - the quick win

My quick win for finding confirmation that a person visited a phishing site is to check the Internet history of the browser(s) on the imaged workstation. I use an EnCase condition to search the URL names for the host names of known phishing sites. We have a comprehensive list going back to the start of Feb 2005.

Start by searching the Internet history and the email on the workstation: Internet history first, then the email.

The condition code looks like this (all from a default condition):
f() Main
  if Url Name find []
  or Url Name find []

When you run this condition, it will prompt you for the sites. If you have a large list like ours you may need to do this in batches. If this yields results, look for the email that the person received: having the email plus proof that the site was visited is what you need, but to really seal the deal make sure that you know the structure of the phishing site. Someone can only visit the second page of the site, or post to its URL, if their details were captured...
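The same check done outside EnCase, as an added example that is not from the original post: it matches exported browser-history URLs against a list of known phishing host names by parsed host (not substring), feeds the list in batches, and uses a hypothetical per-site map of the "details posted" page to say how far into the site each visit went. All host names, paths and history records are constructed sample data.

```python
# Added example: hostname matching of browser history against known phishing
# hosts, with a per-site "capture page" map to tell a visit from a submission.
from urllib.parse import urlparse

# Constructed placeholders standing in for the real phishing host list.
PHISH_HOSTS = {"login-bank.example", "secure-update.example"}
# Hypothetical site-structure map: the path a victim only reaches after
# posting their details (this is what "knowing the site structure" gives you).
CAPTURE_PATHS = {
    "login-bank.example": "/confirm.php",
    "secure-update.example": "/verify/submit",
}

# Constructed history export: (timestamp, url).
HISTORY = [
    ("2009-03-30 09:12:01", "http://www.example.org/news"),
    ("2009-03-30 09:14:22", "http://login-bank.example/index.html"),
    ("2009-03-30 09:15:40", "http://login-bank.example/confirm.php?sid=7"),
    ("2009-03-30 11:02:05", "https://mail.example.net/inbox"),
    ("2009-03-30 11:03:10", "http://notlogin-bank.example.com/x"),  # near-miss
]

def host_of(url):
    """Lower-cased host name of a URL, port stripped; '' if unparseable."""
    return (urlparse(url).hostname or "").lower()

def batches(hosts, size):
    """Yield the host list in fixed-size batches, as a long list is fed in."""
    ordered = sorted(hosts)
    for i in range(0, len(ordered), size):
        yield set(ordered[i:i + size])

def find_hits(history, phish_hosts, batch_size=100):
    """Return sorted (timestamp, url, host, stage) for visits to listed hosts.

    stage is 'captured' when the path is that site's known posting page,
    otherwise 'visited' (landing page only: weaker evidence).
    """
    hits = []
    for batch in batches(phish_hosts, batch_size):
        for ts, url in history:
            host = host_of(url)
            if host not in batch:          # exact host match, so the
                continue                   # 'notlogin-bank...' URL is skipped
            stage = "captured" if CAPTURE_PATHS.get(host) == urlparse(url).path else "visited"
            hits.append((ts, url, host, stage))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_hits(HISTORY, PHISH_HOSTS, batch_size=1):
        print(*hit)
```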

If you don't get a hit in the Internet history, it's time to pull out the full keyword search and come back in the morning.

Get in touch if you want screenshots of the process...
