This is not XOOPS related, but web-site\Internet related. I am exercising my right as an XOOPS member to ask knowledgable people a question that I would otherwise not have access to!

I am a forensic computing investigator by trade working for the UK government in the law enforcement arena. What this basically means is that I provide forensic evidence from digital devices, most commonly PC's, for use in courts of law in the UK. As part of this career, I am currently doing an MS(c) (Masters of Science) Degree in Forensic Computing and am about to emabrk on my thrid and final year. To do this final year I need a masters project, and at last we reach the point!

I'm no major expert in web site related technologies. I know a great deal about the infrastructure of the Internet as a whole, and how evidence is left on a PC and how it can be rebuilt and presented in court. However, when it comes to web sites themselves, I'm not that au fai, other than the hosting of my own site and what I've learnt as an Xooper.

I'd be interested to know if anyone can think of a project that is web-site\Internet related that may be interesting to study for a year and ultimately provide something useful in the arena of law enforcement and forensic computing. For example, I am considering a study of the future effects that IPv6 will have on an investigators ability to investigate a web site compared with the current IPv4. If anyone can think of something I'd be really pleased to hear it, especially if it's along those lines, but I'm 100% open to any ideas.

Thanks

Ted

hmmmm.. can't think of projects off hand, but maybe look for information relating to backtracing of ip's and routes taken between each server & isp..

as u probably are aware, there's many ways you can falsify your IP, by simply using proxy servers and jumping from 1 proxy to another.. what you could look into is the methods used to backtrace a connection to it's source.. altho some contact with ISP's will be necessary, i'm pretty sure if you email some ISP's like AOL, wanadoo, BT etc they could give you some information regarding that. i don't know if this is useful to u or not tho.. i maybe on the wrong track.. sniffer programs and network monitors etc are also handy and are widely used by hackers, i don't know how they'd be used in a forensic way tho..

but my friends dad is a forensic scientist for south yorkshire police, so i'll ask him if he can get some info from the guys where he works that may help you :)

I've decided to do a study about the traces left behind by certain web capture software, such as Webzip, on certain server architectures (i.e. either Apache or IIS) and examine what traces may be left behind for a suspect to detect the fact that they are under investigation.

Obviously Apache is more common, but I am more familiar with IIS and thus I may be able to do better research as a result of a better core understand. Not sure yet.

I also want to look at the implications of permission systems on how well a site can be 'captured' remotely.

There are many little bits I'm thinking of looking yet - too many to mention here. Anyway, I'm glad to have an idea at last.

Thanks

Ted

I've read quite a bit (at PHPFreaks.com) about PHP sessions, and the fact that they are stored on the server, active for a period of time, and contain data such as usernames, IP addresses, etc.

It strikes me therefore that their could potentially be forensic value to a PHP session if a particular web site was being investigated and the authorities needed to know who had been visiting it, when, and how often. Seeing as cookies and Internet caches that are stored on hard disks are already well know of by law enforcement and investigated accordingly, it occured to me that this could be another avenue to go down once the location of the server is known and it's been seized for forensic interegation.

Can anyone direct me to a comprehensive guide on PHP sessions (if there is such a document) that details what, exactly, they store, in what format and in what way (location on the server) so that I can make a somewhat more informaed decision as to whether there is enough 'stuff' there to do an MSc project on.

Thanks

Ted

Quote:

Great... more erosion of our civil liberties and freedoms. Its time for me to do some research into anonymisers, web-proxies etc...

Would rather keep to the topic thread otherwise it will turn into a political chatter.

Been doing a little research and eventually stumbled accross this link at Linux How To's.

It states that PHP Session files are generally stored in a /tmp folder (specified in the php.ini file) and named something like 'sess_c379faad83ad3dc8ab6d22c14dbab3b4'. The content, apparently may look like this :



but it only says that it will mean something if you've used the serialize() and unserialize() functions in PHP, which I haven't :lol!!

Can anyone explain to me what the coded bits are, and is that all that gets stored in a session, or is there generally more than that? If so, what else sometimes gets put in?

Thanks

Quote:
SESSION is an array with one element (a:1) - the index is a string with 5 characters and the value count (s:5:"count";) and the value is an integer with the value 234.

However, sessions can be stored in many places, depending on the configuration - XOOPS for example stores session data in the database.

Yo, thanks Mith.

I'm thinking then that no real substantive data of any forensic use is going to be stored in a session then (and besides I've read that they also expire after a certain amount of time, just as they do in XOOPS and are presumebly then deleted). I was thinking that actual IP addresses and usernames may be stored in them (allbeit perhaps encoded) bbut by the looks of it nothing more than short term temporary variables that get cleared out very quickly? Would that be a correct conclusion?

Quote:
That would be the definition of a session, yes.
Data that is usable during the session, but rather useless afterwards.

IPs are saved in the session table and inside the data is - in XOOPS - the user's ID, but this is not always the case.