• Status: Solved

Tool to extract information from Windows XP User Profiles?

Hello everyone, hoping you guys can help me out. I work in the IT Department at my workplace - with the Desktop Support group. Recently, one of the departments at my workplace has had issues with some of their employees going to websites they shouldn't be going to, such as online gaming, cell phone sites, etc. I have been tasked with weeding out this information from these "general use" PCs that are exhibiting the problem sites. I have never done this and I'm having trouble finding information on the subject.

As an example of the type of information I'm looking for:  On one particular PC, I need to find out all the people who logged in on a particular night in between 12:00AM and 6:00AM.  I also need to find out what websites they visited while logged in.

Can anyone recommend some programs/tools to help me with this (hopefully free software)?  Any advice/suggestions are welcome and appreciated.  Thanks for your time.
Asked by: JPerkins_MMH

DanMar Commented:
If you are using a proxy server e.g. Forefront/ISA etc. this will be logged on the server and either built in reporting or third party tools are available.  Do you know what proxy is in use?

ngcmos Commented:
Well, the brute-force approach: go to the computer with a program called Puppy Linux, go to the hard drive that's on the desktop, and use this file path: C:\Documents and Settings\user\Cookies. However, if they are using a login that is on a server domain, then this method won't work.

JPerkins_MMH (Author) Commented:
DanMar:
We currently do not have a proxy.  Our network admin is working on it, but it's only in testing phase (and likely will be that way for a long, long time).

vladh:
Thanks for the link.  I'll check that out.

JPerkins_MMH (Author) Commented:
ngcmos:
Yes, these computers are connected to my company's domain, and they are logging in with domain user accounts.  

vladh:
I checked the link, that doesn't really suit my current need.  I need to be able to check the logs of what they've already done.  I'm hoping that information is stored somewhere in their profiles local to each PC, and that there is a piece of software available (hopefully free) that will let me analyze that information for reporting to my superiors.

DanMar Commented:
Without a proxy not much is being logged outside the client PC. I do suggest installing one. There will be a few shareware/freeware ones out there.
To verify users & sites visited on the PCs you will need to check the event viewer on the machine & IE History.  Check security in Event Viewer and ensure history is enabled for previous x days e.g. 14 days in IE.  You could also click "view files" or check Temporary Internet folder and you will find the internet addresses visited.
This is not ideal for ongoing reporting.

JPerkins_MMH (Author) Commented:
Well, this won't be an ongoing report.  I found out you can check web history through the .DAT files in each profile.  It's not much, but it does show some information.  

Can you recommend a free proxy program?  I'd like to be prepared in the future with something I can install to check what websites were visited more thoroughly.

JPerkins_MMH (Author) Commented:
Also, I need to be able to tell who is logged into Windows when the websites are visited. These are general use PCs, and can be used by anyone in the department.

DanMar Commented:
You can find who is logged in through the security section in the event viewer based on time & date.
I have had a look for free proxy server software and found this one: CCPROXY, here: http://www.youngzsoft.net/
It wouldn't be much work to set up. If you need to look for more options, I would go to popular shareware sites, Google, etc., search for "proxy server windows free" and the like, compare ratings, and ensure that they are recent releases, i.e. 2009-2010.

btan (Exec Consultant) Commented:
Since there is no proxy, central logs will take a while to verify (but it is doable); check out the suspected user's machine browser history. You can check out IEHistoryView @ http://blogs.techrepublic.com.com/window-on-windows/?p=745

This utility reads all information from the history file on your computer, and displays the list of all URLs that you have visited in the last few days. In addition, you are allowed to view the visited URL list of other user profiles on your computer, and even access the visited URL list on a remote computer, as long as you have permission to access the history folder.

Download @ http://www.nirsoft.net/utils/iehv.html

Also Pasco - A command line tool that runs on Unix or Windows and can reconstruct the internal structures for IE Index.dat files. Pasco accepts an Index.dat file, reconstructs the data, and outputs the information in a delimited text file format. The field
@ http://sourceforge.net/projects/odessa

Also, verifying the logon events in the event log will further confirm that the user was logged in during the browsing event. See "Audit logon events" in the article @ http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html

Other info
==============
I suggest that the proxy be implemented since you are going to enforce web surfing to specific sites. You can check out BlueCoat @ http://www.bluecoat.com/products/webfilter. The key is that the proxy client setting has to be locked as well, so that the user cannot easily bypass it.

BlueCoat has a proxy client to enforce this policy as a machine-global setting independent of the browser. Alternatively, if IE is the only browser application used uniformly in the organisation, the Windows client has a built-in policy via the GPO; see the link
@ http://lpakb.stbernard.com/webhelp/ODS/EnterpriseWebFilter/SupportFiles/OD0070.htm

JPerkins_MMH (Author) Commented:
Thanks so much for the info and links breadtan.  I'll check those out.
Question has a verified solution.
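
The check described in the answers above, matching Security log logon events against IE history timestamps for the 12:00AM to 6:00AM window from the question, as an added example that is not part of the original thread. It assumes both sources have already been exported to plain text and normalized to the same time zone; the column layouts, account names and URLs are constructed for illustration and are not the output format of any tool named above.

```python
import csv
import io
from datetime import datetime, time

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed Security log export: time, event ID (XP: 528 logon, 538 logoff), account.
SECURITY_LOG = """\
2010-03-04 23:50:12,528,CORP\\asmith
2010-03-05 00:41:03,538,CORP\\asmith
2010-03-05 01:05:47,528,CORP\\bjones
2010-03-05 03:30:00,538,CORP\\bjones
2010-03-05 05:10:00,528,CORP\\cdoe
"""

# Constructed history export (access time <TAB> URL), same time zone.
HISTORY = """\
2010-03-05 00:15:20\thttp://games.example/play
2010-03-05 02:10:09\thttp://phones.example/deals
2010-03-05 04:00:00\thttp://news.example/
2010-03-05 05:30:00\thttp://games.example/scores
2010-03-05 07:00:00\thttp://intranet.example/
"""

def sessions(log_text):
    """Pair each 528 logon with the same account's next 538 logoff."""
    open_at, out = {}, []
    for ts, event_id, user in csv.reader(io.StringIO(log_text)):
        when = datetime.strptime(ts, FMT)
        if event_id == "528":
            open_at[user] = when
        elif event_id == "538" and user in open_at:
            out.append((user, open_at.pop(user), when))
    # A logon with no logoff record (crash, still logged on) stays open-ended.
    return out + [(u, t, datetime.max) for u, t in open_at.items()]

def attribute(history_text, log_text, start=time(0, 0), end=time(6, 0)):
    """Return (time, url, accounts) for visits inside the daily window."""
    sess, rows = sessions(log_text), []
    for line in history_text.splitlines():
        ts, url = line.split("\t")
        when = datetime.strptime(ts, FMT)
        if start <= when.time() < end:
            users = sorted(u for u, a, b in sess if a <= when <= b)
            rows.append((ts, url, users or ["<no session>"]))
    return rows

if __name__ == "__main__":
    print(*attribute(HISTORY, SECURITY_LOG), sep="\n")
```

A visit reported as `<no session>` points to missing log records or a clock or time zone mismatch between the two sources, and should be resolved before anything is attributed to a person.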