
Do you ever wonder what your spouse is doing online?

Are you fearful of what the kids might be downloading?

Want to know what your employees are doing on the internet?

Find out today with SPY!


CONTENTS

1 – Introduction

2 – How to use SPY

3 – Interrogating the web browser


– Introduction
– Cookies
– History
– Temporary Internet Files
– Passwords and Form Data

4 – Forensically examining your hard drive


– Introduction
– Deleted Files
– Common Files
– Is Anything Really Deleted?

5 – Filesharing

– Introduction
– Finding filesharing software
– Locating shared files

6 – What next?

7 – Copyright & disclaimer information


Chapter 1 – Introduction

A very quick point – the copyright for SPY belongs to the author, feel free to share this document
but please do not pass it off as your own! Any queries may be directed to the author at
laingy@gmail.com.

Okay, let's get on with it, shall we?

Virtually everyone in the developed world has access to the internet, whether it be through
their home internet connection, a library terminal, their office workstation, or even their
mobile telephone. It is arguably the greatest and most impactive technological development of
our lifetime, and its uses are uncountable. However, what we are here to investigate is not use
of the internet, but misuse of it.

If you operate a small business, big enough to have employees but not big enough to have an
I.T. department, how can you know whether your staff are misusing the workplace internet
connection? As a boss you will know that if somebody can get away with something, then they
very probably will get away with something! Are you paying your employees' wages to sit and
browse eBay or watch videos on YouTube for eight hours a day?

It's not just cheeky employees that can be misusing the internet, though. Perhaps your
teenage kids have access to the 'net at home – after all, it's a great research tool for
homework, and they can keep in touch with friends at the same time. But what else might
they be doing? It doesn't matter how sweet and angelic you think they are, because teenagers
are teenagers are teenagers. Do you really think they've never typed 'sex' or 'porn' into
Google?

Just as worrying is the trend for illegally downloading music and movies. Piracy costs the
entertainment industry a lot of money, which means that they are willing to spend a lot of
money to stop it. Over the last five years, the industry has initiated early-morning search
warrants, arrests, and prosecutions of people for downloading pirated songs and films. Did
you think that the culprits were all 'knock-off Nigels', those guys who go around the pubs
selling DVDs from a holdall? Wrong. By far the biggest group of people who illegally
download is teenagers. Ask yours if they have ever heard of Limewire, for example. They
have? Uh-oh... better fast-forward to Chapter 5 (Filesharing) to find out what they're up to,
before the police come knocking at 6am!

The good news for you, whether you are a parent, an employer, or even a suspicious spouse, is
that it is quite easy to find out how your internet is being used. Computers constantly make
records of what they are being used for. Sometimes the records are open, easy to find, read,
and delete. Often, they are not. Even somebody who is trying to cover all trace of their
internet use, for whatever reason, will find it virtually impossible to get rid of all the evidence.

SPY will take you, step-by-step, through a forensic examination of your computer. It will
show you where to look, and how to interpret what you find. You don't need to be a computer
expert to use SPY – you just need to be able to switch on the computer and use the mouse.
Everything else is explained in the book in all its simplicity.

Best of all, all of the techniques that are used in a SPY examination are entirely free. Some of
the more sophisticated methods might require the use of some free software, and most of them
can be completed with nothing more than what you already have in front of you – the
computer, a monitor, a mouse and a keyboard.

So, good luck in your detective work! If you have any comments about SPY, please feel free to
email me at the address at the start of this introduction – and of course, a positive feedback on
eBay is always welcome!

ML

2 – How to use SPY


As I have mentioned, SPY is designed for everyone – including people who have very little
knowledge of computers. As such, some of the explanations may seem as though they are
teaching you to suck eggs – feel free to skip the parts that you already understand!

At present, SPY is written for PC and laptop users, but not Mac users. Apple Macs are
fundamentally different to PCs, and SPY techniques may not be suitable for them.

SPY is written for use with the Windows operating system, whether it be Windows XP or
Windows Vista. Most of the techniques will also work with older versions of Windows,
however.

All of the techniques in SPY work on the assumption that you have access to the computer you
are examining, under the same username as the person you are investigating. You may find
that Windows asks you to select a user when you switch on the computer, and it may be set up
with a separate user account for each member of the household. If you want to know what
'John' has been using the internet for, you'll need to select 'John' in order to access the
relevant files.

As a small aside – you should have authority to access any areas of the computer that you
examine. If you own the computer, then it's very likely that you have such authority! Likewise if
it is a family-owned computer and you are part of the family – but be aware of the legal
implications of accessing somebody else's computer without their permission.

3 – Interrogating the web browser


Introduction

A major element of the internet is the 'world wide web'. A lot of people think that the world
wide web is the internet, which is not far from the truth. When you hear about websites, and
web pages, they are things that are found on the world wide web – or 'www' for short.
Indeed, this is why websites have 'www' at the start of their names.

The 'web browser' is the program that your computer uses to look at things on the world wide
web. The vast majority of computers use the web browser called Microsoft Internet Explorer
('IE' for short) – there are alternatives, but very few computers are supplied with anything
other than IE installed, and people who use alternatives are usually experienced computer
users who download them from the internet. SPY is written with IE in mind.

IE is started as soon as you open the internet on your computer. This is usually done by
clicking the IE icon, which appears as a blue letter 'e' somewhere on the desktop. If you open
any web page, you should see at the very top of the window the name of that web page,
followed by the words 'Microsoft Internet Explorer' – congratulations, you are using IE.

While someone is using IE to look at the internet, the program is making records – thousands
of records – of what they are doing. Technically, every time that person looks at a web page,
IE actually makes a copy of that web page and stores it.

Although it is quite simple to access and delete these records, there are a lot of people who
don't know how to do so. What's more, even if somebody does know how to do so, they
probably won't bother unless they think somebody else might go looking for them.

This chapter will take you through finding and opening these records, and interpreting what
you find.

Cookies

Nope, not the choc chip kind. We're talking about computer cookies. Lots of people have
heard of them, not many people know what they are, and there is a common misconception
that they are fundamentally bad. So what is a cookie?

A cookie is a small computer program, that web designers build into some web pages. When
someone views that web page, the cookie installs itself onto their computer. Then, next time
that same person views that same web page, the cookie communicates with the web page and
remembers some of what happened last time that person viewed the page.

For example – if you go onto the BBC website, you can tell the website your current location
so that it displays local news and local weather. If you then go back onto the BBC website a
week later, it already knows where you are – and displays that local information
automatically. How? A cookie! A cookie installed itself the first time you went there,
remembered what happened when you told it your location, and used that information to tell
the website automatically when you returned.

Cookies are one type of record that are kept when someone is using IE to view the internet,
and if you know where to find them and what they look like, you can get a glimpse of how IE
has been used.

Here's how:

– Open IE – however you usually do this, to access the internet.
– At the top of the screen, there is a 'Tools' menu. It may be in the menu bar near to the top-
centre of the screen, or it may be over in the top-right corner, depending on which version
of IE you have. Click 'Tools' once.
– This will open a drop-down menu, and at the bottom of this menu is 'Internet Options'.
Select this.
– You should now have a small window on the screen, entitled 'Internet Options'. Around
halfway down this window is a section named 'Browsing history', within which there are
two buttons: 'Delete...' and 'Settings'. Click on 'Settings'.
– Another small window should open, entitled 'Temporary Internet Files and History
Settings'. Within this window there are several buttons – one is named 'View files'. Click
this.

At this point, a further window will open. This window is called an 'explorer' window, and it
allows you to view all of the files on a computer's hard drive. This window has opened on the
'Temporary Internet Files' section, and you should see a long list of files within it. Those files
which are cookies always stay at the top of that list, and you should see them now – cunningly,
they all start with the word 'cookie:'!

Now that you have found the cookies, what do they all mean?

Well, all cookies are named in a particular way: they start with 'cookie:' followed by the name
of a user (e.g. John), an '@' symbol, and the name of a website. So the following cookie...

cookie:john@bbc.co.uk

...indicates that John has used IE to view the BBC website. Get it?

Without getting really technical, there isn't a great deal you can find out from cookies other
than the names of the websites that generated them. Scroll down the list of cookies (it may be
very long!) and see what sort of websites have been viewed on your computer.

Be aware that sometimes, cookies can be stored simply by viewing an advert for a particular
website, and so by themselves they aren't strong evidence of internet misuse. If you view an
innocent website that has on it an advert for a casino, for example, you might find a cookie
called...

cookie:john@thecasino.com

...and it doesn't necessarily mean that John has been gambling away the mortgage money!

Look at the list as a whole. Expect to see a few 'dodgy-looking' cookies scattered around,
that's normal. If you find that half the list is made up of cookies from one kind of site –
casinos, dating sites, porn – then it might be an indication that a lot of these sites have been
visited.
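Counting cookies by site by eye gets tedious once the list runs to hundreds of entries. As an added example (mine, not part of SPY and not a tool the author supplies), the Python script below does the tally described above: it takes filenames exactly as they appear in the Temporary Internet Files list, keeps only those in the 'cookie:user@site' form, and counts them per user and per site. IE stores each cookie as a small text file with that name, which is why the name alone is enough here. The filenames in SAMPLE_NAMES are constructed for the example, and the grouping rule in registered_domain() is a rough heuristic of mine rather than anything IE defines; it folds advertising hosts such as ads.thecasino.com into the site they belong to, which is exactly the case the text warns about, so a high count for a site is a lead to check against the history, not proof of a visit.

```python
import re
from collections import Counter

# Constructed filenames in the form shown in IE's Temporary Internet Files list
# (not taken from any real machine). Entries without the 'cookie:' prefix are
# ordinary cached files and are skipped.
SAMPLE_NAMES = [
    "cookie:john@bbc.co.uk",
    "cookie:john@bbc.co.uk/weather",
    "cookie:john@google.co.uk",
    "cookie:john@thecasino.com",
    "cookie:john@ads.thecasino.com",
    "Cookie:John@MSN.COM",
    "button2.gif",
    "078f5",
]

# cookie:<user>@<site>, optionally followed by a path; case is not significant
COOKIE_RE = re.compile(r"^cookie:(?P<user>[^@]+)@(?P<site>[^/\s]+)", re.IGNORECASE)


def parse_cookie_name(name):
    """Return (user, site) for a 'cookie:user@site' entry, or None for any other file."""
    m = COOKIE_RE.match(name.strip())
    if m is None:
        return None
    return m.group("user").lower(), m.group("site").lower()


def registered_domain(site):
    """Collapse a host name to the site it belongs to, so that ads.thecasino.com
    and thecasino.com are tallied together. Heuristic (my assumption, not an
    exact rule): keep the last two labels, or three when the ending looks like
    a country-code pair such as 'co.uk'."""
    labels = site.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def tally_cookie_sites(names):
    """Count cookie files per (user, site)."""
    counts = Counter()
    for name in names:
        parsed = parse_cookie_name(name)
        if parsed is None:
            continue
        user, site = parsed
        counts[(user, registered_domain(site))] += 1
    return counts


if __name__ == "__main__":
    # Most frequent sites first, so the 'half the list is one kind of site'
    # pattern the text describes stands out immediately.
    for (user, site), n in tally_cookie_sites(SAMPLE_NAMES).most_common():
        print(f"{user:<8} {site:<20} {n}")
```

To use it on a real list, paste the filenames from the explorer window into SAMPLE_NAMES (or read them from a file) and run the script; the sites with the highest counts are the ones worth looking up in the history.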

A final note on cookies – if you follow the above instructions and find NO cookies, this
suggests that the user may have deleted them after they last used the internet. They could do
this to cover their tracks, or for legitimate reasons such as general computer maintenance. All
is not lost, however... we're just getting started!

History

Unlike cookies, 'history' is fairly self-explanatory. IE keeps an index of all previously-visited
websites – pretty useful, huh? There are a few different methods of finding out what's in this
history, depending on which versions of Windows and IE you are running.

The most straightforward method is to see a list of recently visited addresses. Here's how:

– Open IE.
– At the top is a long white bar, where the address of the current web page is displayed. This
is called the 'Address Bar', and it should contain a web address – probably www.msn.com
or www.google.com, for example. Found it?
– To the right of the address bar is an arrow that, when clicked, opens a drop-down
box. Try it.

This drop-down box should contain the last ten or so web addresses that have been entered
into the address bar by that user. Note that it will only display addresses that have actually
been typed in – it won't necessarily include addresses that have been visited by the user
clicking on links to get them there.

Although the contents of the drop-down box are limited in this way, it does mean that
whatever you see in here has actually been typed into the address bar, manually, on the
keyboard. So now 'www.thecasino.com' showing up in the list isn't just the result of an advert
or a misplaced click – somebody has physically entered that address into the browser.

But what about the other sites – the ones that have been visited without the user actually
typing the address in? Now, here's a nifty trick to find that information:

– Open IE
– Click in the address bar, so that you can type into it directly
– Type 'www.' followed by any letter of the alphabet.

You should see the drop-down box appear again, this time containing a number of web
addresses that are in the IE history beginning with the letter you chose. If none appear, try a
different letter.

For example – typing 'www.g' into the address bar might open the drop-down box, with
suggestions such as 'www.gasboard.co.uk' and 'www.google.com' because they match with
what you have typed so far.

If a website appears in this manner, it means that the web address has been visited at some
point. Try using every letter of the alphabet, one after another, and see what sites pop up in
the window. You might find some interesting results!

Searches

Whilst you are using this method to see the history of visited websites, you might even be able
to find what the user has been searching for on the internet. If you find a web address for a
searching site in the history (almost certainly 'Google', but there are others) you might see lots
of web addresses all starting with 'www.google.com/' followed by lots of nonsense and
gobbledegook. For example...

http://www.google.co.uk/search?q=casino&rls=com.microsoft:*:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7;

... does that look familiar? Most of that is an instruction to the Google website on how to go
about searching, but can you see the word 'casino' in the middle of it all? Bingo – that's the
search term.

If the user visits Google and searches for 'casino', this is the address that will be generated.
Have a look through all those technical Google addresses in the history, and try to pick out the
search terms. They will be in the same part as the word 'casino' in the above example.

Identifying which search terms have been entered in this way can be very damning for the
user, because it indicates a deliberate act to try and find something on the internet.
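Picking the search term out of such an address by eye is error-prone once the term contains spaces (they appear as '+' or '%20') or letters outside plain English. As an added example, mine rather than the author's, the Python script below uses the standard library's URL parser to do it: it recognises Google addresses by the 'q' parameter visible in the address above and, as an assumption of mine for the example, Yahoo addresses by a 'p' parameter. The entries in SAMPLE_HISTORY are constructed; the first is the address quoted in the text, the rest are made up.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed history entries modelled on the address quoted in the text; the
# first one is that address, the rest are made up for the example.
SAMPLE_HISTORY = [
    "http://www.google.co.uk/search?q=casino&rls=com.microsoft:*:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7",
    "http://www.google.co.uk/search?hl=en&q=online+poker+free+download&btnG=Search",
    "http://www.google.com/search?q=bbc%20weather%20leeds&ie=UTF-8",
    "http://search.yahoo.com/search?p=cheap+flights",
    "http://www.google.co.uk/",
    "http://www.bbc.co.uk/news/",
]

# Query-string key that carries the search term. 'q' for Google is visible in the
# book's example; 'p' for Yahoo is my assumption for the sake of the example.
SEARCH_ENGINES = {
    "google": "q",
    "yahoo": "p",
}


def extract_search_term(url):
    """Return (engine, term) if url is a search-results address, otherwise None."""
    parts = urlsplit(url)
    host_labels = (parts.hostname or "").lower().split(".")
    for engine, key in SEARCH_ENGINES.items():
        if engine not in host_labels:
            continue
        # parse_qs splits on '&', turns '+' and '%20' back into spaces and
        # decodes UTF-8, so the term comes out as the user typed it.
        values = parse_qs(parts.query).get(key)
        if values:
            return engine, values[0]
    return None


def search_terms_from_history(urls):
    """Keep only the history entries that carry a search term."""
    found = []
    for url in urls:
        hit = extract_search_term(url)
        if hit is not None:
            found.append((url, hit[0], hit[1]))
    return found


if __name__ == "__main__":
    for url, engine, term in search_terms_from_history(SAMPLE_HISTORY):
        print(f"{engine:<7} {term!r:<35} {url}")
```

A plain visit to the search engine's front page (the fifth sample entry) has no 'q' and is correctly left out, which is the difference between 'opened Google' and 'searched Google for something'.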

Temporary Internet Files


By now you should be into the swing of interrogating IE. Remember earlier, when I said that
when a webpage is viewed, IE makes a copy of the page and stores it? The Temporary
Internet Files area is where it is kept.

As with all things computerised, it's not entirely straightforward!

A webpage will in fact be made up of a number of individual files. Every little image that
appears – even including the logo at the top, and the things that look like buttons for users to
click on – will be stored as a separate 'image' file. This means that viewing a single webpage
will generate lots of files in the 'Temporary Internet Files' area. You won't be able to just hit a
'playback' button to see what pages are in there, but as with the cookies you can get a feel for
the type of sites that have been visited. Here's how:

– Open IE – however you usually do this, to access the internet.
– At the top of the screen, there is a 'Tools' menu. It may be in the menu bar near to the top-
centre of the screen, or it may be over in the top-right corner, depending on which version
of IE you have. Click 'Tools' once.
– This will open a drop-down menu, and at the bottom of this menu is 'Internet Options'.
Select this.
– You should now have a small window on the screen, entitled 'Internet Options'. Around
halfway down this window is a section named 'Browsing history', within which there are
two buttons: 'Delete...' and 'Settings'. Click on 'Settings'.
– Another small window should open, entitled 'Temporary Internet Files and History
Settings'. Within this window there are several buttons – one is named 'View files'. Click
this.

If you recall, this is the same method you used to find the cookies. The Temporary Internet
Files are stored with the cookies, they are just further down the list.

You should be looking at a window with a list of files in it. The top ones will mostly be cookies
(remember how to spot them? The clue is in the filename!) but further down are the
temporary files. There are probably hundreds, and the names of them will be virtually
meaningless. Fear not.

You need to make sure you are viewing the files in the correct manner, so before you go any
further follow these instructions:

Windows Vista: Click the 'Views' button that is near to the top-left of the window. Select
'Details' in the list that appears.

Windows XP: Click the 'View' menu, that should be located in the menu bar at the top of the
window. Select 'Details' in the list that appears.

You will now have a list of the temporary internet files, which is divided into several columns.
Each row relates to one individual file, with each column displaying different information
about that file. Still with me? Good.

The first column will be headed 'Name' – obviously, this is the name of each file. This will tell
you very little, as they will have names like '078f5' or 'button2.gif' for example.

The second column is headed 'Internet address' – this is a more interesting one, because it tells
you the website that generated each individual file. Like cookies, there will be some rogue
ones that have snuck in from adverts and the like – however, a dozen or so files originating at
'www.thecasino.com' strongly suggests that the actual website has been visited using IE.

Finally, look across the columns until you find one headed 'Last accessed'. Found it? Okay –
now this column will display the exact date and time that an individual file was used by IE.
So if you find all those image files that came from www.thecasino.com and you want to know
when the site was visited, read along to the 'Last accessed' column and you will find out. This
can be vital for finding out exactly who the culprit is!

Many of the files can be opened to see what they are, by double-clicking the filename. Doing
so generates a system message on your screen, that “Running a system command on this item
might be unsafe. Do you wish to continue?”. The choice is yours. In 15 years of internet use I
have never seen a problem arising from clicking 'Yes' here, but that's not to say it won't ever
cause a crash. If you decide to go for it, the computer should open an IE window and show
you exactly what the file is. Don't be surprised to find that most of them are tiny logo or
button images, though!

Passwords and Form Data


Before we move on from IE, I must mention 'passwords' and 'form data'. I need to put a very
brief disclaimer-type thing here, too: this section of SPY might lead to you having an
opportunity to log into a website by using the saved login details of the user you are
investigating. Be aware that in doing so, you will almost certainly be breaking the law –
you might have full authority to look wherever you like on your computer, but logging into a
website is essentially entering someone else's computer. It is not my intention that you do this,
and in fact I ask that you do not. SPY will provide you with plenty of ways to investigate your
internet use without getting into trouble.

Okay, that's the serious stuff out of the way!

As you probably know, many websites require users to register, and then login each time they
visit. Ebay is one example of this type of site – you register an 'account' with a 'username',
and then each time you visit the site will ask for your 'username' and 'password' before
allowing you access to the members' part of the site. Sound familiar?

Because IE is such a helpful old thing, it can be set to remember things like usernames and
passwords, to save users having to type them in each time they visit a website. You can use IE
to get a peek at some of this information. Here's how:

– Open IE
– Use a search engine (such as Google) to find a number of sites of the type you are
interested in checking – try searching for gambling or dating, for example.
– From the search result, click on each of the sites in turn. The top ten results will be the
most popular and widely used examples.
– When you get to the front page of each site, look for a way to log in. Some will have a
button that is actually called 'Log in' or 'Sign in', and some will actually have two boxes
already there to type in a username and a password. If these boxes aren't there, try
clicking the 'Log in' button, and it will probably take you to some boxes like this.
– Look to see whether there is anything in the 'username' box already. If it has been filled in already –
bingo! That means that IE has some 'form data' stored, and you are looking at the
registered username of whoever has used your computer to log into that site.

I must stress here that you now have all the information you should be getting. You might see
that the 'password' box is also filled in automatically, allowing you to log into the site. Please
don't. The fact is, you have enough information to show that somebody has been logging into
the site from your computer.

If you need to try and narrow down the culprit, why not try looking back at the Temporary
Internet Files again, to see if there are any time/date details for files originating from that
site?

That's the end of Chapter 3: Interrogating the Web Browser.

I hope it has been useful – however, there is a lot more to your computer than just IE. It is a
very simple task to delete all of the data that I have shown you how to access. If somebody IS
up to no good, they might think that by deleting this stuff they cannot be caught out...
Whether or not you have come across anything unusual so far, I recommend that you read on
and try out the rest of the techniques in SPY.

4 – Forensically Examining Your Hard Drive


Introduction

I'll try to explain this part of SPY in a way that anyone can understand. There are a couple of
pages of boring 'how-to' kinda stuff. Please stick with it, I promise that the detective work
will begin again after that!

I will start by answering the question “What is a hard drive?”.

The hard drive is a piece of equipment inside your computer on which everything is stored.
Also referred to as the 'hard disk' or the 'HDD', it contains absolutely everything that is on
your computer. Your pictures, your music, your emails, your homework, all the programs,
even Windows itself – they are all on the hard drive.

Everything on the hard drive is stored in the form of files. A file can be an image, a song, a
video, a program, a document – there are countless different types of files.

All files are stored in folders.

A folder can also contain other folders, which themselves might contain files. This might
sound as though it is getting complicated – just remember: all data is in the form of files, and
all files are stored in folders.

Imagine the hard drive as being one big folder. Within it there will be a number of other
folders, each of which will also contain folders... a bit like Russian dolls, if you like.

Imagine a file – a photograph of you, for example. The file is called 'photo_of_me'. It might
be stored in a folder called 'Me'. The 'Me' folder might be stored in a folder called 'Pictures',
and the 'Pictures' folder might be stored in a folder called 'Media'. The 'Media' folder might
be stored in the main hard drive, usually called 'C:'.

If I were to type a line of text to indicate where you find the picture, I would put...

C:\Media\Pictures\Me\photo_of_me

... and this is the standard way for file locations to be written.

In order to follow the guides in this chapter, you'll need to be able to 'navigate' around the
folders on your hard drive.

On your desktop there might be an icon called 'Computer' or 'My Computer'. If it isn't on
the desktop, it might be in the Start menu. Find it and double-click it.

What you should have on the screen is an explorer window – the same as when you went to
look at cookies, remember? Now the layout of explorer windows differs from one computer to
the next, but the principles are all the same.

Somewhere in that window will be an icon that has the label 'C:' with it. There may be other
text in the label, or in some rare cases it might be a different letter – but this is the icon for
your main hard drive. Just imagine that it is one big folder.

In an explorer window, you can go 'in' to a folder by double-clicking it, and you can come
'out' of the folder by either clicking the 'back' button at the top left of the screen, or clicking
the 'level up' icon around the top middle. This looks like a curly green arrow.

Try double-clicking the 'C:' icon.

It should take you 'in' to the 'C:' folder, where there will be a number of other folders. The
icon for a folder is a yellow rectangular document file. Any other icons indicate a file and not
a folder.

Now try double-clicking one of these folders, to go 'in' to it. Done?

Now try coming back 'out', with the 'back' button or the 'level up' button. You should now be
looking again at the list of folders within 'C:'.

Practise going into and out of different folders until you get your head around the way they
are structured. You might find empty folders, you might find folders that just contain one or
two files, or you might find folders that contain a string of other folders as you go further and
further in. You can't break the computer by going in and out of folders, so keep playing.

Okay, you should now have a basic idea of how to navigate the file system of your hard drive.
If you're new to computers that probably sounds rather nerdy... before you read this book
would you have expected to be 'navigating file systems' after a few pages?! Well that's exactly
what you've been doing. So now that you're a whizz, let's start the examination!

Deleted Files

Let's begin by having a look at what items have been deleted by the user.

In order to prevent accidental loss of data, Windows operates a 'Recycle Bin' system. This
means that whenever a file is deleted, it is not actually wiped from the hard drive but moved
into a special folder called the Recycle Bin. Only after it has been subsequently deleted from
the Recycle Bin does the file actually disappear from view. (Even this does not render the file
lost forever, though – see the section on File Deletion Software below for more information.)

So, want to know what's in the Recycle Bin? Here's how:

– Look on the desktop for the Recycle Bin icon. It looks cunningly like a waste paper bin...
double-click to open it.

– If you cannot see the icon, it may have been moved or hidden. Open the 'My Computer'
icon, as described in the introduction to this chapter. This window should have a column
of folders and files over to the left-hand side. Scroll down this column until you find the
Recycle Bin, and open it.

– Once you have opened the Recycle Bin, you will be presented with a window showing you
the contents. It may well be empty, but if not you'll want to change the view.

- Windows Vista: Click the 'Views' button that is near to the top-left of the window.
Select 'Details' in the list that appears.

- Windows XP: Click the 'View' menu, that should be located in the menu bar at the top
of the window. Select 'Details' in the list that appears.

What you now have is a view of all the files that have been deleted, but not yet removed from
the Recycle Bin. The first column will tell you the name of the file, the second column will tell
you the location from where it was deleted – remember how to interpret this location, in terms
of which folders it was in? There should also be a column to tell you the date and time that
the file was deleted.

See anything interesting? Here's how to take a closer look:

– Take a written note of the original location – the list of folders it came from.

– Double-click the filename

– You should see a small grey window pop up, containing some information about that file.
There is a button marked 'Restore'. Click this.

– The file will vanish from the Recycle Bin, and be placed back in its original location.
Because you noted this location before restoring it, you can now navigate to the file using
the methods you have learnt. When you find the file, you can double-click it to open it,
and see exactly what it is. Remember – if you do this, you should delete the file again
afterwards. If you leave it where you put it, the user may realise that it has been restored!

As mentioned above, there is a lot more to deleted files than just the Recycle Bin. I will
explain in more detail later in this chapter.

Common Files

If you like, you can navigate around your hard drive all day long, looking in folder after
folder to see what you can find. However, you will realise that there are thousands and
thousands of files, most of which will have no interest for you whatsoever. Instead, I will show
you how to use Windows to search through the entire hard drive and show you particular
types of files.

For this section, you need to understand that there are many different types of files – for
example, there are picture files, music files, video files, text files – the list goes on. In terms of
what you are actually searching for on your hard drive, you're likely to be interested in just a
few of these.

A file tells the computer what type of file it is by using three letters at the end of its name,
after a fullstop. For example, the picture file we talked about called 'photo_of_me' –
remember? - will actually be called something like 'photo_of_me.jpg' where the '.jpg' is a code
to tell the computer what kind of file it is.

It might be worth re-reading that paragraph until you understand, or you might get lost!

Okay – what you are going to do next is use these codes to search through all of the files on
your hard drive. Here's how:

Windows Vista:
– Open My Computer

– In the top-right hand corner of the window, you will see a box with the word 'Search' in
grey letters in it. Click in this box, and type '*.jpg' (without the inverted commas). You
should see the contents of the main window change, and what you are left with after a few
seconds is a list of every 'jpg' type file on the hard drive. A 'jpg' is a type of file associated
with pictures – this might be a good search to try if you suspect somebody has been
downloading pictures of a sort that they shouldn't!

– Try changing the 'View' of the files (View button or View menu) to 'Thumbnails' or 'Large
Icons'. This will allow you to see what every picture is actually of, so you can scroll
through quickly to identify any rogue images.

Windows XP:
– Click 'Start'

– Select 'Search'

– In the window that appears, click on the words 'All files and folders'

– You should be presented with some text boxes to type searches in. In the top box, labelled
'All or part of the filename', type '*.jpg' (without the inverted commas), and click 'Search'.
You should see the contents of the main window change, and what you are left with after a
few seconds is a list of every 'jpg' type file on the hard drive. A 'jpg' is a type of file
associated with pictures – this might be a good search to try if you suspect somebody has
been downloading pictures of a sort that they shouldn't!

– Try changing the 'View' of the files (View button or View menu) to 'Thumbnails' or 'Large
Icons'. This will allow you to see what every picture is actually of, so you can scroll
through quickly to identify any rogue images.

Okay, you have just successfully interrogated the hard drive to find all of the jpg files that are
on it. There are lots of different types of files to look for, however – try substituting the
characters 'jpg' in the above instructions with some of the codes below, to find the relevant type
of file:

bmp = picture files
gif = picture files
mp3 = sound / music files
ogg = sound / music files
wav = sound / music files
mov = movie files
mp4 = movie files
mpg = movie files
doc = text documents
txt = text documents
exe = program files (casino and poker games need one of these)

There are many, many more file types, but these are some common ones that might ring alarm
bells for you.
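The same search, done by a script rather than by typing '*.jpg' into the search box. This is an added example and not part of SPY; it walks a folder and sorts every file into the categories from the list above. It also reads the first few bytes of each file, because the three-letter code is only a name: a program that has been renamed to 'holiday.jpg' still starts with the bytes of a program, not of a picture, and the script reports that mismatch. The folders and files it creates are made up for the demonstration, and the header values are the public, well-known ones for those formats.

```python
import os
import tempfile
from collections import defaultdict

# Extension codes from the list above, grouped the way the page groups them.
CATEGORIES = {
    "picture": {"jpg", "bmp", "gif"},
    "sound": {"mp3", "ogg", "wav"},
    "movie": {"mov", "mp4", "mpg"},
    "document": {"doc", "txt"},
    "program": {"exe"},
}

# Well-known leading bytes of a few of those formats (public values, not from the page).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "bmp": b"BM",
    "exe": b"MZ",
    "ogg": b"OggS",
    "wav": b"RIFF",
}


def category_of(ext):
    """Map an extension such as 'jpg' to the page's category, or None."""
    for cat, exts in CATEGORIES.items():
        if ext in exts:
            return cat
    return None


def header_matches(path, ext):
    """True/False if the file's first bytes agree with its extension; None if unknown."""
    magic = MAGIC.get(ext)
    if magic is None:
        return None
    with open(path, "rb") as fh:
        return fh.read(len(magic)) == magic


def scan_tree(root):
    """Walk `root` for every category at once.
    Returns ({category: [relative paths]}, [paths whose content contradicts the extension])."""
    found = defaultdict(list)
    mismatched = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower().lstrip(".")
            cat = category_of(ext)
            if cat is None:
                continue                      # not a type we are looking for
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[cat].append(rel)
            if header_matches(full, ext) is False:
                mismatched.append(rel)        # name says one thing, contents say another
    return {k: sorted(v) for k, v in found.items()}, sorted(mismatched)


def build_sample_tree(root):
    """Constructed sample files (made-up names and contents) so the scan runs offline."""
    samples = {
        "Pictures/photo_of_me.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # real JPEG header
        "Music/track01.mp3": b"ID3" + b"\x00" * 16,
        "Downloads/setup.exe": b"MZ" + b"\x00" * 16,                     # real program header
        "Downloads/holiday.jpg": b"MZ" + b"\x00" * 16,                   # a program renamed as a picture
        "Documents/notes.txt": b"plain text",
        "Documents/readme.md": b"not in the list, so ignored",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return sorted(samples)


def demo():
    """Build the sample tree in a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    found, mismatched = demo()
    for cat, paths in found.items():
        print(cat, paths)
    print("extension does not match contents:", mismatched)
```

To use it on a real folder, call scan_tree('C:\\') (or any folder) instead of demo(); the mismatch list is the one worth reading first, since a 'picture' that is really a program is exactly the kind of thing a plain name search will never show you.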

Just a note on finding files on a hard drive – there are programs available that will literally
'lock away' files, keeping them hidden until a certain action is taken and a password entered.
Try clicking 'Start' and looking at the names of any programs that might feature in that
menu. Look out for ones with names like 'File Vault', 'Data Safe', 'Folder Locker' etc – such
programs are likely to be designed to hide and secure files. Without hacking and stealing
passwords, you won't be able to bypass these – but the very fact that these programs exist
might be cause for concern, and reason to confront the user.

Is Anything Really Deleted?

To help you fully understand this section of SPY, I'll have to explain a little bit more about
what happens when a file is deleted.

Imagine your hard drive as a room full of little boxes. When the hard drive is blank, all of the
boxes are empty. As files are written to the hard drive, they are placed in these little boxes –
and whenever a file is placed in a box, a label is stuck to the lid to tell you what is inside. The
label also tells the computer that the box is in use, and so if it needs somewhere to put another
file then it must go and find another box.

When you look at the contents of the hard drive using Windows, you aren't actually looking in
all the boxes – you are just looking at all the labels, to see how much of your hard drive has
stuff on. Still with me?

Now, when a file is deleted, you'd be forgiven for thinking that the file is removed from the
box and thrown away. Wrong! All that happens when you use Windows to delete a file is that
the label is removed from the box. (Even when the file is emptied from the Recycle Bin so that
there is no visible trace of it.) The file itself stays in the box, with no label attached. It will stay
there until the computer comes along with a new file, and decides to re-use that box – only
then will the old file be thrown away. What's more, if there is enough room for the new file to
fit in the box even on top of the old file, then the old file will still remain in there!

The computer doesn't know it's there because the label makes no mention of it, and you don't
know it's there because when you scan all the labels you get a negative result.

Now you should understand why people say that it's impossible to delete things from
computers! It isn't actually impossible at all, but if the user only uses the Windows delete
command to get rid of the files then the chances are that they aren't getting rid of anything.
When you think that there are millions of boxes on your hard drive, many of them empty,
there is a good chance that, even when you tear the label off a box by pressing 'delete', the
contents of that box will remain intact for a long, long time.

What does this mean for you? Well, it means you have to know about two types of program
that are available – File Deletion Software, and File Recovery Software.

File Deletion Software:

Does what it says on the tin. These programs are available on the internet to download. Some
are free, some are not, some work better than others. Basically, what a good file deletion
program will do is instead of just tearing the label off those boxes, it will actually open each
one, throw away what was inside, and then fill the box right to the top with rubbish.

This of course means that whatever was in the box when you delete it is well and truly gone.
Most file deletion programs also include a function to 'wipe free hard drive space'. That's
right, I bet you've worked it out already – that program will search through all those
unlabelled boxes, empty them, and fill them with rubbish. This will eradicate leftover bits of
files that may have been lingering in those unlabelled boxes for years.

The only interest you should have in file deletion software is to see if the computer has any
installed. If it does, you might want to know why. If it is a work computer that stores
important, valuable or sensitive data then the presence of file deletion software is to be
expected. If, however, this is your teenage son's laptop that he uses for homework then he
might have a question or two to answer!

So, find out if there are any of these programs installed. Here's how:

– Open My Computer

– Navigate to a folder containing files, any old file will do.

– Right-click any file, to bring up a small grey menu box.

That menu will include a number of selections, such as 'Open', 'Open with', 'Rename' and so
on. It will also have a 'Delete'. Look carefully to see if there is any unusual 'Delete' selection,
such as 'Delete with Megawipe' or 'Erase with Nukefile' or some such thing. Most file
deletion programs build an option like this into those little menus, to allow a user the option to
delete a file with that program quickly and easily. If you see an option like this, you've found
some file deletion software.

File Recovery Software:

I'm pretty sure you're ahead of me on this one... again, file recovery
programs are available to download online. Most of them are not free, although lots will offer
some sort of trial period. What these guys do is search through all of the boxes without labels,
just to see what's inside. They'll tell you the details of what they found, and then if you ask
them to they will go and stick a label back on the boxes you were interested in, so that your
computer can go inside and retrieve the file for you.

Most of the programs I have tried allow you to search the deleted boxes for free, and they will
tell you what's in there – but then they will want you to pay for a license to actually recover
the files for you. They work in a similar way to the Windows search tool that you used earlier
(remember searching for '*.jpg'?) but as well as listing the files that Windows finds on your
hard drive, they list the ones that have been left lying around in those unlabelled boxes.

If you're a confident user, try a Google search for 'free file recovery program', and experiment
with a couple of those that are available. If you don't want to pay for their use, you could still
take advantage of the free part of the program that will at least tell you what has been deleted.
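The boxes-and-labels story, the 'tear off the label' delete, the file deletion program and the file recovery program, all run through in one small model. This is an added example and not part of SPY: a toy disk of sixteen-byte boxes with a list of labels, where an ordinary delete only removes the label, 'recover' looks inside unlabelled boxes, and 'secure delete' and 'wipe free space' overwrite the boxes first. The file names and contents are made up; real drives use much larger boxes, but the behaviour is the same.

```python
import os

BLOCK_SIZE = 16   # bytes per "box" in this toy model (real drives use 512 or 4096)


class ToyDisk:
    """A hard drive as the page describes it: numbered boxes (blocks) plus a set of
    labels (the directory) saying which boxes belong to which file."""

    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.labels = {}   # file name -> (list of block numbers, length in bytes)

    def free_blocks(self):
        """Boxes with no label on them. Their contents are NOT necessarily empty."""
        used = {b for blocks, _ in self.labels.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
        free = self.free_blocks()
        if len(chunks) > len(free):
            raise OSError("disk full")
        used = free[:len(chunks)]
        for blk, chunk in zip(used, chunks):
            # Only the bytes actually written are replaced; a short last chunk leaves
            # the tail of whatever was in the box before ("slack"), as the page warns.
            self.blocks[blk] = chunk + self.blocks[blk][len(chunk):]
        self.labels[name] = (used, len(data))

    def read(self, name):
        blocks, length = self.labels[name]
        return b"".join(self.blocks[b] for b in blocks)[:length]

    def delete(self, name):
        """What the Windows delete (and emptying the Recycle Bin) does: remove the label."""
        del self.labels[name]

    def secure_delete(self, name):
        """What file deletion software does: fill every box with rubbish, then unlabel it."""
        blocks, _ = self.labels[name]
        for blk in blocks:
            self.blocks[blk] = os.urandom(BLOCK_SIZE)
        del self.labels[name]

    def wipe_free_space(self):
        """The 'wipe free hard drive space' function: overwrite every unlabelled box."""
        for blk in self.free_blocks():
            self.blocks[blk] = os.urandom(BLOCK_SIZE)

    def recover(self, needle):
        """What file recovery software does: look inside the unlabelled boxes.
        Returns the numbers of the boxes that still contain `needle`."""
        return [i for i in self.free_blocks() if needle in self.blocks[i]]

    def slack(self, name):
        """Leftover bytes in a file's last box, beyond the file's own length."""
        blocks, length = self.labels[name]
        used_in_last = length - BLOCK_SIZE * (len(blocks) - 1)
        return self.blocks[blocks[-1]][used_in_last:]


def demo():
    """Run the page's scenarios and return what a recovery tool would see at each step."""
    results = {}
    disk = ToyDisk(8)
    disk.write("photo_of_me.jpg", b"JPEGDATA-holiday-snap-secret")   # 28 bytes -> 2 boxes
    disk.delete("photo_of_me.jpg")
    results["after_delete"] = disk.recover(b"secret")        # label gone, bytes still in box 1
    disk.write("note.txt", b"hi")                            # re-uses box 0, overwrites 2 bytes
    results["note"] = disk.read("note.txt")
    results["slack_in_note"] = disk.slack("note.txt")        # old picture bytes still in box 0
    disk.wipe_free_space()
    results["after_wipe"] = disk.recover(b"secret")          # box 1 has been filled with rubbish
    disk2 = ToyDisk(8)
    disk2.write("photo_of_me.jpg", b"JPEGDATA-holiday-snap-secret")
    disk2.secure_delete("photo_of_me.jpg")
    results["after_secure_delete"] = disk2.recover(b"secret")
    return results


if __name__ == "__main__":
    for step, value in demo().items():
        print(step, value)
```

Two things the run makes visible that the prose only states: after the ordinary delete the recovery scan still finds the 'secret' bytes in box 1, and even after box 0 has been re-used for 'note.txt' the slack of that box still holds most of the old picture, which is why file deletion programs wipe free space as well as the file itself.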

And so we come to the end of Chapter 4: Forensically Examining Your Hard Drive.

Everything that is on your computer is stored in the hard drive, and with the information you
now have you should technically be able to find everything. As you will have seen, however,
the file system on a normal Windows machine can be an absolute labyrinth of folders,
sub-folders and shortcuts. Take the time to explore a little; you won't break anything by simply
looking at it!

Chapter 5 – Filesharing
Introduction

Filesharing is very aptly named. People have files on their hard drives, and they want to
share them with other users. Everybody connects to the same filesharing network, and looks
around to see what files other people have to share. If a user sees one they want, they
download a copy of it. Simple.

There are, of course, problems!

Firstly, most files that people want to share have some copyright attached. The latest U2
album, a new Hollywood movie – it's illegal to copy them, it's illegal to share them. As with
most things on the internet though, illegality doesn't stop anyone!

Secondly, because of the anonymous nature of filesharing, it is the method of choice for people
who want to distribute illegal material – and sadly, it doesn't stop at pirated music.
Paedophiles use filesharing as a means of obtaining and distributing child pornography, and
because the whole domain isn't policed in any way, this stuff is very easy to stumble
across.

If your teenage son uses a filesharing program to search the network for a movie, he is very
likely to be confronted with a list of search results that include the worst kind of material
imaginable. Even if he ignores the horrific files that are available and just downloads a file
that claims to be a Hollywood blockbuster, there is nothing to say that it won't be
pornography in disguise. Remember, the pirated blockbuster is illegal in the first place so
nobody is going to complain to Watchdog that their rip-off version of Toy Story happened to
be an hour-long video of child abuse, are they?

Even if the download doesn't include porn, there's a very good chance it will contain viruses –
and lots of them. I recently cleaned up a friend's computer that kept freezing up. I
discovered that his teenage son had been using a filesharing program to get pirated music.
There was a little bit of porn, but most astonishing was a virus I discovered. It had taken
control of the network connection, had downloaded 3,500 (yes, that's three thousand five
hundred) DVD films into his hard drive, and was acting as a hub for thousands of users all
over the world to download the films. If anyone ever looks at the activity, it will appear to
them that my friend has been distributing pirated movies on a massive scale, 24 hours a day.
All because his son – who didn't even realise he was taking a risk – wanted to get some Blink
182 tracks for free!

These are the dangers of filesharing – be aware of them. Filesharing – also known as 'P2P' or
'peer to peer' networking – does have some legitimate uses. Having said that, the people who
have those legitimate uses for it are invariably experienced and knowledgeable computer
professionals. It is your call, but I urge you not to allow your kids or your employees to use
this software!

Finding filesharing software

Okay, the first thing to do is to find out if the computer even has a filesharing program on it.
There's no simple way to search for such a program, but with your skills at navigating the
hard drive (remember Chapter 4?) we'll suss it out in no time.

There are lots of different programs that allow access to P2P networks. Some that I can think
of right now include 'Limewire', 'Frostwire', and 'Bearshare'. It's a little clumsy, but here is
the most straightforward way to find them on your PC:

– Conduct a Google search for 'P2P filesharing program client'

– Scroll through the results, and make notes of any words you see that seem to be the name
of a program. I have just done this now and come across 'WinMX', 'SoulSeek', and
'Shareaza' as well as the three I have already named.

– Open My Computer

– Search the hard drive for each of the words you have noted. (If you can't remember how
to search, refer back to the 'Common Files' section of Chapter 4.)

If your search results include any folders with the same name as one of those filesharing
programs, then you can be pretty sure that the program is installed on your computer. Make
a note of the location of these folders – they will probably be in the 'Program Files' folder on
your C:\ hard drive.

Locating Shared Files

Okay, so it's bad news – you've found a P2P program on the computer. Don't panic just yet –
remember, there are some legitimate uses for the software. Let's have a look at what files are
being shared by this program, and then we will find out if there is any danger.

– Open My Computer

– Navigate to the filesharing program's folder – the one you should have noted above.

– Within that folder, look for another folder called 'Shared', 'Saved', 'Stored', 'Incomplete'
etc. If you see any of these, open them and see what is inside.

These folders are where the P2P program will save its downloads by default. It can be set up
to save them elsewhere, and if you want to go digging around then feel free – but 99% of the
time the files will be here. You can also try:

– In the 'Start' menu, find and open 'My Documents'.

– Within the My Documents folder, there may be a folder which includes the name of the
P2P program.

– Explore within this folder if present, as some P2P programs store their downloads here
instead.

If you find any downloaded files in any of these folders that appear to be music, movies, or
computer programs then you should worry a little. Files that are downloaded from P2P are
often virus laden, and inexperienced users will not be able to see the danger signs. My advice
is to confront the person using the software to see what they know about what they are
downloading – and perhaps get them to shell out for some good antivirus software!
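The two procedures above ('Finding filesharing software' and 'Locating Shared Files') as one script. This is an added example and not part of SPY: it walks a folder tree looking for folders named after the P2P programs listed in this chapter, then looks inside each one for the 'Shared', 'Saved', 'Stored' and 'Incomplete' sub-folders and lists what they hold. The folder layout it builds is made up to mimic the 'Program Files' and 'My Documents' locations the chapter points to; on a real machine you would point it at the C:\ drive instead.

```python
import os
import tempfile

# Program names given in this chapter, compared without regard to capitals.
P2P_NAMES = {"limewire", "frostwire", "bearshare", "winmx", "soulseek", "shareaza"}

# Download folder names the chapter says to look for inside a P2P program's folder.
DOWNLOAD_FOLDERS = {"shared", "saved", "stored", "incomplete"}


def find_p2p_folders(root):
    """Return folders under `root` named after a known P2P program,
    as paths relative to `root` with forward slashes."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            if d.lower() in P2P_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def list_downloads(root, p2p_folder):
    """For one P2P program folder, return {download sub-folder: [file names]}."""
    base = os.path.join(root, p2p_folder)
    report = {}
    for entry in sorted(os.listdir(base)):
        full = os.path.join(base, entry)
        if os.path.isdir(full) and entry.lower() in DOWNLOAD_FOLDERS:
            report[entry] = sorted(
                f for f in os.listdir(full) if os.path.isfile(os.path.join(full, f))
            )
    return report


def audit(root):
    """Every P2P program folder found, with the contents of its download folders."""
    return {folder: list_downloads(root, folder) for folder in find_p2p_folders(root)}


def build_sample_tree(root):
    """Constructed layout (not a real machine) with one program under Program Files
    and one under a user's My Documents, plus an unrelated program for contrast."""
    files = [
        "Program Files/LimeWire/LimeWire.exe",
        "Program Files/LimeWire/Shared/summer_hit.mp3",
        "Program Files/LimeWire/Incomplete/blockbuster.avi",
        "Program Files/Mozilla Firefox/firefox.exe",
        "Documents and Settings/alice/My Documents/FrostWire/Saved/album.zip",
        "Documents and Settings/alice/My Documents/homework.doc",
    ]
    for rel in files:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"constructed sample, not real content")
    return files


def demo():
    """Build the sample tree in a temporary folder and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit(tmp)


if __name__ == "__main__":
    for folder, downloads in demo().items():
        print(folder)
        for sub, names in downloads.items():
            print("   ", sub, names)
```

The name match is deliberately simple, the same as the manual search in the chapter, so a program installed under a different folder name will be missed just as it would be by hand; the list of names is the thing to extend as you come across more of them.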

Chapter 6 – What Next?

Right, you've done your detective work and you've found evidence of computer misuse... what
should you do next?

Well obviously that depends on what you've found, the circumstances, the culprits etc. I hope
that you haven't come across anything too disturbing.

Firstly, remember that what you have found is evidence that the computer has been involved
in internet misuse, and maybe some evidence of exactly when it was involved – you'll have to
do some digging of your own to find out who was responsible. Don't assume anything!

I would suggest that before taking any drastic action (sacking staff, divorcing your husband,
having the kids arrested, etc) you take the computer to a local computer expert and have your
suspicions confirmed. SPY is a good guide, but there is a chance you have misinterpreted
what you have found.

And if you want to stop anybody else using these SPY techniques on your computer in the
future – maybe after you sell it, or throw it away – there is a very simple procedure that will
stop them in their tracks. It is a security measure that even SPY cannot get around, and
guarantees your privacy. Here's how:

– Fit a 6mm heavy-duty drill bit to a Black & Decker hammer drill

– Drill 12 holes directly through the hard drive

– Throw the remains onto a blazing fire

– Bury the ashes.

Copyright & Disclaimer Information

Okay, here's the boring bit that you probably won't even read:

SPY is a work by Mark Laing. The copyright for SPY belongs to Mark Laing.
By purchasing SPY you have the right to keep the one copy with which you have
been supplied. You have the right to make a physical printout of the book for
your own use. You do not have the right to copy the book. You do not have the
right to resell the book. You do not have the right to distribute the book. You do
not have the right to make the book, or any part of the book, available for public
viewing – this includes the internet.

The methods and instructions in SPY are based on the author's own knowledge
and experience. The author accepts no responsibility for damage caused by the
use of these techniques.

Your own country will have laws governing the use and access of data and
computers. It is your responsibility to abide by these laws. The author accepts
no responsibility for any breach of law that arises from the following of SPY
techniques.
