User tracks - audit hard drive

[Alixer]

I am trying to find out how to tell by checking a hard drive pulled from a PC whether or not a particular username was used on it in AIM. Where will I find the usage of a particular sign on name on this hard drive. I will attach it to my PC and then I want to look in it for tracks of this one particular signon name. Please help!

[patndoris]

Hello and welcome to BBB! I would gather this is not your hard drive (as I'd expect you'd have known what was going on with your own machine). I view this as an invasion of privacy to be looking on someone else's drive for personal data or traces/tracks of anything.

[Alixer]

Actually, someone has asked me to prove that he did not use a certain username, because he is being accused of inpropriety as a certain signon name. I told this person that I would look at it, but I told him that if I find evidence of the inpropriaty that he is accused of, then I will bring it to the authorities. He is insistant that he did not do what he is accused of, so I need to know what to look for. Is it a cookie, or ini file... please help me figure out what I am looking for. I also plan on using a file finder to find any files that he may have deleted. But still, I need to know, exactly, what am I looking for?

[patndoris]

If the person is facing any legal ramifications from the accusations of impropriety, you accessing the hard drive in any way could be considered tampering with evidence. I would suggest you consider carefully if you are willing to put yourself in the middle of such a situation and possibly risk your own reputation in the process. I personally wouldn't even put one of my fingerprints on that hard drive let alone hook it up to my computer to do anything based on this information.

That said, a user name could be stored any number of places depending on the actual way a person logged in. AOL desktop software, AIM standalone program, web based AIM, via a multi-protocol client. You must also remember that just trying to login to a particular screen name, regardless of whether you are successful may (depending on your preference settings) leave a useless stored login on a machine that might appear as if it had been used when, it had not. Someone deceitful has any number of anonymous ways to reach web based sites and login that may not leave direct traces on a machine. Users can also login from cell phones, so no traces on a computer does not make one impervious to blame either.

I'm afraid it's not possible for me to answer the specific question. If it is a legal situation, lawyers can subpoena records from AOL and an ISP or cellular carrier to prove (or disprove) what they need.

[Alixer]

No, this person is not facing legal ramifications with the State or Federal authorities. Another things is that there is already enough circumstantial information, I just found out, that would indicate that he could not have been using the particular signon name and conversing since he was not using a PC or phone at the time. But there are a few cookies on his PC that the file name ends with this signon name, so the people involved believe that he did what he is accused of. This person is a teacher and on leave until this matter is settled. Just the circumstantial evidence that he could not have been a part of the 3 conversations (for which he is in trouble for, nothing else) that were recorded on the victim's PC, because he was entertaining friends at the time with his wife present, or at work with a phone that could not have AIM on it and no access to a PC there, should be enough, but not so. The fact that a few files in his Temporary Internet files folder has this perpitrator's signon name in the last part of the file name seems to outway the fact the circumstantial evidence proves the case for him. Can there be a file name with the signon name as part of the file name, but not have been able to authenticate? He did try to signin as this user. So, since he has tried to authenticate as the signon name to determine who is framing him, could this file be there from those attempts?

[Alixer]

I believe that what I saw were Session Cookies with the signon name in question as part of the file name. All I have at the moment are the screen shots of explorer showing the contents listed of the files in the Temporary Internet files folder. The hard drive has a few damaged sectors and has been removed from the laptop to be returned for a replacement. This laptop that was used by this accused user was a college laptop, property of the college. We are currently working with the college's IT Department to locate this "lost" hard drive, because someone in their department set it aside because of this issue of an accusation of inappropriate things said to a minor. The accused attends this college for further training and pursuing higher degrees, but works as a teacher in another school. Not sure if you need all that, but question is, can there be files in the Temp Internet Files folder with the signon name in question as part of the file name and this laptop have never been used to communicate with the victim as that user?

[patndoris]

Well, if you've ever tried to login to a website and you have IE (or whatever browser you use) set to store your passwords, and you've accidentally typed it wrong - you'll know from experience you can go to that same site and the incorrect information will indeed often be available for your use even though you know it's wrong. So it's stored somewhere...

It is possible to have some traces of a login attempt never actually completed that remain on a machine if someone doesn't take the time to get rid of it. I have personally cleaned out incorrectly stored passwords where I had forgotten my login and tried all kinds of things to get into sites. I routinely clean cookies and temp files so I can't say that I've ever looked there.

I wish you the best of luck with this. I'm afraid I doubt I have anything else I can add that would be of help. People will ultimately draw their own conclusions from any evidence found, or from whatever evidence is presented (regardless of what's there to back it up.) It sounds like a very difficult situation for those involved.

[Alixer]

Thank you Doris, I appreciate the advice of caution on getting involved, since I quite often just step in to help without thinking of all the ramifications involved. I also appreciate your help on this issue, too.
I am not giving up yet, though. Does anyone know what the files in IE's Temporary Internet Files folder with the last part of a very long name having the signon name as part of the name would be? Does the existance of these files prove that there was a successful signon as that signon name or maybe it is there even if it was only an attempted signon?