There are increasingly many companies which, along with the use of a firewall equipment, use for HTTP proxy servers. They are designed to be intermediate between the client and the web server, making connections on their behalf. Usually they contain a powerful caching mechanism.
The good part of a proxy server is that it has a history of pages that were accessed using it. That makes it relatively easy to investigate by obtaining evidence when it is available to those who are investigating the case. The downside is that the proxy server logs are not available, for reasons of confidentiality or jurisdiction (may be anywhere in the world), the suspect can not be found, the registration connection appears to have been made by the server.
Consider the example given by the figure above, suppose we want to identify all users who use the site http://www.website.com/. The first stage is carried researching the web server log. Here is available the next record:
2004 February 14 03:04:14 [proxy_c.private_company.com 184.108.40.206] “GET / HTTP/1.1”
From this record it can be inferred that at 3 am on February 14, a user with that address 220.127.116.11, meaning a proxy_c.private_company.com, accessed the website. Contacting the company, it says that the address is a proxy server that serves all users.
The next step is for the company to provide proxy log records. Here are seeking proper registration of the web server, which has the following form:
2004 February 14 03:04:13 george@client_b “HTTP/1.1 GET http://www.website.com/“
This latest evidence leads to the conclusion that at that time, the user george on the PC called client_b accessed researched website. Statement is sustained ny the company representatives too, who say at that time in the buildingwas only George, the night watchman.
Usually investigation continues on PC client_a, to obtain evidence supporting the History, Cache, Cookies, and Favourites.