Last Accessed -- Win7


Last Accessed -- Win7

Post Posted: Tue Feb 26, 2013 6:04 pm

By default Win7 (and Vista) don't update the Last Accessed date/time stamp when one views a picture or opens a file.

How else could one determine if a picture was opened (let's presume it's not in the recent files listing)?  

JimGill
Newbie
 
 
  

Re: Last Accessed -- Win7

Post Posted: Tue Feb 26, 2013 7:22 pm

.lnk files, registry MRUs immediately come to mind.

Depending on what software you are using you may be able to recover deleted copies of the picture that were previously in different locations (may indicate copy/paste type behaviour showing they were at the very least dealt with in some manner).

Adam10541
Senior Member
 
 
  

Re: Last Accessed -- Win7

Post Posted: Wed Feb 27, 2013 2:00 am

Thanks, Adam. I see that the MRU listings are numeric. What software would you suggest to search the Registry for the file names?

The lnk files work oddly. It appears as though there's a limit to how long or how many of them stick around in the Recent folder. Plus, I just tested opening some jpg files with Windows Explorer and no lnk files were created.  

JimGill
Newbie
 
 
  

Re: Last Accessed -- Win7

Post Posted: Wed Feb 27, 2013 8:09 am

JimGill wrote: "How else could one determine if a picture was opened (let's presume it's not in the recent files listing)?"


As mentioned, LNK files are a possibility.

Jump Lists are a pretty big one.

*Where* the data appears can depend a great deal on how the image was viewed...with which application. Like I said, Jump Lists are a big one, and new to Win7, and specific to both the user and the application (via the AppId).

One of the things that generally doesn't help to say is "the MRU keys", because there are many.

Do you know the extension of the image file in question? How about the graphics viewers on the system? Any indication of the file name beneath the ComDlg32 key in the user's hive?  

keydet89
Senior Member
 
 
  

Re: Last Accessed -- Win7

Post Posted: Wed Feb 27, 2013 9:20 am

Internet History is a good one as well.  

twjolson
Senior Member
 
 
  

Re: Last Accessed -- Win7

Post Posted: Wed Feb 27, 2013 6:07 pm

keydet89 wrote: "Jump Lists are a pretty big one."


To reiterate: I would check the file extension in the registry and determine the default viewing program, then using Mark Woan's JumpLister have a look if a jumplist for that appid exists.

If the file isn't in that jumplist (or the jumplist doesn't exist) then I'd start exploring other appids.

randomaccess
Senior Member
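
An added example, not part of any post in this thread: a quick triage pass over a user's exported `Recent` folder that reports which jump list files (and therefore which AppIDs) mention a given picture name. The function names, the sample paths and the AppIDs `aaaaaaaaaaaaaaaa` / `bbbbbbbbbbbbbbbb` are placeholders constructed for the demo; it assumes the Win7 jump list naming of `<AppID>.automaticDestinations-ms` and `<AppID>.customDestinations-ms`.

```python
import re
import tempfile
from pathlib import Path

# Jump list files are named <AppID>.automaticDestinations-ms or
# <AppID>.customDestinations-ms, where AppID is 16 hex digits.
JUMPLIST_RE = re.compile(r"^([0-9a-f]{16})\.(automatic|custom)Destinations-ms$", re.I)

def find_in_jumplists(recent_dir, file_name):
    """Return [(appid, kind, offsets)] for jump lists whose raw bytes mention file_name."""
    # Paths are usually stored as UTF-16LE; LNK LinkInfo can also hold ANSI.
    needles = [file_name.encode("utf-16-le").lower()]
    if file_name.isascii():
        needles.append(file_name.encode("ascii").lower())
    hits = []
    for path in sorted(Path(recent_dir).rglob("*Destinations-ms")):
        m = JUMPLIST_RE.match(path.name)
        if not m:
            continue  # not a jump list file name
        data = path.read_bytes().lower()  # Windows file names are case-insensitive
        offsets = sorted({mo.start() for n in needles
                          for mo in re.finditer(re.escape(n), data)})
        if offsets:
            hits.append((m.group(1).lower(), m.group(2).lower(), offsets))
    return hits

def make_constructed_sample(root):
    """Write two fake jump lists (constructed bytes, not real artifacts)."""
    auto = Path(root) / "Recent" / "AutomaticDestinations"
    auto.mkdir(parents=True)
    # Placeholder AppIDs and paths, made up for this demo.
    (auto / "aaaaaaaaaaaaaaaa.automaticDestinations-ms").write_bytes(
        b"\x00" * 32 + r"C:\Users\demo\Pictures\Holiday01.JPG".encode("utf-16-le"))
    (auto / "bbbbbbbbbbbbbbbb.automaticDestinations-ms").write_bytes(
        b"\x00" * 32 + r"C:\Users\demo\Documents\notes.txt".encode("utf-16-le"))
    return Path(root) / "Recent"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        recent = make_constructed_sample(tmp)
        for appid, kind, offsets in find_in_jumplists(recent, "holiday01.jpg"):
            print(f"AppID {appid} ({kind}): name found at byte offsets {offsets}")
```

A hit only says the name is present in that application's jump list; confirm the entry and its timestamps with a jump list parser. A miss is not conclusive, since streams inside the compound file can be fragmented across sectors.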
 
 
  

Re: Last Accessed -- Win7

Post Posted: Thu Feb 28, 2013 4:09 am

I normally look at the file access history stored within the user area 'ntuser.dat' file - some refer to it as the internet history.

Also look at thumbcache db files within the folders that the images might have been stored in; if there are thumbnails in the folders then it could be argued that the images were viewed in Windows Explorer 'image view'.

As others have said, MRU and LNK files are worth looking at.

fuzed
Senior Member
 
 