Last Accessed -- Win7
Posted: Tue Feb 26, 2013 6:04 pm
By default Win7 (and Vista) don't update the Last Accessed date/time stamp when one views a picture or opens a file.
How else could one determine if a picture was opened (let's presume it's not in the recent files listing)?
-
JimGill - Newbie
Re: Last Accessed -- Win7
Posted: Tue Feb 26, 2013 7:22 pm
.lnk files and registry MRUs immediately come to mind.
Depending on what software you are using, you may be able to recover deleted copies of the picture that were previously in different locations (may indicate copy/paste type behaviour showing they were at the very least dealt with in some manner).
-

Adam10541 - Senior Member
Re: Last Accessed -- Win7
Posted: Wed Feb 27, 2013 2:00 am
Thanks, Adam. I see that the MRU listings are numeric. What software would you suggest to search the Registry for the file names?
The lnk files work oddly. It appears as though there's a limit to how long or how many of them stick around in the Recent folder. Plus, I just tested opening some jpg files with Windows Explorer and no lnk files were created.
-
JimGill - Newbie
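The numeric MRU value names raised in the post above can be decoded as in this added example (not code from the thread or from any tool named in it): `MRUListEx` gives the order of the numbered values, and each value's data begins with the file name. It assumes the layout used by keys such as RecentDocs, where the value data starts with a null-terminated UTF-16LE name, and that the values were already exported from the user's hive; the function names and sample data are constructed for illustration.

```python
import struct

def parse_mrulistex(data):
    """MRUListEx: little-endian uint32 value names, most recent first,
    terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def leading_name(data):
    """Decode the null-terminated UTF-16LE file name that starts the value;
    the bytes after the terminator are ignored here."""
    end = len(data) - len(data) % 2
    for off in range(0, end, 2):
        if data[off:off + 2] == b"\x00\x00":
            end = off
            break
    return data[:end].decode("utf-16-le", errors="replace")

def mru_entries(values):
    """Return [(value_name, file_name)] in most-recent-first order."""
    out = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        raw = values.get(str(idx))
        out.append((idx, leading_name(raw) if raw is not None else None))
    return out

def find_file(values, needle):
    """Case-insensitive search; returns MRU positions (0 = most recent)."""
    return [pos for pos, (_, name) in enumerate(mru_entries(values))
            if name and needle.lower() in name.lower()]

def sample_value(name):
    # Constructed: file name + terminator + filler standing in for trailing data
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\xaa" * 18

# Constructed sample of one key's values (not taken from a real hive)
SAMPLE = {
    "MRUListEx": struct.pack("<5I", 2, 0, 3, 1, 0xFFFFFFFF),
    "0": sample_value("holiday.jpg"),
    "1": sample_value("report.docx"),
    "2": sample_value("IMG_0042.JPG"),
    # value "3" is listed in MRUListEx but absent, as in a damaged hive
}
```

Only the first entry in the list can be tied to a time, via the key's last-written timestamp; the other positions give order but not when each file was opened.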
Re: Last Accessed -- Win7
Posted: Wed Feb 27, 2013 8:09 am
- JimGill
How else could one determine if a picture was opened (let's presume it's not in the recent files listing)?
As mentioned, LNK files are a possibility.
Jump Lists are a pretty big one.
*Where* the data appears can depend a great deal on how the image was viewed...with which application. Like I said, Jump Lists are a big one, and new to Win7, and specific to both the user and the application (via the AppId).
One of the things that generally doesn't help to say is "the MRU keys", because there are many.
Do you know the extension of the image file in question? How about the graphics viewers on the system? Any indication of the file name beneath the ComDlg32 key in the user's hive?
-

keydet89 - Senior Member
-

twjolson - Senior Member
Re: Last Accessed -- Win7
Posted: Wed Feb 27, 2013 6:07 pm
- keydet89
Jump Lists are a pretty big one.
To reiterate: I would check the file extension in the registry and determine the default viewing program, then, using Mark Woan's jumplister, have a look to see if a jumplist for that appid exists.
If the file isn't in that jumplist (or the jumplist doesn't exist), then I'd start exploring other appids.
-

randomaccess - Senior Member
Re: Last Accessed -- Win7
Posted: Thu Feb 28, 2013 4:09 am
I normally look at the file access history stored within the user area 'ntuser.dat' file - some refer to it as the internet history.
Also look at thumbcache db files within the folders that the images might have been stored in; if there are thumbnails in the folders then it could be argued that the images were viewed in Windows Explorer 'image view'.
As others have said, MRUs and LNK files are worth looking at.
-

fuzed - Senior Member
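For the LNK files suggested throughout the thread, this added example (not code from the thread or from any tool named in it) reads the fixed 76-byte shell link header, which carries the target file's created, accessed and modified times and its size as recorded in the shortcut. That makes a recovered shortcut useful even when the file system's own last-accessed stamp is not being updated. The sample header bytes and all dates in it are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# HeaderSize, CLSID, LinkFlags, FileAttributes, 3 x FILETIME, FileSize,
# IconIndex, ShowCommand, HotKey, 3 reserved fields = 76 bytes
HEADER = struct.Struct("<I16sIIQQQIiIHHII")

def filetime_to_dt(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means not set."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, used only to build the sample below."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def parse_lnk_header(data):
    """Return the target's recorded timestamps and size from a .lnk header."""
    if len(data) < HEADER.size:
        raise ValueError("truncated: shorter than the 76-byte header")
    size, clsid, flags, attrs, ctime, atime, wtime, fsize, *_ = HEADER.unpack_from(data)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    return {
        "link_flags": flags,
        "target_attributes": attrs,
        "target_created": filetime_to_dt(ctime),
        "target_accessed": filetime_to_dt(atime),
        "target_modified": filetime_to_dt(wtime),
        "target_size": fsize,
    }

# Constructed sample: a picture copied onto the volume on 2013-02-20, so its
# modified time predates its created time and accessed equals created.
CREATED = datetime(2013, 2, 20, 9, 15, tzinfo=timezone.utc)
MODIFIED = datetime(2013, 1, 5, 14, 30, tzinfo=timezone.utc)
SAMPLE_LNK = HEADER.pack(
    0x4C, LNK_CLSID, 0x1, 0x20,
    dt_to_filetime(CREATED), dt_to_filetime(CREATED), dt_to_filetime(MODIFIED),
    123456, 0, 1, 0, 0, 0, 0,
)

if __name__ == "__main__":
    for field, value in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{field}: {value}")
```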
















