Here's the scenario
Suspect's machine running XP Pro and using Outlook Express with preview pane option on.
FTK has pulled out some significant text from pagefile.sys. Suspect says he has never seen it, but it may have been contained in an email attachment which he received but has never opened/viewed.
Does the presence of that text in the pagefile prove that the text has been viewed, or the attachment opened, or could it have resulted from the attachment having been loaded into the ..\Local Settings\Temp directory of the active user account as he scrolled through his emails?
Any suggestions gratefully received!
In general, it's difficult to say authoritatively that anything has been viewed on a computer. You can show that a file has been accessed by a user or by the default behaviour of a process or application, but not that it was actually viewed/seen by someone. Furthermore, if you, for example, received an email with a 10 page Word attachment – it could be shown that this Word document had been saved at a certain location by a particular user but it couldn't be shown that he'd scrolled down and seen page 8 of the document, which may contain a diagram or whatever which is crucial to the case.
I think in your situation, if there are no other pointers near your artefact in the pagefile or even elsewhere on the system then all you can credibly say about it is that, at some time, it was present on your suspect's hard drive.
Does the presence of that text in the pagefile prove that the text has been viewed, or the attachment opened, or could it have resulted from the attachment having been loaded into the ..\Local Settings\Temp directory of the active user account as he scrolled through his emails?
No. But Registry analysis might. I've used Registry analysis several times to locate indications of users actually viewing documents.
How can the registry show that a user actually viewed something as opposed to just opening it? In the OP's scenario he mentions finding a fragment of text in the pagefile and no associated meta-data…how would registry analysis help here to show that a user had seen the fragment of text in question? I'd be interested in finding out.
Take the sample text from the pagefile and do a search of the hard drive. If the sample appears in a document on the hard drive, use a tool like RegRipper to determine if the document was viewed by a particular user. If the text appears in a cached web page…well…
HTH
Sure, but I presume that the OP found it in pagefile only via the FTK text search function and they found it only there otherwise they would have mentioned it? Perhaps they can provide more details.
By the way, you don't seem to differentiate between 'viewing' something and 'opening' or accessing it. Any reason for that? I think the terminology used to describe a user's actions is pretty important.
Agreed. The registry artefacts that were mentioned must surely only show access rather than viewing. It's pedantic but you have to be in this game!
Sure, but I presume that the OP found it in pagefile only via the FTK text search function and they found it only there otherwise they would have mentioned it? Perhaps they can provide more details.
The OP didn't say one way or another. I offered to help.
By the way, you don't seem to differentiate between 'viewing' something and 'opening' or accessing it. Any reason for that? I think the terminology used to describe a user's actions is pretty important.
I don't see the distinction. Sorry.
Agreed. The registry artefacts that were mentioned must surely only show access rather than viewing. It's pedantic but you have to be in this game!
How so? Since I never mentioned specific keys?
If the entry appears in a file MRU for Word, or any other GUI application, then it would stand to reason that the user opened the file in some manner and it appeared on the screen. If the access was a result of, say, a Search MRU entry, then I wouldn't suggest that would be an indication of viewing the file, no.
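The two-step approach discussed above (search the disk for the pagefile fragment, then check whether the matching file appears in an application's file MRU rather than only in a search MRU) as an added example; this is not code from the thread or from RegRipper. It assumes the image is mounted as a directory tree, searches for the fragment in both 8-bit and UTF-16LE form (Windows GUI applications and the pagefile commonly hold text as UTF-16LE, so an 8-bit-only search can miss it), and correlates file names against a constructed sample of MRU entries standing in for what a hive parse would list.

```python
"""Added example: correlate a pagefile text fragment with files on disk and
with MRU entries. The sample files and MRU entries are constructed, not
real RegRipper output."""
import ntpath
import os
import shutil
import tempfile
from dataclasses import dataclass

# The pagefile and GUI applications usually store text as UTF-16LE, so the
# fragment is searched for in both encodings.
ENCODINGS = ("latin-1", "utf-16-le")

# Categories reflecting the thread's distinction between access and viewing.
OPENED_IN_GUI = "opened in a GUI application (shown on screen; not proof any given page was read)"
SEARCHED_ONLY = "file name only in a search MRU; not an indication of viewing"
PRESENT_ONLY = "present on disk only; no MRU artefact of user access"

# Constructed sample of MRU data (key label -> values), assumed shape only.
SAMPLE_MRU = {
    "Word File MRU": [r"C:\Documents and Settings\suspect\My Documents\report.doc"],
    "RecentDocs": ["report.doc", "holiday.jpg"],
    "Search MRU (ACMru)": ["notes.txt"],
}


@dataclass
class Hit:
    path: str
    encoding: str
    offset: int


def search_tree(root, fragment):
    """Walk a mounted tree and report every file containing the fragment.
    Files are read whole; fine for an example, use mmap on a real image."""
    needles = {enc: fragment.encode(enc) for enc in ENCODINGS}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            for enc, needle in needles.items():
                off = data.find(needle)
                if off != -1:
                    hits.append(Hit(path, enc, off))
    return hits


def classify(path, mru):
    """Map a hit to an access category using the MRU key it appears under."""
    name = os.path.basename(path).lower()
    def listed(key_filter):
        return any(ntpath.basename(v).lower() == name
                   for key, vals in mru.items() if key_filter(key) for v in vals)
    if listed(lambda k: k.endswith("File MRU") or k == "RecentDocs"):
        return OPENED_IN_GUI
    if listed(lambda k: "Search" in k):
        return SEARCHED_ONLY
    return PRESENT_ONLY


def build_sample_tree(root, fragment):
    """Constructed files standing in for a mounted XP image."""
    docs = os.path.join(root, "Documents and Settings", "suspect", "My Documents")
    temp = os.path.join(root, "Documents and Settings", "suspect", "Local Settings", "Temp")
    os.makedirs(docs)
    os.makedirs(temp)
    with open(os.path.join(docs, "report.doc"), "wb") as fh:        # UTF-16LE body
        fh.write(b"\xd0\xcf\x11\xe0" + ("heading " + fragment + " body").encode("utf-16-le"))
    with open(os.path.join(temp, "notes.txt"), "wb") as fh:         # 8-bit text
        fh.write(("note: " + fragment + "\r\n").encode("latin-1"))
    with open(os.path.join(docs, "unrelated.bin"), "wb") as fh:     # no match
        fh.write(b"\x00" * 64)


def demo(fragment="the shipment arrives tuesday"):
    """Return {file name: (encoding matched, access category)}."""
    root = tempfile.mkdtemp()
    try:
        build_sample_tree(root, fragment)
        return {os.path.basename(h.path): (h.encoding, classify(h.path, SAMPLE_MRU))
                for h in search_tree(root, fragment)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, (enc, category) in demo().items():
        print(f"{name}: matched as {enc}; {category}")
```

Even the strongest category here only says the file was opened in a GUI application; as the thread notes, that still does not establish which part of its content was read.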
Greetings,
If I understand Jonathan's point correctly, he's saying that just because someone opened a 20 page document doesn't mean that they viewed the text on page 19 of the document.
If I select 10 Word documents in Explorer, select Print from the menu, and walk away from the system, all those files will open, print, and close and I didn't "view" any of them.
-David