±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 36231
New Yesterday: 0 Visitors: 156

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Images.opened from an android device

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts


Images.opened from an android device

Post Posted: Oct 11, 18 19:42

I have been doing some basic testing on attaching an android phone (samsung galaxy s7) to a windows 7 machine via usb cable, navigating to the camera directory on the phone and opening a few images (jpg), to help educate myself where on windows artefacts evidence of that activity occuring. After I reviewed thumbcache db files.in the explorer directory, lnk files, jump lists and also ran regripper over ntuser.dat (what I thought would be the obvious areas) and I cant see evidence of the files being opened anywhere. The lnk shortcuts did show that I opened the camera directory but not the image files I opened. Any idea why this could be or any other artefacts that I could check? System hive analysis and certain evtx logs show the usb entry fine its just puzzling why the system seems to of missed evidence that I opened numerous jpegs from the camera directory. I have set an image of the hard drive running and will run keyword search of the filemames (images I opened) to see where else may capture evidence they were opened.

I did notice only one file in the thumbcache directory had a modified date of a similar time but the free utility I found for viewing them claims its not a valid file. Similar tests of a standard usb storage device do list the file names in the usual places but for some reason those opened on an android phone are not as clumsy in leaving traces behind.  


Re: Images.opened from an android device

Post Posted: Oct 12, 18 10:12

I did get a hit in webcachev01.dat and usrclass.dat  

Page 1 of 1