To elaborate, I work for a health care company and am always concerned about HIPAA and privacy. If I am editing a Microsoft Word or Excel file from a flash drive on a public computer, and it's only ever saved to that flash drive, does anyone know what information Word or Excel might save to the hard drive, whether it's a temporary file, something in the virtual memory, etc.? Any insight would be most appreciated. Thank you all for your time.
There could be a lot of changes. Some examples,
Word's most recently used file list in the registry
Explorer's recent docs in the registry
LNK files in the roaming folder
C\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\<documentname>.docx.LNK
IconCache files.
The list of USB drives used from the registry
Windows search index updates
Jump list data
Maybe changes to the \SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery registry entries.
Of course what is actually available will depend on the Operating system, how long ago the document was edited, the version of Word used, and several other factors. (for example if the machine was hibernated when the document was still open in Word).
I dont think the OP is talking specifically about the metadata
I think the temp files are still saved in the same directory as the original file, but if word crashes the temp/crashdump will probably be saved temporarily in the appdata or temp folder (cant remember off the top of my head).
Otherwise content could appear in the pagefile or hiberfil.
If you're really serious about not letting any data off the flash drive then only plug it into a computer you have control of.
I think the temp files are still saved in the same directory as the original file, but if word crashes the temp/crashdump will probably be saved temporarily in the appdata or temp folder (cant remember off the top of my head).
.
One other place to look for file content depending on the type of device you are plugging in; if you happen to be using a MTP device, check out the "WPDNSE" folder. Nicole Ibrahim has documented this on her blog and SANS presentation.
http//
One other place to look for file content depending on the type of device you are plugging in; if you happen to be using a MTP device, check out the "WPDNSE" folder. Nicole Ibrahim has documented this on her blog and SANS presentation.
http//
nicoleibrahim.com/part-6-usb-device-research-open-file-artifacts-lnk-files/
True except if he's working off a usb drive it's unlikely that it'll be an MTP device