Trace Evidence When...
 
Notifications
Clear all

Trace Evidence When Burning a CD

5 Posts
2 Users
0 Likes
338 Views
(@sunnyd)
Posts: 3
New Member
Topic starter
 

I am trying to locate what kind of trace evidence is left on a pc after burning a cd. I exported the registry before burning a cd then exported the registery after burning a cd and used a software to compare the differences but I didn't really find anything. I also did some research on the hard drive under local settings and program files, again, I didn't find any evidence that a cd was burned.

Can anyone point me in the right direction? Thanks.

 
Posted : 09/07/2005 11:15 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I guess you're looking at Windows systems. If the system is XP, check the Prefetch directory for files pertaining to the burning software. XP does application launch prefetching by default, so you may find something there.

Can you be more specific as to the os (and version) you're looking at, as well as the application?

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http//www.windows-ir.com
http//windowsir.blogspot.com

 
Posted : 10/07/2005 3:40 pm
(@sunnyd)
Posts: 3
New Member
Topic starter
 

I am looking at both XP and Windows 2000 and the applications are Roxio and Nero. I did find the prefetch files in XP but I will look again for more info.

I am trying to find if there is anyway I can tell what was burned to a cd and when. I thought there would be an easy answer but I keep digging further and further and I can't seem to find anything on it.

I also have a question related to this. If I am burning a cd and pull the plug will I be able to find traces of what I am burning in the buffer and how would I get to it.

Thanks.

 
Posted : 10/07/2005 9:12 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I am trying to find if there is anyway I can tell what was burned to a cd and when. I thought there would be an easy answer but I keep digging further and further and I can't seem to find anything on it.

Sometimes there are no quick fix, easy answers. Not all applications create logs. I remember a version of Roxio, I believe, would ask it you wanted to keep the profile settings after you burned a bunch of files to CD. I used to do that with my music CDs, in case I wanted to go back and make another copy…maybe that's something you could look for. Of course, you'd have to use that version of the software and see what the file formats and extensions are…

I also have a question related to this. If I am burning a cd and pull the plug will I be able to find traces of what I am burning in the buffer and how would I get to it.

A couple of questions…first and foremost, why not try it and find out?

Second, what "buffer" are you referring to? If it's a memory buffer, or anything else related to volatile memory, it would stand to reason that when you pulled the plug and removed power from the systems, that sort of thing would disappear.

H. Carvey
"Windows Forensics and Incident Recovery"
http//www.windows-ir.com
http//windowsir.blogspot.com

 
Posted : 11/07/2005 3:15 pm
(@sunnyd)
Posts: 3
New Member
Topic starter
 

Thanks. I will give it a try.

 
Posted : 12/07/2005 12:25 am
Share: