Join Us!

Locating Screen Sav...
 
Notifications
Clear all

Locating Screen Saver Log file  

  RSS
deano
(@deano)
New Member

I am working on a case that involves someone using My Picture Slideshow that is buit into XP to display pics of CP. The pictures have been deleted and have been overwritten. Does anyone know if windows keeps a log file of what was placed into this screen saver or is there a place in the registry that this info may be located. The file name is ssmypics.scr. I am using FTK for forensics. Any help would be appreciated.

Quote
Posted : 11/03/2005 11:03 pm
Jamie
(@jamie)
Community Legend

deano,

Just a quick note to say welcome to the Forensic Focus forums.

Kind regards,

Jamie

ReplyQuote
Posted : 12/03/2005 5:19 pm
andy1500mac
(@andy1500mac)
Member

I believe the registry will only contain a pointer to the .scr file in the system32 folder. If the pics have been deleted and overwritten there is always the possibility of pulling some info out of the hidden file thumbs.db (in the folder that would have contained the pics in the first place). This is by default the My Pictures folder when using ssmypics.scr This will not recoup the picture but may be able to provide some valuable information even if the pictures are no longer present.

Keep in mind that the thumbs.db file will only be there if the user selected the thumbnail view as his option in the particular folder that the pics were in.

I have never tried this myself and am not 100% sure what info you will get (names, deletions, modification times..?). You will need some third party software to accomplish this however…

Andrew-

ReplyQuote
Posted : 12/03/2005 5:44 pm
Andy
 Andy
(@andy)
Active Member

Thumbs.db files have been disgussed before.

ReplyQuote
Posted : 12/03/2005 10:48 pm
keydet89
(@keydet89)
Community Legend

I believe the registry will only contain a pointer to the .scr file in the system32 folder.

The HKEY_USER hive will contain the "pointer" you're refering to…

The key of interest is HKEY_USER\<SID>\Control Panel\Desktop

The value is SCRNSAVE.EXE. The data in this value will point to the .scr file used, regardless of location. The key also contains other values that refer to various screensave (and desktop) settings.

The LastWrite time of the key will tell you when the contents of the key were last modified. However, it will not tell you which value was modified last.

HTH,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

ReplyQuote
Posted : 14/03/2005 11:38 am
Share: