2 OS - one HD....

10 Posts
6 Users
0 Likes
213 Views
(@fuzed)
Posts: 93
Trusted Member
Topic starter
 

Simple question I hope…

I have a hard drive with 4 partitions and two operating systems installed, the operating systems are vista and xp, I have a large number of files that have the same last written date as the last access date… I need to prove whether the user had accessed said files… any guidance appreciated.

I've got a keyword search running on the file names in question, so hopefully that could throw up anything relating to media player logs and lnk files (have examined lnk files, dat files - nothing of relevance within those).

Does anyone know if there's a way to tell which OS copied/created specific files?
and also any guidance on finding any other info on last access data?

 
Posted : 24/06/2010 7:55 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

Have a look at the permissions of the said files and the user security keys associated with each. If you can find permissions on the files, you should be able to match them up to users on one of the other 4 partitions.

 
Posted : 24/06/2010 8:26 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I have a hard drive with 4 partitions and two operating systems installed, the operating systems are vista and xp, I have a large number of files that have the same last written date as the last access date… I need to prove whether the user had accessed said files… any guidance appreciated.

Okay, good…Windows, and you appear to know which user is involved.

I generally tend to use RegRipper to parse the NTUSER.DAT…gives me a LOT of information.

I've got a keyword search running on the file names in question, so hopefully that could throw up anything relating to media player logs and lnk files (have examined lnk files, dat files - nothing of relevance within those).

What's the purpose of the keyword search? Do you know the names (and paths) of the files in question?

Does anyone know if there's a way to tell which OS copied/created specific files?

Well, it depends on what you mean. The issue of using forensic analysis to determine if files were copied has been covered in this and other forums numerous times. OS's don't "create" files, per se…files are generally created as a result of a service, process, or user using some method to call the CreateFile() API, which is provided by the OS.

It might be easier, perhaps, to provide some insight if you could better describe the issue or question at hand.

and also any guidance on finding any other info on last access data?

"last access data"? Such as…what?

 
Posted : 24/06/2010 8:52 pm
(@fuzed)
Posts: 93
Trusted Member
Topic starter
 

Background: it's a CP case, a lot of legal porn then a small proportion of illegal stuff. I need to identify if the 'user' has accessed these files at all; everything I've looked at so far suggests they haven't.

I've used NetAnalysis on the drives (with Mount Image Pro). Nothing of interest has been found within the dat files… I will take a look at NTUSER.DAT, although I think NetAnalysis parses the data from that anyway.

The keyword search was just to see if I get any filename hits within log files or application logs etc. that could shed some light on whether the images/videos had been viewed.

I should have worded that correctly; I just wanted to see if there was any info I could pull that would give me a little more about the file access times that were applied to the files.

 
Posted : 24/06/2010 9:10 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Background: it's a CP case, a lot of legal porn then a small proportion of illegal stuff. I need to identify if the 'user' has accessed these files at all; everything I've looked at so far suggests they haven't.

I've dealt with similar cases.

I've used NetAnalysis on the drives (with Mount Image Pro). Nothing of interest has been found within the dat files… I will take a look at NTUSER.DAT, although I think NetAnalysis parses the data from that anyway.

I don't use NetAnalysis, but a review of the web pages at the Digital Detective site makes no reference to accessing the NTUSER.DAT.

Generally, if I don't know definitively what a tool does, I don't simply assume that it does something.

The keyword search was just to see if I get any filename hits within log files or application logs etc. that could shed some light on whether the images/videos had been viewed.

You need to parse the NTUSER.DAT. Most of the viewer applications that come installed in Windows write their list of recently accessed files there.

I should have worded that correctly; I just wanted to see if there was any info I could pull that would give me a little more about the file access times that were applied to the files.

A little more than what?

 
Posted : 24/06/2010 11:14 pm
(@dan0841)
Posts: 91
Trusted Member
 

I'm fairly sure NetAnalysis does not parse NTUSER. You may have done most of this; however, if I were looking for some evidence that files were opened or attempted to be opened, I'd start with:

Internet Records - NetAnalysis - Check the local FILE access records which HstEx / NetAnalysis may display.
LNK Files - Parse and review all Link files.
NTUSER - Use RegRipper, which will indicate MRU lists for WMP and picture files.
WMP - Check the lastplayed.wpl file. These can also be carved from unallocated and Shadow Copies.
Also the WMP library database may throw up a bit of supporting evidence.
A Vista OS could be a gift. Use RegRipper on NTUSER extracted from each Shadow Copy, which would be quick.

I'd want to know more about evidence indicating how the files got there. E.g. Limewire may provide extra supporting evidence such as Preview-t traces…

I'd also do an assessment of other MediaPlayers which were installed and possibly set up some tests with them and depending on the amount of files I'd run keyword searches for the filenames.

"could shed some light on whether the images/videos had been viewed"

I'd be very careful about using the word "viewed" unless I had lots and lots of solid evidence. I'd still probably not use it in a report. Played, or attempted to be played.

Hope this helps a bit.

 
Posted : 25/06/2010 1:14 am
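As an added example (not code from this thread, from RegRipper or from any other tool named here), this shows the mechanics behind the NTUSER.DAT MRU lists that keydet89 and dan0841 point to: Explorer's RecentDocs key keeps one numbered value per file (a UTF-16LE name followed by a shell item) and an MRUListEx value that orders those indices most recent first, terminated by 0xFFFFFFFF. The key below is constructed sample data, the shell item is simplified to the .lnk name, and no hive parser is used; a real hive would be read with a registry library and the values passed in the same way.

```python
import struct

TERMINATOR = 0xFFFFFFFF


def _entry(name: str) -> bytes:
    """Build one constructed RecentDocs value: UTF-16LE name, NUL, simplified shell item."""
    return name.encode("utf-16-le") + b"\x00\x00" + (name + ".lnk").encode("ascii") + b"\x00"


# Constructed stand-in for NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg
SAMPLE_RECENTDOCS_JPG = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, TERMINATOR),  # index 2 is the most recent
    "0": _entry("holiday01.jpg"),
    "1": _entry("holiday02.jpg"),
    "2": _entry("IMG_0412.jpg"),
    "5": _entry("orphan.jpg"),  # present in the key but no longer referenced by MRUListEx
}


def parse_mrulistex(data: bytes) -> list:
    """Decode MRUListEx into the index order (most recent first).
    Stops at the terminator; a trailing partial DWORD is ignored rather than mis-read."""
    order = []
    for off in range(0, (len(data) // 4) * 4, 4):
        idx = struct.unpack_from("<I", data, off)[0]
        if idx == TERMINATOR:
            break
        order.append(idx)
    return order


def entry_name(data: bytes) -> str:
    """Return the UTF-16LE file name at the start of a RecentDocs value (up to the first NUL pair)."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")


def recent_docs(values: dict) -> list:
    """Return (rank, index, name) tuples most recent first.
    An index named in MRUListEx but absent from the key is reported, not silently dropped."""
    rows = []
    for rank, idx in enumerate(parse_mrulistex(values.get("MRUListEx", b""))):
        raw = values.get(str(idx))
        rows.append((rank, idx, entry_name(raw) if raw is not None else "<missing value>"))
    return rows


def unordered_entries(values: dict) -> list:
    """Numbered values MRUListEx does not order: the name survives, its recency does not."""
    ordered = set(parse_mrulistex(values.get("MRUListEx", b"")))
    return sorted(entry_name(v) for k, v in values.items() if k.isdigit() and int(k) not in ordered)
```

Entries that MRUListEx no longer orders still name a file that was once opened through Explorer's common dialogs, which is why both lists are worth reporting separately.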
markg43
(@markg43)
Posts: 77
Trusted Member
 

I am a frequent NetAnalysis user.

NetAnalysis does NOT parse NTUSER.dat. It is an internet history application, NTUSER.dat is a registry file.

As for the registry file, the other commenter (Keydet89) wrote the book on registry analysis (literally).

What he recommends as steps are fairly detailed and should shed some light and give you ideas to continue the search into more specific areas.

Good luck.

 
Posted : 25/06/2010 11:17 am
(@mobileforensicswales)
Posts: 274
Reputable Member
 

Do not discount the NTUSER.dat file; it does contain lots of helpful information such as last typed URLs.

 
Posted : 25/06/2010 1:57 pm
(@fuzed)
Posts: 93
Trusted Member
Topic starter
 

Thanks all, I had a look at the files… very helpful!

 
Posted : 25/06/2010 3:41 pm
neddy
(@neddy)
Posts: 182
Estimable Member
 

When a file is downloaded and not viewed once completed, its last written and last accessed attributes will be the same.
This could explain your findings and also explains why you have no evidence of the user accessing the files, because they probably never did.
It is not uncommon for users to 'bulk' download files using a P2P file sharing application and never get a chance (especially if the computer is seized by the Police) or have the inclination to access the files until some time afterwards.
I would concentrate on finding evidence that the user ended up with the files as a result of performing specific keyword searches in order to locate such material. If you locate this kind of evidence, you will have shown that the user was most likely aware of the files' contents, having made efforts to seek them out.

 
Posted : 26/06/2010 2:17 am