Hi Neil, just another thought… The chances are, if your subject has copied the relevant files to CD, he may possibly have accessed said files via explorer and possibly opened one to check the burn process has completed correctly (human nature). In doing so a .lnk file may have been created. This .lnk file may still be present in the hidden ‘Recent’ folder, or if deleted you might have some luck carving lnk’s from the unallocated clusters. This is a fairly simple process in EnCase. I’m sorry I can’t remember how you’d do it with FTK (it’s been almost a year since my boot camp, and I haven’t used it since), but I’m sure it’s straightforward.
Once you parse or carve the lnk files, (or even conduct a text search for the lnk file header in the UA) view them in text view. The lnk file has additional information coded within including the drive letter, volume name, and volume serial number of the media where the original file resides.
For example, if I insert my USB thumb drive into my laptop it is allocated drive letter “G”. If I then navigate in explorer to a folder contained within and open a document, a lnk file is created in the ‘Recent’ folder (only the most recent 15 lnk’s are displayed by default in Windows XP – Start – My Recent Documents). However in the hidden Recent folder are many older and deleted lnk’s. My newly created lnk file now has the drive letter "G" as a pointer to the original file.
If you find a .lnk file (active or in unallocated) relating to your relevant files, and it points to the CD writer drive letter then you will have gone some way to prove your subject has indeed burned the files to disk (or at least accessed them on disk).
If you have already tried this (you mention lnk files in recent documents) then I apologise for teaching you how to suck eggs.
Andy
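An added example, not part of either post and not EnCase or FTK output: a minimal Python parser that pulls the drive type, volume serial number, volume label and local path (with drive letter) out of a .lnk file, following the published MS-SHLLINK layout. The sample link, its label `BACKUP_01`, serial and path are constructed for illustration, and `parse_lnk_volume` and `build_sample` are hypothetical names.

```python
import struct

# Shell link header: HeaderSize 0x4C followed by the LinkCLSID (per MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}

def cstr(buf, off):
    """Read a NUL-terminated ANSI string starting at off."""
    end = buf.find(b"\x00", off)
    if end < 0:
        raise ValueError("unterminated string")
    return buf[off:end].decode("cp1252", "replace")

def parse_lnk_volume(data):
    """Return drive type, volume serial, label and local path from a .lnk, or None."""
    if len(data) < 0x4C or data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & 0x1:                      # HasLinkTargetIDList: skip the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & 0x2:                  # HasLinkInfo not set: no volume data
        return None
    size, _hdr, li_flags, vol_off, path_off = struct.unpack_from("<5I", data, pos)
    info = data[pos:pos + size]
    if len(info) < size or not li_flags & 0x1:   # truncated carve, or network-only target
        return None
    # Assumes an ANSI label; VolumeLabelOffset 0x14 signals a Unicode label (not handled).
    _vsize, dtype, serial, label_off = struct.unpack_from("<4I", info, vol_off)
    return {"drive_type": DRIVE_TYPES.get(dtype, "invalid"),
            "serial": "%04X-%04X" % (serial >> 16, serial & 0xFFFF),
            "label": cstr(info, vol_off + label_off),
            "path": cstr(info, path_off)}

def build_sample():
    """Constructed sample: a minimal link to a file on a CD in drive E:."""
    label, path = b"BACKUP_01\x00", b"E:\\docs\\report.doc\x00"
    vol = struct.pack("<4I", 16 + len(label), 5, 0x1A2B3C4D, 16) + label
    body = vol + path + b"\x00"          # trailing NUL = empty CommonPathSuffix
    info = struct.pack("<7I", 28 + len(body), 28, 1, 28, 28 + len(vol), 0,
                       28 + len(vol) + len(path)) + body
    header = LNK_MAGIC + struct.pack("<I", 0x2) + bytes(0x4C - 24)
    return header + info

if __name__ == "__main__":
    print(parse_lnk_volume(build_sample()))
```

A `drive_type` of `cdrom` together with the serial and label can be compared against a seized disc; a carved link that is cut short inside the LinkInfo block returns `None` rather than partial values.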
Andy
Thanks for the post.
I've been through the hard disk and left live searches going overnight but no sign of any files being opened on any drives.
I also checked the registry for USB devices and hard disks after an article I read on H. Carvey's blog but there is nothing out of the ordinary.
I'll keep looking.
Neil