Had a call from a customer today inquiring about how he could tell if his employee was stealing data. He's only got video evidence of the employee logging on the computer, but he thinks that the employee may have burned the data to a CD. Since it was more than 2 weeks ago, the last file access time may have been overwritten, and the only thing would be maybe a CD burner log file. The customer said he uses Roxio. Anyone ever run across a case like this? I'm looking for more pointers to help me gain more evidence.
I wrote up a PDF that addresses this issue and included it on the DVD that accompanies "Windows Forensic Analysis", 2/e.
Contact me off list at keydet89 at yahoo dot com for a copy.
A lot of CD burning software uses a temp file similar to an ISO. They copy the data to this file, then burn that to the CD. I haven't used Roxio in a long while, so I can't remember how it does this, but it's worth checking the Roxio settings to see if there is a temp file, and if so, where it's stored. It may be the software deletes the temp file after it's finished, in which case you'll need to do a little data recovery.
I know the default installation of Roxio Creator, which is on every OEMed Dell laptop as far as I know, keeps a log of the speed of writing.
It doesn't tell what was burned but does tell of a burn, and the amount can be estimated from the time it took to burn.
It is possible that such info is also available with other burners.
Well worth a read on this subject is