Hi everyone,
Does anyone know any way to discover the last time(s) the CD/DVD drive was used (or even opened, say!)? Or any general forensics in this area?
I'm interested in such information for Windows XP, SP2.
Thanks in advance for any help.
One thing you can do
You could check the Mounted Devices in the registry, and look for link files/MRUs etc. pointing to that mounted volume.
Apologies, I cannot be of more help; I never needed to look into it further in a case.
Kind Regards,
Minesh
Look for LNK files or file:// links in browser history (usually IE) that point to files on the CD-ROM drive. This will show you when items were accessed from the drive.
Also, review the System Event Log for signs of the IMAPI CD Burning service starting, running and stopping. In most, if not all scenarios, you will see the service start, run and stop when:
1. computer reboots
2. CD-ROM is placed in computer
3. CD burning takes place
Typically the start, running and stop will be within seconds of each other in the Event log. If a burning process takes place, however, they are separated by the time it takes to burn the data to the CD (depending on how the burn took place).
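The start/stop pairing described in the reply above, as an added example that is not part of the original posts: it pairs IMAPI running and stopped records from an exported System log and labels each session by how long the service ran. The CSV layout, the use of Service Control Manager event 7036, the service display name and the 30-second cut-off are assumptions, and the log lines are constructed.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: System log exported as CSV (time, event ID, source, message).
SAMPLE = """\
2008-03-14 09:02:11,7036,Service Control Manager,The IMAPI CD-Burning COM Service service entered the running state.
2008-03-14 09:02:14,7036,Service Control Manager,The IMAPI CD-Burning COM Service service entered the stopped state.
2008-03-14 11:40:03,7036,Service Control Manager,The Windows Installer service entered the running state.
2008-03-14 14:21:50,7036,Service Control Manager,The IMAPI CD-Burning COM Service service entered the running state.
2008-03-14 14:29:37,7036,Service Control Manager,The IMAPI CD-Burning COM Service service entered the stopped state.
2008-03-15 08:15:00,7036,Service Control Manager,The IMAPI CD-Burning COM Service service entered the running state.
"""

SERVICE = "IMAPI CD-Burning COM Service"  # display name assumed for XP
BRIEF = timedelta(seconds=30)             # assumed cut-off for "within seconds"

def imapi_sessions(text, brief=BRIEF):
    """Pair IMAPI running/stopped records and label each session by duration."""
    sessions, started = [], None
    for row in csv.reader(StringIO(text)):
        if len(row) < 4 or row[1] != "7036" or SERVICE not in row[3]:
            continue  # not a state change for the IMAPI service
        when = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        if "running state" in row[3]:
            if started is not None:  # earlier start never closed (log gap)
                sessions.append((started, None, "no stop record"))
            started = when
        elif "stopped state" in row[3]:
            if started is None:      # stop with no start (log cleared or wrapped)
                sessions.append((None, when, "no start record"))
                continue
            short = when - started <= brief
            label = "brief (boot or disc insert)" if short else "long (possible burn)"
            sessions.append((started, when, label))
            started = None
    if started is not None:          # log ends while the service is running
        sessions.append((started, None, "no stop record"))
    return sessions

if __name__ == "__main__":
    for start, stop, label in imapi_sessions(SAMPLE):
        print(start, "->", stop, ":", label)
```

Sessions with a missing start or stop record are reported rather than dropped, since a cleared or wrapped log is itself worth noting in a timeline.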