I thought I might draw this issue to your attention, as it doesn't seem to have been mentioned on any of the other computer forensic forums that I subscribe to.
My current investigation is a CP case; recovered from the suspect were 2 laptops and a desktop PC. One of the laptops belonged to his employer and was running Win XP.
Evidential material was recovered from the suspect's home machine. On first analysis, there was no trace of CP on the laptop belonging to his employer. However, on doing a keyword search for a URL which featured in the case, I got a hit in an interesting folder structure. The folder was entitled "CSC" and was within the "Windows" folder. Within the CSC folder were 8 sub-folders labelled d1 - d8. Each of these folders contained numerous files with no extensions and numeric/alpha names such as "80004CCE". On looking through these files in raw form with a hex viewer, the first few dozen files were meaningless. However, other files appeared to have valid JPEG and Microsoft Office headers. I then did some file carving through this directory structure and recovered numerous CP images.
My initial research indicates that the CSC folder structure is created when the machine is a client in a network environment and the "Offline Files" facility is used. This facility allows the user to download specific files from a server, then disconnect from the network and work on those files. When they reconnect to the network the files are synchronised with the server so that any files that have been modified on the client machine are uploaded to the server.
As the CSC folder structure is a system folder and the files therein have no extension, these files cannot be detected through filtering for image files, viewing your case in gallery view, file carving in unallocated space or via signature checks. Put another way… they are very easy to overlook unless you are specifically checking for their presence.
The only way to discover these files is to check the Windows folder for the presence of the CSC folder structure. In this case I have checked the employer's server, and copies of the offending files were discovered on the server. It appears that the offender accidentally left his USB pendrive containing CP images in his laptop when it was backed up to the server?
All the data on the pendrive was backed up to the server along with data from his laptop hard drive.
The backed-up data goes into a master folder on the server which was then enabled for "Offline files", so that when his laptop was later used to synchronise with the files in the master folder on the server, the accidentally uploaded images were now accidentally downloaded to his laptop. 😯 I hope that makes sense!
Having detected the images, you still have to do a bit of work to get them into a report. Merely bookmarking the files by putting a tick in the box next to the filename in EnCase does not allow them to be included in a report. You have to sweep through the raw data of the image so that all of the bytes in the image are highlighted, then bookmark that data.
It does seem strange that when the folders and files are "downloaded" using the "Offline Files" facility they are renamed and have their extensions removed. I am not entirely certain how the client and the server keep track of the files and any modifications. There appear to be files created on the client side that hold the filenames of data in the CSC folder structure, although these filenames are stored in Unicode.
If anyone is doing a degree or MSc in forensic computing, this might be a good topic for your dissertation. In any case, everyone should be aware of this folder structure as it can be easily overlooked and can contain crucial evidence.
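The triage the post describes (walk CSC\d1..d8, check the extension-less files by header, and look in the remaining files for UTF-16 strings that look like original filenames) can be scripted. The following is an added example written for this thread, not code from the poster or from EnCase; the signature table, the extension list and the sample tree it builds in a temporary directory are constructed assumptions for demonstration, and a real case would point `scan_csc` at the exported CSC folder.

```python
import os
import re
import tempfile

# Magic bytes for the two file families the post reports seeing in CSC.
# Assumption: the table is deliberately small; extend it for a real case.
SIGNATURES = {
    b"\xFF\xD8\xFF": "jpeg",
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "ole2 (legacy MS Office)",
}

# Extensions worth reporting when they appear in UTF-16LE strings (assumption).
NAME_EXTS = (".jpg", ".jpeg", ".doc", ".xls", ".ppt")
# Printable ASCII characters encoded as UTF-16LE, at least 4 in a row.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7E]\x00){4,}")


def identify(head: bytes):
    """Return a label if the leading bytes match a known signature, else None."""
    for magic, label in SIGNATURES.items():
        if head.startswith(magic):
            return label
    return None


def utf16_strings(data: bytes):
    """Extract printable UTF-16LE runs from raw bytes."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def scan_csc(root: str):
    """Walk a CSC tree and return (hits, names).

    hits: (relative path, label) for files whose header matches SIGNATURES.
    names: UTF-16LE strings ending in NAME_EXTS found in non-matching files,
           which is where the post suggests the original filenames are kept.
    """
    hits, names = [], []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            label = identify(data[:8])
            if label:
                hits.append((rel, label))
            else:
                names.extend(s for s in utf16_strings(data)
                             if s.lower().endswith(NAME_EXTS))
    return sorted(hits), sorted(names)


def build_sample_csc(base: str) -> str:
    """Create a constructed CSC tree (d1..d8) for demonstration only."""
    root = os.path.join(base, "WINDOWS", "CSC")
    for i in range(1, 9):
        os.makedirs(os.path.join(root, f"d{i}"), exist_ok=True)

    def put(sub, name, payload):
        with open(os.path.join(root, sub, name), "wb") as fh:
            fh.write(payload)

    put("d1", "80004CCE", b"\xFF\xD8\xFF\xE0" + b"\x00" * 60)                    # JPEG header
    put("d3", "80004CD1", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 56)    # OLE2 header
    put("d1", "00000001", b"\x00" * 16 + "holiday.jpg".encode("utf-16-le")
        + b"\x00" * 16)                                                         # index-like file
    put("d2", "80004CD0", bytes(range(64)))                                     # unrecognised
    return root


def demo():
    """Build the constructed tree in a temp directory, scan it, return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_csc(build_sample_csc(tmp))


if __name__ == "__main__":
    hits, names = demo()
    for rel, label in hits:
        print(f"{rel}: {label}")
    print("candidate original names:", names)
```

Matching on headers rather than extensions is the point: nothing in `d1..d8` carries a `.jpg` or `.doc` suffix, so an extension filter or gallery view finds nothing, while the first bytes of each file still identify it. The UTF-16 pass is a first approximation to recovering the original names; it does not parse the cache's index format.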
Hi Stumpy!
Nice find :-) Makes for interesting reading… I would sure like to know more about your findings.