Hi guys,
(….)
At this point, I'd suggest doing the following
1. Stop any work while logged into the system.
2. Locate a resource where an image can be saved, and use FTK Imager to create a DD image of the system (albeit live).
3. Use available tools to perform Registry analysis, looking for UserAssist subkey entries, the existence of gaming/poker software having been installed, etc.
HTH
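As an added illustration of the UserAssist step above (this is example code, not from the original post or from any tool mentioned in the thread), the parser below decodes UserAssist Count values as they are stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count: the value name is ROT13-obfuscated, and the binary data carries a run count and a last-run FILETIME. It handles the two layouts commonly documented, 16 bytes (XP/2003) and 72 bytes (Vista/7 and later), and filters the decoded paths for keywords such as "poker". The sample values, paths, counts and timestamps are constructed for the example; on a real case you would feed it the name/data pairs read from an extracted NTUSER.DAT hive rather than from the live system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, or None if unset."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the constructed sample below."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist_value(name, data):
    """Decode one value from a UserAssist ...\\Count subkey.

    name: the ROT13-obfuscated value name as stored in the Registry
    data: the raw binary value data
    Returns the decoded path, run count, focus count (Win7 layout only) and last-run time (UTC).
    """
    decoded = codecs.decode(name, "rot_13")
    if len(data) == 16:
        # XP/2003 layout: session id, run count, FILETIME of last run
        _session, raw_count, ft = struct.unpack("<IIQ", data)
        # XP counters start at 5, so the usual interpretation subtracts 5
        run_count = max(raw_count - 5, 0)
        focus_count = None
    elif len(data) == 72:
        # Vista/7+ layout: run count at offset 4, focus count at 8, last-run FILETIME at 60
        run_count = struct.unpack_from("<I", data, 4)[0]
        focus_count = struct.unpack_from("<I", data, 8)[0]
        ft = struct.unpack_from("<Q", data, 60)[0]
    else:
        raise ValueError(f"unexpected UserAssist data length {len(data)} for {decoded!r}")
    return {
        "path": decoded,
        "run_count": run_count,
        "focus_count": focus_count,
        "last_run": filetime_to_datetime(ft),
    }


def search_userassist(values, keywords):
    """Parse every (name, data) pair and keep entries whose decoded path contains any keyword."""
    hits = []
    for name, data in values:
        entry = parse_userassist_value(name, data)
        if any(k.lower() in entry["path"].lower() for k in keywords):
            hits.append(entry)
    return hits


def _win7_value(path, run_count, last_run):
    """Build one 72-byte Win7-style value (ROT13 name, binary data) for the constructed sample."""
    data = bytearray(72)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<I", data, 8, run_count)  # focus count; arbitrary for the sample
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return codecs.encode(path, "rot_13"), bytes(data)


# Constructed sample values: program names, paths and times are invented for this example.
# Real Win7 entries usually prefix the path with a known-folder GUID instead of a drive letter.
SAMPLE_VALUES = [
    _win7_value(r"C:\Program Files\ExamplePoker\ExamplePoker.exe", 42,
                datetime(2012, 3, 15, 10, 30, tzinfo=timezone.utc)),
    _win7_value(r"C:\Users\hasek\Downloads\ExamplePokerSetup.exe", 1,
                datetime(2012, 3, 1, 19, 5, tzinfo=timezone.utc)),
    _win7_value(r"C:\Windows\System32\notepad.exe", 7,
                datetime(2012, 3, 14, 8, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for hit in search_userassist(SAMPLE_VALUES, ["poker"]):
        print(f'{hit["last_run"]}  runs={hit["run_count"]:<3} {hit["path"]}')
```

Note that the installer name ("...Setup.exe") shows up as a UserAssist entry of its own: this is the kind of trace of *use* that survives after an uninstaller has removed the application's own keys, which is why the run count and last-run time are worth reporting alongside the path.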
Interesting; does this mean that even after the user has uninstalled the poker software, I might be able to find registry traces? I always believed that all registry hives related to a program were completely removed upon uninstalling the software (and wiping the free space.)
Yeah, I should have been clearer. I was referring to any web history; if he tried opening any links or history it would change those dates. But I suppose, is it a case of just proving that it was on there and it was being played, or is it showing it was played in work time, etc.?
I don't play poker; does it have installers or is it all online?
I am basically trying to prove that poker was played on this PC - doesn't matter whether it was during working hours or not, as this computer shouldn't have been used for that no matter what.
RE your second question; we are talking about installers in this case.
All things considered though, it does seem that the computer owner has done quite a lot to hide his footprints, don't you guys think? I'm not sure if I would have done this much work just to cover up my tracks after playing poker. Makes me think if there is something else he might be hiding there.
Mark
I might have found something actually.
Seems that there is a mention of a specific poker room in one of the registry entries. Would someone knowledgeable please tell me what exactly the following key contains?
HKCR\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
I'm assuming "MRU" is Most Recently Used, but what exactly does this Key contain?
I simply used Regseeker and searched the registry for different words related to online poker rooms, and I'm beginning to find something.
I'm assuming "MRU" is Most Recently Used, but what exactly does this Key contain?
Here is a detailed (though not "FULL") explanation
http//
jaclaz
Perfect, thank you!
Interesting; does this mean that even after the user has uninstalled the poker software, I might be able to find registry traces? I always believed that all registry hives related to a program were completely removed upon uninstalling the software (and wiping the free space.)
You're right…some uninstallers do delete entire Registry keys; however, these may be able to be recovered, depending upon how the deletion was performed.
Also, there are traces not of the application, but the *use* of the application by the user that persist, even if the application uninstaller was run.
I am basically trying to prove that poker was played on this PC - doesn't matter whether it was during working hours or not, as this computer shouldn't have been used for that no matter what.
Sure, understood.
RE your second question; we are talking about installers in this case.
Installers are, many times, files like "setup.exe" or .msi files; there are some places that you can look within the Registry to find indications of these.
All things considered though, it does seem that the computer owner has done quite a lot to hide his footprints, don't you guys think? I'm not sure if I would have done this much work just to cover up my tracks after playing poker. Makes me think if there is something else he might be hiding there.
Some, yes, but in many instances, the "hiding his footprints" isn't complete.
(…)
Also, there are traces not of the application, but the *use* of the application by the user that persist, even if the application uninstaller was run.
Could you please give me an example of where I might find this?
(….)
Installers are, many times, files like "setup.exe" or .msi files; there are some places that you can look within the Registry to find indications of these.
An example here would be very helpful as well!
Some, yes, but in many instances, the "hiding his footprints" isn't complete.
Could you give me an example? Seems like I'm missing something from the big picture )
hasek,
You said that you're not an experienced analyst, and that you're accessing the system by booting and logging into it. I could provide you some of what you're asking for, but that would require some considerable background…I just wanted to answer the specific questions that you asked.
For example, I'd suggest you use RegRipper, because it comes with the necessary plugins to extract the data I've mentioned, but that works on Registry hives extracted from the system, and not on a live system.
Keydet,
I guess that's fair. Thanks a lot )
hasek747,
I agree with 4Rensics
Working on the suspect computer will destroy any evidence you might find. For each piece of evidence, you might be challenged on how you obtained it.
Using FTK Imager to create a forensic copy would be a good start.
As for Chrome, did you try Chrome Analysis ?
http//
Also, if you create a DD image of the Hard drive, you can try CAINE
http//
You can try to parse the DD image to find any image, especially in the unallocated sectors of the disk.
Even with anti-forensic software, I'm sure you can find traces of evidence