Hi Folks - Anyone ever had a case involving finding evidence of a CD-R being burned? I know that burning apps create a temporary .iso or other image file when copying CDs, but not sure about creating a data CD. Any tips?
TIA.
A
What OS and version are you dealing with?
I worked a case a while back quite similar to this.
Can't remember offhand the burning software, but I could find no evidence on the local PC such as log files.
However, what I did find was evidence in Streams MRU of the user navigating his way through a CD that had an identical structure to the data we suspected was stolen, on the day the individual tendered their resignation.
Nero Burning is a popular CD-R recorder. Following burning data, a message appears do you want to save image and auto-attributes a file name ISO…this produces a file extention "Nero CD-ROM (ISO)" for Data CD.
The folder for Nero can be found in Program Files and is titled "ahead"
trewmte,
Can you comment on what can be done to show that Nero was used to burn a CD, and when?
Thanks,
Harlan
I have previously had luck linking back a CD to a computer that was burnt using Nero. Nero seems to burn some information early on in the disc that has data about the burn. In our case we found the string "C\documents and settings\USERNAME\…."
This may also be worthwhile looking at.
trewmte,
Can you comment on what can be done to show that Nero was used to burn a CD, and when?
Thanks,
Harlan
keydet89 you have had some good replies above from others about Nero. You could also look into
NeroHistory
Nero.lgc
System.Dat
User.Dat
Also check the previous days system back up for example C\WINDOWS\SYSBCKUP