Last night I had a question. I copied a file onto a HD that has Windows 98; I copied this file using another HD that works with Windows XP. Then I removed the hard disk with Windows XP, started with the Windows 98 hard disk, and I see the copied file. If I analyze only the hard disk with Windows 98, can I understand how the file was created? Sorry if I do not write correctly, but I'm Italian. Thank you all.
Let me explain: when doing a forensic analysis, can it be understood that the file was created with another hard drive?
Hi tex,
Just so I know I have this correct: you made a copy of a file in Windows XP and placed the copied file in Windows 98.
You are now analysing only the Windows 98 box? Is this correct?
Windows does not keep a log of where files are moved to or from.
The path in the metadata will display the new location.
Only if you have both machines then you can compare the 'last accessed' timestamp.
Moving on to NTFS file systems
There are circumstances where you can use the Object ID sometimes found in the MFT entry and also in some link files to show the MAC address of the source computer and the MAC address of the destination. I wrote LinkAlyzer specifically to allow the user to look at large numbers of link files for precisely this reason.
There is a short article here http//
Moving on to NTFS file systems
NTFS on Win98?
Possible, but not probable.
jaclaz
Err - that's why I started with "moving on…."
It's sort of a feature of forums on the internet, known as thread creep, and it's one of the features that I find most interesting and probably teaches more than a straight answer to the original post.
What kind of file are we talking about and what exactly are you trying to prove?
How was the Win98 drive connected to the WinXP OS when the file was copied?
Are we talking about one physical disk with two operating systems?
Is the WinXP disk NTFS?
Without this info it is hard to answer your question but you are sure to find LNK files on both copies of the file.
I also think that the copy of the file may have inherited its last written attribute from the original file.
Therefore the file created and last written attributes of the original may make sense (particularly if it was a download and took time to fully complete) but the same attributes of the copy may clearly indicate that it was copied over as the created time may be after the last written time (inherited in the copy process).
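The check described in the post above (a copy whose created time is later than the last written time it inherited), as an added example that is not part of the original thread. It reads 32-byte FAT short-name directory entries, as found on the Windows 98 FAT32 disk; the function names and the sample directory bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta

ENTRY = struct.Struct("<11sBBB7HI")  # 32-byte FAT short-name directory entry

def fat_dt(date, time, tenths=0):
    """Decode FAT date/time words; FAT stores local time with no timezone."""
    base = datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    return base + timedelta(milliseconds=10 * tenths)

def likely_copies(directory, slack=timedelta(seconds=2)):
    """Return (name, created, written) for entries created after last write."""
    hits = []
    for off in range(0, len(directory) - 31, 32):
        raw = directory[off:off + 32]
        if raw[0] == 0x00:              # end-of-directory marker
            break
        (name, attr, _, tenths, ctime, cdate, _, _,
         wtime, wdate, _, _) = ENTRY.unpack(raw)
        # Bit 0x08 marks volume labels and is also set in long-name (0x0F) parts.
        if attr & 0x08 or cdate == 0 or wdate == 0:
            continue
        created, written = fat_dt(cdate, ctime, tenths), fat_dt(wdate, wtime)
        if created - written > slack:   # write time only has 2-second resolution
            short = name[:8].decode("ascii", "replace").rstrip()
            ext = name[8:].decode("ascii", "replace").rstrip()
            hits.append((f"{short}.{ext}" if ext else short, created, written))
    return hits

def _entry(name, created, written):
    """Build a constructed sample entry (not data from the thread)."""
    d = lambda t: ((t.year - 1980) << 9) | (t.month << 5) | t.day
    tm = lambda t: (t.hour << 11) | (t.minute << 5) | (t.second // 2)
    return ENTRY.pack(name, 0x20, 0, 0, tm(created), d(created), d(created),
                      0, tm(written), d(written), 0, 1024)

# Constructed directory: one file written in place, one copied over later.
SAMPLE = (_entry(b"NOTES   TXT", datetime(2005, 3, 1, 10, 0), datetime(2005, 3, 1, 10, 5))
          + _entry(b"REPORT  DOC", datetime(2005, 6, 10, 18, 30), datetime(2005, 3, 1, 10, 5))
          + bytes(32))

if __name__ == "__main__":
    for name, created, written in likely_copies(SAMPLE):
        print(f"{name}: created {created} is after last written {written}")
```

A hit is consistent with the file having been copied onto the volume; it does not by itself identify the source disk.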
Using XP with NTFS, I copied a file to another hard drive connected as slave; this second hard drive has Windows 98 on FAT32 installed. Restarting the computer with only the Windows 98 disk, and without the XP disk, can a forensic investigation clarify where you copied this file?
Tex, sorry, but it's really hard to understand what you are asking for. You can send me a PM in Italian if you want and I'll try to answer your question.
Btw, you can start by reading some information about the filesystems you are trying to analyze, to check which metadata and information are stored about a file copied to/from them.