Hey all,
I tried searching for my question but couldn't find an answer, so hopefully you all can help. I'm new to the forensics game so please be gentle with me. lol
I have an image of the suspect's PC and have had no problem searching for files and such with EnCase 5.04a. I also have a CD with AVSEQ.DAT files that belong to the suspect. We have viewed the contents of the CD with no problem, and used Media Player to watch the video. What I need to find out is whether the suspect has viewed this CD on the PC. Where or how do I find this out? I have searched the Media Player files but can't seem to find a log. Would there be a log that tells me what was viewed?
Thanks for your help
Rong
Rong,
Reading your post, I have to ask…are you trying to determine if the user viewed the CD (such as with Windows Explorer), or are you trying to determine if the user viewed/accessed files on the CD?
You seem to be most interested in the Media Player…it turns out, like many applications, this one does have an MRU list. Check out my Registry reference spreadsheet at
http//
I'd also look in the UserAssist key, and if the system you're looking at is XP, maybe even the Prefetch directory.
Hope that helps,
Harlan
Harlan,
Thanks for replying. I am trying to determine if the user accessed the files on the CD. We mainly want to know if this person watched the video that was on the CD, using either Media Player or any other means possible.
I'm going to give your registry spreadsheet a look right now…thanks.
Rong
Hi Rong,
If the user double-clicked the file in Explorer to open it, then an entry for this file would be added to the index.dat file for that day. This could then be found very quickly using a tool such as NetAnalysis. To double-click a .dat file and have it open in Media Player would require the user to have set a file association, though; if it were set, you could also find this in the registry.
Sorry if I'm teaching you to suck eggs (as we say in England).
Steve
There may also be a .lnk file in the user's "Recent" folder (if it's a Windows XP box) relating to the file. Try having a look there.
Andy
Steve862,
You said, "If the user double-clicked the file in Explorer to open it, then an entry for this file would be added to the index.dat file for that day." Where would this index.dat file be located?
Now that we have a better idea of what Rong is looking for, I'd suggest the following:
1. If the system is XP, check the Prefetch directory for any .pf files that have a name that begins with "WMPlayer.exe" (if the viewer was Windows Media Player), or "RealPlay.exe" (if the viewer was Real Player), or anything that points to a video viewer.
You can then use information from within the file to determine how many times the app was launched, as well as the last time it was launched. This pertains only to XP, as only XP has application prefetching by default.
2. Translate the contents of the UserAssist\{GUID}\Count keys for the user (found in the NTUSER.DAT file). The value names are ROT-13 "encrypted"…decrypt these, and if the 16 bytes of data are not 0, then you will have the run count in the second DWORD, and the last two DWORDs comprise the last run date.
3. Check out the Registry reference spreadsheet, and look at the Recent keys, as well as the OpenSaveMRU key.
4. Depending upon the application used, look to see if it maintains an MRU list of its own…Windows Media Player does. The ordering of the entries will tell you which one was the last one added, and then you can use the LastWrite time associated with the Registry key to add to your timeline info.
Hope that helps. If you have any questions, I'd be happy to help…
Harlan
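The UserAssist decoding in point 2 above, worked through as an added example (not code from any poster in this thread): the value name is ROT-13 decoded, and the 16 bytes of data are split into four little-endian DWORDs, with the run count in the second and the last two forming a FILETIME for the last run. The sample value names and data bytes are constructed for the example; the key path and field layout are as described in the post.

```python
"""Decode Windows XP UserAssist\\{GUID}\\Count values.

Each value has a ROT-13 "encrypted" name and 16 bytes of data laid out as
    DWORD session, DWORD run count, FILETIME last run (low DWORD, high DWORD).
An all-zero data blob means the entry carries no run information.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(rot13_name: str) -> str:
    """Reverse the ROT-13 obfuscation applied to UserAssist value names."""
    return codecs.decode(rot13_name, "rot_13")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_count_value(rot13_name: str, data: bytes) -> dict:
    """Split the 16-byte data into session, run count and last-run time."""
    if len(data) != 16:
        raise ValueError("UserAssist Count data should be 16 bytes, got %d" % len(data))
    session, run_count, ft_lo, ft_hi = struct.unpack("<IIII", data)
    filetime = (ft_hi << 32) | ft_lo
    # On XP the stored counter is commonly observed to start at 5, so many
    # tools subtract 5; the raw DWORD is reported here so nothing is hidden.
    return {
        "name": decode_name(rot13_name),
        "session": session,
        "run_count": run_count,
        "last_run": filetime_to_datetime(filetime) if filetime else None,
    }


def summarize(values: dict) -> list:
    """Decode every value, skipping entries whose 16 bytes are all zero."""
    rows = []
    for rot13_name, data in values.items():
        if data == b"\x00" * 16:
            continue  # nothing to learn from an all-zero entry
        rows.append(parse_count_value(rot13_name, data))
    return rows


# Constructed sample: one populated entry for wmplayer.exe and one zero entry.
SAMPLE_VALUES = {
    r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Jvaqbjf Zrqvn Cynlre\jzcynlre.rkr":
        struct.pack("<II", 1, 7)
        + struct.pack("<Q", datetime_to_filetime(
            datetime(2007, 3, 15, 10, 30, tzinfo=timezone.utc))),
    r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Ernycynlre.rkr": b"\x00" * 16,
}

if __name__ == "__main__":
    for row in summarize(SAMPLE_VALUES):
        print(row["name"], "ran", row["run_count"], "times, last on", row["last_run"])
```

To use this against a real case, export the Count values from the user's NTUSER.DAT with your registry tool of choice and feed each name/data pair to parse_count_value; the decoded path tells you which program ran (wmplayer.exe, realplay.exe, and so on), and the FILETIME gives you the UTC time of the last run for your timeline.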
Keydet89, your explanation has been very instructive. However, I don't really understand the second point (the one about the GUIDs). What can you use these IDs for? I have used the value of .lnk files before, but I hadn't heard about .pf files, GUIDs and such yet. Thanks!