Hi all,
If we suspect the target used to download picture, in which location or folders do we look into?
Beside the standard like temp internet folder, anymore suggestion?
What about if he got it from chat? Which folder do we look into?
Do you have any info on the program(s) involved? Each chat, P2P, News program has a default folder which is often a good place to look.
No specific application used.
We are trying to cover all bases and want to know all possible default folders where pictures might exist.
Many applications enable you to set the download folder to anywhere on the computer. Trying to create a definitive list is not too helpful. Why not search for all picture files? If you are worried about finding too many smaller images from web page 'parts' then filter out very small ones. Obviously, if you have dates you can also filter out picture files either side.

Start on the user's home directory (including directories usually hidden from the file browser like explorer or finder) and expand from there.
Do you suspect that he/she may have downloaded a particular image? If so, and you have a copy of the image in question (like from a website or a network server or from your victim), run a hash-match from the known image against the hard drive (assuming no alterations were made to the image on the suspect's computer).
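The two suggestions above (sweep the whole tree for picture files, filtered by size and date, and hash-match against a known image) can be combined into one pass. The script below is an added example written for this thread, not code posted by either respondent. It identifies pictures by their leading bytes rather than by extension, so a renamed file is still found, walks hidden directories, drops files under a size threshold, applies an optional modification-time window, and flags any file whose SHA-256 is in a supplied set. The sample tree it builds in a temporary directory (the file names, the 2000/2010 date cut-off and the known hash) is constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Leading-byte signatures for common picture formats (content, not extension)
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}

def image_type(head):
    """Return the format name matching the first bytes of a file, or None."""
    for kind, sigs in IMAGE_SIGNATURES.items():
        if any(head.startswith(s) for s in sigs):
            return kind
    return None

def sha256_file(path):
    """Stream a file through SHA-256 so large pictures do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_images(root, min_bytes=10_000, not_before=None, not_after=None, known_hashes=()):
    """Walk root (dot-directories included), keep files whose content is a picture,
    drop tiny ones (web page 'parts'), keep only those inside the mtime window
    (epoch seconds), and mark any whose hash is in known_hashes."""
    known = {h.lower() for h in known_hashes}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                st = p.stat()
                with open(p, "rb") as f:
                    head = f.read(16)
            except OSError:
                continue  # unreadable entries are skipped, not fatal
            kind = image_type(head)
            if kind is None or st.st_size < min_bytes:
                continue
            if not_before is not None and st.st_mtime < not_before:
                continue
            if not_after is not None and st.st_mtime > not_after:
                continue
            digest = sha256_file(p)
            hits.append({"path": str(p), "type": kind, "size": st.st_size,
                         "mtime": st.st_mtime, "sha256": digest,
                         "known_match": digest in known})
    return sorted(hits, key=lambda h: h["path"])

def build_sample_tree(base):
    """Constructed sample tree: one jpeg, one png hidden under a dot-directory
    with a misleading extension, one tiny gif, one text file, and one old jpeg."""
    base = Path(base)
    (base / ".cache").mkdir()
    (base / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"A" * 20_000)
    (base / ".cache" / "data.bin").write_bytes(b"\x89PNG\r\n\x1a\n" + b"B" * 15_000)
    (base / "icon.gif").write_bytes(b"GIF89a" + b"C" * 200)
    (base / "notes.txt").write_bytes(b"nothing to see" * 1_000)
    old = base / "old.jpg"
    old.write_bytes(b"\xff\xd8\xff\xe1" + b"D" * 20_000)
    jan_2000 = 946_684_800  # constructed timestamp to exercise the date filter
    os.utime(old, (jan_2000, jan_2000))
    return base / "holiday.jpg"  # the picture we pretend to have a known copy of

def run_demo():
    """Build the sample tree, hash the 'known' picture, and sweep the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        known_file = build_sample_tree(tmp)
        known = {sha256_file(known_file)}
        jan_2010 = 1_262_304_000
        return find_images(tmp, min_bytes=1_000, not_before=jan_2010, known_hashes=known)

if __name__ == "__main__":
    for hit in run_demo():
        print(hit["type"], hit["size"], "KNOWN" if hit["known_match"] else "", hit["path"])
```

Run against a mounted image with `find_images("/mnt/evidence/home", known_hashes={...})`; hashes compare only if the file is byte-identical, which is why the content-sniffing sweep is kept alongside the match rather than replacing it.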
If you know the type of file that was downloaded (e.g. bmp, jpg, gif) then you could take an image of the drive and carve the files out by using the headers. This may bring back quite a few images, however it would allow you to more accurately find all images. Other ways would allow for the user to possibly change the extension to make the image "undetectable."
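Header-based carving, as described above, is a scan of raw bytes for format signatures rather than a walk of the file system, so it recovers pictures whose names, extensions or directory entries are gone. The following is an added example for this thread, not the poster's own tool: it looks for JPEG, PNG and GIF headers in a byte buffer (a disk image opened with mmap works the same way), cuts each one out up to its footer, and skips headers with no footer within a size limit. The footer markers are heuristics (the GIF one in particular is a block terminator followed by the trailer byte), and the sample buffer is constructed for the demonstration.

```python
import mmap
from pathlib import Path

# Header and footer markers used for carving; footers are heuristic, not parsers
CARVERS = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),                    # SOI ... EOI
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),         # signature ... IEND chunk+CRC
    "gif": (b"GIF8", b"\x00\x3b"),                            # GIF87a/89a ... terminator+trailer
}

def carve_images(blob, max_len=50 * 1024 * 1024):
    """Return (kind, offset, data) for every header/footer pair found in blob,
    ordered by offset. blob may be bytes or an mmap object."""
    found = []
    for kind, (header, footer) in CARVERS.items():
        start = 0
        while True:
            s = blob.find(header, start)
            if s == -1:
                break
            e = blob.find(footer, s + len(header))
            if e == -1 or e - s > max_len:
                start = s + 1  # truncated or oversized: skip this header only
                continue
            end = e + len(footer)
            found.append((kind, s, bytes(blob[s:end])))
            start = end
    found.sort(key=lambda t: t[1])
    return found

def carve_disk_image(image_path, out_dir):
    """Carve a raw disk image from disk via mmap and write each hit to out_dir."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    with open(image_path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for kind, offset, data in carve_images(mm):
            target = out / f"carved_{offset:012d}.{kind}"
            target.write_bytes(data)
            written.append(str(target))
    return written

# Constructed sample buffer: filler, a fake JPEG, filler, a fake PNG, filler,
# and a JPEG header with no footer (truncated) that must not be carved.
SAMPLE_BLOB = (
    b"\x00" * 100
    + b"\xff\xd8\xff\xe0" + b"J" * 500 + b"\xff\xd9"
    + b"\x00" * 50
    + b"\x89PNG\r\n\x1a\n" + b"P" * 300 + b"IEND\xaeB`\x82"
    + b"\x00" * 30
    + b"\xff\xd8\xff" + b"T" * 20
)

if __name__ == "__main__":
    for kind, offset, data in carve_images(SAMPLE_BLOB):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

On a real evidence image the hit count will be large (thumbnails, browser cache, embedded icons), so pair the carved set with the size and date filters from the sweep rather than reviewing every hit by hand.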
You may start by looking through the computer to try and find details of applications that may allow a user to download images and then work out from there.
You can't however rely on the default locations.
We recently had a peer-to-peer application with a shared folder on the root of C called Syst3m32. Bit stupid of him when you think about it, as it sticks out like a sore thumb, but it is a good example of the sort of thing to look for.