I won't go into great detail, but the reason I asked is that I have run into a lot of investigators who do searches for the most common of a particular product, i.e. (defrag) Diskeeper, PerfectDisk, O&O, etc., and if they don't see those names then they move on.
The time isn't invested into logs, rp, reg, or lesser known names to see if those are present.
I've been in a conference room where someone exported an S key and did a quick look and then told counsel, nope that software was never installed.
And the operating system is…? Windows Vista and 7 for example defrag by default on a regular basis. Extract the event logs and analyse 'em for the answer. Google will help with Event IDs, etc.
Have you investigated the various Windows artifacts of the scheduled tasks?
I am still new, but did you check prefetch? Whether defrag was run by the user or as part of the prefetch process, those exes should be listed.
It should be listed in the registry as well, I would imagine.
Yes, the areas that everyone has mentioned have been looked into, and screenshots were taken for visual reference for counsel on both sides. The OS is Windows XP SP 2003.
What specific scheduled task items & artifacts did you look for?
Mr. Brush, due to the litigation sealed order, I can't really say what specific programs, items or artifacts I'm searching for. I don't know why this is the way it is, it makes research and using comparable statements almost impossible to find or use. In a generalized area, what are your recommendations?
Ahhh. Gotcha. Have a few of those going myself 😉
Task Scheduler log: %SYSTEMDRIVE%\WINDOWS\SchedLgU.txt
Task Scheduler: %SYSTEMDRIVE%\WINDOWS\Tasks
Task item extension: *.job
UA Reg Keys
Now that I remember, SANS had some good info as well:
http://blogs.sans.org/computer-forensics/2009/08/05/de-mystifying-defrag-identifying-when-defrag-has-been-used-for-anti-forensics-part-1-windows-xp/
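As an added example (not from anyone in this thread), a small Python parser for the XP SchedLgU.txt listed above, which pairs each job's Started/Finished/Result lines into run records so an examiner can pull out every scheduled run of a given executable (defrag.exe here) with its timestamps and exit code. The layout assumed (a quoted job name with the exe in parentheses, then tab-indented detail lines, oldest first, with a "Most recent entry" marker) is the XP log format as I know it; the sample log is constructed, not taken from a real system.

```python
import re
from datetime import datetime

# Constructed sample in the layout of XP's SchedLgU.txt (assumed format, not real data).
SAMPLE_LOG = '''"Task Scheduler Service"
\tStarted at 1/10/2009 8:02:11 AM
"AT1.job" (defrag.exe)
\tStarted 1/12/2009 3:00:00 AM
"AT1.job" (defrag.exe)
\tFinished 1/12/2009 3:14:27 AM
\tResult: The task completed with an exit code of (0).
"Backup.job" (ntbackup.exe)
\tStarted 1/13/2009 1:00:00 AM
"Backup.job" (ntbackup.exe)
\tFinished 1/13/2009 1:30:05 AM
\tResult: The task completed with an exit code of (0).
[ ***** Most recent entry is above this line ***** ]
'''

HEADER = re.compile(r'^"(?P<job>[^"]+)"(?: \((?P<exe>[^)]+)\))?\s*$')
EVENT = re.compile(r'^\t(?P<kind>Started|Finished)(?: at)? (?P<ts>.+?)\s*$')
RESULT = re.compile(r'^\tResult: .*exit code of \((?P<code>-?\d+)\)')

def parse_schedlgu(text):
    """Return run records {job, exe, started, finished, exit_code} in log order."""
    runs, current, open_runs = [], None, {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                                   # header names the job the next lines belong to
            current = (m.group('job'), m.group('exe'))
            continue
        m = EVENT.match(line)
        if m and current:
            ts = datetime.strptime(m.group('ts'), '%m/%d/%Y %I:%M:%S %p')
            job, exe = current
            if m.group('kind') == 'Started':    # a Started line opens a new run for this job
                rec = {'job': job, 'exe': exe, 'started': ts, 'finished': None, 'exit_code': None}
                runs.append(rec)
                open_runs[job] = rec
            elif job in open_runs:              # Finished closes the most recent open run
                open_runs[job]['finished'] = ts
            continue
        m = RESULT.match(line)
        if m and current and current[0] in open_runs:
            open_runs.pop(current[0])['exit_code'] = int(m.group('code'))
    return runs

def runs_of(text, exe_name):
    """Runs whose executable matches exe_name, case-insensitively (e.g. 'defrag.exe')."""
    return [r for r in parse_schedlgu(text) if (r['exe'] or '').lower() == exe_name.lower()]

def load_schedlgu(path):
    """Read a SchedLgU.txt from disk; XP writes it as UTF-16 with a BOM."""
    with open(path, 'rb') as f:
        raw = f.read()
    return raw.decode('utf-16') if raw[:2] in (b'\xff\xfe', b'\xfe\xff') else raw.decode('latin-1')
```

A run that has a Started line but no Finished or Result line stays open (finished and exit_code are None), which is itself worth noting since the log is circular and the oldest entries get overwritten.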
Cool!! Thanks, excellent link clarifying the position. Good to see that the article also says at the end that we can't say why something was done, only that it WAS done.
Remember also that even the evidence we could gather using the advice in this article still doesn't prove that a particular person carried out the action, only that someone logged on as that user did. Corroboration is still required, e.g. building security, witness statements, etc.