Hello all,
A quick question related to a case I am currently investigating… I am using EnCase 6 and looking for specific messages on a disk to substantiate a fraud allegation.
I ran a keyword search and found numerous hits, but only in the unallocated sectors of the disk / paginated memory and hiberfil.sys. Strictly no relevant hit elsewhere. Additionally there is no profile (current or deleted) for the suspect in Windows, despite the fact the computer was undoubtedly assigned to her.
I have enough evidence in Windows artefacts to secure the case but I am trying to find a potential explanation for such a situation. Any suggestion would be helpful…
Bernard
I have no direct answer, but maybe you'll find this discussion helpful: http://www.forensicfocus.com/Forums/viewtopic/t=9975/
….I am trying to find a potential explanation for such a situation. Any suggestion would be helpful…
Unfortunately, there really isn't enough context available.
I ran a keyword search and found numerous hits, but only in the unallocated sectors of the disk / paginated memory and hiberfil.sys.
Okay, nothing particularly odd about that. Is there some context that you can share? What did you search on? What was the context of the hits you found? I believe this is what's really useful about keyword searching with EnCase…the Preview gives you some context of the hit.
Since you found a hit in the hibernation file, what did you find when you parsed the file with Volatility?
Strictly no relevant hit elsewhere.
Again, I got nothin' for you…without knowing more about the search term, there's no way to say, "okay, that's weird", or "that's legit". No context.
Additionally there is no profile (current or deleted) for the suspect in Windows, despite the fact the computer was undoubtedly assigned to her.
Again, no context. Were there any profiles on the system? Could she have used one of them? Did you search for any deleted profiles? Did you search for deleted keys in the Software hive and in the SAM hive?
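The reply above stresses that a keyword hit is only meaningful with its surrounding context, and that hits living in pagefile/hiberfil are often memory-backed UTF-16 text rather than ASCII. The following is an added example, not code from the thread or from EnCase: a small searcher that looks for a keyword in both ASCII and UTF-16LE over a raw image buffer and returns each hit with its byte offset, encoding and a preview window. The sample image bytes are constructed here for illustration.

```python
import re
from typing import Dict, List

# Constructed sample "image" fragment: an ASCII copy of a message, then
# a UTF-16LE copy of the kind that pagefile/hiberfil often hold, with
# filler bytes around them.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"From: alice@example.test Subject: wire transfer approval"
    + b"\xff" * 16
    + "Re: wire transfer approval - please sign".encode("utf-16-le")
    + b"\x00" * 32
)


def _printable(text: str) -> str:
    """Replace non-printable characters so the preview is readable."""
    return "".join(ch if ch.isprintable() else "." for ch in text)


def keyword_hits(image: bytes, keyword: str, context: int = 24,
                 ignore_case: bool = False) -> List[Dict]:
    """Find keyword in ASCII and UTF-16LE; return offset, encoding, preview.

    The preview window is aligned to the encoding's code-unit size so the
    UTF-16 decode does not start on the wrong byte. 'context' is measured
    in characters on each side of the hit.
    """
    flags = re.IGNORECASE if ignore_case else 0
    hits = []
    for encoding, width in (("ascii", 1), ("utf-16-le", 2)):
        needle = re.escape(keyword.encode(encoding))
        for m in re.finditer(needle, image, flags):
            before = min(m.start(), context * width)
            after = min(len(image) - m.end(), context * width)
            start = m.start() - (before - before % width)
            end = m.end() + (after - after % width)
            preview = image[start:end].decode(encoding, errors="replace")
            hits.append({"offset": m.start(), "encoding": encoding,
                         "preview": _printable(preview)})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in keyword_hits(SAMPLE_IMAGE, "wire transfer"):
        print(f"{hit['offset']:#010x} {hit['encoding']:10} {hit['preview']}")
```

On a real image you would read the unallocated clusters or hiberfil.sys into the buffer (or stream it in chunks) and then judge each preview the same way the EnCase preview pane is used.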
check to see if it's a fresh windows install.
Have had cases where users use the system recovery CD for the computer to overwrite the operating system.