How are r2h**.tmp files created?

General (Technical, Procedural, Software, Hardware etc.)

Last Post by Jesterladd 16 years ago

1 Posts

1 Users

0 Reactions

715 Views

RSS

Jesterladd

(@jesterladd)

Trusted Member

Joined: 20 years ago

Posts: 28

Topic starter 17/08/2009 7:04 pm

I am looking at a case and some evidence is located on a machine running WIN2K Pro. The evidence is contained in a temp file at c\Documents and settings\<UserName>\Local Settings\Temp. The name of the file is r2h**.tmp but has an RTF file header. There are a number of files, where the ** represents a hex number, in this folder.

Other tmp files with a name format of ~DF<hex number>.tmp are also in this folder. These are created when an htm\html file is opened by the user.

Testing I have done so far cannot replicate the creation of the RTF tmp files. Does anyone know how these files are created?

Thanks

JesterLadd

Quote

Podcast: Well-Being In Digital Forensics And Policing: Insights From Hannah Bailey

Hannah Bailey shares her journey from frontline policin...

By Zoe , 3 days ago
RE: Android Forensics

Hi, Try decompressing the file using zlib in python. ...

By Dexter4n6 , 4 days ago
Interview: Neal Ysart, Co-Founder, The Coalition of Cyber Investigators

Neal Ysart shares how The Coalition of Cyber Investigat...

By Zoe , 4 days ago

8 Forums
15.7 K Topics
92.3 K Posts
9 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed