Is there a correlation between plugging in a flash drive or external hard drive to a computer and having the $I30 file show up within a minute or two after the device was plugged in? Trying to understand if the files were written to the external device or were they present on the external device and being read from there? There is a large file listing within the $I30 file that contains files that are crucial to the case, but are not present anywhere on the computer. CCleaner was also present on this computer.
Thoughts?
> …having the $I30 file show up…
I guess the first thing I'd ask is, show up where? The $I30 file is most often a folder index file.
What's the OS and file system of the system being examined? I'm assuming Windows based on what you've said, but that doesn't address the version.
When you say "…show up within a minute or two after the device was plugged in", how did you determine this? Did you create a timeline?
Hello keydet89,
OS is Windows 7. I am using FTK 3.4 and looked at the timeline for when that file was accessed. It was accessed within a few minutes of when the device was plugged into the computer via USB. I did a USB history using an EnScript in EnCase to determine when devices were plugged in to find that date and time.
A folder was also accessed at the same time and listed right before the $I30 was. The folder contained a lot of what I see in the file names in the $I30, but not all.
Hope this information helps a little more.
> OS is Windows 7. I am using FTK 3.4 and looked at the timeline for when that file was accessed. It was accessed within a few minutes of when the device was plugged into the computer via USB.
Interesting…by default, on Windows versions starting with Vista, last access times on files are not updated via normal user activity, such as opening or accessing that file.
> I did a USB history using an EnScript in EnCase to determine when devices were plugged in to find that date and time.
> A folder was also accessed at the same time and listed right before the $I30 was. The folder contained a lot of what I see in the file names in the $I30, but not all.
> Hope this information helps a little more.
Well, it's still a mystery as to the path of the folder where the $I30 file is located…sorry, I'd like to help you more, but there's just not enough information available.