Images opened from an Android device

I have been doing some basic testing on attaching an Android phone (Samsung Galaxy S7) to a Windows 7 machine via USB cable, navigating to the camera directory on the phone and opening a few images (jpg), to help educate myself on where in Windows artefacts there is evidence of that activity occurring. I reviewed thumbcache db, the explorer directory, lnk files, jump lists and also ran RegRipper over ntuser.dat (what I thought would be the obvious areas) and I can't see evidence of the files being opened anywhere. The lnk shortcuts did show that I opened the camera directory but not the image files I opened. Any idea why this could be or any other artefacts that I could check? System hive analysis and certain evtx logs show the USB entry fine; it's just puzzling why the system seems to have missed evidence that I opened numerous jpegs from the camera directory. I have set an image of the hard drive running and will run a keyword search of the filenames (images I opened) to see where else may capture evidence they were opened.

I did notice only one file in the thumbcache directory had a modified date of a similar time, but the free utility I found for viewing them claims it's not a valid file. Similar tests of a standard USB storage device do list the file names in the usual places, but for some reason those opened on an Android phone are not as clumsy in leaving traces behind.

Posted : 11/10/2018 8:42 pm
I did get a hit in webcachev01.dat and usrclass.dat

Posted : 12/10/2018 11:12 am