.lnk files in unallocated

11 Posts
10 Users
(@research1)
Estimable Member
Joined: 17 years ago
Posts: 165
Topic starter  

Hi, I'm hoping for some wisdom.

I have a scenario whereby .lnk files (movies/images) exist in unallocated areas of the disk.

Can I say with no doubt that these files/movies, due to the creation of a .lnk file, whether they are unallocated or not, that they have been at least accessed, by a user?

Or, are there other scenarios whereby the system creates a .lnk file without a user accessing those files?

Any words are welcome!

Regards
L


   
(@emeeuk)
Active Member
Joined: 20 years ago
Posts: 16
 

I wouldn't be happy to say that the user had definitely accessed them without further supporting data.

Can the embedded MAC date/times allow you to draw conclusions, for example is the accessed date after the creation? I believe some testing has been done showing that the MAC dates aren't always correctly updated but it would be a starter!

Just another thought, did you recover any strings containing file paths of the link files? A link file in a user's /Recent/ is certainly a good indicator. Other supporting data would be MRU entries from deleted or live registry keys.


   
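To make the two suggestions above concrete (reading the MAC date/times embedded in a link file, and recovering the path strings it carries), here is an added example; it is not code from this thread or from any tool mentioned in it. It parses the fixed ShellLinkHeader and the StringData section of a .lnk file as laid out in Microsoft's public MS-SHLLINK specification, skipping the optional LinkTargetIDList and LinkInfo structures by their size prefixes, and refuses truncated input, which matters for fragments carved from unallocated space. The sample link it parses is built inline and is constructed, not a case artefact. Two caveats when reading the output: the timestamps a link embeds are the target file's creation/access/write times as they stood when the link was written, not the link's own filesystem times; and NTFS last-access updating is commonly disabled by default on Vista and later, so an AccessTime equal to the CreationTime is not by itself evidence that the target was never opened.

```python
"""Parse the fixed ShellLinkHeader and StringData of a Windows .lnk file
(MS-SHLLINK layout) and pull out the timestamps and paths a link carries.
Added example for this thread; the sample link below is constructed here."""
import struct
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in on-disk (little-endian GUID) order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (low byte) this parser cares about
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# StringData entries appear in this fixed order, each only if its flag is set
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location"))
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100-ns ticks since 1601-01-01 UTC. Zero means 'not recorded'."""
    return None if ft == 0 else _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above; used only to build the constructed sample."""
    return ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_lnk(data):
    """Return header fields, the embedded target timestamps and StringData paths."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("shorter than a ShellLinkHeader; carved fragment?")
    header_size, clsid, flags, attrs, ctime, atime, wtime, size = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("HeaderSize/CLSID mismatch: not a shell link")
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) then the ITEMIDLIST
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for bit, key in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {key} string; carved fragment?")
        pos += count * width
        strings[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return {"flags": flags, "file_attributes": attrs, "file_size": size,
            "creation_time": filetime_to_datetime(ctime),
            "access_time": filetime_to_datetime(atime),
            "write_time": filetime_to_datetime(wtime),
            "strings": strings}


def access_after_creation(rec):
    """The check suggested in the thread: is the target's embedded AccessTime later
    than its CreationTime? Returns None when either stamp is missing (zero)."""
    c, a = rec["creation_time"], rec["access_time"]
    return None if c is None or a is None else a > c


def build_sample_lnk():
    """Constructed sample (not a real case artefact): a Unicode link to a video,
    with target timestamps chosen so that access follows creation."""
    ctime = datetime_to_filetime(datetime(2010, 3, 1, 9, 0, tzinfo=timezone.utc))
    atime = datetime_to_filetime(datetime(2010, 3, 5, 18, 30, tzinfo=timezone.utc))
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack("<I16sIIQQQI", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, ctime, atime, ctime, 734003200)  # 0x20 = FILE_ATTRIBUTE_ARCHIVE
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1/2/3
    header += struct.pack("<IIHHII", 0, 1, 0, 0, 0, 0)
    body = b""
    for s in ("..\\..\\Videos\\holiday.avi", "D:\\Videos"):   # RELATIVE_PATH, WORKING_DIR
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    rec = parse_lnk(build_sample_lnk())
    for key in ("creation_time", "access_time", "write_time"):
        print(f"{key:14} {rec[key]}")
    print("paths:", rec["strings"])
    print("access after creation:", access_after_creation(rec))
```

On a carved fragment the header is often intact while the string section is cut off; the parser raises rather than returning a half-decoded path, so the timestamps can still be taken from the header separately if needed.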
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> Can I say with no doubt that these files/movies, due to the creation of a .lnk file, whether they are unallocated or not, that they have been at least accessed, by a user?

As the files are in unallocated space, you may not be able to uniquely link them to a user account. However, you can corroborate/support what you found with Registry analysis…*if* the user you're interested in accessed the files, then you're likely to find some indication(s) of that in the Registry.

h


   
(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
 

I would caution against saying "without a doubt". I have seen many installation applications put LNK files on a computer pointing to an HTML, PDF, DOC or other type of document.


   
(@gremoui)
Active Member
Joined: 17 years ago
Posts: 6
 

Which software are you using? If EnCase then remember that the standard link file parser from the Case Processor doesn't show all the information that can be extracted from the .lnk files.

As to the user question - I'd check the event logs and establish the logon/logoffs of the given user for the interesting period of time and then connect it with the relevant MAC dates extracted from the .lnk files.


   
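The logon/logoff correlation suggested above, as an added example that is not part of the thread or of any tool it mentions. The logon and logoff records are constructed inline, in the shape one would extract from Security log events (4624/4634 on Vista and later, 528/538 on older systems), and the link timestamps are likewise constructed stand-ins for the target times recovered from parsed .lnk files; the user names, LogonIds and times are all assumptions. Logons are paired with logoffs by LogonId, an unmatched logon becomes an open-ended session (logoff not logged, or lost), and each link timestamp is attributed to whichever users had a session covering it.

```python
"""Attribute timestamps recovered from .lnk files to user logon sessions.
Added example for this thread; all records below are constructed, not real."""
from datetime import datetime, timezone


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed logon/logoff records: (time, kind, user, logon_id)
EVENTS = [
    (utc(2010, 3, 5, 17, 55), "logon", "alice", 0x1A2B),
    (utc(2010, 3, 5, 19, 10), "logoff", "alice", 0x1A2B),
    (utc(2010, 3, 6, 8, 0), "logon", "bob", 0x2C3D),
    (utc(2010, 3, 6, 12, 30), "logoff", "bob", 0x2C3D),
    (utc(2010, 3, 7, 20, 0), "logon", "alice", 0x3E4F),  # no matching logoff
]

# Constructed: link name -> embedded target AccessTime (FILETIMEs are already UTC)
LINK_TIMES = {
    "holiday.avi.lnk": utc(2010, 3, 5, 18, 30),
    "invoice.pdf.lnk": utc(2010, 3, 6, 12, 0),
    "clip.mpg.lnk": utc(2010, 3, 6, 14, 0),
    "party.jpg.lnk": utc(2010, 3, 8, 7, 45),
}


def build_sessions(events):
    """Pair logons with logoffs by LogonId, in time order.
    Returns (user, start, end) tuples; end is None for an unmatched logon."""
    open_by_id, sessions = {}, []
    for t, kind, user, lid in sorted(events, key=lambda e: e[0]):
        if kind == "logon":
            open_by_id[lid] = (user, t)
        elif kind == "logoff" and lid in open_by_id:
            user, start = open_by_id.pop(lid)
            sessions.append((user, start, t))
    for user, start in open_by_id.values():
        sessions.append((user, start, None))
    return sessions


def sessions_at(sessions, ts):
    """Sorted user names with a session covering ts (open-ended sessions count)."""
    return sorted({u for u, s, e in sessions if s <= ts and (e is None or ts <= e)})


def attribute_links(link_times, sessions):
    """Map each link to the users logged on at its embedded target time."""
    return {name: sessions_at(sessions, ts) for name, ts in link_times.items()}


if __name__ == "__main__":
    sessions = build_sessions(EVENTS)
    for user, start, end in sessions:
        print(f"{user:6} {start}  ->  {end or 'open'}")
    for name, users in attribute_links(LINK_TIMES, sessions).items():
        print(f"{name:16} {', '.join(users) or '(no interactive session)'}")
```

Normalise everything to UTC before comparing: FILETIMEs in a link already are, event log times usually need converting from the machine's local zone. A link whose target time falls in nobody's session (clip.mpg.lnk in the sample) is a lead to explain, such as system activity, a clock change or a logoff that was never logged, not a conclusion, and an open-ended session attributes everything after its start, so treat those matches as weaker.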
(@bperk)
Eminent Member
Joined: 16 years ago
Posts: 24
 

> Hi, I'm hoping for some wisdom.
>
> I have a scenario whereby .lnk files (movies/images) exist in unallocated areas of the disk.
>
> Can I say with no doubt that these files/movies, due to the creation of a .lnk file, whether they are unallocated or not, that they have been at least accessed, by a user?
>
> Or, are there other scenarios whereby the system creates a .lnk file without a user accessing those files?
>
> Any words are welcome!
>
> Regards
> L

From what I understand and hearing, most prosecutors will not present anything that is found in UC. It’s like Swiss cheese to the defendant.


   
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

> From what I understand and hearing, most prosecutors will not present anything that is found in UC. It’s like Swiss cheese to the defendant.

I'm not sure whether this has been covered before but I think the area of presenting artefacts from unallocated areas deserves its own topic.


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

> Hi, I'm hoping for some wisdom.
>
> I have a scenario whereby .lnk files (movies/images) exist in unallocated areas of the disk.
>
> Can I say with no doubt that these files/movies, due to the creation of a .lnk file, whether they are unallocated or not, that they have been at least accessed, by a user?
>
> Or, are there other scenarios whereby the system creates a .lnk file without a user accessing those files?
>
> Any words are welcome!
>
> Regards
> L

> From what I understand and hearing, most prosecutors will not present anything that is found in UC. It’s like Swiss cheese to the defendant.

As a general principle based on my experience, in matters where possession is an element of the offense, existence in unallocated is NOT sufficient to support a possession charge. This is generally because if you download something that you don't want and delete it, you are specifically not wanting to possess the item, and the remnant in unallocated is not your fault. The same principle also applies to files in your cache in many places, unless they have a specific offense for access, rather than possession.

However, in other matters, evidence in unallocated is good evidence, e.g. in a fraud case where you find a forged document in unalloc which matches some paper document which has been uttered, then this is relevant, and would be admitted.

Obviously, since I'm not a lawyer, this isn't legal advice, just my experience.


   
binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

My colleague has recently written a paper on the subject of link files. It is available here

Paul


   
Page 1 / 2