
Normal browsing or automated process

rods (@rods), topic starter

Hi

Probably not an easy one to answer but any comments appreciated.

I am going through a schedule of files and am trying to determine if an automated process was responsible.

The hard drive in question has 11 serious viruses present as reported by AVG. There are some peculiar patterns in some of the search records.

The main issue though is with the files which are image files. It seems to me that multiple files are being created in a short space of time. In total 3218 image files were created in 33 minutes, which is 97 files a minute. On one day 2535 files were created in 21 minutes, giving 121 files per minute. The files are created in short bursts of activity, say 15 minutes, with up to 260 files created in a minute, although in other minutes only 1 or 2 files are created.

Could this be normal browsing behaviour or is it viral activity?


   
keydet89 (@keydet89)

> The main issue though is with the files which are image files. It seems to me that multiple files are being created in a short space of time. In total 3218 image files were created in 33 minutes, which is 97 files a minute. On one day 2535 files were created in 21 minutes, giving 121 files per minute. The files are created in short bursts of activity, say 15 minutes, with up to 260 files created in a minute, although in other minutes only 1 or 2 files are created.
>
> Could this be normal browsing behaviour or is it viral activity?

Either one, there really isn't enough information to tell.

Where are the files located? What are their names and sizes? When a browser hits a web page with a lot of little images, multiple threads will be launched to download those files.

I'm not entirely sure what you mean by a "schedule" of files, but if you can get some header info for those files from the original source, that would be helpful.


   
ecophobia (@ecophobia)

"Serious viruses" is not an appropriate definition. Check the virus library first to learn what these viruses do. Secondly, check firewall logs and also what software was running at the time. UserAssist can be helpful, but there are heaps of other places to check for this. CP from paid sites would be unlikely to be placed by a virus onto the suspect's computer. CCTV from outside the suspect's home can also be valuable.


   
(@research1)

I would check all files accessed, not just the internet history/cache you're looking at.
Surely, if that user went online, the internet browser would be accessed first. Then normally, personal email. What did the user do an hour or two before internet browsing, and 1-2 hours after?

Are the same locations repeatedly accessed, or do the locations / downloaded content vary?

Answering those questions can give you a 'likely' or 'unlikely' automatic conclusion. Without analysing the 'virus', if it's found, that's the best answer you can form.
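
Added example, not part of any post in this thread: one way to turn a file listing into the per-burst facts the replies ask for (rate, folder, file size), rather than a files-per-minute average alone. The CSV layout (created,path,size), the 5-minute gap that separates bursts, the "2 or fewer files" quiet-minute threshold and all sample paths are assumptions; the sample data is constructed.

```python
import csv, io
from collections import Counter
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from statistics import median

def parse_listing(text):
    """Parse a file listing exported as CSV with columns created,path,size (assumed layout)."""
    rows = csv.DictReader(io.StringIO(text))
    return sorted((datetime.fromisoformat(r["created"]), r["path"], int(r["size"])) for r in rows)

def summarise(burst):
    """Describe one burst: rate, where the files landed, and how big they are."""
    per_min = Counter(t.replace(second=0, microsecond=0) for t, _, _ in burst)
    dirs = Counter(str(PureWindowsPath(p).parent) for _, p, _ in burst)
    return {
        "start": burst[0][0], "end": burst[-1][0], "files": len(burst),
        "peak_per_minute": max(per_min.values()),
        "quiet_minutes": sum(1 for n in per_min.values() if n <= 2),
        "directories": dirs.most_common(),
        "median_size": median(s for _, _, s in burst),
    }

def find_bursts(records, max_gap=timedelta(minutes=5)):
    """Split sorted records into bursts wherever the gap between creations exceeds max_gap."""
    bursts, current = [], []
    for rec in records:
        if current and rec[0] - current[-1][0] > max_gap:
            bursts.append(current)
            current = []
        current.append(rec)
    if current:
        bursts.append(current)
    return [summarise(b) for b in bursts]

def constructed_listing():
    """Constructed sample data, not taken from the case in the thread."""
    t0 = datetime(2010, 1, 1, 20, 0, 0)
    rows = ["created,path,size"]
    for i in range(260):  # 260 small files inside one minute, one folder
        rows.append(f"{(t0 + timedelta(seconds=i % 60)).isoformat()},C:\\cache\\A1\\img{i}.jpg,1200")
    for s in (70, 100):   # the following minute: only 2 files
        rows.append(f"{(t0 + timedelta(seconds=s)).isoformat()},C:\\cache\\A1\\late{s}.jpg,1200")
    for n, s in enumerate((12600, 12620, 12665)):  # hours later, larger files, another folder
        rows.append(f"{(t0 + timedelta(seconds=s)).isoformat()},C:\\Users\\u\\Pictures\\p{n}.jpg,{250000 + 50000 * n}")
    return "\n".join(rows)

if __name__ == "__main__":
    for b in find_bursts(parse_listing(constructed_listing())):
        print(b["start"], b["end"], b["files"], b["peak_per_minute"], b["directories"], b["median_size"])
```

The burst start and end times give the window to line up against browser history, firewall logs and program execution records for the same period.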


   