Hello,
My company has used Photorec, running from a USB stick, to acquire selected file types from a few live systems.
What trace does Photorec leave on the machine if it runs from a USB drive? I have seen the exe in the Windows Prefetch folder, and I'm assuming there'll be a record of the USB stick in the registry.
Does anyone know if it leaves trace elsewhere on the PC? This is so I can cover everything in my evidential log.
Many thanks,
Mark
The traces left depend on the version of Windows you're referring to. For example, Windows 2003 does not do application prefetching by default, so you won't find a Prefetch file for it. However, you're likely to find one on Vista, as well as XP.
Also, depending on how the application is run, you may see something in the Registry hive for the user account used, as well as within the file system.
"Windows Forensic Analysis 2/e" discusses a couple of approaches you can use to determine this information on your own. I think that this would be a better approach to take, as you're the one who needs to have first-hand knowledge of the information, and you also have access to the systems themselves, including installed applications.
HTH,
h
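The Prefetch file mentioned in the question and in the reply above is one of the few traces that records both the executable name and how often it ran. The following is an added example, not code from any poster: a small parser for the uncompressed XP/2003 (version 0x11) and Vista/7 (version 0x17) prefetch header layouts, with a constructed sample file for PHOTOREC_WIN.EXE (the name, run count and timestamp are made-up test values, not from a real capture).

```python
import struct
from datetime import datetime, timedelta, timezone

# Header offsets of (last run FILETIME, run count) for the two uncompressed
# prefetch formats discussed in the thread: 0x11 = XP/2003, 0x17 = Vista/7.
# (Windows 8+ files are compressed and start with "MAM"; not handled here.)
_LAYOUT = {0x11: (0x78, 0x90), 0x17: (0x80, 0x98)}

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return (exe_name, run_count, last_run) from an uncompressed .pf file."""
    if len(data) < 0x9C or data[4:8] != b"SCCA":
        raise ValueError("not an uncompressed Windows prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in _LAYOUT:
        raise ValueError("unsupported prefetch version 0x%x" % version)
    # Executable name: 60 bytes of UTF-16LE at offset 0x10, NUL-terminated.
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    ts_off, cnt_off = _LAYOUT[version]
    last_run = struct.unpack_from("<Q", data, ts_off)[0]
    run_count = struct.unpack_from("<I", data, cnt_off)[0]
    return name, run_count, filetime_to_datetime(last_run)

def build_sample(version, name, run_count, last_run_ft):
    """Construct a minimal prefetch header (test sample, not a real capture)."""
    buf = bytearray(0x9C)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = b"SCCA"
    buf[0x10:0x10 + 60] = name.encode("utf-16-le").ljust(60, b"\x00")
    ts_off, cnt_off = _LAYOUT[version]
    struct.pack_into("<Q", buf, ts_off, last_run_ft)
    struct.pack_into("<I", buf, cnt_off, run_count)
    return bytes(buf)

# Constructed Vista-style sample: PHOTOREC_WIN.EXE run 3 times (made-up values).
SAMPLE_FT = 128600000000000000  # constructed FILETIME, 2008-07-08 14:13:20 UTC
SAMPLE = build_sample(0x17, "PHOTOREC_WIN.EXE", 3, SAMPLE_FT)

if __name__ == "__main__":
    print(parse_prefetch(SAMPLE))
```

On a real system the file to check would be the PHOTOREC_WIN.EXE-*.pf entry under the Windows Prefetch folder; note the run count only increments for launches the prefetcher observed, so it is a lower bound for the evidential log.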
You could use regmon and filemon from sysinternals to see what activity is there. You should be able to filter the output fairly easily to see just what is being generated from photorec.
I have found "RegShot" is the best bet to ID any system changes.
As far as Photorec is concerned there is a VERY active forum working on USB portable applications (
One of the advantages of open source is that if it really matters you can examine the source code to see what activity might be initiated by the application itself. Not a trivial task though, as photorec.c alone runs to 849 lines of code and that's just 1 of 499 code files in the source.
The other side of the coin is how the OS reacts to the program when it is run in that environment. When it comes to Windows, keydet89 is the fount of all knowledge there 😉
As ddewildt points out the sysinternals tools are great (procmon, my favourite for this kind of task) but you should take care applying filters because if you filter out everything except the process you are investigating then you might miss some of the stuff generated by Windows itself that applies.
One method might be to create a virtual machine, image it, run photorec and then do a hex differential between the two states. You can then investigate what changes have been made.
I suppose it comes down to how much time you have on your hands and how important it is…
Paul