Forums
Main Category
General (Technical,...
The information fro...
 
Notifications
Clear all

The information from link file

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by TuckerHST 13 years ago
8 Posts
4 Users
0 Reactions
458 Views
RSS
 dark_elf
(@dark_elf)
New Member
Joined: 14 years ago
Posts: 3
Topic starter 02/07/2012 8:50 am  

Hi, all,

I am using EnCase v6 to check if someone copied suspect file to external drives, the system disk is "C" and that's only HDD volume. One suspect link file in "Recent" folder indicated it was opened from "S" disk, but the problem is the serial number of "S" is as same as "C", why that occurs?

The original storage path of suspect file is under C\_S\xxx.ppt.

Thanks


   
Quote
TuckerHST
 TuckerHST
(@tuckerhst)
Estimable Member
Joined: 16 years ago
Posts: 175
07/07/2012 10:43 am  

What if \_s is mapped to S?

Suggestion perhaps decode it with this tool and see if there's consistency and see if it decodes more information http//code.google.com/p/lnk-parser/ Can you share the decoded version of the shortcut file?


   
ReplyQuote
 dark_elf
(@dark_elf)
New Member
Joined: 14 years ago
Posts: 3
Topic starter 08/07/2012 10:16 am  

What if \_s is mapped to S?

Suggestion perhaps decode it with this tool and see if there's consistency and see if it decodes more information http//code.google.com/p/lnk-parser/ Can you share the decoded version of the shortcut file?

Thanks, but is that not enough to use EnCase to parse the link file? And I think maybe I can check the USB connection information in Registry, then cross-check with the information from EnCase.


   
ReplyQuote
TuckerHST
 TuckerHST
(@tuckerhst)
Estimable Member
Joined: 16 years ago
Posts: 175
10/07/2012 1:55 am  

Is EnCase enough? That's a judgment call for you to make. Personally, when I run across results that are either ambiguous or central to the case, I use another tool for validation. Thought I would do you a favor and suggest one.


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
19/07/2012 5:43 pm  

Hi, all,

I am using EnCase v6 to check if someone copied suspect file to external drives, the system disk is "C" and that's only HDD volume. One suspect link file in "Recent" folder indicated it was opened from "S" disk, but the problem is the serial number of "S" is as same as "C", why that occurs?

The original storage path of suspect file is under C\_S\xxx.ppt.

Thanks

A couple of thoughts/questions

First, what is the version of Windows that you're analyzing? This is very important, for a plethora of reasons.

Second, when you say, "..the serial number of "S" is as same as "C"", what are you referring to specifically? What value, and where did you retrieve the value?

Third, have you performed any USB device analysis on the system? Part of this may include finding that the S\ volume isn't a USB external device at all, but instead a mapped network drive.


   
ReplyQuote
 dark_elf
(@dark_elf)
New Member
Joined: 14 years ago
Posts: 3
Topic starter 20/07/2012 7:09 am  

Thanks, I think the 3rd point is the key point. Appreciate your ideas.


   
ReplyQuote
jhup
 jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
21/07/2012 12:42 am  

Or good old SUBST…


   
ReplyQuote
TuckerHST
 TuckerHST
(@tuckerhst)
Estimable Member
Joined: 16 years ago
Posts: 175
21/07/2012 1:12 am  

Indeed, what about venerable SUBST?!

I should have thought of that one (for reasons that aren't particularly important to anyone but me and Digital Research/Novell/Caldera).


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: