Hi
Working on a case involving indecent images.
These are found in unallocated, there are no indecent images in the allocated.
How do I find out which user account was used to view these images?
I have checked internet history, cookies, index.dats etc and can't find anything. I've also checked thumbs.db, emf files & emf files. Keyword search brings up some hits in unallocated but only the odd web address.
Computer seems relatively clean so I'm scratching my head somewhat, where else should I be looking?
Cheers
If this is a case involving Windows, check the NTUSER.DAT file…RecentDocs, any MRU keys for image viewers, etc.
Is there P2P software installed on the system? Thumbs.db might contain thumbnails of the recovered images but you've already checked that. I don't think there's much you can do if the recovered files no longer have their original file names.
A couple of things spring to mind
Link Files .. Live and deleted
Restore Point info
Exif data within files? Link to a camera owned?
Have you carved out deleted internet history? (NetAnalysis)
Depending on file type of images .. anything pointing to what application was used .. is this installed on the suspect machine?
Let me know how you get on ..
Cheers
Mark
Did he use any removable disk?
Mark,
A couple of things spring to mind
<snip>
Restore Point info
<snip>
Specifically what in the Restore Point did you have in mind?
Thanks,
Harlan
Thanks for the feedback.
I have checked and can't find any history of an external device being attached, and can find no record of any P2P software ever having been installed.
I will check link files, NTUSER.DAT and recent docs again just in case.
Will let you know how I get on once I am back from a two week training course.
Cheers
Mark
In a way, he might be able to find some information in the Restore Points, although how helpful it is will be dependent on the case and the supporting information you have.
For example, if he is looking for .lnk files with suggestive names (like Indecent_image_1.jpg.lnk) then records of these will be found in Restore Points because they are stored under \Documents and Settings\<USER>\Recent, which is examined by Windows during RP creation.
Similarly, you *may* get records of folders (again with suggestive names), even if they have been placed in the Recycle Bin and deleted later. This is less likely because the folder will have to contain a file that is backed up during the restore point creation process. However, image viewing applications like Picasa generate ini files that are stored in the folder with the images.
In Picasa's case this is advantageous because ini files are backed up during RP creation, and should induce records of folder names in the change.log file. The Picasa-created ini files should also be backed up into the restore point itself, and if I remember correctly this file should at least have the file names of the image files that were edited using Picasa. I don't have an Internet-connected machine to hand that I can install Picasa on to test, so I don't know if it lists all the image files in that directory.
All of this depends on Picasa being installed, and of course you don't get the file names from deleted files so matching up records with recovered files doesn't really work. However, it might give him a starting point if they have obviously suspicious names. It's a shame .db files aren't backed up, because then you'd have every Thumbs.db file :-)
Either way, he might strike it lucky and find relevant link name records under a named user's \recent\ directory, or folder names in the change.log files that have backed up files in. This is especially helpful if they have been left in the recycle bin, because then you'll have UIDs for the folder. It's worth having a look.
Regards,
Tom
Just got home and checked - for info, Picasa only creates an ini file when you edit a file in some way, but then it stores the file name of the edited file.
Either way, my previous post still stands that it might be a way to show that a user was in possession of indecent images. Good call mas66.
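A triage sketch of the approach Tom describes, added here as an example and not code posted by anyone in the thread: it carves path strings out of a restore point change.log and groups Recent .lnk names by user profile and .ini names by folder. It assumes paths are stored as UTF-16LE strings; the sample bytes, user names, SID and the `Picasa.ini` file name are constructed and do not reproduce the real record layout.

```python
import re
from collections import defaultdict

# Runs of 6+ printable ASCII characters stored as UTF-16LE (assumed encoding).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
RECENT_LNK = re.compile(
    r"\\Documents and Settings\\([^\\]+)\\Recent\\([^\\]+\.lnk)$", re.I)
FOLDER_INI = re.compile(r"^(.*)\\([^\\]+\.ini)$", re.I)

def carve_paths(blob):
    """Return decoded UTF-16LE strings from blob that contain a backslash."""
    found = (m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob))
    return [s for s in found if "\\" in s]

def attribute(paths):
    """Map user -> Recent .lnk names, and folder -> .ini names."""
    lnk_by_user, ini_by_folder = defaultdict(set), defaultdict(set)
    for p in paths:
        m = RECENT_LNK.search(p)
        if m:
            lnk_by_user[m.group(1)].add(m.group(2))
            continue
        m = FOLDER_INI.match(p)
        if m:
            ini_by_folder[m.group(1)].add(m.group(2))
    return dict(lnk_by_user), dict(ini_by_folder)

def _record(path):
    # Constructed stand-in: filler bytes + path; NOT the real change.log layout.
    return b"\xab\xef\x01\x00" + path.encode("utf-16-le") + b"\x00\x00"

# Constructed sample data with neutral names.
SAMPLE = b"".join(_record(p) for p in [
    r"\Documents and Settings\alice\Recent\holiday_01.jpg.lnk",
    r"\Documents and Settings\bob\Recent\notes.txt.lnk",
    r"\Documents and Settings\alice\My Documents\trip\Picasa.ini",
    r"\RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-1004\Dc3\Picasa.ini",
    r"\WINDOWS\system32\example.dll",
])

if __name__ == "__main__":
    users, folders = attribute(carve_paths(SAMPLE))
    for user, names in sorted(users.items()):
        print(user, sorted(names))
    for folder, names in sorted(folders.items()):
        print(folder, sorted(names))
```

A folder key under `\RECYCLER\<SID>` ties the deleted folder to an account, which is the recycle bin case mentioned above.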
Cloudy
Hi, I've had a go PMing you but for some reason you're not getting them re VMware.
On this case how have you been looking at the index.dat files?