Folks, I have a matter in which link files pointing to a digital video containing child pornography exist. In fact, there are three one pointing to the completed version of the video located in LimeWire's Saved folder and two pointing respectively to the preview and temporary versions located in LimeWire's Incomplete folder.
It has been my experience and my training that the existence of link files are conclusive evidence of the opening and viewing of a file. I am starting to question that.
The Windows Registry Hive NTUSER.dat for the client's user profile contains several entries in the Windows Explorer and Media Player keys. However, I expected to find entries in the Media Player RecentFilesList Key for all three files, however, there is only one, for the preview version. This entry is the first entry in the key, which was Last Written almost 10 minutes before the link file's created date/time attribute.
So I have 3 questions
1) When exactly is a Windows link file created?
2) Is the Media Player RecentFilesList a record of files recently played or of files recently added to the Media Player library? Or both?
3) Are MRU and OpenSave entries in the Windows Registry evidence that a file was opened and viewed or of a file being downloaded, saved, copied or moved? Or both?
Easy questions! Thanks in advance.
(I can't answer any of your questions directly, but just a thought - the existence of a "Preview" version of the movie shows that not only did your suspect view the movie while it was downloading, but knew of it's content and let it download anyway. This is stronger evidence than a lnk file, in my opinion.)
Well, its actually not as clear cut as that.
One cannot categorically state that the user actually saw anything when he attempted to open the temporary file in the Incomplete folder. The most one can say is that the user attempted to watch the downloading file.
A preview file is only a copy of the temporary file as it existed at the time the user attempted to view it. LimeWire makes a copy of the temporary file but renames it by annotating "PREVIEW" to the file's T- name and then attempts to play it. I dont think you can say any more than that.
Thank you for your input, though.
If you read
H
Sorry, I had assumed that you had checked the preview file and it was viewable! )
Oh no problems, I didnt want to burden the forum with every single detail. The reason I cannot view the preview file is that it does not exist. Only its link file exists.
Is there any chance that another program, such as VLC, had been used to view the movies? That would explain why there are lnk files but nothing in the MRU list for Media Player.
Just a thought….
Dave
That's a good point and I will investigate. Thanks for the tip.
Dont't forget to carve for the xml style file which I think is named lastplayed.wpl. I've not got the correct header and footer to hand but you'll be able to find it from the current lastplayed.wpl live file. You my find many of these in unallocated.
I would agree with others about using the word 'attempted' to be viewed in relation to the preview-t
I would also want to assess whether the codecs were available on the suspect PC to view the video in the saved folder. and test it in a VM.
David,
Any luck with Prefetch files?
Regards,
Chris