Actually, while searching for other video players on the system on the recommendation of Dave Allen, I discovered that Apple's QuickTime player is in Prefetch and that it was available for use on the date the subject video was downloaded. I am going to check event logs for any evidence.
Does anybody know if QuickTime keeps a log or index of files played? I didnt find anything in the Registry.
Great responses! As usual.
You might also check the UserAssist to see if any type of viewer was opened around the same time the lnk files were created (or last modified). This might help is determining which viewer was used. And don't forget about jump lists, if applicable.
I am a digital forensics student conducting a research project on the Windows artifacts left behind by using QuickTime Player. I'm using the Windows 7 OS in Bootcamp. I have located the xml document listing the MRU/URL strings but in order to get timestamps/dates of these files I need to carve them in Winhex. Does anyone know what the header/footer is for this? Any input on this or anything else related to my research to help direct me would be greatly appreciated.
Thank you.