I have come across some deleted files/folders in this location. Windows/Temp/2017-07-01.
there are plenty of folders 2017-06-30, 2017-06-29, 2017-06/28 etc etc
I know that temporary files can be quite important but I don't know how to associate these files/folders to a given user. I'd expect any temporary files for any given user to be within the appdata/local directories.
So what is this folder? how do I associate the information in it to a given user?
Googling hasn't really given me much info, other than that blurb on what temp files are used for.
any help and advice here is much appreciated
It seems to me like you have a set of assumptions (or great expectations wink ) about the ideal way a forensic friendly OS should work (as opposed to how a common OS, not necessarily forensic friendly, actually works).
As always do a complete timeline of the system.
Please note how you should have done that anyway, you don't really want to believe that if something is found in some given user's "personal" folder it can uniquely and definitely be attributed to the given user's actions.
Who was logged in at the time the folders/files were created?
Which programs were running at the time?
More loosely which one among the programs installed on the machine (or however run on the machine) does actually create those files/folders in \Windows\Temp?
I am very much out of practice these days.
il try look for the information you've listed below - see what comes up!