
Word document in Temporary internet folder win xp

dbsc28
(@dbsc28)
New Member
Joined: 15 years ago
Posts: 4
Topic starter  

Temp file


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

Is it possible to have temp copies of word files in temporary internet folder without ever having used the internet? In what circumstances are these temp files created ?

Haven't researched this myself, but have a look at

http://blogs.technet.com/b/robert_hensing/archive/2006/11/15/ever-found-malware-hiding-in-the-all-users-profile-on-windows-ever-wonder-how-it-got-there-or-why-it-was-there.aspx

I'm not sure it contains the full answer, but it does provide part of it.

Briefly, the Windows system call URLDownloadToFile() is used to 'get' a resource identified by a URL. While the file is being downloaded it's stored in the Temporary Internet Folder of the user who runs the code that makes that call. When the download is finished, the file is copied to the intended target file.

I see nothing that prevents that URL from referring to protocols such as file:// (which refers to local files), or pop:// or imap:// (which probably are on a network somewhere, but are mailbox-specific, and thus very well may be on the local network in corporate settings).

The main question in this scenario is what software calls this particular function, and is there other code (say, in Outlook) that performs similar functions?

There is also another Windows system call, 'URLDownloadToCacheFile', which appears to do something similar, only the data remains in the cache, and isn't copied to a target file somewhere else.


   
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

I have ~WRS* and ~WRF* files in my Content.Word folder. And they come from Microsoft Word being used as the editor for my Outlook 2007.

I have not yet found any other tool that creates these temp files in Content.Word outside of Outlook - nor have I found the method of these files' creation and manipulation. I have found snippets of my own email interspersed throughout a single ~WRS file and have not yet been able to determine the algorithm Outlook/Word employs when, or even if, it creates one of these temp files.


   
(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
 

I have a forensic case where an individual is suspected to have printed/mailed a Word document. It is a Win XP system with no evidence of internet connection. However, the document was found in the content.Word folder in Temporary internet folder as a temp file. I want to know whether he emailed the document or not. Is it possible to have temp copies of Word files in temporary internet folder without ever having used the internet? In what circumstances are these temp files created?

Typically, if the document is an Outlook attachment, when it is opened it is put in the OLK2 subfolder under Temporary Internet Files.

According to this article
http://blogs.msdn.com/b/vsod/archive/2009/03/16/word-2003-sp3-throws-intermittent-error-there-is-insufficient-memory-save-the-document-now.aspx

Word will put temp copies of Word docs in this folder.


   
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

The discovery of a Word document in Internet cache means very little. Even IF you could prove that Outlook saves files there prior to sending, I would think it is much more likely that it was saved there while browsing the internet, or as an opened attachment. Neither of these proves that the document was mailed.

My two cents, you are barking up the wrong tree. You may have tried these already, but this is what I would do. Check registry for network settings (no network settings, no internet; no internet, no sent mail), check Web History (same logic), and then really hit Outlook. Check sent mail folder, try and access the Mail server logs (which, of course, may be impossible), check network logs (i.e., packet captures from the local network).

You could also hit the print angle too. Though that is more difficult. Word metadata might help. So might the \Windows\System32\spool folder (Though unlikely)

In either case, finding the original document is important. Users won't typically email or print a report from their temporary internet files. (Although, I am assuming that this is a document the suspect originated, things will change if they received it via attachment, and then printed or forwarded it from there.)

I don't know, I guess I would say, again, my two cents, if you tried all that and more, and all you have for evidence is a cached Word document, the case isn't looking too good.

Just some thoughts off the top of my head based on the original post. I hope it is helpful.


   
gkk001
(@gkk001)
Active Member
Joined: 15 years ago
Posts: 7
 

I am new to the CF World.

However, I wonder if you have checked the registry and files/folders for USB-based devices? Specifically USB-based Wi-Fi, Ethernet, and cell phone based 3G/4G transceivers? The suspect system may have been connected to a neighboring Wi-Fi or cell transceiver.

Have you checked the areas of the drive to see if an account was set up in OE or other app? The account could have been deleted but will still leave a "reg" tracker entry in the email app.

Also (without specifics of actual email to/from) were you able to examine a copy of the email that was sent? Or are you trying to find if someone even sent an email though no one reported receiving it?

EX: C:\Documents and Settings\USER\Local Settings\Application Data\Identities\{12345678-A234-1234-4564-3423758}\Microsoft\Outlook Express

Just thoughts from a person new to CF? Thoughts anyone?


   
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

The discovery of a Word document in Internet cache means very little. Even IF you could prove that Outlook saves files there prior to sending, I would think it is much more likely that it was saved there while browsing the internet, or as an opened attachment. Neither of these proves that the document was mailed.

The folder "Temporary Internet Files" contains more than just the IE browser cache. The file was found in Content.Word not Content.IE5 - and the question from the OP is how does it get in that specific folder.


   
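The folder distinction raised in this thread (Content.Word vs. Content.IE5 vs. OLK2, plus the ~WRS*/~WRF* names), as an added triage example that is not part of any participant's post: it walks a read-only mounted profile tree and groups every file under Temporary Internet Files by its first subfolder. The origin labels only repeat what the posters report and are not verified by the script; matching any OLK-prefixed folder generalizes the OLK2 mentioned above, and the function names are hypothetical.

```python
import os
import sys
from datetime import datetime, timezone

TIF = "temporary internet files"

# First subfolder below TIF -> origin as reported by the thread's posters.
ORIGINS = [
    ("content.word", "Word temp copy (Word, or Word as the Outlook editor)"),
    ("content.ie5", "IE browser cache"),
    ("olk", "Outlook attachment opened from a message"),  # OLK2 generalized
]

def classify(subfolder):
    """Map the first folder below Temporary Internet Files to a reported origin."""
    name = subfolder.lower()
    for prefix, origin in ORIGINS:
        if name.startswith(prefix):
            return origin
    return "unclassified"

def triage(root):
    """Return one record per file found under any Temporary Internet Files folder."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        parts = dirpath.replace("\\", "/").split("/")
        lowered = [p.lower() for p in parts]
        if TIF not in lowered:
            continue
        idx = lowered.index(TIF)
        # Files sitting directly in TIF have no subfolder to classify by.
        sub = parts[idx + 1] if idx + 1 < len(parts) else ""
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            records.append({
                "name": name,
                "path": path,
                "subfolder": sub,
                "origin": classify(sub),
                # ~WRS*/~WRF* are the temp names reported in Content.Word above.
                "word_temp": name.upper().startswith(("~WRS", "~WRF")),
                "size": st.st_size,
                "modified_utc": datetime.fromtimestamp(
                    st.st_mtime, tz=timezone.utc).isoformat(),
            })
    return sorted(records, key=lambda r: r["modified_utc"])

if __name__ == "__main__" and len(sys.argv) > 1:
    for r in triage(sys.argv[1]):
        print(r["modified_utc"], r["subfolder"], r["name"], r["size"], r["origin"])
```

Run it against a mounted image or an exported copy of Documents and Settings, never the live evidence drive, since timestamps reported are only as reliable as the mount preserves them.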