I'm working on a CP case involving one machine that, according to the owner, numerous people have access to. I have numerous CP images in numerous folders over the course of several months. Once again I will have to tie the images to a specific user based largely on timeline. The machine owner has provided me with some information as to the "legitimate" computer use and internet activities, which has helped me somewhat, but I have yet to locate any evidence of a "login" page with a specific user that is associated with the CP. It's a WIN XPSP2 OS.
I have located Yahoo history files that show URL history and in some instances what appear to be specific paths to CP file names that I have located on the hard drive. These history files are under the following path
c\Documents and Settings\Owner\ApplicationData\Yahoo!\JoeBlow@******.net\History\his13356
An example of the data contained in the his13356 file would be
44cda41e
I have little experience with Yahoo other than webmail and am looking for help with the following
1. Why is this path on the machine? Is it created simply with Yahoo messenger or is it only because the user uses Yahoo as an ISP? (The machine owner has not provided any info on his ISP, but by the email address I am assuming that the ISP is a local company.) I'm asking this because I am having a hard time duplicating this on my machine.
2. Can any other data be gleaned from this his file, such as date and time (other than the cr date and ac date)?
3. Any idea what the 44cda41e references? There does not seem to be any consistency to this.
Any help or ideas on where to get more info would be greatly appreciated. Thanks again.
Nick
When you say that multiple users have access to the system, does that mean that they have their own logins?
You say
"I have numerous CP images in numerous folders over the course of several months. Once again I will have to tie the images to a specific user based largely on timeline."
If that's the case, have you tried Registry analysis? Many applications have MRU lists of files that have been recently accessed…checking those may show you which user account was actually used to view the files, and when. There are other locations in the Registry, as well, that may help you…
h
Hi Harlan,
I guess I should have used a different term than user. By user here I mean the person at the keyboard, not user as in SID or account.
I have multiple users with one created profile with no logon password. I have looked into the registry and have had one piece of success tying a user to the timeline with the MRU. That involved a CAD file that was saved in "Joe Blow's Drawings" folder. That has helped somewhat but the "adult" images that I was able to tie to that user for that timeframe falls into the "borderline" category. It also doesn't eliminate any other users. I have so many other images over a timeline of months that I'm trying to either eliminate other users completely or lock them in.
I do have one index.dat file that, based on timeline, shows "Joe Blow" accessing personal documents as well as some CP, but the Yahoo his files on the machine really cover a much greater timeline. Trouble is, I can't or haven't been able to duplicate it on my own machine to help understand what the his files mean or the information they contain. So far it looks like supercalifragilisticexpialidocious to me. And if I spelled that wrong, it doesn't change my misunderstanding of it!
Nick
I have written a tool that will decode BT Yahoo! History files. Let me know if you need it - tedsmith@f3.org.uk.
Greetings,
Just out of curiosity, have you notified law enforcement and your own legal counsel? If not, and if you're looking at real CP, you may be digging yourself into a big hole.
-David
"Greetings,
Just out of curiosity, have you notified law enforcement and your own legal counsel? If not, and if you're looking at real CP, you may be digging yourself into a big hole.
-David"
A quick view of his profile shows he's Law Enforcement.
All about NickJG
Joined 29-Aug-2007
Rank Newbie
Location Wisconsin, USA
Web Site
My Occupation Law Enforcement
Interests
"I have written a tool that will decode BT Yahoo! History files. Let me know if you need it - tedsmith@f3.org.uk."
Is this what he's looking for?
BT Yahoo? I didn't even know that history files were created from an ISP? I understood it was just browsers that created these