+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 18
Windows Thread, Investigation Help in Technical; Without going into details, I basically need to check a computer out. The user has files stored on an external ...
  1. #1

    Join Date
    Apr 2007
    Location
    York
    Posts
    569
    Thank Post
    11
    Thanked 5 Times in 5 Posts
    Rep Power
    20

    Investigation Help

    Without going into details, I basically need to check a computer out. The user has files stored on an external hard disk. They have access them on the computer but there isnt a copy of it on the computer. Is there any way to check when they have been opened and will there be a cached version ?. Some are pictures .jpg too.
    Thanks

  2. #2


    Join Date
    Feb 2007
    Location
    Northamptonshire
    Posts
    4,698
    Thank Post
    352
    Thanked 803 Times in 718 Posts
    Rep Power
    348
    The "Recent" folder in their profile might provide you with some file names / paths.

    Not sure if there will be a cache but some data recovery software would be my port of call.

    Slave the disk up or you will risk ruining the data chances.

    Also, if this is being done for anything even remotely disciplinary/legally you shouldn't be doing it without guidance(or at all in some cases).

  3. #3

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,866
    Thank Post
    412
    Thanked 777 Times in 650 Posts
    Rep Power
    182
    Take a forensic copy of any disk you want to read and only use the copy. Don't even spin the original drive up (except to do this).

    Don't mount or boot the disk, use a live CD to examine the files in isolation of any operating system installed, Windows particularly is terrible for clearing some clues up during boot and periodically.

  4. #4

    Join Date
    Apr 2007
    Location
    York
    Posts
    569
    Thank Post
    11
    Thanked 5 Times in 5 Posts
    Rep Power
    20
    I'm not sure what you mean mate? I cant get access to the original USB disk. The only disk I have access to is the hdd on the PC hoping there is a cached version of the files been opened via the disk

  5. #5


    Join Date
    Feb 2007
    Location
    Northamptonshire
    Posts
    4,698
    Thank Post
    352
    Thanked 803 Times in 718 Posts
    Rep Power
    348
    Don't fire up the PC, treat this as a case where you are trying to recover data.

    Recovery software & navigate through the profile's Recent, & Temp dirs but I suspect you may not yield a good result.

  6. #6

    Join Date
    Apr 2007
    Location
    York
    Posts
    569
    Thank Post
    11
    Thanked 5 Times in 5 Posts
    Rep Power
    20
    Ok cheers. All my data recovery software requires booting up PC. Is there any that you can put ona live cd?

  7. #7
    pritchardavid's Avatar
    Join Date
    Sep 2009
    Location
    South Ockendon, Thurrock, United Kingdom
    Posts
    932
    Thank Post
    18
    Thanked 64 Times in 58 Posts
    Rep Power
    26
    Try ubuntu, it's what we use for recovery

  8. #8


    Join Date
    Feb 2007
    Location
    Northamptonshire
    Posts
    4,698
    Thank Post
    352
    Thanked 803 Times in 718 Posts
    Rep Power
    348
    Quote Originally Posted by karldenton View Post
    Ok cheers. All my data recovery software requires booting up PC. Is there any that you can put ona live cd?
    Really? That's some pretty awful software if it insists you boot FROM the disk you want to recover from?

    I suspect what you mean is that it runs inside windows so you should take the disk out of this PC and slave it up if you want to go that route or try the ubuntu live cd.

  9. #9

    Join Date
    Apr 2007
    Location
    York
    Posts
    569
    Thank Post
    11
    Thanked 5 Times in 5 Posts
    Rep Power
    20
    Thanks I will try the ubuntu live cd.
    If there will be a cache of the images and files where would they be ? Would it just be the shortcut in recent documents ?
    Thanks

  10. #10

    Join Date
    Apr 2007
    Location
    York
    Posts
    569
    Thank Post
    11
    Thanked 5 Times in 5 Posts
    Rep Power
    20
    Anyone able to help me on where cached files might be in ubuntu ?

  11. #11

    Join Date
    Sep 2006
    Location
    West Midlands
    Posts
    410
    Thank Post
    73
    Thanked 75 Times in 58 Posts
    Rep Power
    44
    Can you do a search of "all files modified in the last X days" or similar? That way you would find any more recent activity/residue.

    mb

  12. #12
    somabc's Avatar
    Join Date
    Oct 2007
    Location
    London
    Posts
    2,337
    Thank Post
    83
    Thanked 388 Times in 258 Posts
    Rep Power
    112
    Are you expecting to find anything 'illegal' because if so don't touch it. You are not qualified and you will only tamper with the evidence. Give it to the police.

  13. #13

    Join Date
    Nov 2006
    Location
    Kendal
    Posts
    1,555
    Thank Post
    112
    Thanked 177 Times in 144 Posts
    Rep Power
    72
    Quote Originally Posted by somabc View Post
    Are you expecting to find anything 'illegal' because if so don't touch it. You are not qualified and you will only tamper with the evidence. Give it to the police.
    Totally agree with this. Also depending on the nature of what you are looking for you run the risk of committing criminal offences of your own.

  14. #14

    russdev's Avatar
    Join Date
    Jun 2005
    Location
    Leicestershire
    Posts
    6,946
    Thank Post
    709
    Thanked 553 Times in 368 Posts
    Blog Entries
    3
    Rep Power
    204
    As pointed out if this might even got slightly into legal side then stop (as you could void any use of that evidence by evening touching it). If you have looked at it.

    Stop

    Seal it in envelope sign the seal put in safe. Document in great detail any work you have done so far (I mean to point of I clicked this and then clicked that etc). Then contact LA if your are a state school etc.

    This really is something you should not be doing if this could become a legal case.

    Russ

  15. #15

    Join Date
    Apr 2007
    Location
    York
    Posts
    569
    Thank Post
    11
    Thanked 5 Times in 5 Posts
    Rep Power
    20
    THanks.
    I can't go into detail but I know there is nothing of an illegal nature.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. UKERNA and JANETs' investigation into Skype
    By Dos_Box in forum IT News
    Replies: 4
    Last Post: 12th May 2006, 11:16 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •