Today we will talk about electronic evidence and where you can find it in the files.
1. Windows Searches
Windows Search is a desktop search platform that has instant search capabilities for most common file types and data types, and third-party developers can extend these capabilities to new file types and data types. Because the searches are recorded in temporal order, an analyst can frequently see indications of the user’s thought process as he searched for particular files.
2. File Access
Four of the most useful digital artifacts to identify files opened or attempted to be opened are “LNK” files (pronounced as “link” files), Jump Lists, and several “most recently used” registry keys.
3. LNK files
LNK is a file extension for a shortcut file used by Microsoft Windows to point to an executable file. Shortcut files are used as a direct link to an executable file, instead of having to navigate to the executable. LNK files contain some basic properties, such as the path to the executable file and the “Start-In” directory. LNK files also contain a wealth of information, including the modified, accessed, and created dates and times of the file opened.
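The dates, times and size of the opened file sit at fixed offsets in the first 76 bytes of every LNK file. The Python sketch below is an added example, not part of the original article: it follows the ShellLinkHeader layout in Microsoft's MS-SHLLINK specification, and the function names and the sample header bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader layout per MS-SHLLINK: 76 bytes, little-endian.
HEADER = struct.Struct("<I16sIIQQQIiIH2xII")
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    if ft == 0:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:  # corrupt value beyond the datetime range
        return None

def utc_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def parse_lnk_header(data):
    """Return the target file's timestamps and size recorded in a .lnk header."""
    if len(data) < HEADER.size:
        raise ValueError("truncated: shorter than the 76-byte header")
    (size, clsid, flags, attrs, created, accessed, modified,
     file_size, *_rest) = HEADER.unpack_from(data)
    if size != HEADER.size or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad header size or CLSID")
    return {
        "target_created": filetime_to_utc(created),
        "target_accessed": filetime_to_utc(accessed),
        "target_modified": filetime_to_utc(modified),
        "target_size": file_size,
        "has_link_info": bool(flags & 0x2),        # LinkFlags bit 1
        "target_is_directory": bool(attrs & 0x10),  # FILE_ATTRIBUTE_DIRECTORY
    }

# Constructed sample header (not taken from a real case).
SAMPLE = HEADER.pack(
    HEADER.size, LNK_CLSID, 0x3, 0x20,
    utc_to_filetime(datetime(2023, 3, 1, 9, 15, 0, tzinfo=timezone.utc)),
    utc_to_filetime(datetime(2023, 3, 4, 17, 42, 10, tzinfo=timezone.utc)),
    utc_to_filetime(datetime(2023, 3, 2, 11, 0, 30, tzinfo=timezone.utc)),
    48213, 0, 1, 0, 0, 0)

if __name__ == "__main__":
    for field, value in parse_lnk_header(SAMPLE).items():
        print(f"{field}: {value}")
```

These header timestamps describe the target file as it was when the shortcut was last written; the LNK file's own file-system timestamps are a separate record.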
4. Jump Lists
Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions.
Jump Lists come in multiple flavors:
– automatic (autodest, or *.automaticDestinations-ms) files
– custom (custdest, or *.customDestinations-ms) files
– Explorer StartPage2 ProgramsCache Registry values
As jump lists are essentially compound LNK files, they contain all the same information as LNK files, such as when each file was opened, modified, accessed, and created.
5. Most Recently Used (MRU) Registry Keys
There are several registry keys that track most recently used items. An analysis of these registry keys can help an analyst quickly identify files accessed.
The master RecentDocs key maintains a master list, organized in temporal order of the last 150 files or folders opened. By analyzing the order that particular files were opened, analysts have often been able to refute claims that a single type of file was opened by mistake.
7. Application-Specific Most Recently Used (MRU)
Each application in the Office suite has its own set of “FileMRU” (most recently used files) entries that track the most recently used files and when they were opened.
Windows has some basic dialog boxes that all programs can use when a user opens or saves a file. These file names are saved as part of the “OpenSavePidlMRU” registry key, which is located under the “NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU” registry key.