Tweet
Hi,
I have been trying to search and acquire a good and cost effective forensic software and find OSforensics a good candidate with clean and well thought interface.
I immediately jump into it and run a number of test cases.
As you see, running the software to get result is one thing, but to be able to stand by the result and stand the challenge of opposing party is another.
In fact, I got stuck nearly immediately
After installing OSForensics on a window 7 station, I import a test dd disk image into OSForensics and run. The test image is just a windows XP test system.
I wanted to check my findings but do not know where to start. So I go to "Recent Activities" and run it.
Looking at the result, under Most Recently Used -> MS Office-Recent Docs.
I see a list of files with files displayed under many fields such as :
-Items -Activity Type -Path -User -Last Access
One small error I discover here is if I click "open containing file" on any of the document listed, instead of going to the image's directory, it goes to look for my desktop at C: (which is my running system). Not too bad as I understand where it should go anyway.
I noticed the list of "Last Access" time and was rather pleased. The next thing to ask was how did those time stamps come about. I did a right click of the file and realized that it must be from the registry because there was an option for me to "open Registry file". I did that and it went to "Software\Microsoft\Office\12.0\Excel\File MRU" subkey. Under the "File MRU" subkey, I saw the same list of files as listed. But as the subkey "File MRU" could only have one "last write" time stamp, the question here is how did the listed files got their individual "Last Access" time ? The time spread out over many months so they must be obtained from somewhere though I had no clue how the software did it.
Any explanation is much appreciated.
I have been trying to search and acquire a good and cost effective forensic software and find OSforensics a good candidate with clean and well thought interface.
I immediately jump into it and run a number of test cases.
As you see, running the software to get result is one thing, but to be able to stand by the result and stand the challenge of opposing party is another.
In fact, I got stuck nearly immediately
After installing OSForensics on a window 7 station, I import a test dd disk image into OSForensics and run. The test image is just a windows XP test system.
I wanted to check my findings but do not know where to start. So I go to "Recent Activities" and run it.
Looking at the result, under Most Recently Used -> MS Office-Recent Docs.
I see a list of files with files displayed under many fields such as :
-Items -Activity Type -Path -User -Last Access
One small error I discover here is if I click "open containing file" on any of the document listed, instead of going to the image's directory, it goes to look for my desktop at C: (which is my running system). Not too bad as I understand where it should go anyway.
I noticed the list of "Last Access" time and was rather pleased. The next thing to ask was how did those time stamps come about. I did a right click of the file and realized that it must be from the registry because there was an option for me to "open Registry file". I did that and it went to "Software\Microsoft\Office\12.0\Excel\File MRU" subkey. Under the "File MRU" subkey, I saw the same list of files as listed. But as the subkey "File MRU" could only have one "last write" time stamp, the question here is how did the listed files got their individual "Last Access" time ? The time spread out over many months so they must be obtained from somewhere though I had no clue how the software did it.
Any explanation is much appreciated.
Comment