I had a similar request before to determine if certain intellectual property files had been copied onto a Zip disk. The Zip disk was the d: on the subject system. To make a long story (or long examination...) short, I searched for "d:\" across the entire drive. I found numerous hits in the User.dat file; some of these included the IP files I was seeking. (It was a Win98 system.)

The process of figuring out what made the text entries was less successful. The first thing I did was boot a clone copy of the hard drive and run regedit. I searched for the strings that I had previously found, but received no hits. I even exported the registry to a file and searched it, but again came up empty. I used a hex editor to view the User.dat file and found the strings.

The only conclusion I could come to was that there must be registry "slack". The strings must have been part of the registry at one time, but were no longer an active part. They might have been pointers to most recently accessed files.

Best Regards,
Doug Rehman

Rehman Technology Services, Inc.
Specializing in Computer Forensics and Technology Related Investigations
License A-9800119
Mount Dora, Florida (Orlando Area)
(352)357-0500
http://www.surveil.com
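Added example, not part of the original message: the comparison described above, in Python. It scans the raw bytes of a hive file for strings starting with d:\ and reports those that are absent from a regedit export of the same hive. The function names are hypothetical, the sample bytes and export text are constructed and do not follow the real User.dat layout, and ANSI (single-byte) strings are assumed.

```python
import re

def find_path_strings(raw: bytes, needle: bytes = b"d:\\"):
    """Return (offset, text) for every printable-ASCII run in raw that starts
    with needle (case-insensitive). Works on the raw file, so it also sees
    bytes that are no longer referenced by any live key or value."""
    pattern = re.compile(re.escape(needle) + rb"[\x20-\x7e]*", re.IGNORECASE)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(raw)]

def residual_hits(raw: bytes, export_text: str, needle: bytes = b"d:\\"):
    """Return the raw hits that do not occur anywhere in a regedit export.
    A REGEDIT4 export writes backslashes in string data as a doubled
    backslash, so those are collapsed before comparing."""
    live = export_text.replace("\\\\", "\\").lower()
    return [(off, text) for off, text in find_path_strings(raw, needle)
            if text.lower() not in live]

# Constructed sample: one path that is still a live value and one that
# survives only as leftover bytes. Not a real User.dat record layout.
SAMPLE_RAW = (
    b"\x00\x04\x00a" b"D:\\plans\\live.doc"
    b"\x00\x00\x12\x00" b"d:\\ip\\design_v2.dwg" b"\x00\xff\x01"
)

# Constructed export of the same hive; the key path is hypothetical.
SAMPLE_EXPORT = "\n".join([
    "REGEDIT4",
    "",
    r"[HKEY_CURRENT_USER\Software\Example\RecentDocs]",
    r'"a"="D:\\plans\\live.doc"',
    "",
])

if __name__ == "__main__":
    for offset, text in residual_hits(SAMPLE_RAW, SAMPLE_EXPORT):
        print(f"0x{offset:08x}  {text}  (not in live export)")
```

A hit can run past the end of the original path when the following bytes happen to be printable, so each reported offset should still be checked in a hex editor.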
This archive was generated by hypermail 2b30 : Tue May 29 2001 - 21:11:52 PDT