RE: Determining if someone copied file to a: drive

From: crazytrain.com (subscribeat_private)
Date: Wed May 30 2001 - 10:47:12 PDT


    Just a quick note here on this thread:
    
    1) A user can set his RECENT folder to any path and folder he/she likes (so 
    the default path of C:\Winnt\Profiles\USERX\Recent   may not be accurate 
    all the time).  This is done within the registry.
    2) A user can set the system such that NO files are 'remembered'.  I.E., 
    they would not appear in the DOCUMENTS listing from the task bar (no matter 
    if path was changed or not).  Again, this is done within the registry and 
    works on NT and 2000 (I have not tried on 9x).
    
    So, if these areas are barren, perhaps look around to see if either the 
    default path was changed and/or the remembered files was set to 0 or not.
    
    thomas
    
    
    
    > Look in the Recent Files information...    which is displayed on the
    > Start -> Documents listing from the Task Bar.
    > 
    > The Recent Documents are also in the folder (which is really what is
    > displayed on the task bar) -
    > C:\Winnt\Profiles\<the profile of interest>\Recent
    > 
    > Hope this helps.  NT does leave a trace of the last few files touched.
    > 
    > ---------------------------------------------------------
    > Michael S Hines                | Phone 765-494-5875
    > Purdue University              | FAX   765-496-1380
    > Management Information         | Email mshinesat_private
    > OS/390 Systems Programmer      | Certifications:
    > 1061 Freehafer Hall            |    CIA, CISA, CFE, CDP
    > West Lafayette, IN 47907-1061  |
    > 
    > 
    > 
    > -----Original Message-----
    > From: phil_curranat_private [mailto:phil_curranat_private]
    > Sent: Tuesday, May 29, 2001 6:38 AM
    > To: forensicsat_private
    > Subject: Determining if someone copied file to a: drive
    > 
    > 
    > I have been tasked to determine if someone has copied a file to the a: drive.
    > My system information is as follows:  NT Workstation, SP6a, auditing is NOT
    > on.
    > 
    > Without auditing turned on, is there a method I can use to determine if a
    > user copied files to the floppy drive (a:)?  I am not aware of any way to
    > do this.  Any help is greatly appreciated.
    > 
    > v/r
    > 
    > Phil Curran
    > 
    > 
    > 
    > 
    > 
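The check suggested at the top of this message, as an added example that is not part of the original thread: it reads the text of a registry export of the user's hive and reports whether the Recent folder was moved or recent-document history was switched off. The thread names no registry values; the `Shell Folders` `Recent` value, the `NoRecentDocsHistory` policy value, the function names and the sample export are assumptions made for this example.

```python
import re

# Constructed sample: text of a regedit export of one user's hive (not from the thread).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal"="C:\\WINNT\\Profiles\\userx\\Personal"
"Recent"="D:\\Temp\\r"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecentDocsHistory"=dword:00000001
'''

# Assumed locations of the two settings; the thread only says "within the registry".
BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
SHELL_FOLDERS = BASE + r"\Explorer\Shell Folders"
POLICIES = BASE + r"\Policies\Explorer"

def parse_reg(text):
    """Return {key: {value_name: str or int}} (names lowercased) for string and dword values."""
    hive, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            hive.setdefault(key, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or key is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.lower().startswith("dword:"):
            hive[key][name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            hive[key][name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    return hive

def recent_findings(text, profile, system_root=r"C:\Winnt"):
    """List reasons why an empty default Recent folder should not be taken at face value."""
    hive, findings = parse_reg(text), []
    default = "\\".join([system_root, "Profiles", profile, "Recent"])
    actual = hive.get(SHELL_FOLDERS.lower(), {}).get("recent")
    if actual is not None and actual.rstrip("\\").lower() != default.lower():
        findings.append(f"Recent folder relocated to {actual}")
    if hive.get(POLICIES.lower(), {}).get("norecentdocshistory") == 1:
        findings.append("recent-document history disabled by policy value")
    return findings
```

An empty result means neither assumed setting explains a barren Recent folder; a relocated path tells the examiner which folder to inspect instead.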
    



    This archive was generated by hypermail 2b30 : Wed May 30 2001 - 20:38:43 PDT