RE: CD Burner Footprints

From: Piehl, Curby A. (cpiehlat_private)
Date: Wed Jan 16 2002 - 14:42:44 PST

Next message: Troy Larson: "RE: Hard drive write blocking in Windows"

Previous message: Titus, Jennifer: "Top Ten List!?"
Maybe in reply to: Ed Shirley: "CD Burner Footprints"
Next in thread: William Carty: "Re: CD Burner Footprints"
Next in thread: adam: "Re: CD Burner Footprints"
Reply: William Carty: "Re: CD Burner Footprints"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

if i recall correctly (i'd have to go home to check for sure, that won't be
for a while :( ) NERO makes a log file as it burns, and it gives you a
prompt asking what you want to do with it...

"Save"
"Print"
 or 
"Discard" 

... and Murphy should be able to tell you that the default is "Discard".

If your lucky, your sifting of the void area might give you something, if
the log was paged from RAM to disk or something, but the chances of that
being intact are slim to none.  I guess it depends on how much and how long
the machine was used after the ex-emp did his thing.

Good luck...

Curby
-----Original Message-----
From: Ed Shirley [mailto:thewthrmanat_private]
Sent: Tuesday, January 15, 2002 8:33 AM
To: forensicsat_private
Subject: CD Burner Footprints


At the moment I am working on a case which is alot
like most of my work.  I am trying to figure out what
a termed employee may have burned to CD to take with
him when he left.  I have gotten lucky before and
found where the guy had copied the files locally, or
some other hard-to-miss/hit-you-over-the-head
situation.  

This time, the guy had used NERO and copied it over
the network.  I don't have alot of cooperation with
on-site technical personnel on that end, so all I have
is a the rig that the burner was installed on.  I have
never worked with Nero either.

It would be extremely helpful if I could find any sort
of temporary layout file that would list what files
were burned.  I am sifting through unallocated/slack
space and may get lucky again.  I am though about 25%
ofit and it ain't looking good.

If anyone has any suggestions as to where this type of
info might be hiding, by all means, drop me a line.

Ed



__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Troy Larson: "RE: Hard drive write blocking in Windows"
Previous message: Titus, Jennifer: "Top Ten List!?"
Maybe in reply to: Ed Shirley: "CD Burner Footprints"
Next in thread: William Carty: "Re: CD Burner Footprints"
Next in thread: adam: "Re: CD Burner Footprints"
Reply: William Carty: "Re: CD Burner Footprints"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 17:15:32 PST