Re: CD Burner Footprints

From: adam (adamdat_private)
Date: Wed Jan 16 2002 - 15:22:28 PST

Next message: Bruce Fowler: "RE: CD Burner Footprints"

Previous message: Troy Larson: "RE: Hard drive write blocking in Windows"
In reply to: Ed Shirley: "CD Burner Footprints"
Next in thread: Bruce Fowler: "RE: CD Burner Footprints"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If the data was written from the network, theres a good chance he used a
local iso image or the software created a large temp file on the local
hard disk to avoid buffer under runs when writing the CDR. If the layout
was not saved at any point, i would assume that its kept in memory and not
paged out to the disk, but i cant conform this.

Hope it helps

Adam Daniel

Technical Consultant
-----------------------------------------------------------------------
FORENSIC DATA SERVICES PTY LIMITED
http://www.forensicdata.com.au
------------------------------------------------------------------------

On Tue, 15 Jan 2002, Ed Shirley wrote:

> At the moment I am working on a case which is alot
> like most of my work.  I am trying to figure out what
> a termed employee may have burned to CD to take with
> him when he left.  I have gotten lucky before and
> found where the guy had copied the files locally, or
> some other hard-to-miss/hit-you-over-the-head
> situation.
>
> This time, the guy had used NERO and copied it over
> the network.  I don't have alot of cooperation with
> on-site technical personnel on that end, so all I have
> is a the rig that the burner was installed on.  I have
> never worked with Nero either.
>
> It would be extremely helpful if I could find any sort
> of temporary layout file that would list what files
> were burned.  I am sifting through unallocated/slack
> space and may get lucky again.  I am though about 25%
> ofit and it ain't looking good.
>
> If anyone has any suggestions as to where this type of
> info might be hiding, by all means, drop me a line.
>
> Ed
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Send FREE video emails in Yahoo! Mail!
> http://promo.yahoo.com/videomail/
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Bruce Fowler: "RE: CD Burner Footprints"
Previous message: Troy Larson: "RE: Hard drive write blocking in Windows"
In reply to: Ed Shirley: "CD Burner Footprints"
Next in thread: Bruce Fowler: "RE: CD Burner Footprints"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 19:31:51 PST