The simple solution is to do a file search on all file contents for the word NERO. You will be sure that the word appears somewhere in any log or cache file used by the product (vendors just love banners!). Hopefully this should highlight any log or temporary files still on the disk. -----Original Message----- From: Piehl, Curby A. [mailto:cpiehlat_private] Sent: Thursday, 17 January 2002 08:43 To: 'Ed Shirley'; forensicsat_private Subject: RE: CD Burner Footprints if i recall correctly (i'd have to go home to check for sure, that won't be for a while :( ) NERO makes a log file as it burns, and it gives you a prompt asking what you want to do with it... "Save" "Print" or "Discard" ... and Murphy should be able to tell you that the default is "Discard". If your lucky, your sifting of the void area might give you something, if the log was paged from RAM to disk or something, but the chances of that being intact are slim to none. I guess it depends on how much and how long the machine was used after the ex-emp did his thing. Good luck... Curby -----Original Message----- From: Ed Shirley [mailto:thewthrmanat_private] Sent: Tuesday, January 15, 2002 8:33 AM To: forensicsat_private Subject: CD Burner Footprints At the moment I am working on a case which is alot like most of my work. I am trying to figure out what a termed employee may have burned to CD to take with him when he left. I have gotten lucky before and found where the guy had copied the files locally, or some other hard-to-miss/hit-you-over-the-head situation. This time, the guy had used NERO and copied it over the network. I don't have alot of cooperation with on-site technical personnel on that end, so all I have is a the rig that the burner was installed on. I have never worked with Nero either. It would be extremely helpful if I could find any sort of temporary layout file that would list what files were burned. I am sifting through unallocated/slack space and may get lucky again. I am though about 25% ofit and it ain't looking good. If anyone has any suggestions as to where this type of info might be hiding, by all means, drop me a line. Ed __________________________________________________ Do You Yahoo!? Send FREE video emails in Yahoo! Mail! http://promo.yahoo.com/videomail/ ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 19:32:53 PST