If you want to be sure of unchanged log files, you can use the (privileged) performance log and alerts from w2k & xp.

a) diskperf -YD -YV
b) add to "Trace Logs" a "Sequential Trace File" for "Disk IO" and "File Details" with "Manual Start" and "Stop log after 1 minute".
c) add a 5 seconds triggered alert "\\COMPUTERNAME\Process(nero)\IO_Data_Bytes/sec" > 100000 which starts your "Performance Data Log" as an action.
d) find a way to evaluate the binary logs

Windows will log almost all data transferred by Nero. Enough for evidence.

I didn't test this in detail; if you have managed to use it, please release a small report.

oleg.

> -----Original Message-----
> From: Ed Shirley [mailto:thewthrmanat_private]
> Sent: Tuesday, January 15, 2002 3:33 PM
> To: forensicsat_private
> Subject: CD Burner Footprints
>
>
> At the moment I am working on a case which is a lot
> like most of my work. I am trying to figure out what
> a termed employee may have burned to CD to take with
> him when he left. I have gotten lucky before and
> found where the guy had copied the files locally, or
> some other hard-to-miss/hit-you-over-the-head
> situation.
>
> This time, the guy had used NERO and copied it over
> the network. I don't have a lot of cooperation with
> on-site technical personnel on that end, so all I have
> is the rig that the burner was installed on. I have
> never worked with Nero either.
>
> It would be extremely helpful if I could find any sort
> of temporary layout file that would list what files
> were burned. I am sifting through unallocated/slack
> space and may get lucky again. I am through about 25%
> of it and it ain't looking good.
>
> If anyone has any suggestions as to where this type of
> info might be hiding, by all means, drop me a line.
>
> Ed
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 18:42:28 PST
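
The monitoring idea from steps a) to d) of the reply above, as an added example that is not part of the original post or tested by its author. It assumes a current Windows host with PowerShell, `logman` and `tracerpt` (not the w2k/XP GUI the post describes), an elevated prompt, the counter spelled as Windows exposes it (`IO Data Bytes/sec`), and a hypothetical output folder `C:\Evidence`.

```powershell
# Added example: counter-triggered kernel trace of disk and file activity.
$Counter   = '\Process(nero)\IO Data Bytes/sec'  # counter from step c
$Threshold = 100000                              # bytes/sec, from step c
$Session   = 'NT Kernel Logger'                  # name of the kernel trace session
$OutDir    = 'C:\Evidence'                       # hypothetical output folder

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

while ($true) {
    # Step c: sample the process I/O rate every 5 seconds.
    $sample = Get-Counter -Counter $Counter -SampleInterval 5 -ErrorAction SilentlyContinue
    if (-not $sample) {
        # The process is not running, so the counter instance does not exist.
        Start-Sleep -Seconds 5
        continue
    }
    $rate = $sample.CounterSamples[0].CookedValue
    if ($rate -le $Threshold) { continue }

    # Step b: trace "Disk IO" and "File Details" for one minute.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $etl   = Join-Path $OutDir "nero-$stamp.etl"
    logman start $Session -p 'Windows Kernel Trace' '(disk,file)' -o $etl -ets
    Start-Sleep -Seconds 60
    logman stop $Session -ets

    # Step d: convert the binary trace to CSV so file names can be reviewed.
    $csv = [System.IO.Path]::ChangeExtension($etl, '.csv')
    tracerpt $etl -o $csv -of CSV -y

    # Record hashes at collection time so later changes to the logs are detectable.
    Get-FileHash -Path $etl, $csv -Algorithm SHA256 |
        Export-Csv -Path (Join-Path $OutDir 'hashes.csv') -Append -NoTypeInformation
}
```

Only one kernel trace session can run at a time under this name, so the loop fails to start a trace if another tool already holds it.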