Images opened from an Android device


Posted: Thu Oct 11, 2018 1:42 pm

I have been doing some basic testing on attaching an Android phone (Samsung Galaxy S7) to a Windows 7 machine via USB cable, navigating to the camera directory on the phone and opening a few images (JPG), to help educate myself on where Windows artefacts show evidence of that activity occurring. I reviewed the thumbcache db files in the Explorer directory, LNK files and jump lists, and also ran RegRipper over ntuser.dat (what I thought would be the obvious areas), and I can't see evidence of the files being opened anywhere. The LNK shortcuts did show that I opened the camera directory but not the image files I opened. Any idea why this could be, or any other artefacts that I could check? System hive analysis and certain evtx logs show the USB entry fine; it's just puzzling why the system seems to have missed evidence that I opened numerous JPEGs from the camera directory. I have set an image of the hard drive running and will run a keyword search of the filenames (images I opened) to see where else may capture evidence they were opened.

I did notice only one file in the thumbcache directory had a modified date of a similar time, but the free utility I found for viewing them claims it's not a valid file. Similar tests of a standard USB storage device do list the file names in the usual places, but for some reason those opened on an Android phone are not as clumsy in leaving traces behind.

cb122
Newbie
 
 
  

Re: Images opened from an Android device

Posted: Fri Oct 12, 2018 4:12 am

I did get a hit in WebCacheV01.dat and UsrClass.dat

cb122
Newbie
 
 
