±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35750
New Yesterday: 1 Visitors: 124

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Locating Screen Saver Log file

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

deano
Newbie
 

Locating Screen Saver Log file

Post Posted: Mar 12, 05 00:03

I am working on a case that involves someone using My Picture Slideshow that is buit into XP to display pics of CP. The pictures have been deleted and have been overwritten. Does anyone know if windows keeps a log file of what was placed into this screen saver or is there a place in the registry that this info may be located. The file name is ssmypics.scr. I am using FTK for forensics. Any help would be appreciated.  
 
  

jamie
Site Admin
 

Re: Locating Screen Saver Log file

Post Posted: Mar 12, 05 18:19

deano,

Just a quick note to say welcome to the Forensic Focus forums.

Kind regards,

Jamie
_________________
Jamie Morris
Forensic Focus
Web: www.forensicfocus.com
Twitter: twitter.com/ForensicFocus
Facebook: www.facebook.com/forensicfocus 
 
  

andy1500mac
Senior Member
 

Re: Locating Screen Saver Log file

Post Posted: Mar 12, 05 18:44

I believe the registry will only contain a pointer to the .scr file in the system32 folder. If the pics have been deleted and overwritten there is always the possibility of pulling some info out of the hidden file thumbs.db (in the folder that would have contained the pics in the first place). This is by default the My Pictures folder when using ssmypics.scr This will not recoup the picture but may be able to provide some valuable information even if the pictures are no longer present.

Keep in mind that the thumbs.db file will only be there if the user selected the thumbnail view as his option in the particular folder that the pics were in.

I have never tried this myself and am not 100% sure what info you will get (names, deletions, modification times..?). You will need some third party software to accomplish this however…

Andrew-  
 
  

Andy
Senior Member
 

Re: Locating Screen Saver Log file

Post Posted: Mar 12, 05 23:48

Thumbs.db files have been disgussed before.  

Last edited by Andy on Aug 04, 05 01:14; edited 1 time in total
 
  

keydet89
Senior Member
 

Re: Locating Screen Saver Log file

Post Posted: Mar 14, 05 12:38

I believe the registry will only contain a pointer to the .scr file in the system32 folder.


The HKEY_USER hive will contain the "pointer" you're refering to...

The key of interest is HKEY_USER\<SID>\Control Panel\Desktop

The value is SCRNSAVE.EXE. The data in this value will point to the .scr file used, regardless of location. The key also contains other values that refer to various screensave (and desktop) settings.

The LastWrite time of the key will tell you when the contents of the key were last modified. However, it will not tell you which value was modified last.

HTH,

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
 

Page 1 of 1