Notifications
Clear all

IEF 'Facebook Pictures' in Windows 10, not Facebook images?

3 Posts
2 Users
0 Likes
820 Views
(@beaner46)
Posts: 3
New Member
Topic starter
 

I'm currently examining a Windows 10 machine, IEF has thrown out some images in the 'Facebook Pictures' section but they are full screenshots of all kinds of internet activity and PC setup etc. They don't look like they are in any way related to Facebook. The file paths are \Windows\SysWOW64\aamdata\ss1\ and the file names appear to be dates/times.

Can anyone help me with how they got there?

 
Posted : 21/05/2018 7:53 am
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

I have been using IEF and AXIOM for years. I had a similar issue with a high profile case back in 2014. I called Magnet and spoke to one of their digital forensic consultants. What I learned and what I have seen is, IEF/AXIOM will put artifacts in categories that it believes it belongs in. Then it is up to you, as the digital forensic examiner, to determine if the artifact is valid. IEF/AXIOM errs on the side of abundance in order not to miss anything, but leaves the responsibility to verify the artifact is properly placed/parsed in the hands of the examiner.

As I have heard in classes by Guidance/OpenText instructors, you are the examiner not the software.

I hope this helps. Many times I have seen Magnet employees comment in forums. If I am wrong, I am sure they will correct me. If you reach out to the company, they have always been very helpful in resolving concerns that I have had.

 
Posted : 21/05/2018 1:35 pm
(@beaner46)
Posts: 3
New Member
Topic starter
 

Thanks for your reply, I wasn't going to trust it because the screenshots are obviously not FB related at all but as always, a bit of confirmation from the experts is always good! Back to the drawing board then to figure out how they got there!

Cheers

 
Posted : 21/05/2018 1:51 pm
Share: