Computer Forensics & Temporary Files

Guest
Archived from groups: microsoft.public.windowsxp.general (More info?)

Attending a computer forensics seminar today, our group was told that
whenever we open a Word file, it creates 4 temporary files. I know of only
two. If this is true, where are the files stored and under what name?

We were also told that users who visit Hotmail or Yahoo type email services,
and those who do not clean out their temporary files, can still have their
emails discovered? I asked if he just meant the websites, and he said no,
that the actual emails can be read. I find this very hard to believe.

Anyone care to shed any light on this?
 
Guest
Archived from groups: microsoft.public.windowsxp.general (More info?)

Open a Word document on your desktop, minimize Word, and then check your
desktop. You'll see a few ghosted files there.

As for the temp files, clear your internet cache, check your Hotmail
account, and then look at the files.

Matt Gibson - GSEC
 
Guest
Archived from groups: microsoft.public.windowsxp.general (More info?)

Description of how Word creates temporary files
http://support.microsoft.com/default.aspx?scid=kb;en-us;211632

%homepath%\Local Settings\Temporary Internet Files\Content.IE5

%homepath%\Local Settings\Temporary Internet Files\Content.IE5\index.dat

The following is copied from
C:\Documents and Settings\Wesley P. Vogel\Local Settings\Temporary Internet Files\Content.IE5\0D2RGTUJ\wbk5EC.tmp
---------------

Description of how Word creates temporary files
http://support.microsoft.com/default.aspx?scid=kb;en-us;211632

--
Hope this helps.  Let us know.

Wes
MS-MVP Windows Shell/User

In news:ulUs4GvkFHA.1244@TK2MSFTNGP10.phx.gbl,
Wayne <wray@hinklaw.com> hunted and pecked:
> Attending a computer forensics seminar today, our group was told that
> whenever we open a Word file, it creates 4 temporary files. I know of only
> two. If this is true, where are the files stored and under what name?
>
> We were also told that users who visit Hotmail or Yahoo type email
> services, and those who do not clean out their temporary files, can still
> have their emails discovered? I asked if he just meant the websites, and
> he said no, that the actual emails can be read. I find this very hard to
> believe.
>
> Anyone care to shed any light on this?

-----------------------------------

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:ulUs4GvkFHA.1244@TK2MSFTNGP10.phx.gbl,
Wayne <wray@hinklaw.com> hunted and pecked:
> Attending a computer forensics seminar today, our group was told that
> whenever we open a Word file, it creates 4 temporary files. I know of only
> two. If this is true, where are the files stored and under what name?
>
> We were also told that users who visit Hotmail or Yahoo type email
> services, and those who do not clean out their temporary files, can still
> have their emails discovered? I asked if he just meant the websites, and
> he said no, that the actual emails can be read. I find this very hard to
> believe.
>
> Anyone care to shed any light on this?
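
The post above shows message text recovered from a `wbk*.tmp` file under `Content.IE5`. As an added example (not part of any post in this thread), this read-only Python sketch walks a copy of such a cache folder and reports which files still hold readable mail-like text; the function names and the search terms are assumptions chosen for illustration.

```python
import os

# Constructed default search terms (lowercase); adjust for the case at hand.
DEFAULT_TERMS = ("hotmail", "yahoo", "subject:", "from:")

def decode_best_effort(raw):
    """Decode cache bytes: Word temp files are often UTF-16, web pages 8-bit."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    # Heuristic: many NUL bytes at odd offsets suggests BOM-less UTF-16LE text.
    if raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def scan_cache(root, terms=DEFAULT_TERMS, max_bytes=2_000_000):
    """Walk a cache tree read-only; return sorted (path, size, matched terms)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "index.dat":  # binary index, not page content
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(max_bytes)
            except OSError:
                continue  # locked or unreadable file: skip it
            text = decode_best_effort(raw).lower()
            found = sorted(t for t in terms if t in text)
            if found:
                hits.append((path, os.path.getsize(path), found))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    # Usage: python scan_cache.py <path to a copy of the Content.IE5 folder>
    for path, size, found in scan_cache(sys.argv[1]):
        print(f"{size:>10}  {', '.join(found):<30}  {path}")
```

Run it against a copy of the folder rather than the live profile, so that file access times on the original are not changed.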
 
Guest
Archived from groups: microsoft.public.windowsxp.general (More info?)

Best way is to download a SysInternals tool called Filemon. You can
capture all disk activity to a log and review. It's pretty interesting to
see what & how files are accessed.
Download & White Paper info here:
http://www.sysinternals.com/Utilities/Filemon.html


"Wayne" <wray@hinklaw.com> wrote in message
news:ulUs4GvkFHA.1244@TK2MSFTNGP10.phx.gbl...
> Attending a computer forensics seminar today, our group was told that
> whenever we open a Word file, it creates 4 temporary files. I know of only
> two. If this is true, where are the files stored and under what name?
>
> We were also told that users who visit Hotmail or Yahoo type email
> services, and those who do not clean out their temporary files, can still
> have their emails discovered? I asked if he just meant the websites, and
> he said no, that the actual emails can be read. I find this very hard to
> believe.
>
> Anyone care to shed any light on this?
>