Examined the ntuser.dat file with Willi Ballenthin's shellbag.py script
https://github.com/williballenthin/shellbags
and verified with TZWorks sb64.exe, and found some interesting information about the original locations of the files.
Whilst not something that I can include in my report (the time on the computer was unreliable) it was interesting to note the original location of the files.
Bad guy had placed the files (containing a previously unknown victim) in a directory A, then moved them into a new directory B, then deleted new directory B.
Directory A still had a thumbs.db file which contained the names of the files and, of course, a thumbnail image.
If bad guy had not put the files in directory A, then we would not have found any indication of the files' existence; shellbags would have shown the filenames, but since they weren't particularly indicative they would have been overlooked.