video forensics

We have a potential internal investigation whereby somebody is accused of watching inappropriate videos in works time. They suspect the videos were on either a USB pen drive, or on the users phone which was then attached to their windows 7 enterprise laptop. Would there be any obvious places to look for evidence to support if they did indeed watch such material? If so, can any pointers be provided? or is it a case of if the videos themselves were not saved locally on the laptop (i.e. were only ever on the USB drive and/or phone), there will be no real pointers of such activity taking place. I assume there wouldnt be an actual copy of the actual video played via USB/Phone stored locally on the machine itself?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Norm DickinsonGuruCommented:
Depending upon the viewer software used, there may be a recently used file list or possibly temporary files created in the playback process. Also data recovery software could potentially pull up deleted files. However, it might be a better use of resources to implement a group policy moving forward that prevents access of USB devices or various other sources or file types, as the availability of these devices on an enterprise machine gives a user potential access to company data that should not be available to copy.
As Norm said, you might find evidence of filenames played in the registry. I'd start with MRU (Most Recently Used) entries for any installed video players. You also might find similar evidence in shellbag entries, which store detailed information about the folders used on a machine, even if those folders are no longer accessible on the machine, as with folders that were accessed on an external device. It's possible to extract and parse shellbag entries and see the entire folder structure on a thumbdrive that was once connected to the machine. Lots of info out there on these shellbags, and several freebie apps to deal with them.

You can also carve for video files. I've found them before in pagefile, hiberfil, and memory dumps, even though they were never stored to a local drive.

Good luck!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
pma111Author Commented:
can you recommend any free tools for the registry and shellbag analysis. There used to be one called regripper for registry stuff, but shellbags is something new.
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

pma111Author Commented:
Which registry hive would store MRU records for video players in, is this ntuser.dat?
Yes, MRU entries will be in the NTUSER.DAT hive for that particular user.

Regripper is still around and will be great for the MRU extraction.

You can get sbag for the shellbags here:
pma111Author Commented:
Looks like sbag is commercial as when I try to run it states licence expired. Can only really see media player installed on the machine, looks like they user hooked up a sony smartphone/tablet, and somehow viewed a video stored on that device via the laptop... reg ripper doesnt return any MRU results "Fri Aug 14 09:19:37 2015: Software\Microsoft\MediaPlayer\Player\RecentFileList not found"..
Here's another shellbag tool that's even easier to use:

Shellbag Explorer

And here's a Prefetch parser you should also use:


Prefetch analysis might show you another media player that was run that you're unaware of.

I should have said this earlier, but will say it now:  If this is something that has the potential to end up in litigation or other legal proceedings, you should abandon all efforts immediately and bring in a pro to preserve the integrity of the evidence.
pma111Author Commented:
no it isn't something that will end up with legal proceedings
pma111Author Commented:
will give prefetech view a go, any idea how much data is records, i.e. how far it goes back for? Can you copy files from an image and run them through the software or is it only meant for running on a live system?
You can run it against files extracted from an image, or a live OS. To run it against extracted files, just copy out the entire Prefetch folder under the Windows folder, then point the tool at the extracted folder.

Too many variables to say how far back prefetch analysis will take you. Sometimes way back, sometimes not so much. The good news is it's easy to run and easy to understand.
pma111Author Commented:
Looks like I get about 9 days worth on my test windows 7 laptop..
pma111Author Commented:
:Looks like you can copy a file from an image, i.e. C:\windows\Prefetch\
One .pf file contains the prefetch records for one app. That's why you want to copy out the entire folder, so you can see all of them at once in the table that WinPrefetchView generates.
pma111Author Commented:
ok thanks
pma111Author Commented:
aside from windows media player, are there any other common video players you have come across in your investigations, especially those that by default would load up/play videos from attached tablets/smartphones (on windows 7 devices), these are corporate machines where nobody has any admin rights, so its not like the users would be installing non standard applications? if its of any use the attached device is probably sony xperia which I think run android from 2010 onwards.
The most common media players I see are Windows Media Player, QuickTime, and VLC (from VideoLan). As an anecdotal observation, the more techno-savvy a user is, the more likely I am to see VLC. It's a freeware player that's quite powerful and known to be able to play almost anything.
I know the question is closed, but here's a selection of utilities that would help you or other users to nail somebody's ass to the wall for the purposes of confronting an employee and gaining a full admission when shown the evidence.  It's always better to have several sources of evidence that all show a history or pattern of inappropriate activity, because it helps to kill off any lame defence about erroneous results from one program or source, or "it wasn't me", or "the window just popped up".  They are not full-blown forensic utilities and wouldn't stand up in court, but their results are great for getting confessions during employee interrogation. (browser search strings - can be revealing) (alternative to Windows search) (shortcuts in the "recent" folder) (file > open or file > save history) (as it says) (various, including the last two) (explained on page) (explained on page) (get useful info from images copied to PC) (identify which devices are/were connected) (identify which devices are/were connected)

The ones listed above will all work in Windows 7, with some having been updated to run in Windows 8, 8.1 and 10.

They are all from here
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Digital Forensics

From novice to tech pro — start learning today.