If a user plugs into a windows 7 machine a smartphone or USB device via USB and views an image on the external device, apart from areas like lnk files and jump lists (and presumably certain registry entries) which will show a file name of the image opened, does windows create any sort of thumbnail on the PC's local drive of the image, or is the best you would ever get the date stamp and file name of the image opened, and not an actual thumbnail of the image itself. The filename in itself isn't of much use, but even a thumbnail of the image would be useful. I am just unsure where exactly on the drive that thumbnail may reside once opened.

Hi,

I am trying to find information or definitions of metadata fields in PDF.
Specifically I am trying to determine how the following field is created

http://ns.adobe.com/pdfx/1.3/            pdfx:SourceModified:D:20180806072738

Please see attached screenshot.  The highlighted orange areas match with the information in Document Properties.

The yellow fields are of interest.  Do these indicate (reliably) that modifications have been made and is the field for the Application used set in stone once the document is created?

I have tried some internet searches and I can t find anything to point me in the right direction.

The purpose is to determine if this document is genuinely from 2004 or recently modified

Many Thanks

I am interested in finding out if a lawyer has manipulated the will of my mother, who has since passed. He sent me a copy of it by email and wondering if there is any way to forensically inspect the document? I saw a previous answer that said you could go into "inspect" the document to detect changes? Please any info appreciated!

Would facebook provide any evidence under any circumstances if copies of a users posts etc were required, and to whom would they release this information, e.g. only law enforcement?

Also if a user deleted a post - would FB be able to prove a post ever existed?

aside from the standard history sql lit db for chrome, and WebCacheV01.dat for IE history files, where else on a windows machine could give clues if a user has accessed a certain webmail service and logged in using a specific email account? I suspect either gmail or hotmail. Just want to rule out any other areas such evidence may reside apart from the obvious browser history locations.

Hi there,
Please can you help me? On my Android Samsung Galxy S6 are stored files under /userdata/data/com.microsoft.office.word/app-EmailAttachments.. So, I know what this files are but I don`t know how the names of the files are generated.
i.e. /app_EmailAttachmentseaa8ac15-baaf-4675-9f6a-9698e54f0108. This file name belongs to a pdf i have sent. What does the string "eaa8ac15-baaf-4675-9f6a-9698e54f0108" in the file name mean?
Thx

Greeting Experts,

I need help locating a software that is able to take a snapshot of a remote computers H/D without the end user knowing it. I have been searching the internet and have not found anything so far. Can somebody recommend software that is able to do this type of function?

OSXPmem version 2.0.1 will successfully dump to AFF4. However, we need RAW. I found references to a -format flag in various blogs but "-format" is not evident in the OSXPmem man page and entering the flag throws errors. OSXPmem is not really designed to dump to RAW but supposedly it is possible. I just can't get it to work.

My AFF4 dumps are around 12 GB. I attempted to convert these AFF4 dumps to RAW using this command:

bash# osxpmem.app/osxpmem -e /dev/pmem -o Memory_Captures/mem.raw Memory_Captures/mem.aff4

Multiple different copies of my AFF4 memcaps converted to new files sized at exactly 2.06 GB and then stalled with “Imaging failed with the error: -8”. Googling this error yields nothing.

There's very little documentation on OSXPmem and virtually zero support. It looks like you can only use OSXPmem dumps with Rekall. Any suggestions appreciated.