AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

AboutDFIR Site Content Update 6/4/22

Surprise, not surprise, I posted the research! 

Informally, I’d like to break down a little more what it could be useful for. App Timeline Provider logs mouse, keyboard, and audio activity for apps that are in focus on Windows 8+ machines. If you have mouse and keyboard activity within an app, you’re validating that the window was “in focus” and that it was interacted with. If you have audio input and audio output, you can say that the user tried to play audio to an output device (speakers/headphones) and allowed the application to access the microphone.

On finding this data, I thought of a recent interview, in a now-resolved case, in which the suspect admitted to downloading the content but not that they’d viewed any of it. Their defense was that they didn’t know what the content was. Going back, I can’t prove that they watched the videos in the folder they downloaded. However, I can show through a timeline that on that date, they only navigated to and downloaded that folder from a file-sharing site and that the media player loaded and played audio output to speakers for a long period of time. I don’t know for sure what files were played but, circumstantially, the timeline is interesting and if I had that data prior to the interview, I may have had more good questions to figure out the truth of the matter.

AboutDFIR stickers are still a thing! If you’re interested in one, please let us know! Here’s what they look like:

I missed National Donut Day (it was yesterday). I hope you didn’t!
Cassie (DFIRDetective)
