Friday, January 5, 2007

A New Beginning

Well, here is my first post. I was reading Harlan Carvey's latest Windows IR blog post, took his advice, and am starting this blog. I know I do not have as much knowledge as others in the field and I am still constantly learning, but who knows, maybe I might be able to help one or two individuals; at the very least I will hopefully get better at writing.

What I would like to accomplish with this blog is to pass along knowledge that either I or someone else has gained. If someone else passes the info along to me, expect them to get credit; if there is one thing I hate, it is people passing along an idea and not getting credit for it. I will try to post a couple of times a week but will not make any promises.

How I came up with the title cfed-ttf: I was reading the latest entry on Jesse Kornblum's blog about naming tools and had to come up with something, so cfed is Computer Forensics/Electronic Discovery and ttf is Tips/Tricks and inFo. I tried to be creative, but sometimes it is hard.

Now on to the show (the reason we are here):

Ever wonder what hard drives have been attached to an XP machine? Well, if restore points have been enabled, then wonder no more. There is a file called drivetable.txt under the root restore point directory. This file contains a list of the hard drives that are attached when the computer boots up (from what I can tell so far). Now the cool thing about this is that under each restore point directory there is also a copy of the drivetable.txt file as it was at the time the restore point was taken. Hopefully you can see where I am going with this. Since each restore point is a point in time, you should be able to see when a hard drive was attached and not attached based on the date/time of the restore point, and be able to create a timeline of the hard drives attached to the computer. This works with USB hard drives as well.
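Here is a small script that does the timeline construction described above. It is an added example, not code from the original post, and it makes a few labelled assumptions: each drivetable.txt copy is plain text with one drive per line and whitespace-separated fields; the last field on a line is treated as the volume serial (one of the commenters below reports that is where the serial sits); and when reading from a mounted image, the file's modification time is used as the restore point's time. The sample drive tables embedded in the script are constructed, not copied from a real system.

```python
"""Build a timeline of attached drives from restore point copies of drivetable.txt.

Added example, not the blog author's code. ASSUMPTIONS (labelled below):
  - drivetable.txt is plain text, one drive per line, whitespace-separated fields
  - the last field on each line is the volume serial
  - when read from disk, the file mtime stands in for the restore point time
"""
from __future__ import annotations

from datetime import datetime
from pathlib import Path


def parse_drivetable(text: str) -> dict[str, str]:
    """Map volume serial -> raw line. ASSUMPTION: whitespace-separated fields,
    last field is the volume serial."""
    drives: dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue  # skip blank lines
        drives[fields[-1]] = line.strip()
    return drives


def build_timeline(snapshots):
    """snapshots: list of (label, timestamp, {serial: line}), one per restore point.
    Returns a chronological list of (timestamp, label, event, serial), where event is
    'present' (in the earliest snapshot), 'attached' (new since the previous snapshot)
    or 'removed' (gone since the previous snapshot)."""
    events = []
    previous = None
    for label, when, drives in sorted(snapshots, key=lambda s: s[1]):
        current = set(drives)
        if previous is None:
            events.extend((when, label, "present", s) for s in sorted(current))
        else:
            events.extend((when, label, "attached", s) for s in sorted(current - previous))
            events.extend((when, label, "removed", s) for s in sorted(previous - current))
        previous = current
    return events


def first_last_seen(snapshots):
    """For each serial, the (first, last) restore point timestamps it appears in.
    Useful when a reviewer asks 'between which dates could this drive have been here?'"""
    seen = {}
    for label, when, drives in sorted(snapshots, key=lambda s: s[1]):
        for serial in drives:
            first, _ = seen.get(serial, (when, when))
            seen[serial] = (first, when)
    return seen


def load_from_disk(restore_root):
    """Read RP*/drivetable.txt below a restore point root directory (hypothetical path
    on a mounted image). ASSUMPTION: file mtime approximates the restore point time."""
    snapshots = []
    for rp in sorted(Path(restore_root).glob("RP*")):
        table = rp / "drivetable.txt"
        if table.is_file():
            when = datetime.fromtimestamp(table.stat().st_mtime)
            snapshots.append((rp.name, when, parse_drivetable(table.read_text(errors="replace"))))
    return snapshots


# Constructed sample data standing in for three RP\drivetable.txt copies:
# a USB drive (serial DEADBEEF) is present only in the middle restore point.
SAMPLE = [
    ("RP1", datetime(2007, 1, 1, 9, 0), parse_drivetable(
        "C:\\\t\\Device\\HarddiskVolume1\tNTFS\t1A2B3C4D\n")),
    ("RP2", datetime(2007, 1, 3, 9, 0), parse_drivetable(
        "C:\\\t\\Device\\HarddiskVolume1\tNTFS\t1A2B3C4D\n"
        "E:\\\t\\Device\\HarddiskVolume3\tFAT32\tDEADBEEF\n")),
    ("RP3", datetime(2007, 1, 5, 9, 0), parse_drivetable(
        "C:\\\t\\Device\\HarddiskVolume1\tNTFS\t1A2B3C4D\n")),
]

if __name__ == "__main__":
    for when, label, event, serial in build_timeline(SAMPLE):
        print(f"{when:%Y-%m-%d %H:%M}  {label:4}  {event:8}  {serial}")
    for serial, (first, last) in first_last_seen(SAMPLE).items():
        print(f"{serial}: first {first:%Y-%m-%d}, last {last:%Y-%m-%d}")
```

Keep the limitation in mind when reading the output: each copy of drivetable.txt only reflects drives present at the moment that restore point was taken, so a drive attached and removed between two restore points never appears, and "removed at RP3" really means "no longer present by RP3". Corroborate with other sources before putting a date on it.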

Feedback? Good or bad, who cares; I know I am not always right and I will admit it. If I have to be wrong to learn something, then I can eat a little humble pie.

7 comments:

H. Carvey said...

Mark,

Good to see you blogging!

H

Anonymous said...

Yay a new blog!

Benjamin Wright said...

Mark:
Knowing e-discovery is inevitable, an enterprise can use technology proactively to make its e-records more benign. What do you think? --Ben
http://hack-igations.blogspot.com/2008/05/nix-smoking-gun-e-discovery.html

Unknown said...

Hi Mark,
I was investigating a case for a class I am taking when I found your blog. I found 4 Restore Point drivetable.txt files. All exactly alike. Then there was an additional drivetable.txt file with no restore point associated with it. It had the drive I had been seeking on it. The current configuration does not have that drive on it. What does it all mean?
It should be noted that Windows had been reinstalled just prior to all the RPs.
Also, could you say something about the format? I did find that the volser is the last field in the table, but what are those other pesky fields?


Ryan said...

eDiscovery just keeps getting more and more complex, which is why I leave it up to the professionals, like FTI.