Keep in mind that some programs (such as printer software) create folders directly on the root of the partition.Ĭory Altheide, Harlan Carvey, in Digital Forensics with Open Source Tools, 2011 Application Support
#Get program files for mac windows#
In Windows Vista and Windows 7, a folder called ProgramData is also located on the root of c: and contains application-specific data for Windows programs such as Media Player and Windows Defender. Finding a program folder in this location, and examining the date-time stamps on the folder and related files, can give an examiner an indication of when the program was installed (i.e., File Created dates) and when the program was last used (i.e., Last Accessed or Last Written dates remember prefetch!). This folder holds files and folders created when an application is installed, and is often used as the location from which a program executes (for example, c:\program files\microsoft office\office12\winword.exe). The first and most obvious location is the c:\program files folder. In addition to prefetch and link (e.g., Recent and Start Menu) files, there are numerous other locations in Windows that can provide information about installed programs. Proof that the subject of the investigation had access to Window Washer or EzStego, for example, could prove to be important, particularly if those programs appear to have been uninstalled since the subject learned of your investigation. The programs installed on an examined system can often have a bearing on an investigation as well. Pittman, Dave Shaver, in Handbook of Digital Forensics and Investigation, 2010 Installed Programs
0 kommentar(er)
