by Thomas Schmittner

Abstract:

This paper deals with two completely unrelated topics under Microsoft Windows, with a main focus on Microsoft Windows XP, MS Windows Vista, MS Windows 7, MS Windows Server 2003 and MS Windows Server 2008. The first part is about the automatic creation of thumbnails when working with images under Windows and the differences between the various Windows versions. It also shows how to restrict the size of these thumbnail caches or how to avoid creating them. This might save disk space and lets you cover your tracks, which is very important in computer forensics. The second part deals with the different timestamps under Windows on an NTFS file system and how they change when performing various actions (create, open, copy, rename, unzip, etc.). Additionally, it shows how a self-written C# program helps collect and analyze this data.
