Home > Archive > microsoft.public.certification > April 2004 > pagefile.sys






Author pagefile.sys
elvis

2004-04-22, 3:24 pm

The suspect's machine (Windows XP) was involved in a Yahoo IM chat with our U.C. officers. The chat started at 3:11:10PM and went on until 6:01:21PM. The suspect was arrested at 8:00PM when he arrived at a meeting place. A search warrant was obtained and a computer from a local college was seized. This is where the suspect was chatting from. I have a P2P connection established. And a Yahoo profile site of our U.C. officer visited by the suspect. These timestamps are in the correct time frame of when the chats occurred and are in line with the suspect's BIOS time. However, in the pagefile.sys folder I have found numerous remnants of the chat. The time stamp on the last written and last accessed of the pagefile.sys folder are 8:54:32AM. I am concerned about a defense attorney questioning why these stamps are not in line with time of the chat. I don't see how the timezone of where the Yahoo server would be relevant as the remnants of the chats are being stored in the pagefile.sys folder on the suspect's hard drive. Why wouldn't the time stamp be the same as when the chats were occurring? Please feel free to contact me offline.

Colin Nash [MVP]

2004-04-24, 1:23 am

8:53AM is when he booted up his computer that morning.

Try it on your own computer-- look at what time your pagefile.sys was last
accessed. It will probably be whenever you booted up the system.

(I'm assuming you are following the procedure of making an exact duplicate
of the drive and collecting your data off that and not booting up with the
suspect's drive!! Umm I worked at a police agency for a while... not as an
officer but they showed me stuff )

This does seem a little weird to post here though...


--
Colin Nash
Microsoft MVP
Windows Printing/Imaging/Hardware
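
The check described in the reply above, written out as an added example that is not part of the original thread: it lists each active paging file on a live test machine and shows how far its NTFS timestamps sit from the last boot time. The 10-minute tolerance is an assumption chosen for illustration, and the script is meant for your own system, not for an evidence drive.

```powershell
# Added example: compare paging-file timestamps with the last boot time.
# Run on your own test machine, never against a booted evidence drive.
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$toleranceMinutes = 10   # assumption: how close to boot counts as "set at boot"

Get-CimInstance -ClassName Win32_PageFileUsage | ForEach-Object {
    # Name holds the full path, e.g. C:\pagefile.sys. -Force is required
    # because the file is hidden and flagged as a system file.
    $file = Get-Item -LiteralPath $_.Name -Force
    foreach ($stamp in 'CreationTime', 'LastWriteTime', 'LastAccessTime') {
        $delta = $file.$stamp - $boot
        [pscustomobject]@{
            PageFile        = $file.FullName
            Timestamp       = $stamp
            Value           = $file.$stamp
            LastBoot        = $boot
            MinutesFromBoot = [math]::Round($delta.TotalMinutes, 1)
            NearBoot        = [math]::Abs($delta.TotalMinutes) -le $toleranceMinutes
        }
    }
} | Format-Table -AutoSize

# Last-access updates can be disabled system-wide, which changes what
# LastAccessTime means. Record the setting with the result
# (this may need an elevated prompt).
fsutil behavior query disablelastaccess
```

A row with `NearBoot` set to `True` means that timestamp was set around system start rather than when individual pages were written into the file.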








Andrew K.

2004-04-25, 1:23 pm

i don't trust u.
u are not a cop.
or u are a very stupid cop who should be fired ASAP,
because u posted "closed doors" information here.
or do u wanna say some PD in America doesn't have any MCP for solving this idiot's
problem?



peter walker

2004-04-26, 8:24 am

you're a hardass




Colin Nash [MVP]

2004-04-29, 12:30 am

Still an interesting question though...


"Andrew K." <someone@microsoft.com> wrote in message
news:uDYqsNuKEHA.1120@TK2MSFTNGP11.phx.gbl...
> i don't trust u.
> u are not a cop.
> or u are a very stupid cop who should be fired ASAP,
> because u posted "closed doors" information here.
> or do u wanna say some PD in America doesn't have any MCP for solving this idiot's
> problem?




Copyright 2003 - 2008 examnotes.net