In my last post I talked a little bit about the IDTEMP folder, which appears only when a user is logged into IDrive. After conducting further tests, I have found that there are more files generated in this folder based on certain actions performed in IDrive, which you can see in the image below.
 |
| IDTEMP Folder Artifacts |
Outfile_Authlist.txt
I talked a little bit about the “Outfile_Authlist.txt” file in my last post, but I have found more information about this file in my update.
This file is generated after viewing the restore tab in IDrive. This file is updated every time a user opens
the contents of a folder in the restore tab.
For instance, if the user is navigating through to the Pictures folder
(PC_NAME\C\Users\username\Pictures\), the last folder that the user selected,
will show up in this file as fname. Within
this file, an investigator will find a list of file(s)/folder(s) that are
currently selected in the backup window to be restored. The investigator will also find specific
details about these file(s)/folder(s) such as: the item type, directory (D) or
file (F), size, file version, modification time, whether or not there is a
thumbnail associated with the file, and the full name (fname) of the
files/folders that are currently active in the restore window. For files, an investigator can also view the
file size and the file version of the file.
 |
| Outfile_Authlist.txt |
OutputFile_Delete.txt
The
“OutputFile_Delete.txt” file is generated after deleting files from the IDrive
backup set. Within this file, an
investigator will find a detailed list about the files that were deleted from
the IDrive backup set. These files will
contain details about the type of operation performed (item op=”deleted”), the
file name and path of the file(s)/folder(s) deleted (fname), and the total
number of items that were deleted.
 |
| OutputFile_Delete.txt |
OutputFile_Search.txt
The
“OutputFile_Search.txt” file is generated after a user views the contents of
the IDrive trash. Within this file, an
investigator will find a detailed list about the files that are currently in
the trash. The contents of this file
include: the last modification time, the size, the file version, whether or not
the file(s)/folder(s) are in the trash, the reference ID number, the filename
and path, and the total number of items located within the trash.
 |
| OutputFile_Search.txt |
OutputFile_MTO.txt
The
“OutputFile_MTO.txt” file is generated after a user moves delete files from the
IDrive trash to their original location in the backup set. This file contains similar data to the
“OutputFile_Delete.txt” file. An
investigator will see that the files were moved successfully (item op=”moved
successfully”), the filename and path of the file(s)/folder(s) being moved
(fname), and the total number of items moved.
 |
| OutputFile_MTO.txt |
No comments:
Post a Comment