8:53AM is when he booted up his computer that morning.
Try it on your own computer -- look at what time your pagefile.sys was last accessed. It will probably be whenever you booted up the system.

(I'm assuming you are following the procedure of making an exact duplicate of the drive and collecting your data off that and not booting up with the suspect's drive!!)

Umm, I worked at a police agency for a while... not as an officer, but they showed me stuff. This does seem a little weird to post here though...

--
Colin Nash
Microsoft MVP
Windows Printing/Imaging/Hardware

"elvis" <lancepowser(removethis)@yahoo.com> wrote in message news:14582AED-5B14-4CE7-8B3C-...
> The suspect's machine (Windows XP) was involved in a Yahoo IM chat with our U.C. officers. The chat started at 3:11:10PM and went on until 6:01:21PM. The suspect was arrested at 8:00PM when he arrived at a meeting place. A search warrant was obtained and a computer from a local college was seized. This is where the suspect was chatting from.
>
> I have a P2P connection established. And a Yahoo profile site of our U.C. officer visited by the suspect. These timestamps are in the correct time frame of when the chats occurred and are in line with the suspect's BIOS time. However, in the pagefile.sys folder I have found numerous remnants of the chat. The time stamp on the last written and last accessed of the pagefile.sys folder are 8:54:32AM.
>
> I am concerned about a defense attorney questioning why these stamps are not in line with time of the chat. I don't see how the timezone of where the Yahoo server would be relevant as the remnants of the chats are being stored in the pagefile.sys folder on the suspect's hard drive. Why wouldn't the time stamp be the same as when the chats were occurring?
>
> Please feel free to contact me offline.