Emailing Adult Material

1. Connect OnScene Investigator
   
   
   
   
2. Perform email search
   
   
   
   
3. Copy email files such as, outlook.pst, inbox.mdb, note.nsf and other relevant files
   
   
   
   
4. Open email files and search for images
   
   
   
5. Check the folders in \Local Settings\Temporary Internet Files\Content.Outlook (or Content.MSO) 
   
   
   
   
6. If evidence is found create an image of the drive to an external USB hard drive
   
   
   
   

1. Connect OnScene Investigator
   
   
   
   
2. Open hard drive and browse to
   Internet Explorer -[username]\Local Settings\Temporary Internet Files\Content.IE5
   Mozilla - \Documents and Settings\[username]\Local Settings\Application Data\Mozilla\Firefox\Profiles\[profilename]\Cache
   
   
   
3. Set OnScene Investigator to thumbnail view  and search for incriminating images
   
   
   
   
4. Perform browser history search using OnScene LHF to create a report on the users internet history
   
   
   
   
5. If evidence is found create an image of the drive to an external USB hard drive
   

   
   
    
   

IP (Intellectual Property) Theft

1. Connect OnScene Investigator
   
   
   
   
2. Search for keywords that match the data theft
   
   
   
   
3. Check for links to hotmail, gmail, yahoo mail and other various webmail access
   
   
   
   
4. Check the cache for getmsg{#}, compose, gmail, inboxlight[#] cached page
   
5. Check the folders in \Local Settings\Temporary Internet Files\Content.Outlook for documents viewed in Outlook
   
   
   
   
6. If evidence is found, create an image of the drive to an external USB hard drive
   
   
   
   

 Cyber-Stalking/Harrasment

1. Connect OnScene Investigator
   
   
   
   
2. Perform email search
   
   
   
   
3. Copy email files such as, outlook.pst, inbox.mdb, note.nsf and other relevant files
   
   
   
   
4. Open the copy of outlook.pst and search for incriminating emails
   
   
   
   
5. Perform browser history search using OnScene LHF to create a report on the users internet history
   
   
   
   
6. Check for access to hotmail, gmail, yahoo mail and other various webmail access
   
   
   
   
7. Check the cache for getmsg, compose, gmail, inboxlight cached page
   
   
   
   
8. Check the folders in \Local Settings\Temporary Internet Files\Content.Outlook for documents viewed in Outlook
   
   
   
   
9. Open hard drive with Windows explorer
   
   
   
   
10. Navigate to Content.IE and view cache as thumbnails to search for incriminating images (eg, pictures of victim)
    
    
    
    
11. If evidence is found create an image of the drive to an external USB hard drive
    
    
    
    

 Data Misuse (corporate crime)

1. Connect OnScene Investigator
   
   
   
   
2. Perform email search
   
   
   
   
3. Copy email files such as, outlook.pst, inbox.mdb, note.nsf  and other relevant files
   
   
   
   
4. Open outlook.pst and search for incriminating emails
   
   
   
   
5. Perform search for common document types (Word, Excel, Quickbooks, etc)
   
   
   
   
6. Check if .lnk files are available that point to the stolen data being copied to or from a removable drive
   
   
   
   
7. Copy files to investigator’s computer and/or create an image of the drive to an external USB hard drive.
   
   
   
   
   

 Using Peer-to-Peer clients

1. Connect OnScene Investigator
   
   
   
   
2. Search for P2P applications
3. Check common download folders
   
   
   
   
4. <Perform search for common download file types
   
   
   
   
    
5. If files are found, open with Windows explorer, check contents of downloaded files
   
   
   
   
6. If evidence is found, create an image of the drive to an external USB hard drive