How Those Pesky Pop-Ups Can Help Your Digital Forensics Case

Digital forensics has been described as explaining what someone was doing at their keyboard. Forensic examiners will look at a variety of files and metadata to walk through every website visited, email drafted, and file touched. I’m going to explain an often overlooked place where we can see what that person at the keyboard was doing with files on a computer.

Have you ever opened a document, made some changes, then attempted to close the document without saving it? You’ll see the pop-up screen asking if you want to save the file. Here is an example of that pop-up.

This is a great reminder because if we didn’t save it, we would lose all the work we just put into it.

There is another benefit to this friendly reminder. That pop-up screen is captured by your computer and stored in a log that your forensics examiner can study. The log is called OAlerts, and It looks like this:

How could this be useful to you? Let’s say the opposing side is claiming their client never knew this file existed. If that file was opened and changed in any way, then closed without saving, it would be logged. That would indicate the user had knowledge of the file.

Even a small change like changing the cell width of an excel spreadsheet or adding then deleting a line in a word document would trigger your computer to think it is a change that needs to be saved. So closing without saving would prompt the pop-up and it would be logged.

There’s more. Some interactions with files that have digital certificates are in the OAlerts log. If you try to open a file on a thumb drive while that thumb drive is not attached, it will be in the OAlerts log. In Outlook, when you move folders you will see a pop-up asking you to confirm the move. This is logged, too.  

When you discuss your matter with your digital forensics professional, let them know what you’re looking for and they’ll know where to look.