WEBVTT

0:00:09.720000 --> 0:00:14.620000
Let's talk a little bit about temporary files.

0:00:14.620000 --> 0:00:17.140000
So what is a temporary file?

0:00:17.140000 --> 0:00:21.060000
Simply put, temporary files are created by an application or operating

0:00:21.060000 --> 0:00:25.880000
system for a short period of time, with the intent to delete them after

0:00:25.880000 --> 0:00:27.420000
the task is completed.

0:00:27.420000 --> 0:00:31.440000
Temporary files can be used for many things, including autosave or versioning

0:00:31.440000 --> 0:00:36.160000
history. The operating system also uses temporary files to offload

0:00:36.160000 --> 0:00:41.420000
RAM data temporarily, which is called swapping.

0:00:41.420000 --> 0:00:47.080000
Temporary files are intended to be temporary.

0:00:47.080000 --> 0:00:51.140000
Many may be available for analysis at the time of acquisition.

0:00:51.140000 --> 0:00:53.140000
It really kind of depends on what's going on with the system.

0:00:53.140000 --> 0:00:57.620000
And that's sometimes why you see us recommend pull the plug forensics,

0:00:57.620000 --> 0:01:02.920000
because if we were to just walk up to the computer, pull the plug on it,

0:01:02.920000 --> 0:01:05.680000
that's powered down completely and unexpectedly.

0:01:05.680000 --> 0:01:08.840000
And then do forensics on the hard disk, do an acquisition.

0:01:08.840000 --> 0:01:12.880000
We're going to see what temporary files exist at the moment of power off.

0:01:12.880000 --> 0:01:16.180000
And the same thing with that memory swap file.

0:01:16.180000 --> 0:01:21.100000
What happens when we do a clean and orderly shutdown of a computer is

0:01:21.100000 --> 0:01:24.720000
that a lot of times those temporary files might get cleaned up and deleted

0:01:24.720000 --> 0:01:28.820000
when we shut it down or when we boot it back up.

0:01:28.820000 --> 0:01:33.940000
So just realize and think that temporary files are always going in and

0:01:33.940000 --> 0:01:37.300000
out and they're always moving around being created and deleted.

0:01:37.300000 --> 0:01:42.080000
So if you want to include temporary files as part of your forensics, you

0:01:42.080000 --> 0:01:46.080000
may need to do something special such as a live acquisition or pull the

0:01:46.080000 --> 0:01:48.760000
plug forensics to make sure you get those temporary files and get the

0:01:48.760000 --> 0:01:55.700000
right ones. And when we talk about this, these files can be a treasure

0:01:55.700000 --> 0:02:01.560000
trove of evidence, especially since most users don't even know they exist.

0:02:01.560000 --> 0:02:06.740000
The operating system creates so many of them during normal usage and they

0:02:06.740000 --> 0:02:08.500000
don't all get cleaned up.

0:02:08.500000 --> 0:02:12.820000
Many tools out there exist to help you support reading and indexing the