Monday, 21 July 2008

C:\Documents and Settings\All Users\Application Data\Microsoft\WIA\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}\0000

My current case had a number of, let's say, incriminating photographs stored at this location. I was not sure what the WIA folder was. I have found that WIA is an abbreviation of Windows Image Acquisition and is used to allow graphics software to communicate with imaging hardware.

The {6BDD1FC6-810F-11D0-BEC7-08002BE2092F} part of the path is a class GUID which features in the registry key HKLM\SYSTEM\CurrentControlSet\Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}. Microsoft use this key to store information about installed still image devices. I searched the System registry hive for this class GUID and found that this key contained details of a Trust 360 USB 2.0 SpaceCam. It appears that this webcam has a snapshot button which causes the bundled PhotoImpression software to cache pictures into the WIA folders. The 0000 in the path appears to be used to distinguish the device. If another still image device is used, it would use folder 0001, and so on.

Having checked the registry of a few other boxes I have found references to digital cameras and scanners. Possibly a good source of evidence.

The moral of the story - search your suspect's registry for any strange GUIDs you come across!
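The path-to-registry lookup described above can be scripted. The following is an added example, not code from the original post: it takes a file listing, pulls the class GUID and four-digit device folder out of any WIA cache path, and returns the Class key to examine for each. The function names and sample file names are hypothetical, and it assumes the device folder number matches the device's subkey under the Class key.

```python
import re
from collections import defaultdict

# Class GUID folder followed by a four-digit device folder: ...\WIA\{GUID}\0000\...
WIA_DIR = re.compile(
    r"\\WIA\\(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})\\(\d{4})(?=\\|$)",
    re.IGNORECASE,
)


def class_key(guid, device, select_current=None):
    """Registry key to examine for one WIA cache folder.

    CurrentControlSet only exists on a running system. In an offline SYSTEM
    hive the Select key's "Current" value names the ControlSet00N to use.
    """
    cs = "CurrentControlSet" if select_current is None else f"ControlSet{select_current:03d}"
    return rf"HKLM\SYSTEM\{cs}\Control\Class\{guid.upper()}\{device}"


def triage(paths, select_current=None):
    """Group cached files by the registry key that describes their device."""
    hits = defaultdict(list)
    for path in paths:
        m = WIA_DIR.search(path)
        if m:
            hits[class_key(m.group(1), m.group(2), select_current)].append(path)
    return dict(hits)


# Constructed file listing: the folder from the post plus hypothetical file names.
BASE = r"C:\Documents and Settings\All Users\Application Data\Microsoft\WIA"
GUID = "{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}"
SAMPLE_LISTING = [
    rf"{BASE}\{GUID}\0000\snapshot_a.jpg",
    rf"{BASE}\{GUID.lower()}\0000\snapshot_b.jpg",  # GUID case varies between tools
    rf"{BASE}\{GUID}\0001\scan_a.bmp",              # a second still image device
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Network\readme.txt",
]

if __name__ == "__main__":
    # select_current=1 is a constructed value standing in for Select\Current.
    for key, files in triage(SAMPLE_LISTING, select_current=1).items():
        print(f"{len(files)} file(s) -> {key}")
```
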

2 comments:

Keydet89 said...

Great stuff! What did you find in the Registry with respect to this? Did the software itself have any MRU lists?

Keydet89 said...

Here's a GUID reference:
http://msdn.microsoft.com/en-us/library/bb663135.aspx

Another excellent reference:
How the Windows Image Acquisition Service Stores Images from a USB Camera in Preview
http://support.microsoft.com/kb/286066

Registry Entries for Still Image Devices
http://msdn.microsoft.com/en-us/library/ms791870.aspx