Warung Bebas

Thursday, 19 March 2009

What did they take when they left? Part 1 - Detecting CD Burning

Dear Reader,

We've been discussing server-level analysis for the last couple of posts, but there is plenty to talk about on the desktop. This will be a multi-part series discussing different artifacts that we can recover that give us provable facts regarding a user's activity. It is easy to speculate about a user's actions from circumstantial data such as access data or related files or DLLs accessed on a system, but it is always better to rely on a repeatable process that creates a specific artifact each time to explain a user's action.


We only do cases that either lead to civil litigation or are in the process of civil litigation (no criminal work). One of our most common requests is the question: before this employee left, did they take any documents with them? There are several places on a system we check to determine if a user has taken a document from the system in some fashion (CD, USB drive, emailed out, printed, etc.), and in this post we will discuss how to determine if a user has burned a CD. If you are examining a Windows XP or Windows Server 2003 image (I have not been able to test this on Vista or Server 2008 yet), then the System event log will contain entries with event IDs 7036 and 7035, generated by the Service Control Manager, whose description contains a string starting with "The IMAPI CD-Burning COM Service". There will be one such set of entries showing the service starting and stopping on each reboot, but any entry not close to a reboot will indicate that a CD is being burned from this system.


An example of a burning entry, yes my machine is named HOSS:

Date | Time | Source | Type | Category | Event ID | User | Computer | Description
12/11/2008 | 3:04:13 PM | Service Control Manager | Information | None | 7036 | N/A | HOSS | The IMAPI CD-Burning COM Service service entered the running state.
12/11/2008 | 3:04:13 PM | Service Control Manager | Information | None | 7035 | NT AUTHORITY\SYSTEM | HOSS | The IMAPI CD-Burning COM Service service was successfully sent a start control.
12/11/2008 | 3:04:22 PM | Service Control Manager | Information | None | 7036 | N/A | HOSS | The IMAPI CD-Burning COM Service service entered the stopped state.

There is one row for each of the IMAPI entries.

If those three entries are not part of a reboot/startup sequence, then you have found a user burning a CD. These entries do not have to be in uninterrupted sequence as you see here, but there should be a start and a stop to show a successful burn. This is not just for CDs burned by Windows directly; third-party applications will also call this service when burning a CD. You can estimate the size of the data burned to the disc by taking the number of minutes spent burning (the time between the start and stop of the service) and multiplying it by the write speed of the CD-ROM drive. This also applies to DVDs.
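The pairing and size estimate described above, as an added example (not code from the original post): it pairs each IMAPI "running" entry with the next "stopped" entry, sets aside pairs that begin shortly after a boot, and computes an upper bound on the data written. Assumptions: a tab-separated export of the System log, event ID 6005 from the EventLog source as the boot marker, a five-minute boot window, and 150 KiB/s as the 1x CD rate; only the 3:04 PM rows come from the HOSS example, the other rows are constructed.

```python
from datetime import datetime, timedelta

# Constructed export (date, time, source, event ID, computer, description); 3:04 PM rows mirror HOSS.
SAMPLE = """\
12/11/2008\t8:01:10 AM\tEventLog\t6005\tHOSS\tThe Event log service was started.
12/11/2008\t8:01:40 AM\tService Control Manager\t7036\tHOSS\tThe IMAPI CD-Burning COM Service service entered the running state.
12/11/2008\t8:01:52 AM\tService Control Manager\t7036\tHOSS\tThe IMAPI CD-Burning COM Service service entered the stopped state.
12/11/2008\t3:04:13 PM\tService Control Manager\t7036\tHOSS\tThe IMAPI CD-Burning COM Service service entered the running state.
12/11/2008\t3:04:13 PM\tService Control Manager\t7035\tHOSS\tThe IMAPI CD-Burning COM Service service was successfully sent a start control.
12/11/2008\t3:04:22 PM\tService Control Manager\t7036\tHOSS\tThe IMAPI CD-Burning COM Service service entered the stopped state.
12/12/2008\t4:10:00 PM\tService Control Manager\t7036\tHOSS\tThe IMAPI CD-Burning COM Service service entered the running state.
12/12/2008\t4:13:00 PM\tService Control Manager\t7036\tHOSS\tThe IMAPI CD-Burning COM Service service entered the stopped state.
"""

IMAPI = "The IMAPI CD-Burning COM Service service"
BOOT_EVENT_ID = 6005                 # assumption: EventLog "service was started" marks a boot
BOOT_WINDOW = timedelta(minutes=5)   # assumption: what counts as "close to a reboot"
CD_1X_KIB_PER_S = 150                # 1x CD data rate (DVD rates differ)

def parse(text):
    rows = []
    for line in text.splitlines():
        date, time, source, event_id, _host, desc = line.split("\t")
        ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p")
        rows.append((ts, source, int(event_id), desc))
    return sorted(rows, key=lambda r: r[0])

def imapi_windows(rows):
    """Pair each 'running' 7036 with the next 'stopped' 7036 and mark pairs that follow a boot."""
    boots = [ts for ts, src, eid, _ in rows if src == "EventLog" and eid == BOOT_EVENT_ID]
    windows, started = [], None
    for ts, src, eid, desc in rows:
        if src != "Service Control Manager" or eid != 7036 or not desc.startswith(IMAPI):
            continue                 # 7035 "start control" rows are not needed for pairing
        if desc.endswith("entered the running state."):
            started = ts
        elif desc.endswith("entered the stopped state.") and started is not None:
            near_boot = any(timedelta(0) <= started - b <= BOOT_WINDOW for b in boots)
            windows.append({"start": started, "stop": ts, "near_boot": near_boot})
            started = None
    return windows

def max_kib(window, write_speed_x):
    """Upper bound on data written: seconds running x drive speed x 150 KiB/s."""
    seconds = (window["stop"] - window["start"]).total_seconds()
    return int(seconds * write_speed_x * CD_1X_KIB_PER_S)

def candidates(text):
    return [w for w in imapi_windows(parse(text)) if not w["near_boot"]]
```

Each returned window is a lead to corroborate with other artifacts, since the update at the end of this post notes that activity other than booting and burning also produces these entries.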


I will not discuss how to determine if a CD was accessed in this post as that is material for Part 2 – What was accessed from external drives.


Update: As per the comments below, more activities than just booting and burning will cause these event log entries to show up. I will be doing some more testing to find a better answer.

The Glycemic Index: A Critical Evaluation

The glycemic index (GI) is a measure of how much an individual food elevates blood sugar when it's eaten. To measure it, investigators feed a person a food that contains a fixed amount of carbohydrate, and measure their blood glucose response over time. Then they determine the area under the glucose curve and compare it to a standard food such as white bread or pure glucose.

Each food must contain the same total amount of carbohydrate, so you might have to eat a big plate of carrots to compare with a slice of bread. You end up with a number that reflects the food's ability to elevate glucose when eaten in isolation. It depends in large part on how quickly the carbohydrate is digested/absorbed, with higher numbers usually resulting from faster absorption.

The GI is a standby of modern nutritional advice. It's easy to believe in because processed foods tend to have a higher glycemic index than minimally processed foods, high blood sugar is bad, and chronically high insulin is bad. Yet many people have criticized the concept.  Why?

Blood sugar responses to carbohydrate-containing foods vary greatly from person to person. For example, I can eat a medium potato and a big slice of white bread (roughly 60 g carbohydrate) with nothing else and only see a modest spike in my blood sugar. I barely break 100 mg/dL and I'm back at fasting glucose levels within an hour and a half. You can see a graph of this experiment here. That's what happens when you have a well-functioning pancreas and insulin-sensitive tissues. Your body shunts glucose into the tissues almost as rapidly as it enters the bloodstream. Someone with impaired glucose tolerance might have gone up to 170 mg/dL for two and a half hours on the same meal.

The other factor is that foods aren't eaten in isolation. Fat, protein, acidity and other factors slow carbohydrate absorption in the context of a normal meal, to the point where the GI of the individual foods becomes much less pronounced.

Researchers have conducted a number of controlled trials comparing low-GI diets to high-GI diets. I've done an informal literature review to see what the overall findings are. I'm only interested in long-term studies (10 weeks or longer), and I've excluded studies using subjects with metabolic disorders such as diabetes.

The question I'm asking with this review is, what are the health effects of a low-glycemic index diet on a healthy normal-weight or overweight person? I found a total of seven studies on PubMed in which investigators varied GI while keeping total carbohydrate about the same, for 10 weeks or longer. I'll present them out of chronological order because they flow better that way.  

One issue with this literature that I want to highlight before we proceed is that most of these studies weren't properly controlled to isolate the effects of GI independent of other factors.  Low GI foods are often whole foods with more fiber, more nutrients, and a higher satiety value per calorie than high GI foods.

Study #1. Investigators put overweight women on a 12-week diet of either high-GI or low-GI foods with an equal amount of total carbohydrate. Both were unrestricted in calories. Body composition and total food intake were the same on both diets. Despite the diet advice aimed at changing GI, the investigators found that both groups' glucose and insulin curves were the same!

Study #2. Investigators divided 129 overweight young adults into four different diet groups for 12 weeks. Diet #1: high GI, high carbohydrate (60%). Diet #2: low GI, high carbohydrate. Diet #3: high GI, high-protein (28%). Diet #4: low GI, high protein. The high-protein diets were also a bit higher in fat. Although the differences were small and mostly not statistically significant, participants on diet #3 improved the most overall in my opinion. They lost the most weight, and had the greatest decrease in fasting insulin and calculated insulin resistance. Diet #2 came out modestly ahead of diet #1 on fat loss and fasting insulin.

Study #3. At 18 months, this is by far the longest trial. Investigators assigned 203 healthy Brazilian women to either a low-GI or high-GI energy-restricted diet. The difference in GI between the two diets was substantial; the high-GI diet was supposed to be double the low-GI diet. This was accomplished by a number of differences between diets, including different types of rice and higher bean consumption in the low-GI group.  Weight loss was a meager 1/3 pound greater in the low-GI group, a difference that was not statistically significant at 18 months. Changes in estimated insulin sensitivity were not statistically significant.

Study #4. The FUNGENUT study. In this 12-week intervention, investigators divided 47 subjects with the metabolic syndrome into two diet groups. One was a high-glycemic, high-wheat group; the other was a low-glycemic, high-rye group. After 12 weeks, there was an improvement in the insulinogenic index (a marker of early insulin secretion in response to carbohydrate) in the rye group but not the wheat group. Glucose tolerance was essentially the same in both groups.

What makes this study unique is they went on to look at changes in gene expression in subcutaneous fat tissue before and after the diets. They found a decrease in the expression of stress and inflammation-related genes in the rye group, and an increase in stress and inflammation genes in the wheat group. They interpreted this as being the result of the different GIs of the two diets.

Further research will have to determine whether the result they observed is due to the glycemic differences of the two diets or something else.

Study #5. Investigators divided 18 subjects with elevated cardiovascular disease risk markers into two diets differing in their GI, for 12 weeks. The low-glycemic group lost 4 kg (statistically significant), while the high-glycemic group lost 1.5 kg (not statistically significant). In addition, the low-GI group ended up with lower 24-hour blood glucose measurements. This study was a bit strange because the high-GI group started off 14 kg heavier than the low-GI group, and the way the data are reported is difficult to understand. Perhaps these limitations, along with the study's incongruence with other controlled trials, are what inspired the authors to describe it as a pilot study.

Study #6. 45 overweight females were divided between high-GI and low-GI diets for 10 weeks. The low-GI group lost a small amount more fat than the high-GI group, but the difference wasn't significant. The low-GI group also had a 10% drop in LDL cholesterol.

Study #7. This was the second-longest trial, at 4 months. 34 subjects with impaired glucose tolerance were divided into three diet groups. Diet #1: high-carbohydrate (60%), high-GI. Diet #2: high-carbohydrate, low-GI. Diet #3: "low-carbohydrate" (49%), "high-fat" (monounsaturated from olive and canola oil). The diet #1 group lost the most weight, followed by diet #2, while diet #3 gained weight. The differences were small but statistically significant. The insulin and triglyceride response to a test meal improved in diet group #1 but not #2. The insulin response also improved in group #3. The high-GI group came out looking pretty good. 

[Update 10/2011: please see this post for a recent example of a 6-month controlled trial including 720 participants that tested the effect of glycemic index modification on body fatness and health markers. It is consistent with the conclusion below.]

Overall, these studies do not support the idea that lowering the glycemic index of carbohydrate foods is useful for weight loss, insulin or glucose control, or anything else besides complicating your life.  I'll keep my finger on the pulse of this research as it expands, but for the time being I don't see the glycemic index per se as a significant way to combat fat gain or metabolic disease.

 
