I work in a state hospital that houses sexual predators. They have a network of computers that allow them to access the Nexis Lexis web site for legal research only. It is secured by IPFire firewall and Squid proxy and url filter.
The predators do not have individual accounts, but many users use a generic login that is limited to a specific computer. The only way we have to identify who was using a computer at a specific time is to examine video footage to see who was on a specific computer at a specific time.
I found a massive amount of child pornography that has been copied to various folders, either looked at or copied, then the folders deletd. Autopsy finds the orphaned files quite well, but given that we do not have individual accounts for them, I am really in need of the SID that is shown as below:
In a report, preferably with each photo thumbnail as in this picture.
This way we can pinpoint exactly which computer put the files there, and via video of the PC, which predator has the thumbdrive.
I hope these pictures show up, and I hope someone can help.