Forensic Implications

While this method tries to hide activity by isolating it in a throwaway partition and then removing the container, creating and deleting partitions are significant system events, and Windows records several traces of them:

  • Event Logs: Windows often logs volume management operations. Key logs to check include:

    • System Log: Look for events from the Virtual Disk Service (VDS), the partition manager (partmgr), volmgr or Ntfs providers, and for anything surrounding diskpart.exe usage. The exact Event IDs vary between Windows versions, but they relate to volume creation, formatting and deletion. If process-creation auditing is enabled, the Security log additionally records every diskpart.exe launch as Event ID 4688 (New Process Name ends in diskpart.exe).

    • Partition Log (Diagnostic): Applications and Services Logs > Microsoft > Windows > Partition > Diagnostic. Event ID 1006 records disk details, including a copy of the partition table, when a disk is attached or its layout is re-read, so it can show a layout that no longer matches the current disk.

    • Ntfs Log (Operational): Applications and Services Logs > Microsoft > Windows > Ntfs > Operational. Event ID 4 may indicate a volume being mounted or dismounted. Event ID 501 may record journal deletion if the partition was NTFS and its change journal was explicitly deleted before the partition was removed (uncommon). Neither ID proves anything on its own; what matters is a mount followed by a dismount of a volume that no longer exists, inside the window of interest.

  • Disk Management Tools: Simply opening Disk Management (diskmgmt.msc), or running Get-Disk and Get-Partition in PowerShell, may reveal unallocated space where a partition recently existed. Treat a gap as a lead rather than proof: OEM images, shrunk volumes and recovery layouts leave gaps too, so compare against a known-good layout for the same machine, and remember that an adjacent volume can be extended afterwards to absorb the gap.

  • SetupAPI Logs: C:\Windows\INF\setupapi.dev.log records device installation and removal with timestamps, which can include new disk (for example a mounted VHD) or volume (STORAGE\Volume) devices. Each entry is headed by a ">>>  [ ... ]" section line and a ">>>  Section start" timestamp, so sections can be matched against the screenshare time.

  • (Advanced) Low-Level Disk Analysis: Deleting a partition only removes its table entry; the filesystem structures it contained (boot sector, MFT, directory entries) stay in the now-unallocated space until overwritten. Specialised forensic tools that read the raw disk can recover those remnants and, on GPT disks, compare the primary and backup partition tables, but this is typically beyond a standard screenshare.

Finding recent event log entries that show a partition being created and then deleted within a short span, especially when the timestamps line up with gameplay or the screenshare itself, is a strong indicator and warrants closer inspection.
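The following script is an added example, not part of the original guide: it sweeps the sources listed above for one time window and merges them into a single timeline so that partition creation, mounting, dismounting and deletion can be lined up against the screenshare. It assumes an elevated PowerShell on the machine being examined, that the window is supplied by the operator (it defaults to the last three hours), that Security 4688 entries only exist if process-creation auditing is enabled, and that the Ntfs/Operational IDs 4 and 501 are the ones the guide mentions and are hints rather than hard indicators. The 1 MB gap threshold and the provider/header regexes are the author's choices, not Windows constants.

```powershell
# Added example (not from the original guide). Run elevated. Assumptions are marked below.
param(
    [datetime]$Start = (Get-Date).AddHours(-3),   # assumption: default window is the last 3 hours
    [datetime]$End   = (Get-Date)
)

# Get-WinEvent throws when nothing matches or the channel is missing; return an empty list instead.
function Get-EventsSafe([hashtable]$Filter) {
    try { @(Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop) } catch { @() }
}

$window = @{ StartTime = $Start; EndTime = $End }

# 1. Partition/Diagnostic 1006: disk details plus a copy of the partition table.
$partDiag = Get-EventsSafe (@{ LogName = 'Microsoft-Windows-Partition/Diagnostic'; Id = 1006 } + $window)

# 2. Ntfs/Operational IDs named in the guide (treated as hints only).
$ntfs = Get-EventsSafe (@{ LogName = 'Microsoft-Windows-Ntfs/Operational'; Id = @(4, 501) } + $window)

# 3. System log entries from the volume-management stack (provider regex is an assumption).
$system = Get-EventsSafe (@{ LogName = 'System' } + $window) |
    Where-Object { $_.ProviderName -match 'vds|VirtualDisk|partmgr|volmgr|Ntfs|disk' }

# 4. diskpart.exe launches via Security 4688; empty unless process-creation auditing is on.
$diskpart = Get-EventsSafe (@{ LogName = 'Security'; Id = 4688 } + $window) |
    Where-Object { $_.Message -match 'diskpart\.exe' }

# 5. Current layout: unallocated gaps larger than 1 MB (threshold is an assumption).
#    Gaps alone are not proof; compare with a known-good layout for the same machine.
$gaps = foreach ($disk in Get-Disk) {
    $cursor = 0L
    $parts = Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue | Sort-Object Offset
    foreach ($p in $parts) {
        if (([long]$p.Offset - $cursor) -gt 1MB) {
            [pscustomobject]@{ Disk = $disk.Number; GapStartMB = [int]($cursor / 1MB); GapSizeMB = [int](([long]$p.Offset - $cursor) / 1MB) }
        }
        $cursor = [long]$p.Offset + [long]$p.Size
    }
    if (([long]$disk.Size - $cursor) -gt 1MB) {
        [pscustomobject]@{ Disk = $disk.Number; GapStartMB = [int]($cursor / 1MB); GapSizeMB = [int](([long]$disk.Size - $cursor) / 1MB) }
    }
}

# 6. setupapi.dev.log: keep sections inside the window whose header names a disk or volume device.
$setupapi = @()
$header = $null
foreach ($line in Get-Content "$env:windir\INF\setupapi.dev.log" -ErrorAction SilentlyContinue) {
    if ($line -match '^>>>\s+\[(.+)\]') { $header = $Matches[1]; continue }
    if ($line -match '^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})') {
        $ts = [datetime]::ParseExact($Matches[1], 'yyyy/MM/dd HH:mm:ss.fff', $null)
        if ($ts -ge $Start -and $ts -le $End -and $header -match 'DISK|Volume|GenDisk') {
            $setupapi += [pscustomobject]@{ Time = $ts; Source = 'setupapi.dev.log'; Detail = $header }
        }
    }
}

# Merge everything into one timeline so creation/mount/dismount/deletion can be read in order.
function Add-Timeline([string]$Source, $Events, [scriptblock]$Detail) {
    foreach ($e in $Events) { [pscustomobject]@{ Time = $e.TimeCreated; Source = $Source; Detail = (& $Detail $e) } }
}
$timeline = @(
    Add-Timeline 'Partition/Diagnostic' $partDiag { param($e) "EID $($e.Id)" }
    Add-Timeline 'Ntfs/Operational'     $ntfs     { param($e) "EID $($e.Id)" }
    Add-Timeline 'System'               $system   { param($e) "$($e.ProviderName) EID $($e.Id)" }
    Add-Timeline 'Security'             $diskpart { param($e) 'diskpart.exe started (4688)' }
) + $setupapi

"Window: $Start -> $End"
$timeline | Sort-Object Time | Format-Table Time, Source, Detail -AutoSize
"Unallocated gaps > 1 MB:"
$gaps | Format-Table -AutoSize
```

Read the timeline top to bottom: a Partition/Diagnostic or System entry followed within minutes by Ntfs mount and dismount events, a diskpart.exe launch, and then a gap in the current layout is the sequence the guide describes. Any one of these on its own is routine; the ordering and the overlap with the screenshare window are what make it suspicious.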
