The ntuser-dat-Report.txt file generated from the NTUSER.dat Hive file sections of interest

listsoft v.20080324
List the contents of the Software key in the NTUSER.DAT hive file, in order by LastWrite time.

Fri Oct 1 14:17:01 2010Z  Microsoft
Thu Sep 30 17:31:02 2010Z  Adobe
Thu Sep 30 17:11:22 2010Z  Macromedia
Fri Sep 17 17:53:34 2010Z  JavaSoft
Fri Sep 17 16:45:11 2010Z  OpenOffice.org
Fri Sep 17 16:44:32 2010Z  Netscape
Fri Sep 17 16:41:34 2010Z  VB and VBA Program Settings
Fri Sep 17 16:38:34 2010Z  HardDriveEraser
Fri Sep 17 15:54:05 2010Z  WinRAR SFX
Fri Sep 17 15:40:39 2010Z  Google
Fri Sep 17 15:39:09 2010Z  ALWIL Software
Fri Sep 17 15:39:09 2010Z  MozillaPlugins
Thu Sep 16 15:47:44 2010Z  AppDataLow
Thu Sep 16 15:38:24 2010Z  Policies

MountPoints2
Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
LastWrite Time Fri Oct 1 13:59:32 2010 (UTC)

Remote Drives:

Volumes:
  Fri Oct 1 14:07:43 2010 (UTC)
    {e8fee801-cd63-11df-b483-001d6005034b}
  Fri Oct 1 11:49:56 2010 (UTC)
    {c8274d68-ccac-11df-9d0d-001d6005034b}
  Thu Sep 30 17:04:48 2010 (UTC)
    {c8274d6f-ccac-11df-9d0d-001d6005034b}
  Mon Sep 20 18:48:20 2010 (UTC)
    {c21c3b82-c1b4-11df-8520-806e6f6e6963}
    {c21c3b83-c1b4-11df-8520-806e6f6e6963}
    {c21c3b84-c1b4-11df-8520-806e6f6e6963}
    {c21c3b85-c1b4-11df-8520-806e6f6e6963}
  Mon Sep 20 18:27:50 2010 (UTC)
    {aaa8f891-c4e4-11df-ba4f-806e6f6e6963}
    {aaa8f892-c4e4-11df-ba4f-806e6f6e6963}
  Fri Sep 17 17:00:36 2010 (UTC)
    {c21c3b74-c1b4-11df-8520-806e6f6e6963}
  Thu Sep 16 15:46:44 2010 (UTC)
    {c21c3b70-c1b4-11df-8520-806e6f6e6963}
    {c21c3b71-c1b4-11df-8520-806e6f6e6963}

Drives:
  Thu Sep 30 16:26:03 2010 (UTC) - Z
  Thu Sep 16 15:38:27 2010 (UTC) - CPC

Analysis Tip: Correlate the Volume entries to those found in the MountedDevices entries that begin with "\??\Volume".

RecentDocs
**All values printed in MRUList\MRUListEx order.
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
LastWrite Time Fri Oct 1 14:34:10 2010 (UTC)
  6 = Answers
  41 = filelist.txt
  37 = 301 File Data Examination Challenge
  35 = 301 – Encrypted Device Image.doc
  40 = TrueCrypt Keypassword.txt
  43 = AllfilesDIRfilelist.txt
  42 = afnetfilesDIR.txt
  18 = Keypass.txt
  5 = System and Security
  38 = Passwords.txt
  39 = Documents
  32 = 301 – File Data Examination.doc
  36 = Keypass.rtf
  34 = files
  33 = forensics (1).pdf
  28 = 201 File Data Examination Challenge - Copy
  31 = 201 File Data Examination Challenge
  27 = 201 – File Data Examination.doc
  30 = 401 Shadow Volume Challenge
  29 = 401 - Shadow Volume Challenge.doc
  26 = *.txt
  25 = letter.doc Metadata Information.txt
  19 = 2011 DF Challenge Data (D:)
  24 = eula.1028.txt
  21 = IMAGES
  23 = self made.jpg
  22 = Images with NO Metadata.rtf
  20 = Data Exam Images with Metadata.txt
  17 = New Text Document.txt
  0 = Appearance and Personalization
  16 = SppGroupCache
  15 = RP13
  14 = change.log
  4 = Docs
  13 = Prgs
  12 = dcfldd-1.3.4.x86win32.zip
  8 = Obfuscating the path to forensic examination.odt
  9 = Hard Drive Eraser.odt
  11 = Artifacts Direct, indirect Computer Forensics- Antiforensics_net.htm
  10 = BH2005-Catch_Me_If_You_Can.ppt
  1 = Network and Internet
  7 = All Control Panel Items
  3 = Homegroup PW.xps
  2 = HomeGroup

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc
LastWrite Time Fri Oct 1 11:53:56 2010 (UTC)
MRUListEx = 3,2,0,1
  3 = 301 – Encrypted Device Image.doc
  2 = 301 – File Data Examination.doc
  0 = 201 – File Data Examination.doc
  1 = 401 - Shadow Volume Challenge.doc

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.htm
LastWrite Time Fri Sep 17 16:52:16 2010 (UTC)
MRUListEx = 0
  0 = Artifacts Direct, indirect Computer Forensics- Antiforensics_net.htm

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg
LastWrite Time Thu Sep 30 16:31:50 2010 (UTC)
MRUListEx = 0
  0 = self made.jpg

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.log
LastWrite Time Tue Sep 21 13:41:25 2010 (UTC)
MRUListEx = 0
  0 = change.log

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.odt
LastWrite Time Fri Sep 17 17:44:04 2010 (UTC)
MRUListEx = 0,1
  0 = Obfuscating the path to forensic examination.odt
  1 = Hard Drive Eraser.odt

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf
LastWrite Time Thu Sep 30 17:31:32 2010 (UTC)
MRUListEx = 0
  0 = forensics (1).pdf

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.ppt
LastWrite Time Fri Sep 17 16:52:06 2010 (UTC)
MRUListEx = 0
  0 = BH2005-Catch_Me_If_You_Can.ppt

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.rtf
LastWrite Time Thu Sep 30 17:44:12 2010 (UTC)
MRUListEx = 1,0
  1 = Keypass.rtf
  0 = Images with NO Metadata.rtf

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt
LastWrite Time Fri Oct 1 14:34:10 2010 (UTC)
MRUListEx = 8,7,0,9,2,6,5,4,3,1
  8 = filelist.txt
  7 = TrueCrypt Keypassword.txt
  0 = AllfilesDIRfilelist.txt
  9 = afnetfilesDIR.txt
  2 = Keypass.txt
  6 = Passwords.txt
  5 = letter.doc Metadata Information.txt
  4 = eula.1028.txt
  3 = Data Exam Images with Metadata.txt
  1 = New Text Document.txt

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xps
LastWrite Time Thu Sep 16 15:47:14 2010 (UTC)
MRUListEx = 0
  0 = Homegroup PW.xps

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip
LastWrite Time Fri Sep 17 17:53:40 2010 (UTC)
MRUListEx = 0
  0 = dcfldd-1.3.4.x86win32.zip

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
LastWrite Time Fri Oct 1 14:34:10 2010 (UTC)
MRUListEx = 16,17,4,18,15,12,14,13,11,9,10,0,8,7,3,6,1,5,2
  16 = Answers
  17 = 301 File Data Examination Challenge
  4 = System and Security
  18 = Documents
  15 = files
  12 = 201 File Data Examination Challenge - Copy
  14 = 201 File Data Examination Challenge
  13 = 401 Shadow Volume Challenge
  11 = *.txt
  9 = 2011 DF Challenge Data (D:)
  10 = IMAGES
  0 = Appearance and Personalization
  8 = SppGroupCache
  7 = RP13
  3 = Docs
  6 = Prgs
  1 = Network and Internet
  5 = All Control Panel Items
  2 = HomeGroup

UserAssist
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
LastWrite Time Thu Sep 16 15:39:37 2010 (UTC)

{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
Fri Oct 1 14:34:10 2010 Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\NOTEPAD.EXE (19)
Fri Oct 1 14:31:16 2010 Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\cmd.exe (13)
Fri Oct 1 13:59:53 2010 Z
  Microsoft.AutoGenerated.{935761F8-94E4-FFA7-A8C0-F1AB2CDEC750} (2)
Fri Oct 1 11:51:59 2010 Z
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\OpenOffice.org 3\program\\swriter.exe (6)
Fri Oct 1 11:12:10 2010 Z
  TrueCryptFoundation.TrueCrypt (5)
Thu Sep 30 17:40:15 2010 Z
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\OpenOffice.org 3\program\swriter.exe (5)
Thu Sep 30 17:06:28 2010 Z
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Windows NT\Accessories\WORDPAD.EXE (2)
Thu Sep 30 16:55:50 2010 Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\rundll32.exe (2)
Thu Sep 30 16:52:13 2010 Z
  Microsoft.Windows.MediaCenter (15)
Thu Sep 30 16:52:03 2010 Z
  Microsoft.Windows.MediaPlayer32 (1)
Thu Sep 30 16:18:36 2010 Z
  Chrome (2)
Thu Sep 30 16:11:44 2010 Z
  C:\Users\Wolfe\Downloads\TrueCrypt Setup 7.0a.exe (1)
Fri Sep 17 18:30:25 2010 Z
  Microsoft.InternetExplorer.Default (12)
Fri Sep 17 17:11:01 2010 Z
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Evidence Eliminator\Ee.exe (2)
Fri Sep 17 17:05:24 2010 Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\SystemPropertiesProtection.exe (2)
Fri Sep 17 16:58:27 2010 Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\recdisc.exe (1)
Fri Sep 17 16:54:43 2010 Z
  C:\Users\Wolfe\Documents\timestomp.exe (1)
Fri Sep 17 16:54:34 2010 Z
  C:\Users\Wolfe\Documents\slacker.exe (1)
Fri Sep 17 16:52:15 2010 Z
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Internet Explorer\iexplore.exe (1)
Fri Sep 17 16:49:18 2010 Z
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\OpenOffice.org 3\program\\simpress.exe (1)
Fri Sep 17 16:43:25 2010 Z
  D:\OOo_3.2.1_Win_x86_install-wJRE_en-US.exe (1)
Fri Sep 17 16:39:38 2010 Z
  D:\Prgs\EvidenceEliminator-6.01.exe (1)
Fri Sep 17 16:38:42 2010 Z
  D:\Prgs\ew_demo.exe (1)
Fri Sep 17 16:38:25 2010 Z
  D:\Prgs\HardDriveEraser.exe (1)
Fri Sep 17 15:55:53 2010 Z
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Porn Terminator\Proof_concept.exe (3)
Fri Sep 17 15:54:01 2010 Z
  D:\Prgs\PornTerminator(Demo).exe (2)
Fri Sep 17 15:31:29 2010 Z
  D:\Prgs\setup_av_free.exe (1)
Thu Sep 16 19:12:13 2010 Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\control.exe (1)
Thu Sep 16 15:37:50 2010 Z
  Microsoft.Windows.GettingStarted (14)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\calc.exe (12)
  Microsoft.Windows.StickyNotes (11)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\SnippingTool.exe (10)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\mspaint.exe (9)
  Microsoft.Windows.RemoteDesktop (8)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\magnify.exe (7)
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Games\Solitaire\solitaire.exe (6)

{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}
Fri Oct 1 14:31:16 2010 Z
  {9E3995AB-1F9C-4F13-B827-48B24B6C7174}\TaskBar\Command Prompt.lnk (5)
Fri Oct 1 13:59:53 2010 Z
  C:\Users\Wolfe\Desktop\Computer Management.lnk (1)
Fri Oct 1 11:12:10 2010 Z
  C:\Users\Public\Desktop\TrueCrypt.lnk (5)
Fri Oct 1 11:06:28 2010 Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Administrative Tools\Computer Management.lnk (1)
Thu Sep 30 17:06:28 2010 Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Wordpad.lnk (1)
Thu Sep 30 16:52:13 2010 Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Media Center.lnk (15)
Thu Sep 30 16:52:03 2010 Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Windows Media Player.lnk (1)
Thu Sep 30 16:18:36 2010 Z
  C:\Users\Public\Desktop\Google Chrome.lnk (2)
Tue Sep 21 13:40:14 2010 Z
  C:\Users\Wolfe\Desktop\cmd - Shortcut.lnk (8)
Mon Sep 20 10:22:17 2010 Z
  C:\Users\Wolfe\Desktop\Processes - Shortcut.lnk (4)
Fri Sep 17 18:30:25 2010 Z
  {9E3995AB-1F9C-4F13-B827-48B24B6C7174}\TaskBar\Internet Explorer.lnk (12)
Fri Sep 17 17:11:01 2010 Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Evidence Eliminator\Evidence Eliminator.lnk (2)
Fri Sep 17 16:58:27 2010 Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Maintenance\Create Recovery Disc.lnk (1)
Fri Sep 17 15:55:53 2010 Z
  C:\Users\Public\Desktop\Porn Terminator Demo.lnk (3)
Thu Sep 16 19:12:13 2010 Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Maintenance\Backup and Restore Center.lnk (1)
Thu Sep 16 15:37:50 2010 Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Welcome Center.lnk (14)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Calculator.lnk (12)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Sticky Notes.lnk (11)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Snipping Tool.lnk (10)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Paint.lnk (9)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Remote Desktop Connection.lnk (8)
  {A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Accessories\Accessibility\Magnify.lnk (7)
  ::{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\{00D8862B-6453-4957-A821-3D98D74C76BE} (6)

Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
LastWrite Time Fri Oct 1 11:02:31 2010 (UTC)
LastEnum : 0,{c21c3b70-c1b4-11df-8520-806e6f6e6963}
  {aaa8f891-c4e4-11df-ba4f-806e6f6e6963} [Mon Sep 20 18:29:41 2010] (UTC) NukeOnDelete 0
  {aaa8f892-c4e4-11df-ba4f-806e6f6e6963} [Mon Sep 20 18:29:41 2010] (UTC) NukeOnDelete 0
  {c21c3b70-c1b4-11df-8520-806e6f6e6963} [Thu Sep 30 16:09:22 2010] (UTC) NukeOnDelete 0
  {c21c3b71-c1b4-11df-8520-806e6f6e6963} [Fri Oct 1 14:33:57 2010] (UTC) NukeOnDelete 0
  {c21c3b81-c1b4-11df-8520-806e6f6e6963} [Tue Sep 21 13:39:47 2010] (UTC) NukeOnDelete 0
  {c8274d6f-ccac-11df-9d0d-001d6005034b} [Thu Sep 30 16:31:20 2010] (UTC) NukeOnDelete 0

Software\Microsoft\Windows\CurrentVersion\Run
LastWrite Time Fri Sep 17 16:41:38 2010 (UTC)
  Evidence Eliminator -> C:\Program Files\Evidence Eliminator\EEStartupLauncher.exe

The SAM-Report.txt file generated from the SAM hive file sections of interest

User Information
-------------------------
Username        : Wolfe [1000]
Full Name       :
User Comment    :
Account Type    : Default Admin User
Account Created : Thu Sep 16 15:38:15 2010 Z
Password Hint   : what it is
Last Login Date : Fri Oct 1 13:58:22 2010 Z
Pwd Reset Date  : Thu Sep 16 15:38:15 2010 Z
Pwd Fail Date   : Thu Sep 30 18:26:41 2010 Z
Login Count     : 21
  --> Password does not expire
  --> Password not required
  --> Normal user account

Username        : Master of Disaster [1003]
Full Name       : Master of Disaster
User Comment    :
Account Type    : Custom Limited Acct
Account Created : Thu Sep 30 18:02:18 2010 Z
Last Login Date : Fri Oct 1 10:58:21 2010 Z
Pwd Reset Date  : Never
Pwd Fail Date   : Never
Login Count     : 3
  --> Password does not expire
  --> Normal user account

The Security-Report.txt file from the Security hive had no relevant information

Microsoft\Windows NT\CurrentVersion\ProfileList
LastWrite Time Thu Sep 30 18:05:03 2010 (UTC)

Path      : C:\Users\Wolfe
SID       : S-1-5-21-2454118320-1537452945-2807297798-1000
LastWrite : Fri Oct 1 14:34:56 2010 (UTC)
LoadTime  : Thu Jan 1 00:00:00 1970 (UTC)

Path      : C:\Users\Master of Disaster
SID       : S-1-5-21-2454118320-1537452945-2807297798-1003
LastWrite : Fri Oct 1 11:00:59 2010 (UTC)
LoadTime  : Thu Jan 1 00:00:00 1970 (UTC)

Uninstall
Microsoft\Windows\CurrentVersion\Uninstall

Thu Sep 30 17:17:36 2010 (UTC)
  Adobe Reader 9.3.4 v.9.3.4
Thu Sep 30 17:15:11 2010 (UTC)
  Times Reader v.2.054
  Times Reader v.2.054
Thu Sep 30 17:14:02 2010 (UTC)
  Adobe AIR v.2.0.3.13070
  Adobe AIR v.2.0.3.13070
Thu Sep 30 17:12:40 2010 (UTC)
  McAfee Security Scan Plus v.2.0.181.2
Thu Sep 30 16:41:33 2010 (UTC)
  Google Chrome v.6.0.472.63
Thu Sep 30 16:12:03 2010 (UTC)
  TrueCrypt v.7.0a
Fri Sep 17 17:56:06 2010 (UTC)
  Java Auto Updater v.2.0.2.4
Fri Sep 17 17:55:23 2010 (UTC)
  Java(TM) 6 Update 21 v.6.0.210
Fri Sep 17 17:55:01 2010 (UTC)
  {26A24AE4-039D-4CA4-87B4-2F83216021FB}
Fri Sep 17 16:45:11 2010 (UTC)
  OpenOffice.org 3.2 v.3.2.9502
Fri Sep 17 16:39:57 2010 (UTC)
  Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 v.9.0.21022
Fri Sep 17 15:36:45 2010 (UTC)
  Google Update Helper v.1.2.183.23
Fri Sep 17 15:36:38 2010 (UTC)
  avast! Free Antivirus v.5.0.677.0
Fri Sep 17 15:36:13 2010 (UTC)
  Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 v.9.0.30729.4148
Fri Sep 17 15:34:00 2010 (UTC)
  Adobe Flash Player 10 ActiveX v.10.1.82.76
Fri Sep 17 15:33:56 2010 (UTC)
  Google Toolbar for Internet Explorer v.1.0.0
Fri Sep 17 15:33:55 2010 (UTC)
  Google Toolbar for Internet Explorer
Fri Sep 17 10:29:57 2010 (UTC)
  Microsoft Silverlight v.4.0.50826.0
Thu Sep 16 17:06:54 2010 (UTC)
  DXM_Runtime
  MPlayer2
Tue Jul 14 04:41:12 2009 (UTC)
  AddressBook
  Connection Manager
  DirectDrawEx
  Fontcore
  IE40
  IE4Data
  IE5BAKEX
  IEData
  MobileOptionPack
  SchedulingAgent
  WIC

App Paths
Microsoft\Windows\CurrentVersion\App Paths

Thu Sep 30 17:17:26 2010 (UTC)
  AcroRd32.exe [C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe]
Fri Sep 17 17:55:23 2010 (UTC)
  javaws.exe [C:\Program Files\Java\jre6\bin\javaws.exe]
Fri Sep 17 16:45:10 2010 (UTC)
  sbase.exe [C:\Program Files\OpenOffice.org 3\program\sbase.exe]
  scalc.exe [C:\Program Files\OpenOffice.org 3\program\scalc.exe]
  sdraw.exe [C:\Program Files\OpenOffice.org 3\program\sdraw.exe]
  simpress.exe [C:\Program Files\OpenOffice.org 3\program\simpress.exe]
  smath.exe [C:\Program Files\OpenOffice.org 3\program\smath.exe]
  soffice.exe [C:\Program Files\OpenOffice.org 3\program\soffice.exe]
  swriter.exe [C:\Program Files\OpenOffice.org 3\program\swriter.exe]
  unopkg.exe [C:\Program Files\OpenOffice.org 3\program\unopkg.exe]
Fri Sep 17 15:39:03 2010 (UTC)
  chrome.exe [C:\Program Files\Google\Chrome\Application\chrome.exe]
Fri Sep 17 15:36:32 2010 (UTC)
  AvastUI.exe [C:\Program Files\Alwil Software\Avast5\AvastUI.exe]
Thu Sep 16 18:05:03 2010 (UTC)
  cmmgr32.exe []
  IEXPLORE.EXE [C:\Program Files\Internet Explorer\IEXPLORE.EXE]
Tue Jul 14 07:51:40 2009 (UTC)
  dvdmaker.exe [%ProgramFiles%\DVD Maker\dvdmaker.exe]
  Journal.exe [%ProgramFiles%\Windows Journal\Journal.exe]
  mip.exe [%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe]
  SnippingTool.exe [%SystemRoot%\system32\SnippingTool.exe]
  TabTip.exe [%CommonProgramFiles%\microsoft shared\ink\TabTip.exe]
Tue Jul 14 04:41:12 2009 (UTC)
  install.exe []
  migwiz.exe []
  mplayer2.exe [%ProgramFiles%\Windows Media Player\wmplayer.exe]
  pbrush.exe [%SystemRoot%\System32\mspaint.exe]
  PowerShell.exe [%SystemRoot%\system32\WindowsPowerShell\v1.0\PowerShell.exe]
  setup.exe []
  sidebar.exe ["%ProgramFiles%\Windows Sidebar\sidebar.exe"]
  table30.exe []
  wab.exe [%ProgramFiles%\Windows Mail\wab.exe]
  wabmig.exe [%ProgramFiles%\Windows Mail\wabmig.exe]
  wmplayer.exe [%ProgramFiles%\Windows Media Player\wmplayer.exe]
  WORDPAD.EXE ["%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE"]
  WRITE.EXE ["%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE"]

The System-Report.txt file from the system file hive sections of interest

mountdev v.20080324
Get MountedDevices key information from the System hive file.

MountedDevices
LastWrite time = Fri Oct 1 13:59:13 2010Z

\DosDevices\C:
  Drive Signature = 10 15 63 cb
\??\Volume{c21c3b6f-c1b4-11df-8520-806e6f6e6963}
  Drive Signature = 10 15 63 cb
\??\Volume{c21c3b70-c1b4-11df-8520-806e6f6e6963}
  Drive Signature = 10 15 63 cb
\??\Volume{c21c3b71-c1b4-11df-8520-806e6f6e6963}
  Drive Signature = 47 ee 93 c6
\??\Volume{c21c3b81-c1b4-11df-8520-806e6f6e6963}
  Drive Signature = 1b 8d 8e 4e
\DosDevices\D:
  Drive Signature = 47 ee 93 c6
\DosDevices\G:
  Drive Signature = 47 c3 dc fc
\??\Volume{aaa8f891-c4e4-11df-ba4f-806e6f6e6963}
  Drive Signature = 47 c3 dc fc
\??\Volume{aaa8f892-c4e4-11df-ba4f-806e6f6e6963}
  Drive Signature = 47 c3 dc fc

Device: \??\IDE#CdRomSONY_DVD_RW_DRU-840A____________________SS00____#5&20f2915f&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
  \??\Volume{c21c3b74-c1b4-11df-8520-806e6f6e6963}
  \DosDevices\F:

Device: _??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0000000025&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
  \??\Volume{c8274d68-ccac-11df-9d0d-001d6005034b}

Device: _??_USBSTOR#Disk&Ven_Generic&Prod_USB_SD_Reader&Rev_1.00#058F00016378&2#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
  \??\Volume{c21c3b84-c1b4-11df-8520-806e6f6e6963}
  \DosDevices\J:

Device: \??\FDC#GENERIC_FLOPPY_DRIVE#5&2a92a121&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
  \??\Volume{c21c3b75-c1b4-11df-8520-806e6f6e6963}
  \DosDevices\A:

Device: _??_USBSTOR#Disk&Ven_Generic&Prod_USB_CF_Reader&Rev_1.01#058F00016378&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
  \??\Volume{c21c3b82-c1b4-11df-8520-806e6f6e6963}
  \DosDevices\H:

Device: _??_USBSTOR#Disk&Ven_Memorex&Prod_TD_Classic_003B&Rev_PMAP#0778102C0441&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
  \DosDevices\E:
  \??\Volume{e8fee801-cd63-11df-b483-001d6005034b}

Device: TrueCryptVolumeZ
  \??\Volume{c8274d6f-ccac-11df-9d0d-001d6005034b}
  #{7207c3bf-cd4c-11df-a8cf-001d6005034b}

Device: _??_USBSTOR#Disk&Ven_Generic&Prod_USB_xD#SM_Reader&Rev_1.02#058F00016378&3#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
  \??\Volume{c21c3b85-c1b4-11df-8520-806e6f6e6963}
  \DosDevices\K:

Device: _??_USBSTOR#Disk&Ven_Generic&Prod_USB_MS_Reader&Rev_1.03#058F00016378&1#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
  \??\Volume{c21c3b83-c1b4-11df-8520-806e6f6e6963}
  \DosDevices\I:

IDE
ControlSet001\Enum\IDE
LastWrite Time Fri Oct 1 06:39:27 2010 (UTC)

CdRomSONY_DVD_RW_DRU-840A____________________SS00____ [Fri Oct 1 06:39:27 2010]
  5&20f2915f&0&0.0.0 [Fri Oct 1 13:57:54 2010 (UTC)]
    FriendlyName : SONY DVD RW DRU-840A ATA Device

DiskST31500341AS____________________________CC1H____ [Fri Oct 1 06:39:27 2010]
  5&3003bd5e&0&0.1.0 [Fri Oct 1 06:39:27 2010 (UTC)]
    FriendlyName : ST31500341AS ATA Device

DiskWDC_WD800AAJS-00L7A0____________________01.03E01 [Fri Oct 1 06:39:27 2010]
  5&3003bd5e&0&0.0.0 [Fri Oct 1 13:57:55 2010 (UTC)]
    FriendlyName : WDC WD800AAJS-00L7A0 ATA Device
  5&3003bd5e&0&0.1.0 [Fri Oct 1 06:39:27 2010 (UTC)]
    FriendlyName : WDC WD800AAJS-00L7A0 ATA Device

DiskWDC_WD800JD-22MSA1______________________10.01E01 [Fri Oct 1 06:39:27 2010]
  5&3003bd5e&0&0.0.0 [Fri Oct 1 06:39:27 2010 (UTC)]
    FriendlyName : WDC WD800JD-22MSA1 ATA Device

DevClasses - Disks
ControlSet001\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Fri Oct 1 13:58:04 2010 (UTC)
  DiskWDC_WD800AAJS-00L7A0____________________01.03E01,5&3003bd5e&0&0.0.0
Tue Sep 21 13:39:11 2010 (UTC)
  DiskST31500341AS____________________________CC1H____,5&3003bd5e&0&0.1.0
Mon Sep 20 18:29:10 2010 (UTC)
  DiskWDC_WD800AAJS-00L7A0____________________01.03E01,5&3003bd5e&0&0.1.0
  DiskWDC_WD800JD-22MSA1______________________10.01E01,5&3003bd5e&0&0.0.0

@usbport.inf,%usb\root_hub.devicedesc%;USB Root Hub [ROOT_HUB\4&1c5b443c&0]
  Class : USB
  Service : usbhub
  Mfg : @usbport.inf,%generic.mfg%;(Standard USB Host Controller)

@usbport.inf,%usb\root_hub.devicedesc%;USB Root Hub [ROOT_HUB\4&34aece3e&0]
  Class : USB
  Service : usbhub
  Mfg : @usbport.inf,%generic.mfg%;(Standard USB Host Controller)

@usbport.inf,%usb\root_hub.devicedesc%;USB Root Hub [ROOT_HUB\4&765d3eb&0]
  Class : USB
  Service : usbhub
  Mfg : @usbport.inf,%generic.mfg%;(Standard USB Host Controller)

@usbport.inf,%usb\root_hub.devicedesc%;USB Root Hub [ROOT_HUB\4&e097488&0]
  Class : USB
  Service : usbhub
  Mfg : @usbport.inf,%generic.mfg%;(Standard USB Host Controller)

@usbport.inf,%usb\root_hub20.devicedesc%;USB Root Hub [ROOT_HUB20\4&353844c7&0]
  Class : USB
  Service : usbhub
  Mfg : @usbport.inf,%generic.mfg%;(Standard USB Host Controller)

@usb.inf,%usb\class_09.devicedesc%;Generic USB Hub [VID_0409&PID_005A\5&10ef021e&0&5]
  Class : USB
  Service : usbhub
  Location Information: Port_#0005.Hub_#0005
  Mfg : @usb.inf,%generichub.mfg%;(Generic USB Hub)

HASP HL 3.21 [VID_0529&PID_0001\6&1cf8c0bd&0&4]
  Location Information: Port_#0004.Hub_#0006

@usbstor.inf,%genericbulkonly.devicedesc%;USB Mass Storage Device [VID_058F&PID_0001\058F00016378]
  Class : USB
  Service : USBSTOR
  Location Information: Port_#0006.Hub_#0005
  Mfg : @usbstor.inf,%generic.mfg%;Compatible USB storage device

@usbstor.inf,%genericbulkonly.devicedesc%;USB Mass Storage Device [VID_0951&PID_1603\0000000025]
  Class : USB
  Service : USBSTOR
  Location Information: Port_#0001.Hub_#0006
  Mfg : @usbstor.inf,%generic.mfg%;Compatible USB storage device

@usbstor.inf,%genericbulkonly.devicedesc%;USB Mass Storage Device [VID_12F7&PID_1D00\0778102C0441]
  Class : USB
  Service : USBSTOR
  Location Information: Port_#0001.Hub_#0006
  Mfg : @usbstor.inf,%generic.mfg%;Compatible USB storage device
----------------------------------------

USBStor
ControlSet001\Enum\USBStor

Disk&Ven_Generic&Prod_USB_CF_Reader&Rev_1.01 [Fri Oct 1 06:39:27 2010]
  S/N: 058F00016378&0 [Fri Oct 1 13:58:11 2010]
    FriendlyName : Generic USB CF Reader USB Device

Disk&Ven_Generic&Prod_USB_MS_Reader&Rev_1.03 [Fri Oct 1 06:39:27 2010]
  S/N: 058F00016378&1 [Fri Oct 1 13:58:11 2010]
    FriendlyName : Generic USB MS Reader USB Device

Disk&Ven_Generic&Prod_USB_SD_Reader&Rev_1.00 [Fri Oct 1 06:39:27 2010]
  S/N: 058F00016378&2 [Fri Oct 1 13:58:11 2010]
    FriendlyName : Generic USB SD Reader USB Device

Disk&Ven_Generic&Prod_USB_xD/SM_Reader&Rev_1.02 [Fri Oct 1 06:39:27 2010]
  S/N: 058F00016378&3 [Fri Oct 1 13:58:11 2010]
    FriendlyName : Generic USB xD/SM Reader USB Device

Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00 [Fri Oct 1 06:39:27 2010]
  S/N: 0000000025&0 [Fri Oct 1 11:12:19 2010]
    FriendlyName : Kingston DataTraveler 2.0 USB Device

Disk&Ven_Memorex&Prod_TD_Classic_003B&Rev_PMAP [Fri Oct 1 13:59:11 2010]
  S/N: 0778102C0441&0 [Fri Oct 1 13:59:12 2010]
    FriendlyName : Memorex TD Classic 003B USB Device
----------------------------------------

DevClasses - Disks
ControlSet001\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Fri Oct 1 13:59:12 2010 (UTC)
  Disk&Ven_Memorex&Prod_TD_Classic_003B&Rev_PMAP,0778102C0441&0
Fri Oct 1 13:58:11 2010 (UTC)
  Disk&Ven_Generic&Prod_USB_CF_Reader&Rev_1.01,058F00016378&0
  Disk&Ven_Generic&Prod_USB_MS_Reader&Rev_1.03,058F00016378&1
  Disk&Ven_Generic&Prod_USB_SD_Reader&Rev_1.00,058F00016378&2
  Disk&Ven_Generic&Prod_USB_xD,SM_Reader&Rev_1.02
Fri Oct 1 11:12:19 2010 (UTC)
  Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00,0000000025&0