frankwxu / digital-forensics-lab

Free hands-on digital forensics labs for students and faculty
https://github.com/frankwxu/digital-forensics-lab

Wrong inode number used for muicache from usrclass.dat on slide NIST_Data...01_...pptx #11

Open elaOnMars opened 2 years ago

elaOnMars commented 2 years ago

Hi,

I've observed that the muicache sample on slide NIST_Data_Leakage_01_Registry_Correction.pptx uses the wrong inode number (slide 52, last page).

Would it be correct like the following?

```
┌──(root㉿forensiclinux)-[/FORENSIC/lab_data_leaks_Win]
└─# fls -rF -o 206848 cfreds_2015_data_leakage_pc.dd|grep -i usrclass.dat$
r/r 63765-128-3: Users/admin11/AppData/Local/Microsoft/Windows/UsrClass.dat
r/r 13929-128-3: Users/informant/AppData/Local/Microsoft/Windows/UsrClass.dat
r/r 70107-128-3: Users/temporary/AppData/Local/Microsoft/Windows/UsrClass.dat

┌──(root㉿forensiclinux)-[/FORENSIC/lab_data_leaks_Win]
└─# icat -o 206848 cfreds_2015_data_leakage_pc.dd 13929 > usrclass_informant.dat

┌──(root㉿forensiclinux)-[/FORENSIC/lab_data_leaks_Win]
└─# rip.pl -r usrclass_informant.dat -p muicache
Launching muicache v.20200525
muicache v.20200525
(NTUSER.DAT,USRCLASS.DAT) Gets EXEs from user's MUICache key

Software\Microsoft\Windows\ShellNoRoam\MUICache not found.

Local Settings\Software\Microsoft\Windows\Shell\MUICache
LastWrite Time 2015-03-25 15:29:12Z

C:\Windows\system32\WFS.exe (Microsoft Windows Fax and Scan)
C:\Program Files\Internet Explorer\iexplore.exe (Internet Explorer)
C:\Users\informant\Desktop\Download\IE11-Windows6.1-x64-en-us.exe (Internet Explorer 11 Setup utility)
C:\Windows\System32\xpsrchvw.exe (XPS Viewer)
```