diff --git a/Core/src/org/sleuthkit/autopsy/appservices/AutopsyService.java b/Core/src/org/sleuthkit/autopsy/appservices/AutopsyService.java index 3e67e6a442..8102b01e13 100644 --- a/Core/src/org/sleuthkit/autopsy/appservices/AutopsyService.java +++ b/Core/src/org/sleuthkit/autopsy/appservices/AutopsyService.java @@ -90,6 +90,7 @@ public interface AutopsyService { private final Case theCase; private final ProgressIndicator progressIndicator; private volatile boolean cancelRequested; + private final boolean isNewCase; /** * Constructs the context for the creation/opening/upgrading of @@ -100,9 +101,23 @@ public interface AutopsyService { * case-level resources */ public CaseContext(Case theCase, ProgressIndicator progressIndicator) { + this(theCase, progressIndicator, false); + } + + /** + * Constructs the context for the creation/opening/upgrading of + * case-level resources by a service. + * + * @param theCase The case. + * @param progressIndicator A progress indicator for the opening of the + * case-level resources. + * @param isNewCase True if theCase is a new case. + */ + public CaseContext(Case theCase, ProgressIndicator progressIndicator, boolean isNewCase) { this.theCase = theCase; this.progressIndicator = progressIndicator; this.cancelRequested = false; + this.isNewCase = isNewCase; } /** @@ -145,6 +160,16 @@ public interface AutopsyService { public boolean cancelRequested() { return this.cancelRequested; } + + /** + * Indicates whether or the case is a new case in the process of being + * created. + * + * @return True if it is a new case. + */ + public boolean isNewCase() { + return this.isNewCase; + } } /** diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/AddImageTask.java b/Core/src/org/sleuthkit/autopsy/casemodule/AddImageTask.java index 17980cd0cd..a1443bde31 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/AddImageTask.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/AddImageTask.java 
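Review bot: The javadoc added for `isNewCase()` in the third hunk reads "Indicates whether or the case is a new case", which drops a word; make it `Indicates whether or not the case is a new case in the process of being created.` The two-argument `CaseContext` constructor now delegates with `isNewCase` fixed to false, and its javadoc (which starts outside the hunk) does not say so; a sentence such as `Equivalent to the three-argument constructor with isNewCase set to false.` would tell service authors which context they get from callers that have not been updated.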
@@ -132,7 +132,6 @@ class AddImageTask implements Runnable { List errorMessages = new ArrayList<>(); List newDataSources = new ArrayList<>(); try { - currentCase.getSleuthkitCase().acquireSingleUserCaseWriteLock(); synchronized (tskAddImageProcessLock) { if (!tskAddImageProcessStopped) { tskAddImageProcess = currentCase.getSleuthkitCase().makeAddImageProcess(timeZone, true, ignoreFatOrphanFiles, imageWriterPath); @@ -147,7 +146,6 @@ class AddImageTask implements Runnable { commitOrRevertAddImageProcess(currentCase, errorMessages, newDataSources); progressMonitor.setProgress(100); } finally { - currentCase.getSleuthkitCase().releaseSingleUserCaseWriteLock(); DataSourceProcessorCallback.DataSourceProcessorResult result; if (criticalErrorOccurred) { result = DataSourceProcessorResult.CRITICAL_ERRORS; diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/Case.java b/Core/src/org/sleuthkit/autopsy/casemodule/Case.java index e6190cc75f..184a3280b8 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/Case.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/Case.java @@ -1958,7 +1958,7 @@ public class Case { checkForCancellation(); openCaseLevelServices(progressIndicator); checkForCancellation(); - openAppServiceCaseResources(progressIndicator); + openAppServiceCaseResources(progressIndicator, true); checkForCancellation(); openCommunicationChannels(progressIndicator); return null; @@ -2007,7 +2007,7 @@ public class Case { checkForCancellation(); openCaseLevelServices(progressIndicator); checkForCancellation(); - openAppServiceCaseResources(progressIndicator); + openAppServiceCaseResources(progressIndicator, false); checkForCancellation(); openCommunicationChannels(progressIndicator); checkForCancellation(); 
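Review bot: Dropping `acquireSingleUserCaseWriteLock()` from the try block and `releaseSingleUserCaseWriteLock()` from the finally in AddImageTask.run leaves nothing in the code saying where writes to a single-user case database are now serialized; the same removal is made in AddRawImageTask, AddMultipleImagesTask (both hunks) and AddMemoryImageTask later in this diff. If SleuthkitCase now takes that lock itself inside makeAddImageProcess and addImageInfo, record it next to the makeAddImageProcess call, e.g. `// Case DB write locking is handled inside SleuthkitCase; no caller-side lock is needed.`; if it does not, two add-image tasks on a single-user case could write concurrently. The enclosing run method starts and ends outside the hunk.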
@@ -2518,7 +2518,7 @@ public class Case { "# {0} - service name", "Case.serviceOpenCaseResourcesProgressIndicator.cancellingMessage=Cancelling opening case resources by {0}...", "# {0} - service name", "Case.servicesException.notificationTitle={0} Error" }) - private void openAppServiceCaseResources(ProgressIndicator progressIndicator) throws CaseActionException { + private void openAppServiceCaseResources(ProgressIndicator progressIndicator, boolean isNewCase) throws CaseActionException { /* * Each service gets its own independently cancellable/interruptible * task, running in a named thread managed by an executor service, with @@ -2550,7 +2550,7 @@ public class Case { appServiceProgressIndicator = new LoggingProgressIndicator(); } appServiceProgressIndicator.start(Bundle.Case_progressMessage_preparing()); - AutopsyService.CaseContext context = new AutopsyService.CaseContext(this, appServiceProgressIndicator); + AutopsyService.CaseContext context = new AutopsyService.CaseContext(this, appServiceProgressIndicator, isNewCase); String threadNameSuffix = service.getServiceName().replaceAll("[ ]", "-"); //NON-NLS threadNameSuffix = threadNameSuffix.toLowerCase(); TaskThreadFactory threadFactory = new TaskThreadFactory(String.format(CASE_RESOURCES_THREAD_NAME, threadNameSuffix)); diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/services/TagNameDefinition.java b/Core/src/org/sleuthkit/autopsy/casemodule/services/TagNameDefinition.java index 0c65f3c58d..a84367ad22 100755 --- a/Core/src/org/sleuthkit/autopsy/casemodule/services/TagNameDefinition.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/services/TagNameDefinition.java 
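Review bot: The new `isNewCase` parameter on `openAppServiceCaseResources` has no `@param` entry in the hunk, and the method's javadoc (above the messages annotation) starts outside it; add `@param isNewCase True if the case is being created, false if an existing case is being opened.` so services that read `CaseContext.isNewCase()` know which code path sets it. In the second hunk the value is forwarded unchanged into `new AutopsyService.CaseContext(this, appServiceProgressIndicator, isNewCase)`, so the two call sites earlier in this diff (lines 1958 and 2007, passing bare `true` and `false`) are the only source of the flag; a short comment at each, such as `// creating a new case` and `// opening an existing case`, would make the literals readable.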
@@ -57,11 +57,11 @@ final class TagNameDefinition implements Comparable { private static final String TAG_SETTING_VERSION_KEY = "CustomTagNameVersion"; private static final int TAG_SETTINGS_VERSION = 1; - private static final String CATEGORY_ONE_NAME = "CAT-1: Child Exploitation (Illegal)"; - private static final String CATEGORY_TWO_NAME = "CAT-2: Child Exploitation (Non-Illegal/Age Difficult)"; - private static final String CATEGORY_THREE_NAME = "CAT-3: CGI/Animation (Child Exploitive)"; - private static final String CATEGORY_FOUR_NAME = "CAT-4: Exemplar/Comparison (Internal Use Only)"; - private static final String CATEGORY_FIVE_NAME = "CAT-5: Non-pertinent"; + private static final String CATEGORY_ONE_NAME = "Child Exploitation (Illegal)"; + private static final String CATEGORY_TWO_NAME = "Child Exploitation (Non-Illegal/Age Difficult)"; + private static final String CATEGORY_THREE_NAME = "CGI/Animation (Child Exploitive)"; + private static final String CATEGORY_FOUR_NAME = "Exemplar/Comparison (Internal Use Only)"; + private static final String CATEGORY_FIVE_NAME = "Non-pertinent"; private final String displayName; private final String description; @@ -70,6 +70,7 @@ final class TagNameDefinition implements Comparable { private static final Map STANDARD_TAGS_DEFINITIONS = new HashMap<>(); private static final Map PROJECT_VIC_TAG_DEFINITIONS = new HashMap<>(); + private static final List OLD_CATEGORY_TAG_NAMES = new ArrayList<>(); static { STANDARD_TAGS_DEFINITIONS.put(Bundle.TagNameDefinition_predefTagNames_bookmark_text(), new TagNameDefinition(Bundle.TagNameDefinition_predefTagNames_bookmark_text(), "", TagName.HTML_COLOR.NONE, TskData.FileKnown.UNKNOWN)); 
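Review bot: `OLD_CATEGORY_TAG_NAMES` in the second hunk is declared as a mutable `ArrayList` although it is only ever read through `contains` (see the later hunk in this file), so the mutability buys nothing and the static initializer that fills it is spread across two hunks. Every entry is a compile-time constant, so the list can be built immutable at the declaration and the six `add` calls in the static initializer dropped; this needs `java.util.Arrays` and `java.util.Collections` imported if they are not already (the import block is outside the hunk).
```java
private static final List<String> OLD_CATEGORY_TAG_NAMES = Collections.unmodifiableList(Arrays.asList(
        "CAT-1: " + CATEGORY_ONE_NAME,
        "CAT-2: " + CATEGORY_TWO_NAME,
        "CAT-3: " + CATEGORY_THREE_NAME,
        "CAT-4: " + CATEGORY_FOUR_NAME,
        "CAT-5: " + CATEGORY_FIVE_NAME,
        "CAT-0: Uncategorized"));
```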
@@ -81,6 +82,14 @@ final class TagNameDefinition implements Comparable { PROJECT_VIC_TAG_DEFINITIONS.put(CATEGORY_THREE_NAME, new TagNameDefinition(CATEGORY_THREE_NAME, "", TagName.HTML_COLOR.YELLOW, TskData.FileKnown.BAD)); PROJECT_VIC_TAG_DEFINITIONS.put(CATEGORY_FOUR_NAME, new TagNameDefinition(CATEGORY_FOUR_NAME, "", TagName.HTML_COLOR.PURPLE, TskData.FileKnown.UNKNOWN)); PROJECT_VIC_TAG_DEFINITIONS.put(CATEGORY_FIVE_NAME, new TagNameDefinition(CATEGORY_FIVE_NAME, "", TagName.HTML_COLOR.FUCHSIA, TskData.FileKnown.UNKNOWN)); + + OLD_CATEGORY_TAG_NAMES.add("CAT-1: " + CATEGORY_ONE_NAME); + OLD_CATEGORY_TAG_NAMES.add("CAT-2: " + CATEGORY_TWO_NAME); + OLD_CATEGORY_TAG_NAMES.add("CAT-3: " + CATEGORY_THREE_NAME); + OLD_CATEGORY_TAG_NAMES.add("CAT-4: " + CATEGORY_FOUR_NAME); + OLD_CATEGORY_TAG_NAMES.add("CAT-5: " + CATEGORY_FIVE_NAME); + OLD_CATEGORY_TAG_NAMES.add("CAT-0: Uncategorized"); + } /** @@ -115,6 +124,33 @@ final class TagNameDefinition implements Comparable { return strList; } + /** + * Returns the bookmark tag display string. + * + * @return + */ + static String getBookmarkDisplayString() { + return Bundle.TagNameDefinition_predefTagNames_bookmark_text(); + } + + /** + * Returns the Follow Up tag display string. + * + * @return + */ + static String getFollowUpDisplayString() { + return Bundle.TagNameDefinition_predefTagNames_followUp_text(); + } + + /** + * Returns the Notable tag display string. + * + * @return + */ + static String getNotableDisplayString() { + return Bundle.TagNameDefinition_predefTagNames_notableItem_text(); + } + /** * Gets the display name for the tag name. * @@ -300,6 +336,7 @@ final class TagNameDefinition implements Comparable { if (version == null) { String tagsProperty = ModuleSettings.getConfigSetting(TAGS_SETTINGS_NAME, TAG_NAMES_SETTING_KEY); if (tagsProperty == null || tagsProperty.isEmpty()) { + ModuleSettings.setConfigSetting(TAGS_SETTINGS_NAME, TAG_SETTING_VERSION_KEY, Integer.toString(TAG_SETTINGS_VERSION)); return; } 
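Review bot: The three accessors added in the second hunk (`getBookmarkDisplayString`, `getFollowUpDisplayString`, `getNotableDisplayString`) each carry an empty `@return` tag; fill them in, e.g. `@return The localized display name of the Bookmark tag.` and likewise for Follow Up and Notable, since the bundle lookup is the whole reason these exist instead of string constants. In the third hunk, writing `TAG_SETTING_VERSION_KEY` before the early `return` when no custom tags are stored deserves a why-comment, e.g. `// Nothing to migrate, but stamp the current version so this branch is not re-entered on every start.` — that is my reading of the intent; confirm it. The blank line added at the end of the static initializer in the first hunk can go.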
@@ -339,7 +376,8 @@ final class TagNameDefinition implements Comparable { List tagStrings = new ArrayList<>(); List standardTags = getStandardTagNames(); for (TagNameDefinition def : definitions) { - if (!standardTags.contains(def.getDisplayName())) { + if (!standardTags.contains(def.getDisplayName()) && + !OLD_CATEGORY_TAG_NAMES.contains(def.getDisplayName())) { tagStrings.add(def.toSettingsFormat()); } } diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/services/TagsManager.java b/Core/src/org/sleuthkit/autopsy/casemodule/services/TagsManager.java index 8af7cd7efa..565d761b47 100755 --- a/Core/src/org/sleuthkit/autopsy/casemodule/services/TagsManager.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/services/TagsManager.java @@ -1,7 +1,7 @@ /* * Autopsy Forensic Browser * - * Copyright 2011-2018 Basis Technology Corp. + * Copyright 2011-2020 Basis Technology Corp. * Contact: carrier sleuthkit org * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -55,7 +55,7 @@ public class TagsManager implements Closeable { private static final Logger LOGGER = Logger.getLogger(TagsManager.class.getName()); private final SleuthkitCase caseDb; - static String DEFAULT_TAG_SET_NAME = "Project VIC (United States)"; + private static String DEFAULT_TAG_SET_NAME = "Project VIC"; static { 
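Review bot: `DEFAULT_TAG_SET_NAME` in the TagsManager hunk is narrowed to private but left as a non-final static, so the name every lookup compares against can still be reassigned at run time; it is a constant and should read `private static final String DEFAULT_TAG_SET_NAME = "Project VIC";`. The value also changes from "Project VIC (United States)" to "Project VIC", and nothing in this diff renames the tag set already stored in existing case databases, so cases created under the previous name may stop matching the `equals` comparisons in getStandardTagNames and in ImageGalleryController.getCategoryTagSet (which this diff switches from `startsWith` to `equals`) later in the diff. If a migration of the stored name exists elsewhere, a comment at this constant pointing to it would save the next reader the search.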
@@ -184,7 +184,62 @@ public class TagsManager implements Closeable { * @return list of predefined tag names */ public static List getStandardTagNames() { - return TagNameDefinition.getStandardTagNames(); + List tagList = new ArrayList<>(); + + for (TagNameDefinition tagNameDef : TagNameDefinition.getStandardTagNameDefinitions()) { + tagList.add(tagNameDef.getDisplayName()); + } + + try { + List tagSetList = Case.getCurrentCaseThrows().getSleuthkitCase().getTaggingManager().getTagSets(); + for (TagSet tagSet : tagSetList) { + if (tagSet.getName().equals(DEFAULT_TAG_SET_NAME)) { + for (TagName tagName : tagSet.getTagNames()) { + tagList.add(tagName.getDisplayName()); + } + } + } + } catch (NoCurrentCaseException | TskCoreException ex) { + LOGGER.log(Level.SEVERE, "Failed to get Project VIC tags from the database.", ex); + } + + return tagList; + } + + /** + * Returns the name of the Category TagSet. + * + * @return Name of category TagSet. + */ + public static String getCategoryTagSetName() { + return DEFAULT_TAG_SET_NAME; + } + + /** + * Returns the bookmark tag display string. + * + * @return + */ + public static String getBookmarkDisplayString() { + return TagNameDefinition.getBookmarkDisplayString(); + } + + /** + * Returns the Follow Up tag display string. + * + * @return + */ + public static String getFollowUpDisplayString() { + return TagNameDefinition.getFollowUpDisplayString(); + } + + /** + * Returns the Notable tag display string. + * + * @return + */ + public static String getNotableDisplayString() { + return TagNameDefinition.getNotableDisplayString(); } /** diff --git a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/AddRawImageTask.java b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/AddRawImageTask.java index e85f1ac3d5..27e1b75344 100644 --- a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/AddRawImageTask.java +++ b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/AddRawImageTask.java 
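Review bot: `getStandardTagNames` now returns a shorter list whenever `Case.getCurrentCaseThrows()` throws, and it logs that at SEVERE even though `NoCurrentCaseException` is the ordinary state for a static helper called while no case is open; a caller cannot tell "this case has no Project VIC set" from "the set could not be read". Either log the no-case branch below the level used for `TskCoreException`, or state in the javadoc (which starts outside the hunk) that the category names are appended only when a case is open and its database is readable. The inner loop can `break` once the matching set is found, and the three new display-string getters carry empty `@return` tags that should say what they return, e.g. `@return The localized display name of the Bookmark tag.`.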
@@ -146,8 +146,7 @@ final class AddRawImageTask implements Runnable { return; } imageFilePaths.add(imageFilePath); - try { - caseDatabase.acquireSingleUserCaseWriteLock(); + try { /* * Get Image that will be added to case */ @@ -187,9 +186,6 @@ final class AddRawImageTask implements Runnable { errorMessages.add(errorMessage); logger.log(Level.SEVERE, errorMessage, ex); criticalErrorOccurred = true; - } finally { - caseDatabase.releaseSingleUserCaseWriteLock(); } - } } diff --git a/Core/src/org/sleuthkit/autopsy/logicalimager/dsp/AddMultipleImagesTask.java b/Core/src/org/sleuthkit/autopsy/logicalimager/dsp/AddMultipleImagesTask.java index 54bf3590db..bedf15bdae 100644 --- a/Core/src/org/sleuthkit/autopsy/logicalimager/dsp/AddMultipleImagesTask.java +++ b/Core/src/org/sleuthkit/autopsy/logicalimager/dsp/AddMultipleImagesTask.java 
@@ -116,30 +116,25 @@ class AddMultipleImagesTask implements Runnable { * Try to add the input image files as images. */ List corruptedImageFilePaths = new ArrayList<>(); - try { - currentCase.getSleuthkitCase().acquireSingleUserCaseWriteLock(); - progressMonitor.setIndeterminate(true); - for (String imageFilePath : imageFilePaths) { - synchronized (tskAddImageProcessLock) { - if (!tskAddImageProcessStopped) { - addImageProcess = currentCase.getSleuthkitCase().makeAddImageProcess(timeZone, false, false, ""); - } else { - return; - } - } - run(imageFilePath, corruptedImageFilePaths, errorMessages); - commitOrRevertAddImageProcess(imageFilePath, errorMessages, newDataSources); - synchronized (tskAddImageProcessLock) { - if (tskAddImageProcessStopped) { - errorMessages.add(Bundle.AddMultipleImagesTask_cancelled()); - result = DataSourceProcessorResult.CRITICAL_ERRORS; - newDataSources = emptyDataSources; - return; - } + progressMonitor.setIndeterminate(true); + for (String imageFilePath : imageFilePaths) { + synchronized (tskAddImageProcessLock) { + if (!tskAddImageProcessStopped) { + addImageProcess = currentCase.getSleuthkitCase().makeAddImageProcess(timeZone, false, false, ""); + } else { + return; + } + } + run(imageFilePath, corruptedImageFilePaths, errorMessages); + commitOrRevertAddImageProcess(imageFilePath, errorMessages, newDataSources); + synchronized (tskAddImageProcessLock) { + if (tskAddImageProcessStopped) { + errorMessages.add(Bundle.AddMultipleImagesTask_cancelled()); + result = DataSourceProcessorResult.CRITICAL_ERRORS; + newDataSources = emptyDataSources; + return; } } - } finally { - currentCase.getSleuthkitCase().releaseSingleUserCaseWriteLock(); } /* 
@@ -153,8 +148,6 @@ class AddMultipleImagesTask implements Runnable { try { progressMonitor.setProgressText(Bundle.AddMultipleImagesTask_addingFileAsLogicalFile(corruptedImageFilePaths.toString())); - caseDatabase.acquireSingleUserCaseWriteLock(); - Image dataSource = caseDatabase.addImageInfo(0, corruptedImageFilePaths, timeZone); newDataSources.add(dataSource); List fileRanges = new ArrayList<>(); @@ -177,8 +170,6 @@ class AddMultipleImagesTask implements Runnable { } catch (TskCoreException ex) { errorMessages.add(Bundle.AddMultipleImagesTask_errorAddingImgWithoutFileSystem(deviceId, ex.getLocalizedMessage())); criticalErrorOccurred = true; - } finally { - caseDatabase.releaseSingleUserCaseWriteLock(); } } diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/AddMemoryImageTask.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/AddMemoryImageTask.java index bcae2b3153..7262d9f53e 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/AddMemoryImageTask.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/AddMemoryImageTask.java 
@@ -146,30 +146,25 @@ final class AddMemoryImageTask implements Runnable { progressMonitor.setProgressText(Bundle.AddMemoryImageTask_progressMessage_addingImageFile( memoryImagePath)); SleuthkitCase caseDatabase = Case.getCurrentCaseThrows().getSleuthkitCase(); - caseDatabase.acquireSingleUserCaseWriteLock(); - try { - /* - * Verify the memory image file exists. - */ - File imageFile = Paths.get(memoryImagePath).toFile(); - if (!imageFile.exists()) { - throw new TskCoreException(Bundle.AddMemoryImageTask_exceptionMessage_noImageFile(memoryImagePath, deviceId)); - } - /* - * Add the data source. - * - * NOTE: The object id for device passed to - * SleuthkitCase.addImageInfo is hard-coded to zero for now. This - * will need to be changed when a Device abstraction is added to the - * SleuthKit data model. - */ - Image dataSource = caseDatabase.addImageInfo(0, new ArrayList<>(Arrays.asList(memoryImagePath)), timeZone); - return dataSource; - - } finally { - caseDatabase.releaseSingleUserCaseWriteLock(); + /* + * Verify the memory image file exists. + */ + File imageFile = Paths.get(memoryImagePath).toFile(); + if (!imageFile.exists()) { + throw new TskCoreException(Bundle.AddMemoryImageTask_exceptionMessage_noImageFile(memoryImagePath, deviceId)); } + + /* + * Add the data source. + * + * NOTE: The object id for device passed to + * SleuthkitCase.addImageInfo is hard-coded to zero for now. This + * will need to be changed when a Device abstraction is added to the + * SleuthKit data model. + */ + Image dataSource = caseDatabase.addImageInfo(0, new ArrayList<>(Arrays.asList(memoryImagePath)), timeZone); + return dataSource; } /** diff --git a/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/ImageGalleryController.java b/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/ImageGalleryController.java index 5ab3b8c84b..9505c22c98 100644 --- a/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/ImageGalleryController.java 
+++ b/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/ImageGalleryController.java @@ -57,6 +57,7 @@ import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; import org.sleuthkit.autopsy.casemodule.events.ContentTagAddedEvent; import org.sleuthkit.autopsy.casemodule.events.ContentTagDeletedEvent; import org.sleuthkit.autopsy.casemodule.events.DataSourceDeletedEvent; +import org.sleuthkit.autopsy.casemodule.services.TagsManager; import org.sleuthkit.autopsy.coreutils.History; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.coreutils.ThreadConfined; @@ -74,6 +75,7 @@ import org.sleuthkit.autopsy.ingest.IngestManager; import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.autopsy.ingest.events.DataSourceAnalysisEvent; import org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector; +import org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector.FileTypeDetectorInitException; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.Content; @@ -108,8 +110,6 @@ public final class ImageGalleryController { Case.Events.CONTENT_TAG_DELETED, Case.Events.DATA_SOURCE_DELETED ); - - private static final String CATEGORY_TAG_SET_PREFIX = "Project VIC"; /* * There is an image gallery controller per case. It is created during the 
@@ -725,19 +725,19 @@ public final class ImageGalleryController { private static boolean isDrawableAndNotKnown(AbstractFile abstractFile) throws FileTypeDetector.FileTypeDetectorInitException { return (abstractFile.getKnown() != TskData.FileKnown.KNOWN) && FileTypeUtils.isDrawable(abstractFile); } - + /** * Returns the TagSet with the image gallery categories. - * + * * @return Category TagSet. - * - * @throws TskCoreException + * + * @throws TskCoreException */ private TagSet getCategoryTagSet() throws TskCoreException { List tagSetList = getCaseDatabase().getTaggingManager().getTagSets(); if (tagSetList != null && !tagSetList.isEmpty()) { for (TagSet set : tagSetList) { - if (set.getName().startsWith(CATEGORY_TAG_SET_PREFIX)) { + if (set.getName().equals(TagsManager.getCategoryTagSetName())) { return set; } } diff --git a/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/actions/CategorizeAction.java b/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/actions/CategorizeAction.java index 13703f417b..6eaddeef9d 100644 --- a/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/actions/CategorizeAction.java +++ b/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/actions/CategorizeAction.java @@ -82,7 +82,6 @@ public class CategorizeAction extends Action { this.tagName = tagName; setGraphic(getGraphic(tagName)); setEventHandler(actionEvent -> addCatToFiles(selectedFileIDs)); - setAccelerator(new KeyCodeCombination(KeyCode.getKeyCode(getCategoryNumberFromTagName(tagName)))); } static public Menu getCategoriesMenu(ImageGalleryController controller) { 
@@ -94,16 +93,6 @@ public class CategorizeAction extends Action { controller.queueDBTask(new CategorizeDrawableFileTask(ids, tagName, createUndo)); } - private String getCategoryNumberFromTagName(TagName tagName) { - String displayName = tagName.getDisplayName(); - if (displayName.contains("CAT")) { - String[] split = displayName.split(":"); - split = split[0].split("-"); - return split[1]; - } - return ""; - } - /** * Instances of this class implement a context menu user interface for * selecting a category diff --git a/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/datamodel/Bundle.properties-MERGED b/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/datamodel/Bundle.properties-MERGED index 6686b27994..b10e8bbb17 100755 --- a/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/datamodel/Bundle.properties-MERGED +++ b/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/datamodel/Bundle.properties-MERGED @@ -13,6 +13,4 @@ DrawableAttribute.name=Name DrawableAttribute.path=Path DrawableAttribute.tags=Tags DrawableAttribute.width=Width -DrawableTagsManager.bookMark=Bookmark -DrawableTagsManager.followUp=Follow Up VideoFile.getMedia.progress=writing temporary file to disk diff --git a/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/datamodel/CategoryManager.java b/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/datamodel/CategoryManager.java index 5eaf8b4ad7..491b10b650 100644 --- a/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/datamodel/CategoryManager.java +++ b/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/datamodel/CategoryManager.java 
@@ -38,7 +38,6 @@ import org.sleuthkit.autopsy.casemodule.events.ContentTagAddedEvent; import org.sleuthkit.autopsy.casemodule.events.ContentTagDeletedEvent; import org.sleuthkit.autopsy.casemodule.events.ContentTagDeletedEvent.DeletedContentTagInfo; import org.sleuthkit.autopsy.coreutils.Logger; -import org.sleuthkit.autopsy.datamodel.DhsImageCategory; import org.sleuthkit.autopsy.imagegallery.ImageGalleryController; import org.sleuthkit.datamodel.ContentTag; import org.sleuthkit.datamodel.TagName; @@ -62,9 +61,7 @@ public class CategoryManager { private static final Logger LOGGER = Logger.getLogger(CategoryManager.class.getName()); /** - * the DrawableDB that backs the category counts cache. The counts are - * initialized from this, and the counting of CAT-0 is always delegated to - * this db. + * the DrawableDB that backs the category counts cache. */ private final DrawableDB drawableDb; diff --git a/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/datamodel/DrawableTagsManager.java b/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/datamodel/DrawableTagsManager.java index ec06c6e343..abf2c02586 100644 --- a/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/datamodel/DrawableTagsManager.java +++ b/ImageGallery/src/org/sleuthkit/autopsy/imagegallery/datamodel/DrawableTagsManager.java @@ -29,7 +29,6 @@ import javafx.scene.Node; import javafx.scene.image.Image; import javafx.scene.image.ImageView; import org.apache.commons.lang3.concurrent.BasicThreadFactory; -import org.openide.util.NbBundle; import org.sleuthkit.autopsy.casemodule.events.ContentTagAddedEvent; import org.sleuthkit.autopsy.casemodule.events.ContentTagDeletedEvent; import org.sleuthkit.autopsy.casemodule.services.TagsManager; 
@@ -44,8 +43,6 @@ import org.sleuthkit.datamodel.TskCoreException; * Manages Tags, Tagging, and the relationship between Categories and Tags in * the autopsy Db. Delegates some work to the backing autopsy TagsManager. */ -@NbBundle.Messages({"DrawableTagsManager.followUp=Follow Up", - "DrawableTagsManager.bookMark=Bookmark"}) public final class DrawableTagsManager { private static final Logger logger = Logger.getLogger(DrawableTagsManager.class.getName()); @@ -78,8 +75,8 @@ public final class DrawableTagsManager { public DrawableTagsManager(ImageGalleryController controller) throws TskCoreException { this.autopsyTagsManager = controller.getCase().getServices().getTagsManager(); - followUpTagName = getTagName(Bundle.DrawableTagsManager_followUp()); - bookmarkTagName = getTagName(Bundle.DrawableTagsManager_bookMark()); + followUpTagName = getTagName(TagsManager.getFollowUpDisplayString()); + bookmarkTagName = getTagName(TagsManager.getBookmarkDisplayString()); this.controller = controller; compareByDisplayName = new Comparator() { diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 7a04ceb4c0..365f71c81a 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java 
@@ -1497,11 +1497,11 @@ class ExtractRegistry extends Extract { line = line.trim(); // Reading to the SECTION DIVIDER to get next section of records to process. Dates appear to have // multiple spaces in them that makes it harder to parse so next section will be easier to parse - while (!line.contains(SECTION_DIVIDER)) { + while (!line.contains(SECTION_DIVIDER) && !line.contains("MSOffice version not found.")) { line = reader.readLine(); } line = reader.readLine(); - while (!line.contains(SECTION_DIVIDER)) { + while (!line.contains(SECTION_DIVIDER) && !line.contains("MSOffice version not found.")) { // record has the following format // 1294283922|REG|||OfficeDocs2010 - F:\Windows_time_Rules_xp.doc String tokens[] = line.split("\\|"); @@ -1551,7 +1551,7 @@ class ExtractRegistry extends Extract { line = line.trim(); usedTime = Long.valueOf(0); if (!line.contains("**") && !line.contains("----------") && !line.contains("LastWrite") - && !line.contains(SECTION_DIVIDER) && !line.isEmpty()) { + && !line.contains(SECTION_DIVIDER) && !line.isEmpty() && !line.contains("TrustRecords")) { // Columns are // Date : / // Split line on " : " which is the record delimiter between position and file diff --git a/thirdparty/rr-full/Base.pm b/thirdparty/rr-full/Base.pm new file mode 100644 index 0000000000..81b60eec20 --- /dev/null +++ b/thirdparty/rr-full/Base.pm 
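Review bot: Both `while` loops still call `line.contains` on the value returned by `reader.readLine()`, so a report that ends before the divider or the new "MSOffice version not found." marker throws a NullPointerException instead of ending the section; the text being parsed appears to be the output of an external tool run over evidence data, so a truncated or malformed report is a normal input here. Guard the reads, `while (line != null && !line.contains(SECTION_DIVIDER) && !line.contains(MSOFFICE_NOT_FOUND))`, with `private static final String MSOFFICE_NOT_FOUND = "MSOffice version not found."; //NON-NLS` declared with the other constants, and apply the same guard to the second loop. The `"TrustRecords"` literal in the second hunk should likewise become a named constant beside it. The enclosing methods start and end outside the hunks.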
@@ -0,0 +1,1119 @@ +package Parse::Win32Registry::Base; + +use strict; +use warnings; + +use base qw(Exporter); + +use Carp; +use Encode; +use Time::Local qw(timegm); + +our @EXPORT_OK = qw( + warnf + iso8601 + hexdump + format_octets + unpack_windows_time + unpack_string + unpack_unicode_string + unpack_guid + unpack_sid + unpack_ace + unpack_acl + unpack_security_descriptor + unpack_series + make_multiple_subkey_iterator + make_multiple_value_iterator + make_multiple_subtree_iterator + compare_multiple_keys + compare_multiple_values + REG_NONE + REG_SZ + REG_EXPAND_SZ + REG_BINARY + REG_DWORD + REG_DWORD_BIG_ENDIAN + REG_LINK + REG_MULTI_SZ + REG_RESOURCE_LIST + REG_FULL_RESOURCE_DESCRIPTOR + REG_RESOURCE_REQUIREMENTS_LIST + REG_QWORD +); + +our %EXPORT_TAGS = ( + all => [@EXPORT_OK], +); + +use constant REG_NONE => 0; +use constant REG_SZ => 1; +use constant REG_EXPAND_SZ => 2; +use constant REG_BINARY => 3; +use constant REG_DWORD => 4; +use constant REG_DWORD_BIG_ENDIAN => 5; +use constant REG_LINK => 6; +use constant REG_MULTI_SZ => 7; +use constant REG_RESOURCE_LIST => 8; +use constant REG_FULL_RESOURCE_DESCRIPTOR => 9; +use constant REG_RESOURCE_REQUIREMENTS_LIST => 10; +use constant REG_QWORD => 11; + +our $WARNINGS = 0; + +our $CODEPAGE = 'cp1252'; + +sub warnf { + my $message = shift; + warn sprintf "$message\n", @_ if $WARNINGS; +} + +sub hexdump { + my $data = shift; # packed binary data + my $start = shift || 0; # starting value for displayed offset + + return '' if !defined($data); + + my $output = ''; + + my $fake_start = $start & ~0xf; + my $end = length($data); + + my $pos = 0; + if ($fake_start < $start) { + $output .= sprintf '%8x ', $fake_start; + my $indent = $start - $fake_start; + $output .= ' ' x $indent; + my $row = substr($data, $pos, 16 - $indent); + my $len = length($row); + $output .= join(' ', unpack('H2' x $len, $row)); + if ($indent + $len < 16) { + my $padding = 16 - $len - $indent; + $output .= ' ' x $padding; + } + $output .= ' 
'; + $output .= ' ' x $indent; + $row =~ tr/\x20-\x7e/./c; + $output .= $row; + $output .= "\n"; + $pos += $len; + } + while ($pos < $end) { + $output .= sprintf '%8x ', $start + $pos; + my $row = substr($data, $pos, 16); + my $len = length($row); + $output .= join(' ', unpack('H2' x $len, $row)); + if ($len < 16) { + my $padding = 16 - $len; + $output .= ' ' x $padding; + } + $output .= ' '; + $row =~ tr/\x20-\x7e/./c; + $output .= $row; + $output .= "\n"; + $pos += 16; + } + + return $output; +} + +sub format_octets { + my $data = shift; # packed binary data + my $col = shift || 0; # starting column, e.g. length of initial string + + return "\n" if !defined($data); + + my $output = ''; + + $col = 76 if $col > 76; + my $max_octets = int((76 - $col) / 3) + 1; + + my $end = length($data); + my $pos = 0; + my $num_octets = $end - $pos; + $num_octets = $max_octets if $num_octets > $max_octets; + while ($pos < $end) { + $output .= join(',', unpack("x$pos(H2)$num_octets", $data)); + $pos += $num_octets; + $num_octets = $end - $pos; + $num_octets = 25 if $num_octets > 25; + if ($num_octets > 0) { + $output .= ",\\\n "; + } + } + $output .= "\n"; + return $output; +} + +sub unpack_windows_time { + my $data = shift; + + if (!defined $data) { + return; + } + + if (length($data) < 8) { + return; + } + + # The conversion uses real numbers + # as 32-bit perl does not provide 64-bit integers. + # The equation can be found in several places on the Net. + # My thanks go to Dan Sully for Audio::WMA's _fileTimeToUnixTime + # which shows a perl implementation of it. 
+ my ($lo, $hi) = unpack("VV", $data); +# my $filetime = $high * 2 ** 32 + $low; +# my $epoch_time = int(($filetime - 116444736000000000) / 10000000); + + my $epoch_time; + + if ($lo == 0 && $hi == 0) { + $epoch_time = 0; + } else { + $lo -= 0xd53e8000; + $hi -= 0x019db1de; + $epoch_time = int($hi*429.4967296 + $lo/1e7); + }; + $epoch_time = 0 if ($epoch_time < 0); + + + # adjust the UNIX epoch time to the local OS's epoch time + # (see perlport's Time and Date section) + # my $epoch_offset = timegm(0, 0, 0, 1, 0, 70); + # $epoch_time += $epoch_offset; + + if ($epoch_time < 0 || $epoch_time > 0x7fffffff) { + $epoch_time = undef; + } + + return wantarray ? ($epoch_time, 8) : $epoch_time; +} + +sub iso8601 { + my $time = shift; + my $tz = shift; + + if (!defined $time) { + return '(undefined)'; + } + + if (!defined $tz || $tz ne 'Z') { + $tz = 'Z' + } + + # On Windows, gmtime will return undef if $time < 0 or > 0x7fffffff + if ($time < 0 || $time > 0x7fffffff) { + return '(undefined)'; + } + my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday) = gmtime $time; + + # The final 'Z' indicates UTC ("zero meridian") + return sprintf '%04d-%02d-%02dT%02d:%02d:%02d%s', + 1900+$year, 1+$mon, $mday, $hour, $min, $sec, $tz; +} + +sub unpack_string { + my $data = shift; + + if (!defined $data) { + return; + } + + my $str; + my $str_len; + if ((my $end = index($data, "\0")) != -1) { + $str = substr($data, 0, $end); + $str_len = $end + 1; # include the final null in the length + } + else { + $str = $data; + $str_len = length($data); + } + + return wantarray ? 
($str, $str_len) : $str; +} + +sub unpack_unicode_string { + my $data = shift; + + if (!defined $data) { + return; + } + + my $str_len = 0; + foreach my $v (unpack('v*', $data)) { + $str_len += 2; + last if $v == 0; # include the final null in the length + } + my $str = decode('UCS-2LE', substr($data, 0, $str_len)); + + # The decode function from Encode may create invalid unicode characters + # which cause subsequent warnings (e.g. during regex matching). + # For example, characters in the 0xd800 to 0xdfff range of the + # basic multilingual plane (0x0000 to 0xffff) are 'surrogate pairs' + # and are expected to appear as a 'high surrogate' (0xd800 to 0xdbff) + # followed by a 'low surrogate' (0xdc00 to 0xdfff). + + # remove any final null + if (length($str) > 0 && substr($str, -1, 1) eq "\0") { + chop $str; + } + + return wantarray ? ($str, $str_len) : $str; +} + +sub unpack_guid { + my $guid = Parse::Win32Registry::GUID->new($_[0]); + return if !defined $guid; + return wantarray ? ($guid, $guid->get_length) : $guid; +} + +sub unpack_sid { + my $sid = Parse::Win32Registry::SID->new($_[0]); + return if !defined $sid; + return wantarray ? ($sid, $sid->get_length) : $sid; +} + +sub unpack_ace { + my $ace = Parse::Win32Registry::ACE->new($_[0]); + return if !defined $ace; + return wantarray ? ($ace, $ace->get_length) : $ace; +} + +sub unpack_acl { + my $acl = Parse::Win32Registry::ACL->new($_[0]); + return if !defined $acl; + return wantarray ? ($acl, $acl->get_length) : $acl; +} + +sub unpack_security_descriptor { + my $sd = Parse::Win32Registry::SecurityDescriptor->new($_[0]); + return if !defined $sd; + return wantarray ? 
($sd, $sd->get_length) : $sd; +} + +sub unpack_series { + my $function = shift; + my $data = shift; + + if (!defined $function || !defined $data) { + croak "Usage: unpack_series(\\\&unpack_function, \$data)"; + } + + my $pos = 0; + my @items = (); + while (my ($item, $item_len) = $function->(substr($data, $pos))) { + push @items, $item; + $pos += $item_len; + } + return @items; +} + +sub make_multiple_subkey_iterator { + my @keys = @_; + + # check @keys contains keys + if (@keys == 0 || + grep { defined && !UNIVERSAL::isa($_, 'Parse::Win32Registry::Key') } + @keys) { + croak 'Usage: make_multiple_subkey_iterator($key1, $key2, ...)'; + } + + my %subkeys_seen = (); + my @subkeys_queue; + for (my $i = 0; $i < @keys; $i++) { + my $key = $keys[$i]; + next if !defined $key; + foreach my $subkey ($key->get_list_of_subkeys) { + my $name = $subkey->get_name; + $subkeys_seen{$name}[$i] = $subkey; + } + } + foreach my $name (sort keys %subkeys_seen) { + # make sure number of subkeys matches number of keys + if (@{$subkeys_seen{$name}} != @keys) { + @{$subkeys_seen{$name}}[@keys - 1] = undef; + } + push @subkeys_queue, $subkeys_seen{$name}; + } + + return Parse::Win32Registry::Iterator->new(sub { + my $subkeys = shift @subkeys_queue; + if (defined $subkeys) { + return $subkeys; + } + else { + return; + } + }); +} + +sub make_multiple_value_iterator { + my @keys = @_; + + # check @keys contains keys + if (@keys == 0 || + grep { defined && !UNIVERSAL::isa($_, 'Parse::Win32Registry::Key') } + @keys) { + croak 'Usage: make_multiple_value_iterator($key1, $key2, ...)'; + } + + my %values_seen = (); + my @values_queue; + for (my $i = 0; $i < @keys; $i++) { + my $key = $keys[$i]; + next if !defined $key; + foreach my $value ($key->get_list_of_values) { + my $name = $value->get_name; + $values_seen{$name}[$i] = $value; + } + } + foreach my $name (sort keys %values_seen) { + # make sure number of values matches number of keys + if (@{$values_seen{$name}} != @keys) { + 
@{$values_seen{$name}}[@keys - 1] = undef; + } + push @values_queue, $values_seen{$name}; + } + + return Parse::Win32Registry::Iterator->new(sub { + my $values = shift @values_queue; + if (defined $values) { + return $values; + } + else { + return; + } + }); +} + +sub make_multiple_subtree_iterator { + my @keys = @_; + + # check @keys contains keys + if (@keys == 0 || + grep { defined && !UNIVERSAL::isa($_, 'Parse::Win32Registry::Key') } + @keys) { + croak 'Usage: make_multiple_subtree_iterator($key1, $key2, ...)'; + } + + my @start_keys = (\@keys); + push my (@subkey_iters), Parse::Win32Registry::Iterator->new(sub { + return shift @start_keys; + }); + my $value_iter; + my $subkeys; # used to remember subkeys while iterating values + + return Parse::Win32Registry::Iterator->new(sub { + if (defined $value_iter && wantarray) { + my $values = $value_iter->(); + if (defined $values) { + return ($subkeys, $values); + } + } + while (@subkey_iters > 0) { + $subkeys = $subkey_iters[-1]->(); # depth-first + if (defined $subkeys) { + push @subkey_iters, make_multiple_subkey_iterator(@$subkeys); + $value_iter = make_multiple_value_iterator(@$subkeys); + return $subkeys; + } + pop @subkey_iters; # iter finished, so remove it + } + return; + }); +} + +sub compare_multiple_keys { + my @keys = @_; + + # check @keys contains keys + if (@keys == 0 || + grep { defined && !UNIVERSAL::isa($_, 'Parse::Win32Registry::Key') } + @keys) { + croak 'Usage: compare_multiple_keys($key1, $key2, ...)'; + } + + my @changes = (); + + my $benchmark_key; + foreach my $key (@keys) { + my $diff = ''; + # Skip comparison for the first value + if (@changes > 0) { + $diff = _compare_keys($benchmark_key, $key); + } + $benchmark_key = $key; + push @changes, $diff; + } + return @changes; +} + +sub compare_multiple_values { + my @values = @_; + + # check @values contains values + if (@values == 0 || + grep { defined && !UNIVERSAL::isa($_, 'Parse::Win32Registry::Value') } + @values) { + croak 'Usage: 
compare_multiple_values($value1, $value2, ...)'; + } + + my @changes = (); + + my $benchmark_value; + foreach my $value (@values) { + my $diff = ''; + # Skip comparison for the first value + if (@changes > 0) { + $diff = _compare_values($benchmark_value, $value); + } + $benchmark_value = $value; + push @changes, $diff; + } + return @changes; +} + +sub _compare_keys { + my ($key1, $key2) = @_; + + if (!defined $key1 && !defined $key2) { + return ''; # 'MISSING' + } + elsif (defined $key1 && !defined $key2) { + return 'DELETED'; + } + elsif (!defined $key1 && defined $key2) { + return 'ADDED'; + } + + my $timestamp1 = $key1->get_timestamp; + my $timestamp2 = $key2->get_timestamp; + if ($key1->get_name ne $key2->get_name) { + return 'CHANGED'; + } + elsif (defined $timestamp1 && defined $timestamp2) { + if ($timestamp1 < $timestamp2) { + return 'NEWER'; + } + elsif ($timestamp1 > $timestamp2) { + return 'OLDER'; + } + } + else { + return ''; # comment out to check values... + my $value_iter = make_multiple_value_iterator($key1, $key2); + while (my ($val1, $val2) = $value_iter->get_next) { + if (_compare_values($val1, $val2) ne '') { + return 'VALUES'; + } + } + return ''; + } +} + +sub _compare_values { + my ($val1, $val2) = @_; + + if (!defined $val1 && !defined $val2) { + return ''; # 'MISSING' + } + elsif (defined $val1 && !defined $val2) { + return 'DELETED'; + } + elsif (!defined $val1 && defined $val2) { + return 'ADDED'; + } + + my $data1 = $val1->get_data; + my $data2 = $val2->get_data; + if ($val1->get_name ne $val2->get_name || + $val1->get_type != $val2->get_type || + defined $data1 ne defined $data2 || + (defined $data1 && defined $data2 && $data1 ne $data2)) { + return 'CHANGED'; + } + else { + return ''; + } +} + + +package Parse::Win32Registry::Iterator; + +use Carp; + +sub new { + my $class = shift; + my $self = shift; + + my $type = ref $self; + croak 'Missing iterator subroutine' if $type ne 'CODE' + && $type ne __PACKAGE__; + + bless $self, $class; 
+ return $self; +} + +sub get_next { + $_[0]->(); +} + + +package Parse::Win32Registry::GUID; + +sub new { + my $class = shift; + my $data = shift; + + if (!defined $data) { + return; + } + + if (length($data) < 16) { + return; + } + + my $guid = sprintf '{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}', + unpack('VvvC2C6', $data); + + my $self = { + _guid => $guid, + _length => 16, + }; + bless $self, $class; + + return $self; +} + +sub as_string { + my $self = shift; + + return $self->{_guid}; +} + +sub get_length { + my $self = shift; + + return $self->{_length}; +} + + +package Parse::Win32Registry::SID; + +sub new { + my $class = shift; + my $data = shift; + + if (!defined $data) { + return; + } + + # 0x00 byte = revision + # 0x01 byte = number of sub authorities + # 0x07 byte = identifier authority + # 0x08 dword = 1st sub authority + # 0x0c dword = 2nd sub authority + # ... + + if (length($data) < 8) { + return; + } + + my ($rev, $num_sub_auths, $id_auth) = unpack('CCx5C', $data); + + if ($num_sub_auths == 0) { + return; + } + + my $sid_len = 8 + 4 * $num_sub_auths; + + if (length($data) < $sid_len) { + return; + } + + my @sub_auths = unpack("x8V$num_sub_auths", $data); + my $sid = "S-$rev-$id_auth-" . 
join('-', @sub_auths); + + my $self = { + _sid => $sid, + _length => $sid_len, + }; + bless $self, $class; + + return $self; +} + +# See KB243330 for a list of well known sids +our %WellKnownSids = ( + 'S-1-0-0' => 'Nobody', + 'S-1-1-0' => 'Everyone', + 'S-1-3-0' => 'Creator Owner', + 'S-1-3-1' => 'Creator Group', + 'S-1-3-2' => 'Creator Owner Server', + 'S-1-3-3' => 'Creator Group Server', + 'S-1-5-1' => 'Dialup', + 'S-1-5-2' => 'Network', + 'S-1-5-3' => 'Batch', + 'S-1-5-4' => 'Interactive', + 'S-1-5-5-\\d+-\\d+' => 'Logon Session', + 'S-1-5-6' => 'Service', + 'S-1-5-7' => 'Anonymous', + 'S-1-5-8' => 'Proxy', + 'S-1-5-9' => 'Enterprise Domain Controllers', + 'S-1-5-10' => 'Principal Self', + 'S-1-5-11' => 'Authenticated Users', + 'S-1-5-12' => 'Restricted Code', + 'S-1-5-13' => 'Terminal Server Users', + 'S-1-5-18' => 'Local System', + 'S-1-5-19' => 'Local Service', + 'S-1-5-20' => 'Network Service', + 'S-1-5-\\d+-\\d+-\\d+-\\d+-500' => 'Administrator', + 'S-1-5-\\d+-\\d+-\\d+-\\d+-501' => 'Guest', + 'S-1-5-\\d+-\\d+-\\d+-\\d+-502' => 'KRBTGT', + 'S-1-5-\\d+-\\d+-\\d+-\\d+-512' => 'Domain Admins', + 'S-1-5-\\d+-\\d+-\\d+-\\d+-513' => 'Domain Users', + 'S-1-5-\\d+-\\d+-\\d+-\\d+-514' => 'Domain Guests', + 'S-1-5-\\d+-\\d+-\\d+-\\d+-515' => 'Domain Computers', + 'S-1-5-\\d+-\\d+-\\d+-\\d+-516' => 'Domain Controllers', + 'S-1-5-\\d+-\\d+-\\d+-\\d+-517' => 'Cert Publishers', + 'S-1-5-\\d+-\\d+-\\d+-\\d+-518' => 'Schema Admins', + 'S-1-5-\\d+-\\d+-\\d+-\\d+-519' => 'Enterprise Admins', + 'S-1-5-\\d+-\\d+-\\d+-\\d+-520' => 'Group Policy Creator Owners', + 'S-1-5-\\d+-\\d+-\\d+-\\d+-533' => 'RAS and IAS Servers', + 'S-1-5-32-544' => 'Administrators', + 'S-1-5-32-545' => 'Users', + 'S-1-5-32-546' => 'Guest', + 'S-1-5-32-547' => 'Power Users', + 'S-1-5-32-548' => 'Account Operators', + 'S-1-5-32-549' => 'Server Operators', + 'S-1-5-32-550' => 'Print Operators', + 'S-1-5-32-551' => 'Backup Operators', + 'S-1-5-32-552' => 'Replicators', + 'S-1-16-4096' => 'Low Integrity 
Level', + 'S-1-16-8192' => 'Medium Integrity Level', + 'S-1-16-12288' => 'High Integrity Level', + 'S-1-16-16384' => 'System Integrity Level', +); + +sub get_name { + my $self = shift; + + my $sid = $self->{_sid}; + + foreach my $regexp (keys %WellKnownSids) { + if ($sid =~ m/^$regexp$/) { + return $WellKnownSids{$regexp}; + } + } + return; +} + +sub as_string { + my $self = shift; + + return $self->{_sid}; +} + +sub get_length { + my $self = shift; + + return $self->{_length}; +} + + +package Parse::Win32Registry::ACE; + +sub new { + my $class = shift; + my $data = shift; + + if (!defined $data) { + return; + } + + # 0x00 byte = type + # 0x01 byte = flags + # 0x02 word = length + + # Types: + # ACCESS_ALLOWED_ACE_TYPE = 0 + # ACCESS_DENIED_ACE_TYPE = 1 + # SYSTEM_AUDIT_ACE_TYPE = 2 + # SYSTEM_MANDATORY_LABEL_ACE_TYPE = x011 + + # Flags: + # OBJECT_INHERIT_ACE = 0x01 + # CONTAINER_INHERIT_ACE = 0x02 + # NO_PROPAGATE_INHERIT_ACE = 0x04 + # INHERIT_ONLY_ACE = 0x08 + # INHERITED_ACE = 0x10 + # SUCCESSFUL_ACCESS_ACE_FLAG = 0x40 (Audit Success) + # FAILED_ACCESS_ACE_FLAG = 0x80 (Audit Failure) + + if (length($data) < 4) { + return; + } + + my ($type, $flags, $ace_len) = unpack('CCv', $data); + + if (length($data) < $ace_len) { + return; + } + + # The data following the header varies depending on the type. + # For ACCESS_ALLOWED_ACE, ACCESS_DENIED_ACE, SYSTEM_AUDIT_ACE + # the header is followed by an access mask and a sid. 
+ # 0x04 dword = access mask + # 0x08 = SID + + # Only the following types are currently unpacked: + # 0 (ACCESS_ALLOWED_ACE), 1 (ACCESS_DENIED_ACE), 2 (SYSTEM_AUDIT_ACE) + if ($type >= 0 && $type <= 2 || $type == 0x11) { + my $access_mask = unpack('x4V', $data); + my $sid = Parse::Win32Registry::SID->new(substr($data, 8, + $ace_len - 8)); + + # Abandon ace if sid is invalid + if (!defined $sid) { + return; + } + + # Abandon ace if not the expected length + if (($sid->get_length + 8) != $ace_len) { + return; + } + + my $self = { + _type => $type, + _flags => $flags, + _mask => $access_mask, + _trustee => $sid, + _length => $ace_len, + }; + bless $self, $class; + + return $self; + } + else { + return; + } +} + +our @Types = qw( + ACCESS_ALLOWED + ACCESS_DENIED + SYSTEM_AUDIT + SYSTEM_ALARM + ALLOWED_COMPOUND + ACCESS_ALLOWED_OBJECT + ACCESS_DENIED_OBJECT + SYSTEM_AUDIT_OBJECT + SYSTEM_ALARM_OBJECT + ACCESS_ALLOWED_CALLBACK + ACCESS_DENIED_CALLBACK + ACCESS_ALLOWED_CALLBACK_OBJECT + ACCESS_DENIED_CALLBACK_OBJECT + SYSTEM_AUDIT_CALLBACK + SYSTEM_ALARM_CALLBACK + SYSTEM_AUDIT_CALLBACK_OBJECT + SYSTEM_ALARM_CALLBACK_OBJECT + SYSTEM_MANDATORY_LABEL +); + +sub _look_up_ace_type { + my $type = shift; + + if (exists $Types[$type]) { + return $Types[$type]; + } + else { + return ''; + } +} + +sub get_type { + return $_[0]->{_type}; +} + +sub get_type_as_string { + return _look_up_ace_type($_[0]->{_type}); +} + +sub get_flags { + return $_[0]->{_flags}; +} + +sub get_access_mask { + return $_[0]->{_mask}; +} + +sub get_trustee { + return $_[0]->{_trustee}; +} + +sub as_string { + my $self = shift; + + my $sid = $self->{_trustee}; + my $string = sprintf '%s 0x%02x 0x%08x %s', + _look_up_ace_type($self->{_type}), + $self->{_flags}, + $self->{_mask}, + $sid->as_string; + my $name = $sid->get_name; + $string .= " [$name]" if defined $name; + return $string; +} + +sub get_length { + my $self = shift; + + return $self->{_length}; +} + + +package Parse::Win32Registry::ACL; + +use 
Carp; + +sub new { + my $class = shift; + my $data = shift; + + if (!defined $data) { + return; + } + + # 0x00 byte = revision + # 0x01 + # 0x02 word = length + # 0x04 word = number of aces + # 0x06 + # 0x08 = first ace (variable length) + # ... = second ace (variable length) + # ... + + if (length($data) < 8) { + return; + } + + my ($rev, $acl_len, $num_aces) = unpack('Cxvv', $data); + + if (length($data) < $acl_len) { + return; + } + + my $pos = 8; + my @acl = (); + foreach (my $num = 0; $num < $num_aces; $num++) { + my $ace = Parse::Win32Registry::ACE->new(substr($data, $pos, + $acl_len - $pos)); + # Abandon acl if any single ace is undefined + return if !defined $ace; + push @acl, $ace; + $pos += $ace->get_length; + } + + # Abandon acl if not expected length, but don't use + # $pos != $acl_len as some acls contain unused space. + if ($pos > $acl_len) { + return; + } + + my $self = { + _acl => \@acl, + _length => $acl_len, + }; + bless $self, $class; + + return $self; +} + +sub get_list_of_aces { + my $self = shift; + + return @{$self->{_acl}}; +} + +sub as_string { + croak 'Usage: ACLs do not have an as_string method; use as_stanza instead'; +} + +sub as_stanza { + my $self = shift; + + my $stanza = ''; + foreach my $ace (@{$self->{_acl}}) { + $stanza .= 'ACE: '. $ace->as_string . 
"\n"; + } + return $stanza; +} + +sub get_length { + my $self = shift; + + return $self->{_length}; +} + + +package Parse::Win32Registry::SecurityDescriptor; + +use Carp; + +sub new { + my $class = shift; + my $data = shift; + + if (!defined $data) { + return; + } + + # Unpacks "self-relative" security descriptors + + # 0x00 word = revision + # 0x02 word = control flags + # 0x04 dword = offset to owner sid + # 0x08 dword = offset to group sid + # 0x0c dword = offset to sacl + # 0x10 dword = offset to dacl + + # Offsets are relative to the start of the security descriptor + + # Control Flags: + # SE_OWNER_DEFAULTED 0x0001 + # SE_GROUP_DEFAULTED 0x0002 + # SE_DACL_PRESENT 0x0004 + # SE_DACL_DEFAULTED 0x0008 + # SE_SACL_PRESENT 0x0010 + # SE_SACL_DEFAULTED 0x0020 + # SE_DACL_AUTO_INHERIT_REQ 0x0100 + # SE_SACL_AUTO_INHERIT_REQ 0x0200 + # SE_DACL_AUTO_INHERITED 0x0400 + # SE_SACL_AUTO_INHERITED 0x0800 + # SE_DACL_PROTECTED 0x1000 + # SE_SACL_PROTECTED 0x2000 + # SE_RM_CONTROL_VALID 0x4000 + # SE_SELF_RELATIVE 0x8000 + + if (length($data) < 20) { + return; + } + + my ($rev, + $flags, + $offset_to_owner, + $offset_to_group, + $offset_to_sacl, + $offset_to_dacl) = unpack('vvVVVV', $data); + + my %sd = (); + my $sd_len = 20; + + my $self = {}; + if ($offset_to_owner > 0 && $offset_to_owner < length($data)) { + my $owner = Parse::Win32Registry::SID->new(substr($data, + $offset_to_owner)); + return if !defined $owner; + $self->{_owner} = $owner; + if ($offset_to_owner + $owner->get_length > $sd_len) { + $sd_len = $offset_to_owner + $owner->get_length; + } + } + if ($offset_to_group > 0 && $offset_to_group < length($data)) { + my $group = Parse::Win32Registry::SID->new(substr($data, + $offset_to_group)); + return if !defined $group; + $self->{_group} = $group; + if ($offset_to_group + $group->get_length > $sd_len) { + $sd_len = $offset_to_group + $group->get_length; + } + } + if ($offset_to_sacl > 0 && $offset_to_sacl < length($data)) { + my $sacl = 
Parse::Win32Registry::ACL->new(substr($data, + $offset_to_sacl)); + return if !defined $sacl; + $self->{_sacl} = $sacl; + if ($offset_to_sacl + $sacl->get_length > $sd_len) { + $sd_len = $offset_to_sacl + $sacl->get_length; + } + } + if ($offset_to_dacl > 0 && $offset_to_dacl < length($data)) { + my $dacl = Parse::Win32Registry::ACL->new(substr($data, + $offset_to_dacl)); + return if !defined $dacl; + $self->{_dacl} = $dacl; + if ($offset_to_dacl + $dacl->get_length > $sd_len) { + $sd_len = $offset_to_dacl + $dacl->get_length; + } + } + $self->{_length} = $sd_len; + bless $self, $class; + + return $self; +} + +sub get_owner { + my $self = shift; + + return $self->{_owner}; +} + +sub get_group { + my $self = shift; + + return $self->{_group}; +} + +sub get_sacl { + my $self = shift; + + return $self->{_sacl}; +} + +sub get_dacl { + my $self = shift; + + return $self->{_dacl}; +} + +sub as_string { + croak 'Usage: Security Descriptors do not have an as_string method; use as_stanza instead'; +} + +sub as_stanza { + my $self = shift; + + my $stanza = ''; + if (defined(my $owner = $self->{_owner})) { + $stanza .= 'Owner SID: ' . $owner->as_string; + my $name = $owner->get_name; + $stanza .= " [$name]" if defined $name; + $stanza .= "\n"; + } + if (defined(my $group = $self->{_group})) { + $stanza .= 'Group SID: ' . $group->as_string; + my $name = $group->get_name; + $stanza .= " [$name]" if defined $name; + $stanza .= "\n"; + } + if (defined(my $sacl = $self->{_sacl})) { + foreach my $ace ($sacl->get_list_of_aces) { + $stanza .= 'SACL ACE: ' . $ace->as_string . "\n"; + } + } + if (defined(my $dacl = $self->{_dacl})) { + foreach my $ace ($dacl->get_list_of_aces) { + $stanza .= 'DACL ACE: ' . $ace->as_string . "\n"; + } + } + return $stanza; +} + +sub get_length { + my $self = shift; + + return $self->{_length}; +} + +1; diff --git a/thirdparty/rr-full/File.pm b/thirdparty/rr-full/File.pm new file mode 100644 index 0000000000..f02424df18 --- /dev/null 
+++ b/thirdparty/rr-full/File.pm 
@@ -0,0 +1,355 @@ +package Parse::Win32Registry::WinNT::File; + +use strict; +use warnings; + +use base qw(Parse::Win32Registry::File); + +use Carp; +use Encode; +use File::Basename; +use Parse::Win32Registry::Base qw(:all); +use Parse::Win32Registry::WinNT::Key; + +use constant REGF_HEADER_LENGTH => 0x200; +use constant OFFSET_TO_FIRST_HBIN => 0x1000; + +sub new { + my $class = shift; + my $filename = shift or croak "No filename specified"; + + open my $fh, '<', $filename or croak "Unable to open '$filename': $!"; + + # 0x00 dword = 'regf' signature + # 0x04 dword = seq1 + # 0x08 dword = seq2 + # 0x0c qword = timestamp + # 0x14 dword = major version + # 0x18 dword = minor version + # 0x1c dword = type (0 = registry file, 1 = log file) + # 0x20 dword = (1) + # 0x24 dword = offset to root key + # 0x28 dword = total length of all hbins (excludes header) + # 0x2c dword = (1) + # 0x30 = embedded filename + + # Extracted offsets are always relative to first hbin + + my $bytes_read = sysread($fh, my $regf_header, REGF_HEADER_LENGTH); + if ($bytes_read != REGF_HEADER_LENGTH) { + warnf('Could not read registry file header'); + return; + } + + my ($regf_sig, + $seq1, + $seq2, + $timestamp, + $major_version, + $minor_version, + $type, + $offset_to_root_key, + $total_hbin_length, + $embedded_filename, + $reorg_timestamp, + ) = unpack('a4VVa8VVVx4VVx4a64x56a8', $regf_header); + +# Updated 20200219 +#---------------------------------------------------------------------------- + $bytes_read = sysread($fh, my $re_org, 8, 168); + if ($bytes_read != 8) { + warnf('Could not read re_org timestamp'); + return; + } +#---------------------------------------------------------------------------- + $offset_to_root_key += OFFSET_TO_FIRST_HBIN; + + if ($regf_sig ne 'regf') { + warnf('Invalid registry file signature'); + return; + } + + $embedded_filename = unpack('Z*', decode('UCS-2LE', $embedded_filename)); + + # The header checksum is the xor of the first 127 dwords. 
+ # The checksum is stored in the 128th dword, at offset 0x1fc (508). + my $checksum = 0; + foreach my $x (unpack('V127', $regf_header)) { + $checksum ^= $x; + } + my $embedded_checksum = unpack('x508V', $regf_header); + if ($checksum != $embedded_checksum) { + warnf('Invalid checksum for registry file header'); + } + + my $self = {}; + $self->{_filehandle} = $fh; + $self->{_filename} = $filename; + $self->{_length} = (stat $fh)[7]; + $self->{_offset_to_root_key} = $offset_to_root_key; + $self->{_timestamp} = unpack_windows_time($timestamp); +#---------------------------------------------------------------------------- + $self->{_reorg_timestamp} = unpack_windows_time($reorg_timestamp); +#---------------------------------------------------------------------------- + $self->{_embedded_filename} = $embedded_filename; + $self->{_seq1} = $seq1; + $self->{_seq2} = $seq2; + $self->{_version} = "$major_version.$minor_version"; + $self->{_type} = $type; + $self->{_total_hbin_length} = $total_hbin_length; + $self->{_embedded_checksum} = $embedded_checksum; + $self->{_security_cache} = {}; # comment out to disable cache + bless $self, $class; + + return $self; +} + +sub get_root_key { + my $self = shift; + + my $offset_to_root_key = $self->{_offset_to_root_key}; + + my $root_key = Parse::Win32Registry::WinNT::Key->new($self, + $offset_to_root_key); + return $root_key; +} + +sub get_virtual_root_key { + my $self = shift; + my $fake_root = shift; + + my $root_key = $self->get_root_key; + return if !defined $root_key; + + if (!defined $fake_root) { + # guess virtual root from filename + my $filename = basename $self->{_filename}; + + if ($filename =~ /NTUSER/i) { + $fake_root = 'HKEY_CURRENT_USER'; + } + elsif ($filename =~ /USRCLASS/i) { + $fake_root = 'HKEY_CLASSES_ROOT'; + } + elsif ($filename =~ /SOFTWARE/i) { + $fake_root = 'HKEY_LOCAL_MACHINE\SOFTWARE'; + } + elsif ($filename =~ /SYSTEM/i) { + $fake_root = 'HKEY_LOCAL_MACHINE\SYSTEM'; + } + elsif ($filename =~ /SAM/i) { + 
$fake_root = 'HKEY_LOCAL_MACHINE\SAM'; + } + elsif ($filename =~ /SECURITY/i) { + $fake_root = 'HKEY_LOCAL_MACHINE\SECURITY'; + } + else { + $fake_root = 'HKEY_UNKNOWN'; + } + } + + $root_key->{_name} = $fake_root; + $root_key->{_key_path} = $fake_root; + + return $root_key; +} + +sub get_timestamp { + my $self = shift; + + return $self->{_timestamp}; +} + +sub get_timestamp_as_string { + my $self = shift; + + return iso8601($self->{_timestamp}); +} + +# Added 20200219 +#--------------------------------------------------------- +sub get_version { + my $self = shift; + return $self->{_version}; +} + +sub get_reorg_timestamp { + my $self = shift; + return $self->{_reorg_timestamp}; +} + +sub get_seq1 { + my $self = shift; + return $self->{_seq1}; +} + +sub get_seq2 { + my $self = shift; + return $self->{_seq2}; +} + +sub is_dirty { + my $self = shift; + if ($self->{_seq1} == $self->{_seq2}) { + return 0; + } + else { + return 1; + } +} + +sub get_type { + my $self = shift; + if ($self->{_type} == 0) { + return "Registry file"; + } + elsif ($self->{_type} == 1) { + return "Log file"; + } + else { + return "Unknown (".$self->{_type}.")"; + } +} +#--------------------------------------------------------- + +sub get_embedded_filename { + my $self = shift; + + return $self->{_embedded_filename}; +} + +sub get_block_iterator { + my $self = shift; + + my $offset_to_next_hbin = OFFSET_TO_FIRST_HBIN; + my $end_of_file = $self->{_length}; + + return Parse::Win32Registry::Iterator->new(sub { + if ($offset_to_next_hbin > $end_of_file) { + return; # no more hbins + } + if (my $hbin = Parse::Win32Registry::WinNT::Hbin->new($self, + $offset_to_next_hbin)) + { + return unless $hbin->get_length > 0; + $offset_to_next_hbin += $hbin->get_length; + return $hbin; + } + else { + return; # no more hbins + } + }); +} + +*get_hbin_iterator = \&get_block_iterator; + +sub _dump_security_cache { + my $self = shift; + + if (defined(my $cache = $self->{_security_cache})) { + foreach my $offset 
(sort { $a <=> $b } keys %$cache) { + my $security = $cache->{$offset}; + printf '0x%x %s\n', $offset, $security->as_string; + } + } +} + + +package Parse::Win32Registry::WinNT::Hbin; + +use strict; +use warnings; + +use base qw(Parse::Win32Registry::Entry); + +use Carp; +use Parse::Win32Registry::Base qw(:all); +use Parse::Win32Registry::WinNT::Entry; + +use constant HBIN_HEADER_LENGTH => 0x20; + +sub new { + my $class = shift; + my $regfile = shift; + my $offset = shift; + + croak 'Missing registry file' if !defined $regfile; + croak 'Missing offset' if !defined $offset; + + my $fh = $regfile->get_filehandle; + + # 0x00 dword = 'hbin' signature + # 0x04 dword = offset from first hbin to this hbin + # 0x08 dword = length of this hbin / relative offset to next hbin + # 0x14 qword = timestamp (first hbin only) + + # Extracted offsets are always relative to first hbin + + sysseek($fh, $offset, 0); + my $bytes_read = sysread($fh, my $hbin_header, HBIN_HEADER_LENGTH); + if ($bytes_read != HBIN_HEADER_LENGTH) { + return; + } + + my ($sig, + $offset_to_hbin, + $length, + $timestamp) = unpack('a4VVx8a8x4', $hbin_header); + + if ($sig ne 'hbin') { + return; + } + + my $self = {}; + $self->{_regfile} = $regfile; + $self->{_offset} = $offset; + $self->{_length} = $length; + $self->{_header_length} = HBIN_HEADER_LENGTH; + $self->{_allocated} = 1; + $self->{_tag} = $sig; + $self->{_timestamp} = unpack_windows_time($timestamp); + bless $self, $class; + + return $self; +} + +sub get_timestamp { + my $self = shift; + + return $self->{_timestamp}; +} + +sub get_timestamp_as_string { + my $self = shift; + + return iso8601($self->{_timestamp}); +} + +sub get_entry_iterator { + my $self = shift; + + my $regfile = $self->{_regfile}; + my $offset = $self->{_offset}; + my $length = $self->{_length}; + + my $offset_to_next_entry = $offset + HBIN_HEADER_LENGTH; + my $end_of_hbin = $offset + $length; + + return Parse::Win32Registry::Iterator->new(sub { + if ($offset_to_next_entry >= 
$end_of_hbin) { + return; # no more entries + } + if (my $entry = Parse::Win32Registry::WinNT::Entry->new($regfile, + $offset_to_next_entry)) + { + return unless $entry->get_length > 0; + $offset_to_next_entry += $entry->get_length; + return $entry; + } + else { + return; # no more entries + } + }); +} + +1; diff --git a/thirdparty/rr-full/Key.pm b/thirdparty/rr-full/Key.pm new file mode 100644 index 0000000000..1263deb41a --- /dev/null +++ b/thirdparty/rr-full/Key.pm 
@@ -0,0 +1,464 @@ +package Parse::Win32Registry::WinNT::Key; + +use strict; +use warnings; + +use base qw(Parse::Win32Registry::Key); + +use Carp; +use Encode; +use Parse::Win32Registry::Base qw(:all); +use Parse::Win32Registry::WinNT::Value; +use Parse::Win32Registry::WinNT::Security; + +use constant NK_HEADER_LENGTH => 0x50; +use constant OFFSET_TO_FIRST_HBIN => 0x1000; + +sub new { + my $class = shift; + my $regfile = shift; + my $offset = shift; # offset to nk record relative to start of file + my $parent_key_path = shift; # parent key path (optional) + + croak 'Missing registry file' if !defined $regfile; + croak 'Missing offset' if !defined $offset; + + my $fh = $regfile->get_filehandle; + + # 0x00 dword = key length (negative = allocated) + # 0x04 word = 'nk' signature + # 0x06 word = flags + # 0x08 qword = timestamp + # 0x10 + # 0x14 dword = offset to parent + # 0x18 dword = number of subkeys + # 0x1c + # 0x20 dword = offset to subkey list (lf, lh, ri, li) + # 0x24 + # 0x28 dword = number of values + # 0x2c dword = offset to value list + # 0x30 dword = offset to security + # 0x34 dword = offset to class name + # 0x38 dword = max subkey name length + # 0x3c dword = max class name length + # 0x40 dword = max value name length + # 0x44 dword = max value data length + # 0x48 + # 0x4c word = key name length + # 0x4e word = class name length + # 0x50 = key name [for key name length bytes] + + # Extracted offsets are always relative to first hbin + + sysseek($fh, $offset, 0); + my $bytes_read = sysread($fh, my $nk_header, NK_HEADER_LENGTH); + if ($bytes_read != NK_HEADER_LENGTH) { + warnf('Could not read key at 0x%x', $offset); + return; + } + + my ($length, + $sig, + $flags, + $timestamp, +# added 20190127 + $access_bits, + $offset_to_parent, + $num_subkeys, + $offset_to_subkey_list, + $num_values, + $offset_to_value_list, + $offset_to_security, + $offset_to_class_name, + $largest_subkey_name_length, + $name_length, + $class_name_length, +# added 20190127 + ) = 
unpack('Va2va8VVVx4Vx4VVVVVx16vv', $nk_header); +# ) = unpack('Va2va8x4VVx4Vx4VVVVx20vv', $nk_header); + + $offset_to_parent += OFFSET_TO_FIRST_HBIN + if $offset_to_parent != 0xffffffff; + $offset_to_subkey_list += OFFSET_TO_FIRST_HBIN + if $offset_to_subkey_list != 0xffffffff; + $offset_to_value_list += OFFSET_TO_FIRST_HBIN + if $offset_to_value_list != 0xffffffff; + $offset_to_security += OFFSET_TO_FIRST_HBIN + if $offset_to_security != 0xffffffff; + $offset_to_class_name += OFFSET_TO_FIRST_HBIN + if $offset_to_class_name != 0xffffffff; + + my $allocated = 0; + if ($length > 0x7fffffff) { + $allocated = 1; + $length = (0xffffffff - $length) + 1; + } + # allocated should be true + + if ($length < NK_HEADER_LENGTH) { + warnf('Invalid value entry length at 0x%x', $offset); + return; + } + + if ($sig ne 'nk') { + warnf('Invalid signature for key at 0x%x', $offset); + return; + } + + $bytes_read = sysread($fh, my $name, $name_length); + if ($bytes_read != $name_length) { + warnf('Could not read name for key at 0x%x', $offset); + return; + } + + if ($flags & 0x20) { + $name = decode($Parse::Win32Registry::Base::CODEPAGE, $name); + } + else { + $name = decode('UCS-2LE', $name); + } + + my $key_path = (defined $parent_key_path) + ? 
"$parent_key_path\\$name" + : "$name"; + + my $class_name; + if ($offset_to_class_name != 0xffffffff) { + sysseek($fh, $offset_to_class_name + 4, 0); + $bytes_read = sysread($fh, $class_name, $class_name_length); + if ($bytes_read != $class_name_length) { + warnf('Could not read class name at 0x%x', $offset_to_class_name); + $class_name = undef; + } + else { + $class_name = decode('UCS-2LE', $class_name); + } + } + + my $self = {}; + $self->{_regfile} = $regfile; + $self->{_offset} = $offset; + $self->{_length} = $length; + $self->{_allocated} = $allocated; + $self->{_tag} = $sig; + $self->{_name} = $name; + $self->{_name_length} = $name_length; + $self->{_key_path} = $key_path; + $self->{_flags} = $flags; + $self->{_offset_to_parent} = $offset_to_parent; + $self->{_num_subkeys} = $num_subkeys; + $self->{_offset_to_subkey_list} = $offset_to_subkey_list; + $self->{_num_values} = $num_values; + $self->{_offset_to_value_list} = $offset_to_value_list; + $self->{_timestamp} = unpack_windows_time($timestamp); +# added 20190127 + $self->{_access_bits} = $access_bits; + $self->{_largest_subkey_name_length} = $largest_subkey_name_length; + $self->{_offset_to_security} = $offset_to_security; + $self->{_offset_to_class_name} = $offset_to_class_name; + $self->{_class_name_length} = $class_name_length; + $self->{_class_name} = $class_name; + bless $self, $class; + + return $self; +} + +sub get_timestamp { + my $self = shift; + + return $self->{_timestamp}; +} + +sub get_timestamp_as_string { + my $self = shift; + + return iso8601($self->get_timestamp); +} + +# added 20190127 +sub get_access_bits { + my $self = shift; + return $self->{_access_bits}; +} + +sub get_largest_subkey_name_length { + my $self = shift; + return $self->{_largest_subkey_name_length}; +} + + +sub get_class_name { + my $self = shift; + + return $self->{_class_name}; +} + +sub is_root { + my $self = shift; + + my $flags = $self->{_flags}; + return $flags & 4 || $flags & 8; +} + +sub get_parent { + my $self = 
shift; + + my $regfile = $self->{_regfile}; + my $offset_to_parent = $self->{_offset_to_parent}; + my $key_path = $self->{_key_path}; + + return if $self->is_root; + + my $grandparent_key_path; + my @keys = split /\\/, $key_path, -1; + if (@keys > 2) { + $grandparent_key_path = join('\\', @keys[0..$#keys-2]); + } + + return Parse::Win32Registry::WinNT::Key->new($regfile, + $offset_to_parent, + $grandparent_key_path); +} + +sub get_security { + my $self = shift; + + my $regfile = $self->{_regfile}; + my $offset_to_security = $self->{_offset_to_security}; + my $key_path = $self->{_key_path}; + + if ($offset_to_security == 0xffffffff) { + return; + } + + return Parse::Win32Registry::WinNT::Security->new($regfile, + $offset_to_security, + $key_path); +} + +sub as_string { + my $self = shift; + + my $string = $self->get_path . ' [' . $self->get_timestamp_as_string . ']'; + return $string; +} + +sub parse_info { + my $self = shift; + + my $info = sprintf '0x%x nk len=0x%x alloc=%d "%s" par=0x%x keys=%d,0x%x vals=%d,0x%x sec=0x%x class=0x%x', + $self->{_offset}, + $self->{_length}, + $self->{_allocated}, + $self->{_name}, + $self->{_offset_to_parent}, + $self->{_num_subkeys}, $self->{_offset_to_subkey_list}, + $self->{_num_values}, $self->{_offset_to_value_list}, + $self->{_offset_to_security}, + $self->{_offset_to_class_name}; + if (defined $self->{_class_name}) { + $info .= sprintf ',len=0x%x', $self->{_class_name_length}; + } + return $info; +} + +sub _get_offsets_to_subkeys { + my $self = shift; + + # Offset is passed as a parameter for recursive lists such as 'ri' + my $offset_to_subkey_list = shift || $self->{_offset_to_subkey_list}; + + my $regfile = $self->{_regfile}; + my $fh = $regfile->get_filehandle; + + return if $offset_to_subkey_list == 0xffffffff + || $self->{_num_subkeys} == 0; + + sysseek($fh, $offset_to_subkey_list, 0); + my $bytes_read = sysread($fh, my $subkey_list_header, 8); + if ($bytes_read != 8) { + warnf('Could not read subkey list header at 
0x%x', + $offset_to_subkey_list); + return; + } + + # 0x00 dword = subkey list length (negative = allocated) + # 0x04 word = 'lf' signature + # 0x06 word = number of entries + # 0x08 dword = offset to 1st subkey + # 0x0c dword = first four characters of the key name + # 0x10 dword = offset to 2nd subkey + # 0x14 dword = first four characters of the key name + # ... + + # 0x00 dword = subkey list length (negative = allocated) + # 0x04 word = 'lh' signature + # 0x06 word = number of entries + # 0x08 dword = offset to 1st subkey + # 0x0c dword = hash of the key name + # 0x10 dword = offset to 2nd subkey + # 0x14 dword = hash of the key name + # ... + + # 0x00 dword = subkey list length (negative = allocated) + # 0x04 word = 'ri' signature + # 0x06 word = number of entries in ri list + # 0x08 dword = offset to 1st lf/lh/li list + # 0x0c dword = offset to 2nd lf/lh/li list + # 0x10 dword = offset to 3rd lf/lh/li list + # ... + + # 0x00 dword = subkey list length (negative = allocated) + # 0x04 word = 'li' signature + # 0x06 word = number of entries in li list + # 0x08 dword = offset to 1st subkey + # 0x0c dword = offset to 2nd subkey + # ... 
+ + # Extracted offsets are always relative to first hbin + + my @offsets_to_subkeys = (); + + my ($length, + $sig, + $num_entries, + ) = unpack('Va2v', $subkey_list_header); + + my $subkey_list_length; + if ($sig eq 'lf' || $sig eq 'lh') { + $subkey_list_length = 2 * 4 * $num_entries; + } + elsif ($sig eq 'ri' || $sig eq 'li') { + $subkey_list_length = 4 * $num_entries; + } + else { + warnf('Invalid signature for subkey list at 0x%x', + $offset_to_subkey_list); + return; + } + + $bytes_read = sysread($fh, my $subkey_list, $subkey_list_length); + if ($bytes_read != $subkey_list_length) { + warnf('Could not read subkey list at 0x%x', + $offset_to_subkey_list); + return; + } + + if ($sig eq 'lf') { + foreach my $offset (unpack("(Vx4)$num_entries", $subkey_list)) { + push @offsets_to_subkeys, OFFSET_TO_FIRST_HBIN + $offset; + } + } + elsif ($sig eq 'lh') { + foreach my $offset (unpack("(Vx4)$num_entries", $subkey_list)) { + push @offsets_to_subkeys, OFFSET_TO_FIRST_HBIN + $offset; + } + } + elsif ($sig eq 'ri') { + foreach my $offset (unpack("V$num_entries", $subkey_list)) { + my $offsets_ref = + $self->_get_offsets_to_subkeys(OFFSET_TO_FIRST_HBIN + $offset); + if (defined $offsets_ref && ref $offsets_ref eq 'ARRAY') { + push @offsets_to_subkeys, @{ $offsets_ref }; + } + } + } + elsif ($sig eq 'li') { + foreach my $offset (unpack("V$num_entries", $subkey_list)) { + push @offsets_to_subkeys, OFFSET_TO_FIRST_HBIN + $offset; + } + } + + return \@offsets_to_subkeys; +} + +sub get_subkey_iterator { + my $self = shift; + + my $regfile = $self->{_regfile}; + my $key_path = $self->{_key_path}; + + my @offsets_to_subkeys = (); + if ($self->{_num_subkeys} > 0) { + my $offsets_to_subkeys_ref = $self->_get_offsets_to_subkeys; + if (defined $offsets_to_subkeys_ref) { + @offsets_to_subkeys = @{$self->_get_offsets_to_subkeys}; + } + } + + return Parse::Win32Registry::Iterator->new(sub { + while (defined(my $offset_to_subkey = shift @offsets_to_subkeys)) { + my $subkey = 
Parse::Win32Registry::WinNT::Key->new($regfile, + $offset_to_subkey, $key_path); + if (defined $subkey) { + return $subkey; + } + } + return; # no more offsets to subkeys + }); +} + +sub _get_offsets_to_values { + my $self = shift; + + my $regfile = $self->{_regfile}; + my $fh = $regfile->get_filehandle; + my $offset_to_value_list = $self->{_offset_to_value_list}; + + my $num_values = $self->{_num_values}; + return if $num_values == 0; + # Actually, this could probably just fall through + # as unpack("x4V0", ...) would return an empty array. + + my @offsets_to_values = (); + + # 0x00 dword = value list length (negative = allocated) + # 0x04 dword = 1st offset + # 0x08 dword = 2nd offset + # ... + + # Extracted offsets are always relative to first hbin + + sysseek($fh, $offset_to_value_list, 0); + my $value_list_length = 0x4 + $num_values * 4; + my $bytes_read = sysread($fh, my $value_list, $value_list_length); + if ($bytes_read != $value_list_length) { + warnf("Could not read value list at 0x%x", + $offset_to_value_list); + return; + } + + foreach my $offset (unpack("x4V$num_values", $value_list)) { + push @offsets_to_values, OFFSET_TO_FIRST_HBIN + $offset; + } + + return \@offsets_to_values; +} + +sub get_value_iterator { + my $self = shift; + + my $regfile = $self->{_regfile}; + my $key_path = $self->{_key_path}; + + my @offsets_to_values = (); + if ($self->{_num_values} > 0) { + my $offsets_to_values_ref = $self->_get_offsets_to_values; + if (defined $offsets_to_values_ref) { + @offsets_to_values = @{$self->_get_offsets_to_values}; + } + } + + return Parse::Win32Registry::Iterator->new(sub { + while (defined(my $offset_to_value = shift @offsets_to_values)) { + my $value = Parse::Win32Registry::WinNT::Value->new($regfile, + $offset_to_value); + if (defined $value) { + return $value; + } + } + return; # no more offsets to values + }); +} + +1; diff --git a/thirdparty/rr-full/README.md b/thirdparty/rr-full/README.md new file mode 100644 index 0000000000..942ee5f5df 
--- /dev/null
+++ b/thirdparty/rr-full/README.md
@@ -0,0 +1,51 @@
+RegRipper2.8
+============
+
+RegRipper version 2.8
+
+This is the GitHub repository for RegRipper version 2.8
+
+Note: This tool does NOT automatically process hive transaction logs. If you need
+to incorporate data from hive transaction logs into your analysis, consider merging
+the data via Maxim Suhanov's yarp + registryFlush.py, or via Eric Zimmerman's rla.exe.
+
+Updates 20200220
+- Added warning that tool does not automatically process Registry hive transaction logs
+- Added check for dirty hives
+- Modified C:\Perl\site\lib\Parse\Win32Registry\WinNT\File.pm
+ - if you're using the Perl version of this tool (Linux, Mac) be sure to copy File.pm
+ from the repository and replace the appropriate file
+
+Updates 20200104
+- Fixed issue with processing of key LastWrite times
+- Modified C:\Perl\site\lib\Parse\Win32Registry\WinNT\Base.pm
+ - if you're using the Perl version of this tool (Linux, Mac) be sure to copy Base.pm
+ from the repository and replace the appropriate file
+
+Updates 20190128
+- added Time::Local module
+ - this allows plugins to be written that parse string-based date/time stamps, converting
+ them to epochs (for timelining, etc.)
+- modified C:\Perl\site\lib\Parse\Win32Registry\WinNT\Key.pm
+ - extract access_bits and largest_subkey_name_length values from Key node structure
+ - call 'get_access_bits()', 'get_largest_subkey_name_length()' to retrieve the values for parsing/display
+ - IAW https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md
+
+Note: The modifications to Key.pm are 'compiled' into the EXE versions of RegRipper. 
In order to fully take
+advantage of them with the .pl versions:
+- got to \Perl\site\lib\Parse\Win32Registry\WinNT\
+- rename Key.pm to Key_old.pm
+- copy Key.pm from this distro to the folder
+
+Updates 20200104
+Based on how key LastWrite times were being converted from FILETIME objects to Unix epoch format, the function
+appears to have 'broke' as of 1 Jan 2020. As such, I modified/fixed the code, and have updated the compiled
+EXEs for the tools. I've also provided an updated Base.pm file, with instructions below as to how to update
+your local copy of the file.
+
+- Navigate to the \site\lib\Parse\Win32Registry\ folder in your Perl installation, and remove any restrictions
+ or attributes from Base.pm (i.e., 'attrib -r Base.pm')
+- Rename Base.pm to Base_old.pm
+- Copy the Base.pm from this repository
+=======
+
diff --git a/thirdparty/rr-full/license.md b/thirdparty/rr-full/license.md
new file mode 100644
index 0000000000..08d0c5adca
--- /dev/null
+++ b/thirdparty/rr-full/license.md
@@ -0,0 +1,22 @@ +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and +associated documentation files (the "Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial +portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT +LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +This project is licensed under terms of the MIT License - +https://opensource.org/licenses/MIT + +See also: +https://en.wikipedia.org/wiki/MIT_License + +Questions, comments, etc., can be sent to keydet89 at yahoo dot com. \ No newline at end of file diff --git a/thirdparty/rr-full/license.txt b/thirdparty/rr-full/license.txt index c6ac555d59..1660cbd2ea 100644 --- a/thirdparty/rr-full/license.txt +++ b/thirdparty/rr-full/license.txt 
@@ -1,12 +1,22 @@
-This software is released AS-IS, with no statements or guarantees as to
-its effectiveness or stability. While it shouldn't cause any problems
-whatsoever with your system, there's always the chance that someone may find
-a way to blame a system crash or loss of data on software like this...you've
-been warned!
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
+associated documentation files (the "Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
-This software is released under the GNU Public License -
-http://www.gnu.org/copyleft/gpl.html
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
-Specifically, GPL v2.0: http://www.gnu.org/licenses/gpl-2.0.html
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+This project is licensed under terms of the MIT License -
+https://opensource.org/licenses/MIT
+
+See also:
+https://en.wikipedia.org/wiki/MIT_License
 Questions, comments, etc., can be sent to keydet89 at yahoo dot com.
\ No newline at end of file
diff --git a/thirdparty/rr-full/plugins/all b/thirdparty/rr-full/plugins/all
index 57843dc607..2e320acc2e 100644
--- a/thirdparty/rr-full/plugins/all
+++ b/thirdparty/rr-full/plugins/all
@@ -1,17 +1,10 @@ -# 20161213 *ALL* Plugins that apply on any HIVES, alphabetical order -baseline -del -del_tln -fileless -findexes -installedcomp -installer -malware -null -regtime -regtime_tln -rlo -sizes -uninstall -uninstall_tln -wallpaper +baseline +del +fileless +findexes +malware +null +regtime +rlo +sizes +slack diff --git a/thirdparty/rr-full/plugins/amcache b/thirdparty/rr-full/plugins/amcache index be59282855..081bf4a7bc 100755 --- a/thirdparty/rr-full/plugins/amcache +++ b/thirdparty/rr-full/plugins/amcache @@ -1,2 +1 @@ -#20161213 *ALL* Plugins that apply on any amcache, alphabetical order -amcache +amcache diff --git a/thirdparty/rr-full/plugins/amcache.pl b/thirdparty/rr-full/plugins/amcache.pl index 8e77b2e6e2..bad27d9a49 100644 --- a/thirdparty/rr-full/plugins/amcache.pl +++ b/thirdparty/rr-full/plugins/amcache.pl @@ -2,6 +2,7 @@ # amcache.pl # # Change history +# 20180311 - updated to support newer version files, albeit without parsing devices # 20170315 - added output for Product Name and File Description values # 20160818 - added check for value 17 # 20131218 - fixed bug computing compile time @@ -9,9 +10,10 @@ # 20131204 - created # # References +# https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html # http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html # -# Copyright (c) 2017 QAR, LLC +# Copyright (c) 2018 QAR, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package amcache; @@ -23,7 +25,7 @@ my %config = (hive => "amcache", hasRefs => 1, osmask => 22, category => "program execution", - version => 20170315); + version => 20180311); my $VERSION = getVersion(); # Functions # 
@@ -40,121 +42,208 @@ sub pluginmain { my $class = shift; my $hive = shift; - # Initialize # ::logMsg("Launching amcache v.".$VERSION); ::rptMsg("amcache v.".$VERSION); ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); my $reg = Parse::Win32Registry->new($hive); my $root_key = $reg->get_root_key; my $key; - my @sk1; - my @sk; - my (@t,$gt); - - my $key_path = 'Root\\File'; - ::rptMsg("***Files***"); - if ($key = $root_key->get_subkey($key_path)) { + +# Newer version Amcache.hve files +# Devices not parsed at this time + my $key_path = 'Root\\InventoryApplicationFile'; + if ($key = $root_key->get_subkey($key_path)) { + parseInventoryApplicationFile($key); - @sk1 = $key->get_list_of_subkeys(); - foreach my $s1 (@sk1) { -# Volume GUIDs - ::rptMsg($s1->get_name()); - - @sk = $s1->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - ::rptMsg("File Reference: ".$s->get_name()); - ::rptMsg("LastWrite : ".gmtime($s->get_timestamp())." Z"); -# update 20131213: based on trial and error, it appears that not all file -# references will have all of the values, such as Path, or SHA-1 - eval { - ::rptMsg("Path : ".$s->get_value("15")->get_data()); - }; - - eval { - ::rptMsg("Company Name : ".$s->get_value("1")->get_data()); - }; - - eval { - ::rptMsg("Product Name : ".$s->get_value("0")->get_data()); - }; - - eval { - ::rptMsg("File Descr : ".$s->get_value("c")->get_data()); - }; - - eval { - ::rptMsg("Lang Code : ".$s->get_value("3")->get_data()); - }; - - eval { - ::rptMsg("SHA-1 : ".$s->get_value("101")->get_data()); - }; - - eval { - @t = unpack("VV",$s->get_value("11")->get_data()); - $gt = gmtime(::getTime($t[0],$t[1])); - ::rptMsg("Last Mod Time : ".$gt." Z"); - }; - - eval { - @t = unpack("VV",$s->get_value("17")->get_data()); - $gt = gmtime(::getTime($t[0],$t[1])); - ::rptMsg("Last Mod Time2: ".$gt." Z"); - }; - - eval { - @t = unpack("VV",$s->get_value("12")->get_data()); - $gt = gmtime(::getTime($t[0],$t[1])); - ::rptMsg("Create Time : ".$gt." 
Z"); - }; - - eval { - $gt = gmtime($s->get_value("f")->get_data()); -# $gt = gmtime(unpack("V",$s->get_value("f")->get_data())); - ::rptMsg("Compile Time : ".$gt." Z"); - }; - ::rptMsg(""); - } - } - else { -# ::rptMsg("Key ".$s1->get_name()." has no subkeys."); - } - } } else { ::rptMsg($key_path." not found."); } + ::rptMsg(""); + + my $key_path = 'Root\\InventoryApplication'; + if ($key = $root_key->get_subkey($key_path)) { + parseInventoryApplication($key); + + } + else { + ::rptMsg($key_path." not found."); + } + ::rptMsg(""); + +# Older version AmCache.hve files +# Root\Files subkey + my $key_path = 'Root\\File'; + if ($key = $root_key->get_subkey($key_path)) { + parseFile($key); + + } + else { + ::rptMsg($key_path." not found."); + } + ::rptMsg(""); # Root\Programs subkey $key_path = 'Root\\Programs'; - ::rptMsg("***Programs***"); if ($key = $root_key->get_subkey($key_path)) { - @sk1 = $key->get_list_of_subkeys(); - if (scalar(@sk1) > 0) { - foreach my $s1 (@sk1) { - my $str; - $str = "Name : ".$s1->get_value("0")->get_data(); - - eval { - $str .= " v\.".$s1->get_value("1")->get_data(); - }; - ::rptMsg($str); - eval { - ::rptMsg("Category : ".$s1->get_value("6")->get_data()); - }; - - eval { - ::rptMsg("UnInstall : ".$s1->get_value("7")->get_data()); - }; - - ::rptMsg(""); - } - } + parsePrograms($key); } else { ::rptMsg($key_path." not found."); } } +sub parseInventoryApplicationFile { + my $key = shift; + ::rptMsg("***InventoryApplicationFile***"); + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $lw = $s->get_timestamp(); + + my $path; + eval { + $path = $s->get_value("LowerCaseLongPath")->get_data(); + }; + + my $hash; + eval { + $hash = $s->get_value("FileID")->get_data(); + $hash =~ s/^0000//; + }; + ::rptMsg($path." 
LastWrite: ".gmtime($lw)); + ::rptMsg("Hash: ".$hash); + ::rptMsg(""); + } + } + else { + + } +} + +sub parseInventoryApplication { + my $key = shift; + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $lw = $s->get_timestamp(); + my $name; + eval { + $name = $s->get_value("Name")->get_data(); + }; + + my $version; + eval { + $version = "v.".$s->get_value("Version")->get_data(); + }; + ::rptMsg(gmtime($lw)." - ".$name." ".$version); + } + } + else { + + } +} + + +sub parseFile { + my $key = shift; + ::rptMsg("***Files***"); + my (@t,$gt); + my @sk1 = $key->get_list_of_subkeys(); + foreach my $s1 (@sk1) { +# Volume GUIDs + ::rptMsg($s1->get_name()); + + my @sk = $s1->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + ::rptMsg("File Reference: ".$s->get_name()); + ::rptMsg("LastWrite : ".gmtime($s->get_timestamp())." Z"); +# update 20131213: based on trial and error, it appears that not all file +# references will have all of the values, such as Path, or SHA-1 + eval { + ::rptMsg("Path : ".$s->get_value("15")->get_data()); + }; + + eval { + ::rptMsg("Company Name : ".$s->get_value("1")->get_data()); + }; + + eval { + ::rptMsg("Product Name : ".$s->get_value("0")->get_data()); + }; + + eval { + ::rptMsg("File Descr : ".$s->get_value("c")->get_data()); + }; + + eval { + ::rptMsg("Lang Code : ".$s->get_value("3")->get_data()); + }; + + eval { + ::rptMsg("SHA-1 : ".$s->get_value("101")->get_data()); + }; + + eval { + @t = unpack("VV",$s->get_value("11")->get_data()); + $gt = gmtime(::getTime($t[0],$t[1])); + ::rptMsg("Last Mod Time : ".$gt." Z"); + }; + + eval { + @t = unpack("VV",$s->get_value("17")->get_data()); + $gt = gmtime(::getTime($t[0],$t[1])); + ::rptMsg("Last Mod Time2: ".$gt." Z"); + }; + + eval { + @t = unpack("VV",$s->get_value("12")->get_data()); + $gt = gmtime(::getTime($t[0],$t[1])); + ::rptMsg("Create Time : ".$gt." 
Z"); + }; + + eval { + $gt = gmtime($s->get_value("f")->get_data()); +# $gt = gmtime(unpack("V",$s->get_value("f")->get_data())); + ::rptMsg("Compile Time : ".$gt." Z"); + }; + ::rptMsg(""); + } + } + else { +# ::rptMsg("Key ".$s1->get_name()." has no subkeys."); + } + } + +} + +# Root\Programs subkey +sub parsePrograms { + my $key = shift; + ::rptMsg("***Programs***"); + my @sk1 = $key->get_list_of_subkeys(); + if (scalar(@sk1) > 0) { + foreach my $s1 (@sk1) { + my $str; + $str = "Name : ".$s1->get_value("0")->get_data(); + + eval { + $str .= " v\.".$s1->get_value("1")->get_data(); + }; + ::rptMsg($str); + eval { + ::rptMsg("Category : ".$s1->get_value("6")->get_data()); + }; + + eval { + ::rptMsg("UnInstall : ".$s1->get_value("7")->get_data()); + }; + + ::rptMsg(""); + } + } +} + + 1; diff --git a/thirdparty/rr-full/plugins/amcache_tln.pl b/thirdparty/rr-full/plugins/amcache_tln.pl index ce51c402a8..de0fbafabb 100644 --- a/thirdparty/rr-full/plugins/amcache_tln.pl +++ b/thirdparty/rr-full/plugins/amcache_tln.pl @@ -2,12 +2,18 @@ # amcache_tln.pl # # Change history -# 20170315 - created +# 20180311 - updated to support newer version files, albeit without parsing devices +# 20170315 - added output for Product Name and File Description values +# 20160818 - added check for value 17 +# 20131218 - fixed bug computing compile time +# 20131213 - updated +# 20131204 - created # # References +# https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html # http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html # -# Copyright (c) 2017 QAR, LLC +# Copyright (c) 2018 QAR, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package amcache_tln; @@ -19,7 +25,7 @@ my %config = (hive => "amcache", hasRefs => 1, osmask => 22, category => "program execution", - version => 20170315); + version => 20180311); my $VERSION = getVersion(); # Functions # 
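Review bot: `pluginmain` now declares `my $key_path` three times in the same scope (`Root\InventoryApplicationFile`, `Root\InventoryApplication`, `Root\File`) before the bare `$key_path = 'Root\\Programs';` assignment; under `use warnings` Perl reports the second and third as masking the earlier declaration, so drop the `my` on them: `$key_path = 'Root\\InventoryApplication';` and `$key_path = 'Root\\File';`. In `parseInventoryApplicationFile` a subkey without `LowerCaseLongPath` or `FileID` leaves `$path`/`$hash` undefined after the swallowed `eval`, and the report line then degrades to a bare ` LastWrite: ...` with an uninitialized-value warning; a fallback such as `$path = "(no LowerCaseLongPath) ".$s->get_name() unless defined $path;` keeps the entry attributable. `parsePrograms` still calls `$s1->get_value("0")->get_data()` outside any `eval`, so one Programs subkey lacking value `0` aborts the whole plugin where every other value access is guarded. The two empty `else { }` blocks after the subkey-count checks should either report "no subkeys" like the commented line in `parseFile` or be removed.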
@@ -28,88 +34,199 @@ sub getHive {return $config{hive};} sub getVersion {return $config{version};} sub getDescr {} sub getShortDescr { - return "Parse AmCache\.hve file, TLN format"; + return "Parse AmCache\.hve file"; } sub getRefs {} sub pluginmain { my $class = shift; my $hive = shift; - - # Initialize # + ::logMsg("Launching amcache_tln v.".$VERSION); # ::rptMsg("amcache v.".$VERSION); # ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); my $reg = Parse::Win32Registry->new($hive); my $root_key = $reg->get_root_key; my $key; - my @sk1; - my @sk; - my (@t,$gt); - - my $key_path = 'Root\\File'; -# ::rptMsg("***Files***"); - if ($key = $root_key->get_subkey($key_path)) { + +# Newer version Amcache.hve files +# Devices not parsed at this time + my $key_path = 'Root\\InventoryApplicationFile'; + if ($key = $root_key->get_subkey($key_path)) { + parseInventoryApplicationFile($key); - @sk1 = $key->get_list_of_subkeys(); - foreach my $s1 (@sk1) { -# Volume GUIDs - ::rptMsg($s1->get_name()); + } + else { +# ::rptMsg($key_path." not found."); + } +# ::rptMsg(""); + +# my $key_path = 'Root\\InventoryApplication'; +# if ($key = $root_key->get_subkey($key_path)) { +# parseInventoryApplication($key); +# +# } +# else { +# ::rptMsg($key_path." not found."); +# } +# ::rptMsg(""); + +# Older version AmCache.hve files +# Root\Files subkey + my $key_path = 'Root\\File'; + if ($key = $root_key->get_subkey($key_path)) { + parseFile($key); + + } + else { +# ::rptMsg($key_path." 
not found."); + } +# ::rptMsg(""); +} + +sub parseInventoryApplicationFile { + my $key = shift; +# ::rptMsg("***InventoryApplicationFile***"); + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $lw = $s->get_timestamp(); + + my $path; + eval { + $path = $s->get_value("LowerCaseLongPath")->get_data(); + }; - @sk = $s1->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $fileref = $s->get_name(); - my $lw = $s->get_timestamp(); + my $hash; + eval { + $hash = $s->get_value("FileID")->get_data(); + $hash =~ s/^0000//; + }; + + ::rptMsg($lw."|AmCache|||Key LastWrite - ".$path." (".$hash.")"); + } + } + else { + + } +} + +sub parseInventoryApplication { + my $key = shift; + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $lw = $s->get_timestamp(); + my $name; + eval { + $name = $s->get_value("Name")->get_data(); + }; + + my $version; + eval { + $version = "v.".$s->get_value("Version")->get_data(); + }; + ::rptMsg(gmtime($lw)." - ".$name." ".$version); + } + } + else { + + } +} + + +sub parseFile { + my $key = shift; +# ::rptMsg("***Files***"); + my (@t,$gt); + my @sk1 = $key->get_list_of_subkeys(); + foreach my $s1 (@sk1) { +# Volume GUIDs + ::rptMsg($s1->get_name()); + my @sk = $s1->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $fileref = $s->get_name(); + my $lw = $s->get_timestamp(); # First, report key lastwrite time (== execution time??) - eval { - $fileref = $fileref.":".$s->get_value("15")->get_data(); - }; - - ::rptMsg($lw."|AmCache|||Key LastWrite - ".$fileref); - + eval { + $fileref = $fileref.":".$s->get_value("15")->get_data(); + }; + ::rptMsg($lw."|AmCache|||Key LastWrite - ".$fileref); + # get last mod./creation times - my @dots = qw/. . . ./; - my %t_hash = (); - my @vals = (); + my @dots = qw/. . . 
./; + my %t_hash = (); + my @vals = (); # last mod time - eval { - my @t = unpack("VV",$s->get_value("11")->get_data()); - $vals[1] = ::getTime($t[0],$t[1]); - }; + eval { + my @t = unpack("VV",$s->get_value("11")->get_data()); + $vals[1] = ::getTime($t[0],$t[1]); + }; # creation time - eval { - my @t = unpack("VV",$s->get_value("12")->get_data()); - $vals[3] = ::getTime($t[0],$t[1]); - }; + eval { + my @t = unpack("VV",$s->get_value("12")->get_data()); + $vals[3] = ::getTime($t[0],$t[1]); + }; - foreach my $v (@vals) { - @{$t_hash{$v}} = @dots unless ($v == 0); - } + foreach my $v (@vals) { + @{$t_hash{$v}} = @dots unless ($v == 0); + } - ${$t_hash{$vals[0]}}[1] = "A" unless ($vals[0] == 0); - ${$t_hash{$vals[1]}}[0] = "M" unless ($vals[1] == 0); - ${$t_hash{$vals[2]}}[2] = "C" unless ($vals[2] == 0); - ${$t_hash{$vals[3]}}[3] = "B" unless ($vals[3] == 0); + ${$t_hash{$vals[0]}}[1] = "A" unless ($vals[0] == 0); + ${$t_hash{$vals[1]}}[0] = "M" unless ($vals[1] == 0); + ${$t_hash{$vals[2]}}[2] = "C" unless ($vals[2] == 0); + ${$t_hash{$vals[3]}}[3] = "B" unless ($vals[3] == 0); - foreach my $t (reverse sort {$a <=> $b} keys %t_hash) { - my $str = join('',@{$t_hash{$t}}); - ::rptMsg($t."|AmCache|||".$str." ".$fileref); - } + foreach my $t (reverse sort {$a <=> $b} keys %t_hash) { + my $str = join('',@{$t_hash{$t}}); + ::rptMsg($t."|AmCache|||".$str." ".$fileref); + } # check for PE Compile times - eval { - my $pe = $s->get_value("f")->get_data(); - ::rptMsg($pe."|AmCache|||PE Compile time - ".$fileref); - ::rptMsg("Compile Time : ".$gt." Z"); - }; - - } + eval { + my $pe = $s->get_value("f")->get_data(); + ::rptMsg($pe."|AmCache|||PE Compile time - ".$fileref); + ::rptMsg("Compile Time : ".$gt." Z"); + }; + } } + else { +# ::rptMsg("Key ".$s1->get_name()." 
has no subkeys."); + } + } + +} + +# Root\Programs subkey +sub parsePrograms { + my $key = shift; +# ::rptMsg("***Programs***"); + my @sk1 = $key->get_list_of_subkeys(); + if (scalar(@sk1) > 0) { + foreach my $s1 (@sk1) { + my $str; + $str = "Name : ".$s1->get_value("0")->get_data(); + + eval { + $str .= " v\.".$s1->get_value("1")->get_data(); + }; + ::rptMsg($str); + eval { + ::rptMsg("Category : ".$s1->get_value("6")->get_data()); + }; + + eval { + ::rptMsg("UnInstall : ".$s1->get_value("7")->get_data()); + }; + +# ::rptMsg(""); + } } } -1; \ No newline at end of file + +1; diff --git a/thirdparty/rr-full/plugins/angelfire.pl b/thirdparty/rr-full/plugins/angelfire.pl new file mode 100644 index 0000000000..d6c7d71a00 --- /dev/null +++ b/thirdparty/rr-full/plugins/angelfire.pl 
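Review bot: This plugin emits TLN (pipe-delimited `time|source|host|user|desc`) lines, but `parseFile` still writes two non-TLN lines into that stream: `::rptMsg($s1->get_name());` prints a bare volume GUID per volume, and inside the compile-time `eval` the line `::rptMsg("Compile Time : ".$gt." Z");` prints a value that is never assigned in this sub (`$gt` exists only via `my (@t,$gt);`), so consumers of the timeline get "Compile Time :  Z" rows. Delete the `Compile Time` line and comment the GUID line out like the other report lines in this file (`# ::rptMsg($s1->get_name());`). `parseInventoryApplication` and `parsePrograms` are defined but never called (their call sites are commented out) and their output is not TLN-formatted either, so either convert them to `$lw."|AmCache|||..."` lines or drop them from the `_tln` variant. Worth noting that `getShortDescr` lost the "TLN format" wording, which is the only hint in the plugin list that this variant produces timeline output.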
@@ -0,0 +1,67 @@ +#----------------------------------------------------------- +# angelfire.pl +# +# History: +# 20170831 - created +# +# References: +# https://wikileaks.org/vault7/document/Angelfire-2_0-UserGuide/Angelfire-2_0-UserGuide.pdf +# +# +# copyright 2017 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package angelfire; +use strict; + +my %config = (hive => "System", + hivemask => 4, + output => "report", + category => "malware", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 31, #XP - Win7 + version => 20170831); + +sub getConfig{return %config} +sub getShortDescr { + return "Detects AngelFire"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching angelfire v.".$VERSION); + ::rptMsg("angelfire v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my ($current,$ccs); + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + my $af_path = $ccs."\\Control\\Windows\\SystemLookup"; + my $af; + if ($af = $root_key->get_subkey($af_path)) { + ::rptMsg("AngelFire found."); + ::rptMsg("Path: ".$af_path); + } + else { + ::rptMsg("AngelFire not found."); + } + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/appassoc.pl b/thirdparty/rr-full/plugins/appassoc.pl new file mode 100644 index 0000000000..e5bf8ab22b --- /dev/null +++ b/thirdparty/rr-full/plugins/appassoc.pl 
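Review bot: `$key->get_value("Current")->get_data()` is called without a guard, so a `Select` key that lacks a `Current` value (or a damaged hive) kills the plugin with "Can't call method get_data on an undefined value" instead of reporting; `my $cv = $key->get_value("Current") or do { ::rptMsg("Select\\Current not found."); return; };` keeps it a report line. When `Select` itself is missing the plugin prints nothing at all, unlike `appassoc.pl` in this same commit, which reports `$key_path." not found."`; add that `else` branch. When the `SystemLookup` key is found, the key's LastWrite time is the one artifact an analyst will want next to "AngelFire found.", so add `::rptMsg("LastWrite: ".gmtime($af->get_timestamp())." Z");` after the `Path:` line. The `"ControlSet00".$current` construction only works for single-digit `Current` values — presumably fine in practice and the convention used elsewhere, but `sprintf("ControlSet%03d",$current)` would be the robust form.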
@@ -0,0 +1,62 @@ +#----------------------------------------------------------- +# appassoc.pl +# +# Change history +# 20190513 - created +# +# References +# https://twitter.com/EricRZimmerman/status/916422135987474433 +# +# copyright 2017 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package appassoc; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20190513); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's ApplicationAssociationToasts key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching appassoc v.".$VERSION); + ::rptMsg("appassoc v.".$VERSION); # banner + ::rptMsg("- ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationAssociationToasts'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); + ::rptMsg(""); + foreach my $v (@vals) { + ::rptMsg($v->get_name()); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/appcompatcache.pl b/thirdparty/rr-full/plugins/appcompatcache.pl index 2e43785121..0a4fbaf463 100644 --- a/thirdparty/rr-full/plugins/appcompatcache.pl +++ b/thirdparty/rr-full/plugins/appcompatcache.pl 
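Review bot: The header says `copyright 2017 H. Carvey` while the change history says `20190513 - created`, and apart from the tweet URL nothing explains what a `ApplicationAssociationToasts` value name means to an analyst or why only names (not data) are printed; add a line under `References` such as `# Value names record app/extension association toasts shown to the user; data is not reported by this plugin`, hedged to what the tweet supports. For consistency with the timestamp lines elsewhere in this commit (`parseFile` appends " Z" after `gmtime`), use `::rptMsg("LastWrite: ".gmtime($key->get_timestamp())." Z");` so the reader knows the time is UTC. If the value data carries anything useful it is worth printing alongside the name, but that cannot be confirmed from this file.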
@@ -2,6 +2,8 @@ # appcompatcache.pl # # History: +# 20190112 - updated parsing for Win8.1 +# 20180311 - updated for more recent version of Win10/Win2016 # 20160528 - updated code to not de-dup entries based on filename # 20160217 - updated to correctly support Win10 # 20150611 - mod'd for Kevin Pagano @@ -42,7 +44,7 @@ my %config = (hive => "System", hasDescr => 0, hasRefs => 0, osmask => 31, #XP - Win7 - version => 20160528); + version => 20190112); sub getConfig{return %config} sub getShortDescr { @@ -120,12 +122,18 @@ sub pluginmain { # probe($app_data); } - elsif ($sig == 0x30) { + elsif ($sig == 0x0) { +# possible win 8.1 system + appWin81($app_data); +# print $app_data; + } + elsif ($sig == 0x30 || $sig == 0x34) { # Windows 10 system appWin10($app_data); } else { ::rptMsg(sprintf "Unknown signature: 0x%x",$sig); +# probe($app_data); } # this is where we print out the files foreach my $f (keys %files) { @@ -296,7 +304,7 @@ sub appWin8 { while($ofs < $len) { my $tag = unpack("V",substr($data,$ofs,4)); - last unless (defined $tag); + last unless (defined $tag); # 32-bit if ($tag == 0x73746f72) { $jmp = unpack("V",substr($data,$ofs + 8,4)); 
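Review bot: The new `$sig == 0x0` branch is documented only by `# possible win 8.1 system` plus a leftover `# print $app_data;` debug line, and the widened `$sig == 0x30 || $sig == 0x34` test says nothing about where 0x34 comes from, so a reader has to trust the history lines above. Replace the two comments with one that ties the values to the history entries, e.g. `# 0x0 = Win8.1 layout (20190112); 0x30/0x34 = Win10/Win2016 layouts (20160217, 20180311)`, and delete the commented-out print and the second `# probe($app_data);`. Note that any value whose first dword is zero, including a zero-filled or truncated one, is now routed to `appWin81`, so that function has to cope with arbitrary bytes at 0x80.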
@@ -328,6 +336,38 @@ sub appWin8 { } } +#----------------------------------------------------------- +# appWin81() +# +#----------------------------------------------------------- +sub appWin81 { + my $data = shift; + my $len = length($data); + my ($tag, $sz, $t0, $t1, $name, $name_len); + my $ct = 0; +# my $ofs = unpack("V",substr($data,0,4)); + my $ofs = 0x80; + + while ($ofs < $len) { + $tag = substr($data,$ofs,4); + last unless (defined $tag); + if ($tag eq "10ts") { + + $sz = unpack("V",substr($data,$ofs + 0x08,4)); + $name_len = unpack("v",substr($data,$ofs + 0x0c,2)); + my $name = substr($data,$ofs + 0x0e,$name_len); + $name =~ s/\00//g; +# ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x03 + $name_len,8)); + ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x0e + $name_len + 0x0a,8)); + $files{$ct}(unknown) = $name; + $files{$ct}{modtime} = ::getTime($t0,$t1); + + $ct++; + $ofs += ($sz + 0x0c); + } + } +} + #----------------------------------------------------------- # appWin10() # Ref: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html @@ -337,11 +377,11 @@ sub appWin10 { my $len = length($data); my ($tag, $sz, $t0, $t1, $name, $name_len); my $ct = 0; - my $ofs = 0x30; + my $ofs = unpack("V",substr($data,0,4)); +# my $ofs = 0x30; while ($ofs < $len) { $tag = substr($data,$ofs,4); - last unless (defined $tag); if ($tag eq "10ts") { $sz = unpack("V",substr($data,$ofs + 0x08,4)); diff --git a/thirdparty/rr-full/plugins/appcompatcache_tln.pl b/thirdparty/rr-full/plugins/appcompatcache_tln.pl index fd767b51e0..be9b932bfe 100644 --- a/thirdparty/rr-full/plugins/appcompatcache_tln.pl +++ b/thirdparty/rr-full/plugins/appcompatcache_tln.pl @@ -2,6 +2,8 @@ # appcompatcache_tln.pl # # History: +# 20190112 - updated parsing for Win8.1 +# 20180311 - updated for more recent version of Win10/Win2016 # 20160528 - updated code to not de-dup entries based on filename # 20160217 - updated to correctly support Win10 # 20150611 - mod'd for Kevin Pagano 
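Review bot: In the new `appWin81` loop `$ofs` only advances inside the `if ($tag eq "10ts")` branch, so a value routed here by the `$sig == 0x0` dispatch whose bytes at 0x80 are not `10ts` (a truncated, zero-filled or deliberately crafted AppCompatCache blob in a SYSTEM hive the analyst does not control) makes `while ($ofs < $len)` spin forever and hangs the tool. Add an exit path: `else { ::rptMsg(sprintf "appWin81: unexpected tag at 0x%x, stopping",$ofs); last; }`. The line `$files{$ct}(unknown) = $name;` as printed is not valid Perl — presumably a `{filename}`-style slot like the `{modtime}` one below it; confirm this is a rendering artifact rather than what was committed. The `last unless (defined $tag);` check is redundant here because the loop condition already keeps `$ofs` inside the data.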
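Review bot: `appWin10` now takes its starting offset from the first dword of the value data instead of the fixed 0x30 — presumably the same dword the dispatch matched as `$sig` — so a header field at or beyond `length($data)` makes the loop body never execute and the plugin prints nothing without saying why; a guard such as `::rptMsg(sprintf "appWin10: header offset 0x%x beyond data length 0x%x",$ofs,$len) if ($ofs >= $len);` before the loop makes that visible. The body of `appWin10` continues past the end of the hunk, so whether the loop has an exit for a non-`10ts` tag (the same hang risk as `appWin81`) cannot be checked here.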
@@ -42,7 +44,7 @@ my %config = (hive => "System", hasDescr => 0, hasRefs => 0, osmask => 31, #XP - Win7 - version => 20160528); + version => 20190112); sub getConfig{return %config} sub getShortDescr { @@ -120,7 +122,10 @@ sub pluginmain { # probe($app_data); } - elsif ($sig == 0x30) { + elsif ($sig == 0x0) { + appWin81($app_data); + } + elsif ($sig == 0x30 || $sig == 0x34) { # Windows 10 system appWin10($app_data); } @@ -291,7 +296,7 @@ sub appWin8 { while($ofs < $len) { my $tag = unpack("V",substr($data,$ofs,4)); - last unless (defined $tag); + last unless (defined $tag); # 32-bit if ($tag == 0x73746f72) { $jmp = unpack("V",substr($data,$ofs + 8,4)); @@ -323,6 +328,39 @@ sub appWin8 { } } +#----------------------------------------------------------- +# appWin81() +# +#----------------------------------------------------------- +sub appWin81 { + my $data = shift; + my $len = length($data); + my ($tag, $sz, $t0, $t1, $name, $name_len); + my $ct = 0; +# my $ofs = unpack("V",substr($data,0,4)); + my $ofs = 0x80; + + while ($ofs < $len) { + $tag = substr($data,$ofs,4); + last unless (defined $tag); + if ($tag eq "10ts") { + + $sz = unpack("V",substr($data,$ofs + 0x08,4)); + $name_len = unpack("v",substr($data,$ofs + 0x0c,2)); + my $name = substr($data,$ofs + 0x0e,$name_len); + $name =~ s/\00//g; +# ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x03 + $name_len,8)); + ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x0e + $name_len + 0x0a,8)); + $files{$ct}(unknown) = $name; + $files{$ct}{modtime} = ::getTime($t0,$t1); + + $ct++; + $ofs += ($sz + 0x0c); + } + } +} + + #----------------------------------------------------------- # appWin10() # Ref: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html 
@@ -332,11 +370,11 @@ sub appWin10 { my $len = length($data); my ($tag, $sz, $t0, $t1, $name, $name_len); my $ct = 0; - my $ofs = 0x30; + my $ofs = unpack("V",substr($data,0,4)); +# my $ofs = 0x30; while ($ofs < $len) { $tag = substr($data,$ofs,4); - last unless (defined $tag); if ($tag eq "10ts") { $sz = unpack("V",substr($data,$ofs + 0x08,4)); diff --git a/thirdparty/rr-full/plugins/appkeys.pl b/thirdparty/rr-full/plugins/appkeys.pl new file mode 100644 index 0000000000..a58c8b249b --- /dev/null +++ b/thirdparty/rr-full/plugins/appkeys.pl 
@@ -0,0 +1,79 @@ +#----------------------------------------------------------- +# appkeys.pl +# +# +# Change history +# 20180920 - created +# +# References +# http://www.hexacorn.com/blog/2018/07/06/beyond-good-ol-run-key-part-80/ +# http://blog.airbuscybersecurity.com/post/2015/06/Latest-improvements-in-PlugX +# https://docs.microsoft.com/en-us/windows/desktop/inputdev/wm-appcommand +# +# Copyright (c) 2018 QAR, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package appkeys; +use strict; + +my %config = (hive => "NTUSER\.DAT, Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + category => "persistence", + version => 20180920); +my $VERSION = getVersion(); + +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getDescr {} +sub getShortDescr { + return "Extracts AppKeys entries."; +} +sub getRefs {} + +sub pluginmain { + my $class = shift; + my $hive = shift; + + ::logMsg("Launching appkeys v.".$VERSION); + ::rptMsg("appkeys v.".$VERSION); + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + + my @paths = ("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AppKey", + "Microsoft\\Windows\\CurrentVersion\\Explorer\\AppKey"); + + foreach my $key_path (@paths) { + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + my $lw = $key->get_timestamp(); + + my @sk = $key->get_list_of_subkeys(); + if (scalar @sk > 0) { + foreach my $s (@sk) { + ::rptMsg("Subkey Name: ".$s->get_name()." LastWrite: ".gmtime($s->get_timestamp())); + + eval { + my $shell = $s->get_value("ShellExecute")->get_data(); + ::rptMsg(" ShellExecute value: ".$shell); + }; + + eval { + my $assoc = $s->get_value("Association")->get_data(); + ::rptMsg(" Association value: ".$assoc); + }; + } + } + else { + ::rptMsg($key_path." 
has no subkeys."); + } + } + } +} + +1; diff --git a/thirdparty/rr-full/plugins/appkeys_tln.pl b/thirdparty/rr-full/plugins/appkeys_tln.pl new file mode 100644 index 0000000000..f203282e42 --- /dev/null +++ b/thirdparty/rr-full/plugins/appkeys_tln.pl 
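Review bot: `my $lw = $key->get_timestamp();` in `pluginmain` is assigned and never used, so the LastWrite time of the AppKey key itself is silently dropped from the report; either report it next to the path, `::rptMsg("LastWrite Time: ".gmtime($lw)." Z");`, or remove the variable. `$key` is declared once outside the `foreach` and reassigned per path, which works but reads more clearly scoped as `if (my $key = $root_key->get_subkey($key_path))`. The same unused `$lw` appears in the appkeys_tln.pl hunk that follows.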
@@ -0,0 +1,78 @@ +#----------------------------------------------------------- +# appkeys_tln.pl +# +# Change history +# 20180920 - created +# +# References +# http://www.hexacorn.com/blog/2018/07/06/beyond-good-ol-run-key-part-80/ +# http://blog.airbuscybersecurity.com/post/2015/06/Latest-improvements-in-PlugX +# https://docs.microsoft.com/en-us/windows/desktop/inputdev/wm-appcommand +# +# Copyright (c) 2018 QAR, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package appkeys_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT, Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + category => "persistence", + version => 20180920); +my $VERSION = getVersion(); + +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getDescr {} +sub getShortDescr { + return "Extracts AppKeys entries."; +} +sub getRefs {} + +sub pluginmain { + my $class = shift; + my $hive = shift; + +# ::logMsg("Launching appkeys v.".$VERSION); +# ::rptMsg("appkeys v.".$VERSION); +# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + + my @paths = ("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AppKey", + "Microsoft\\Windows\\CurrentVersion\\Explorer\\AppKey"); + + foreach my $key_path (@paths) { + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); + my $lw = $key->get_timestamp(); + + my @sk = $key->get_list_of_subkeys(); + if (scalar @sk > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); + my $sk_lw = $s->get_timestamp(); + eval { + my $shell = $s->get_value("ShellExecute")->get_data(); + ::rptMsg($sk_lw."|AppKeys|||AppKey\\".$name." LastWrite - ShellExecute Value: ".$shell); + }; + + eval { + my $assoc = $s->get_value("Association")->get_data(); + ::rptMsg($sk_lw."|AppKeys|||AppKey\\".$name." 
LastWrite - Association Value: ".$assoc); + }; + } + } + else { +# ::rptMsg($key_path." has no subkeys."); + } + } + } +} + +1; diff --git a/thirdparty/rr-full/plugins/arpcache.pl b/thirdparty/rr-full/plugins/arpcache.pl index 3a0b733ca2..62ce950da2 100644 --- a/thirdparty/rr-full/plugins/arpcache.pl +++ b/thirdparty/rr-full/plugins/arpcache.pl @@ -122,7 +122,7 @@ sub parsePath { while($tag) { $ofs += 2; my $i = substr($data,$ofs,2); - last unless (defined $i); + last unless (defined $i); if (unpack("v",$i) == 0) { $tag = 0; } diff --git a/thirdparty/rr-full/plugins/assoc.pl b/thirdparty/rr-full/plugins/assoc.pl index de15eca151..0fbb55eee0 100644 --- a/thirdparty/rr-full/plugins/assoc.pl +++ b/thirdparty/rr-full/plugins/assoc.pl @@ -3,17 +3,22 @@ # Plugin to extract file association data from the Software hive file # Can take considerable time to run; recommend running it via rip.exe # +# History +# 20180117 - updated, based on input from Jean, jean.crush@hotmail.fr +# 20080815 - created +# +# # copyright 2008 H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package assoc; use strict; -my %config = (hive => "Software", +my %config = (hive => "Software,USRCLASS", osmask => 22, hasShortDescr => 1, hasDescr => 0, hasRefs => 0, - version => 20080815); + version => 20180117); sub getConfig{return %config} 
@@ -32,58 +37,55 @@ sub pluginmain { my $hive = shift; ::logMsg("Launching assoc v.".$VERSION); ::rptMsg("assoc v.".$VERSION); # banner - ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner my $reg = Parse::Win32Registry->new($hive); my $root_key = $reg->get_root_key; - my $key_path = "Classes"; + my @paths = ("Classes","Classes\\Wow6432Node","Wow6432Node"); my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("assoc"); - ::rptMsg($key_path); + foreach my $key_path (@paths) { + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("assoc"); + ::rptMsg($key_path); # ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); + ::rptMsg(""); # First step will be to get a list of all of the file extensions - my %ext; - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - next unless ($name =~ m/^\.\w+$/); - my $data; - eval { - $data = $s->get_value("")->get_data(); - }; - if ($@) { + my %ext; + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); + next unless ($name =~ m/^\.\w+$/); + my $data; + eval { + $data = $s->get_value("")->get_data(); + }; + if ($@) { # Error generated, as "(Default)" value was not found + } + else { + $ext{$name} = $data if ($data ne ""); + } } - else { - $ext{$name} = $data if ($data ne ""); - } - } # Once a list of all file ext subkeys has been compiled, access the file type # to determine the command line used to launch files with that extension - foreach my $e (keys %ext) { - my $cmd; - eval { - $cmd = $key->get_subkey($ext{$e}."\\shell\\open\\command")->get_value("")->get_data(); - }; - if ($@) { + foreach my $e (keys %ext) { + my $cmd; + eval { + $cmd = $key->get_subkey($ext{$e}."\\shell\\open\\command")->get_value("")->get_data(); + }; + if ($@) { # error generated attempting to locate 
.\shell\open\command\(Default) value - } - else { - ::rptMsg($e." : ".$cmd); + } + else { + ::rptMsg($e." : ".$cmd); + } } } - } - else { - ::rptMsg($key_path." has no subkeys."); + else { + ::rptMsg($key_path." has no subkeys."); + } } } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - } 1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/auditpol.pl b/thirdparty/rr-full/plugins/auditpol.pl index 7f915860cc..a1b274d5ca 100644 --- a/thirdparty/rr-full/plugins/auditpol.pl +++ b/thirdparty/rr-full/plugins/auditpol.pl @@ -4,6 +4,7 @@ # *Works for Win7 and Win10 at the moment # # History +# 20190510 - updated; Win2016 # 20151202 - created # # Ref: @@ -24,7 +25,7 @@ my %config = (hive => "Security", hasDescr => 0, hasRefs => 0, osmask => 22, - version => 20151202); + version => 20190510); sub getConfig{return %config} sub getShortDescr { @@ -71,9 +72,15 @@ sub pluginmain { @policy = processWin10($data) } elsif (length($data) == 138 && $id == 0x78) { + ::rptMsg("Possible Win7/Win2008"); @policy = processWin7($data); } + elsif (length($data) == 0x96 && $id == 0x84) { + ::rptMsg("Possible Win10(1607+)/Win2016"); + @policy = processWin2016($data); + } else { + ::rptMsg(sprintf "Data Length: 0x%x",length($data)); my @d = printData($data); foreach (0..(scalar(@d) - 1)) { ::rptMsg($d[$_]); 
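Review bot: The old `else { ::rptMsg($key_path." not found."); ::logMsg(...); }` branch is deleted with nothing put in its place, so a hive in which none of `Classes`, `Classes\\Wow6432Node` or `Wow6432Node` exists now produces no output at all, which an analyst reading the report cannot distinguish from "ran and found nothing"; keep a found flag across the `foreach` (`my $found = 0;` … `$found = 1;` inside the `if`) and report once after the loop when it stays 0. `pluginmain` begins above this hunk.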
@@ -213,6 +220,71 @@ sub processWin7 { return @win; } +sub processWin2016 { + my $data = shift; + my @win = ("System:Security State Change;".unpack("v",substr($data,0x0c,2)), + "System:Security System Extension;".unpack("v",substr($data,0x0e,2)), + "System:System Integrity;".unpack("v",substr($data,0x10,2)), + "System:IPsec Driver;".unpack("v",substr($data,0x12,2)), + "System:Other System Events;".unpack("v",substr($data,0x14,2)), + "Logon/Logoff:Logon;".unpack("v",substr($data,0x16,2)), + "Logon/Logoff:Logoff;".unpack("v",substr($data,0x18,2)), + "Logon/Logoff:Account Lockout;".unpack("v",substr($data,0x1a,2)), + "Logon/Logoff:IPsec Main Mode;".unpack("v",substr($data,0x1c,2)), + "Logon/Logoff:Special Logon;".unpack("v",substr($data,0x1e,2)), + "Logon/Logoff:IPsec Quick Mode;".unpack("v",substr($data,0x20,2)), + "Logon/Logoff:IPsec Extended Mode;".unpack("v",substr($data,0x22,2)), + "Logon/Logoff:Other Logon/Logoff Events;".unpack("v",substr($data,0x24,2)), + "Logon/Logoff:Network Policy Server;".unpack("v",substr($data,0x26,2)), + "Logon/Logoff:User/Device Claims;".unpack("v",substr($data,0x28,2)), + "Logon/Logoff:Group Membership;".unpack("v",substr($data,0x2a,2)), + "Object Access:File System;".unpack("v",substr($data,0x2c,2)), + "Object Access:Registry;".unpack("v",substr($data,0x2e,2)), + "Object Access:Kernel Object;".unpack("v",substr($data,0x30,2)), + "Object Access:SAM;".unpack("v",substr($data,0x32,2)), + "Object Access:Other Object Access Events;".unpack("v",substr($data,0x34,2)), + "Object Access:Certification Services;".unpack("v",substr($data,0x36,2)), + "Object Access:Application Generated;".unpack("v",substr($data,0x38,2)), + "Object Access:Handle Manipulation;".unpack("v",substr($data,0x3a,2)), + "Object Access:File Share;".unpack("v",substr($data,0x3c,2)), + "Object Access:Filtering Platform Packet Drop;".unpack("v",substr($data,0x3e,2)), + "Object Access:Filtering Platform Connection;".unpack("v",substr($data,0x40,2)), + "Object Access:Detailed 
File Share;".unpack("v",substr($data,0x42,2)), + "Object Access:Removable Storage;".unpack("v",substr($data,0x44,2)), + "Object Access:Central Policy Staging;".unpack("v",substr($data,0x46,2)), + "Privilege Use:Sensitive Privilege Use;".unpack("v",substr($data,0x48,2)), + "Privilege Use:Non Sensitive Privilege Use;".unpack("v",substr($data,0x4a,2)), + "Privilege Use:Other Privilege Use Events;".unpack("v",substr($data,0x4c,2)), + "Detailed Tracking:Process Creation;".unpack("v",substr($data,0x4e,2)), + "Detailed Tracking:Process Termination;".unpack("v",substr($data,0x50,2)), + "Detailed Tracking:DPAPI Activity;".unpack("v",substr($data,0x52,2)), + "Detailed Tracking:RPC Events;".unpack("v",substr($data,0x54,2)), + "Detailed Tracking:Plug and Play Events;".unpack("v",substr($data,0x56,2)), + "Detailed Tracking:Token Right Adjusted Events;".unpack("v",substr($data,0x58,2)), + "Policy Change:Audit Policy Change;".unpack("v",substr($data,0x5a,2)), + "Policy Change:Authentication Policy Change;".unpack("v",substr($data,0x5c,2)), + "Policy Change:Authorization Policy Change;".unpack("v",substr($data,0x5e,2)), + "Policy Change:MPSSVC Rule-Level Policy Change;".unpack("v",substr($data,0x60,2)), + "Policy Change:Filtering Platform Policy Change;".unpack("v",substr($data,0x62,2)), + "Policy Change:Other Policy Change Events;".unpack("v",substr($data,0x64,2)), + "Account Management:User Account Management;".unpack("v",substr($data,0x66,2)), + "Account Management:Computer Account Management;".unpack("v",substr($data,0x68,2)), + "Account Management:Security Group Management;".unpack("v",substr($data,0x6a,2)), + "Account Management:Distribution Group Management;".unpack("v",substr($data,0x6c,2)), + "Account Management:Application Group Management;".unpack("v",substr($data,0x6e,2)), + "Account Management:Other Account Management Events;".unpack("v",substr($data,0x70,2)), + "DS Access:Directory Service Access;".unpack("v",substr($data,0x72,2)), + "DS Access:Directory Service 
Changes;".unpack("v",substr($data,0x74,2)), + "DS Access:Directory Service Replication;".unpack("v",substr($data,0x76,2)), + "DS Access:Detailed Directory Service Replication;".unpack("v",substr($data,0x78,2)), + "Account Logon:Credential Validation;".unpack("v",substr($data,0x7a,2)), + "Account Logon:Kerberos Service Ticket Operations;".unpack("v",substr($data,0x7c,2)), + "Account Logon:Other Account Logon Events;".unpack("v",substr($data,0x73,2)), + "Account Logon:Kerberos Authentication Service;".unpack("v",substr($data,0x80,2))); +# The rest of the data is apparently footer + return @win; +} + #----------------------------------------------------------- # printData() # subroutine used primarily for debugging; takes an arbitrary diff --git a/thirdparty/rr-full/plugins/bam.pl b/thirdparty/rr-full/plugins/bam.pl new file mode 100644 index 0000000000..af64823cfd --- /dev/null +++ b/thirdparty/rr-full/plugins/bam.pl 
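Review bot: The offset for `"Account Logon:Other Account Logon Events;"` is `0x73`, which breaks the two-byte stride every other entry follows (`0x7a`, `0x7c`, then `0x80`) and reads an unaligned word straddling the Kerberos Service Ticket Operations field; it should be `0x7e`: `"Account Logon:Other Account Logon Events;".unpack("v",substr($data,0x7e,2)),`. Consider building the list from a table of names and computing the offset as `0x0c + 2 * $i`, so a typo like this cannot recur across the three `processWin*` variants. The caller only reaches `processWin2016` when `length($data) == 0x96`, so the reads stay in bounds once the offset is corrected.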
@@ -0,0 +1,106 @@ +#----------------------------------------------------------- +# bam.pl +# +# History: +# 20180225 - created +# +# References: +# from Phill Moore via Twitter: https://padawan-4n6.hatenablog.com/entry/2018/02/22/131110 +# https://twitter.com/aionescu/status/891172221971910661?lang=en +# http://batcmd.com/windows/10/services/bam/ +# +# +# copyright 2018 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package bam; +use strict; + +my %config = (hive => "System", + hivemask => 4, + output => "report", + category => "Program Execution", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 31, #XP - Win7 + version => 20180225); + +sub getConfig{return %config} +sub getShortDescr { + return "Parse files from System hive BAM Services"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my %files; +my $str = ""; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching bam v.".$VERSION); + ::rptMsg("bam v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my ($current,$ccs); + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + my $bam_path = $ccs."\\Services\\bam\\UserSettings"; + my $bam; + if ($bam = $root_key->get_subkey($bam_path)) { + my @sk = $bam->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + processKey($s); + } + } + + } + else { + ::rptMsg($bam_path." not found."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} + + +sub processKey { + my $key = shift; + my ($t,$count); + my @values = $key->get_list_of_values(); + + foreach (@values) { + $count = 1 if ($_->get_type() == 3); + } + + if (scalar(@values) > 0 && $count == 1) { + ::rptMsg($key->get_name()); + foreach my $v (@values) { + my $name = $v->get_name(); + + if ($v->get_type() == 3) { + my ($t0,$t1) = unpack("VV",substr($v->get_data(),0,8)); + $t = ::getTime($t0,$t1); + ::rptMsg(" ".gmtime($t)." - ".$name); + } + + } + ::rptMsg(""); + } + +} + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/bam_tln.pl b/thirdparty/rr-full/plugins/bam_tln.pl new file mode 100644 index 0000000000..b86928fc91 --- /dev/null +++ b/thirdparty/rr-full/plugins/bam_tln.pl 
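Review bot: In `processKey`, `$count` is set to 1 only when a type-3 (REG_BINARY) value is present and otherwise stays undefined, so `$count == 1` compares undef; it runs under `use strict` without `use warnings` but is fragile — initialise it, `my ($t, $count) = (undef, 0);`, or replace the flag with `grep { $_->get_type() == 3 } @values`. `unpack("VV",substr($v->get_data(),0,8))` is applied to every type-3 value regardless of length, so a short value yields a bogus timestamp instead of being skipped; add `next unless length($v->get_data()) >= 8;` before the unpack. `%files` and `$str` are declared and never used, and the `osmask => 31, #XP - Win7` comment contradicts the header references, which describe BAM as a Windows 10 artifact. The same points apply to the bam_tln.pl hunk that follows.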
@@ -0,0 +1,99 @@ +#----------------------------------------------------------- +# bam_tln.pl +# +# History: +# 20180225 - created +# +# References: +# from Phill Moore via Twitter: https://padawan-4n6.hatenablog.com/entry/2018/02/22/131110 +# https://twitter.com/aionescu/status/891172221971910661?lang=en +# http://batcmd.com/windows/10/services/bam/ +# +# +# copyright 2018 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package bam_tln; +use strict; + +my %config = (hive => "System", + hivemask => 4, + output => "tln", + category => "Program Execution", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 31, #XP - Win7 + version => 20180225); + +sub getConfig{return %config} +sub getShortDescr { + return "Parse files from System hive BAM Services"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my %files; +my $str = ""; + +sub pluginmain { + my $class = shift; + my $hive = shift; + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my ($current,$ccs); + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + my $bam_path = $ccs."\\Services\\bam\\UserSettings"; + my $bam; + if ($bam = $root_key->get_subkey($bam_path)) { + my @sk = $bam->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + processKey($s); + } + } + + } + else { +# ::rptMsg($bam_path." not found."); + } + } + else { +# ::rptMsg($key_path." 
not found."); + } +} + + +sub processKey { + my $key = shift; + my ($t,$count); + my @values = $key->get_list_of_values(); + + foreach (@values) { + $count = 1 if ($_->get_type() == 3); + } + + if (scalar(@values) > 0 && $count == 1) { + foreach my $v (@values) { + my $name = $v->get_name(); + + if ($v->get_type() == 3) { + my ($t0,$t1) = unpack("VV",substr($v->get_data(),0,8)); + $t = ::getTime($t0,$t1); + ::rptMsg($t."|BAM|||".$name." (".$key->get_name().")"); + } + } + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/bthport.pl b/thirdparty/rr-full/plugins/bthport.pl index 96f2a3769e..0aa76bec01 100644 --- a/thirdparty/rr-full/plugins/bthport.pl +++ b/thirdparty/rr-full/plugins/bthport.pl @@ -5,12 +5,13 @@ # other locations) # # Change history -# 20130115 - created +# 20180705 - updated to support Win10, per data provided by Micah Jones # 20170129 - added support for http://www.hexacorn.com/blog/2017/01/29/beyond-good-ol-run-key-part-59/ +# 20130115 - created # # Category: # -# copyright 2017 Quantum Analytics Research, LLC +# copyright 2018 Quantum Analytics Research, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package bthport; @@ -21,7 +22,7 @@ my %config = (hive => "System", hasDescr => 0, hasRefs => 0, osmask => 22, - version => 20170129); + version => 20180705); sub getConfig{return %config} sub getShortDescr { 
@@ -67,22 +68,21 @@ sub pluginmain { # Note: Need to get VID and PID values for translation and mapping my $devname; eval { -# May need to work on parsing the binary "Name" value data into an actual name... - my @str1 = split(//,unpack("H*",$s->get_value("Name")->get_data())); - my @s3; - my $str; - foreach my $i (0..((scalar(@str1)/2) - 1)) { - $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; - if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) { - $str .= chr(hex($s3[$i])); - } - else { - $str .= " "; - } - } - ::rptMsg("Device Name: ".$str); + my $n = $s->get_value("Name")->get_data(); + ::rptMsg("Name : ".$n); }; + eval { + my ($t0,$t1) = unpack("VV",$s->get_value("LastSeen")->get_data()); + ::rptMsg("LastSeen : ".gmtime(::getTime($t0,$t1))." Z"); + }; + + eval { + my ($t0,$t1) = unpack("VV",$s->get_value("LastConnected")->get_data()); + ::rptMsg("LastConnected : ".gmtime(::getTime($t0,$t1))." Z"); + }; + + ::rptMsg(""); } } else { @@ -92,7 +92,7 @@ sub pluginmain { else { ::rptMsg($cn_path." not found."); } - + ::rptMsg(""); my $rs_path = $ccs."\\services\\BTHPORT\\Parameters\\Radio Support"; my $rs; if ($rs = $root_key->get_subkey($rs_path)) { diff --git a/thirdparty/rr-full/plugins/bthport_tln.pl b/thirdparty/rr-full/plugins/bthport_tln.pl new file mode 100644 index 0000000000..e48afd15fc --- /dev/null +++ b/thirdparty/rr-full/plugins/bthport_tln.pl 
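Review bot: The deleted block pushed the `Name` value through a printable-ASCII filter, while the new `::rptMsg("Name : ".$n);` writes the value's raw bytes into the report; if `Name` is still REG_BINARY on some systems (the removed comment says it was), control characters and embedded NULs supplied by the remote device land in the report text, so keep a filter such as `(my $n = $s->get_value("Name")->get_data()) =~ tr/\x20-\x7e/ /c;`. The two new `unpack("VV", ...)` calls on `LastSeen` and `LastConnected` produce a zero or garbage time on a value shorter than 8 bytes rather than falling into the `eval`'s failure path; a `length` check before unpacking would make that explicit. `pluginmain` starts above and continues below this hunk.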
@@ -0,0 +1,90 @@ +#----------------------------------------------------------- +# bthport_tln.pl +# Get BlueTooth device information from the Registry; assumes +# MS drivers (other drivers, such as BroadComm, will be found in +# other locations) +# +# Change history +# 20180705 - updated to support Win10, per data provided by Micah Jones +# 20170129 - added support for http://www.hexacorn.com/blog/2017/01/29/beyond-good-ol-run-key-part-59/ +# 20130115 - created +# +# Category: +# +# copyright 2018 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package bthport_tln; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20180705); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets Bluetooth-connected devices from System hive; TLN output"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching bthport_tln v.".$VERSION); +# ::rptMsg("bthport v.".$VERSION); # banner +# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my ($current,$ccs); + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + my $cn_path = $ccs."\\services\\BTHPORT\\Parameters\\Devices"; + my $cn; + if ($cn = $root_key->get_subkey($cn_path)) { + + my @sk = $cn->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $uniq = $s->get_name(); + my $devname; + eval { + 
$devname = $s->get_value("Name")->get_data(); + }; + + eval { + my ($t0,$t1) = unpack("VV",$s->get_value("LastSeen")->get_data()); + ::rptMsg(::getTime($t0,$t1)."|REG|||BlueTooth Device ".$devname." (Unique ID: ".$uniq.") LastSeen"); + }; + + eval { + my ($t0,$t1) = unpack("VV",$s->get_value("LastConnected")->get_data()); + ::rptMsg(::getTime($t0,$t1)."|REG|||BlueTooth Device ".$devname." (Unique ID: ".$uniq.") LastConnected"); + }; + + } + } + else { +# ::rptMsg($cn_path." has no subkeys."); + } + } + else { +# ::rptMsg($cn_path." not found."); + } + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/clsid.pl b/thirdparty/rr-full/plugins/clsid.pl index b1848ecf13..94c1a81926 100644 --- a/thirdparty/rr-full/plugins/clsid.pl +++ b/thirdparty/rr-full/plugins/clsid.pl @@ -4,13 +4,19 @@ # Can take considerable time to run; recommend running it via rip.exe # # History +# 20180823 - minor code fix +# 20180819 - updated to incorporate check for "TreatAs" value; code rewrite +# 20180319 - fixed minor code issue +# 20180117 - updated based on input from Jean, jean.crush@hotmail.fr # 20130603 - added alert functionality # 20100227 - created # # References # http://msdn.microsoft.com/en-us/library/ms724475%28VS.85%29.aspx +# https://docs.microsoft.com/en-us/windows/desktop/com/treatas # -# copyright 2010, Quantum Analytics Research, LLC +# #copyright 2010, Quantum Analytics Research, LLC +# copyright 2018, Quantum Analytics Research, LLC #----------------------------------------------------------- package clsid; use strict; @@ -20,7 +26,7 @@ my %config = (hive => "Software", hasShortDescr => 1, hasDescr => 0, hasRefs => 0, - version => 20130603); + version => 20180823); sub getConfig{return %config} 
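Review bot: `$devname` is set only inside an `eval` that fails when the `Name` value is absent, and it is then interpolated undefined into both `::rptMsg` lines, giving `BlueTooth Device  (Unique ID: ...)` with an empty name; default it after the eval, `$devname = "<no Name value>" unless defined $devname;`. The name is also emitted unfiltered into a pipe-delimited TLN line, where a `|` or control character in device-supplied data breaks the field layout for whatever consumes the timeline, so strip non-printables and `|` before output (`$devname =~ tr/\x20-\x7b\x7d\x7e/ /c;`). The same raw-bytes concern applies to the bthport.pl hunk above.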
@@ -40,77 +46,55 @@ sub pluginmain { my %clsid; ::logMsg("Launching clsid v.".$VERSION); ::rptMsg("clsid v.".$VERSION); # banner - ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner my $reg = Parse::Win32Registry->new($hive); my $root_key = $reg->get_root_key; - my $key_path = "Classes\\CLSID"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); +# my $key_path = "Classes\\CLSID"; + my @paths = ("Classes\\CLSID","Classes\\Wow6432Node\\CLSID"); + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); # ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); + ::rptMsg(""); # First step will be to get a list of all of the file extensions - my %ext; - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { + my %ext; + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { - my $name = $s->get_name(); - eval { - my $n = $s->get_value("")->get_data(); - $name .= " ".$n unless ($n eq ""); - }; + my $name = $s->get_name(); + my $n; + eval { + $n = $s->get_value("")->get_data(); + $name .= " ".$n unless ($n eq ""); + }; + + ::rptMsg($name); + ::rptMsg(" LastWrite: ".gmtime($s->get_timestamp())." Z"); + + eval { + my $proc = $s->get_subkey("InprocServer32")->get_value("")->get_data(); + ::rptMsg(" InprocServer32: ".$proc); + }; - eval { - my $path = $s->get_subkey("InprocServer32")->get_value("")->get_data(); - alertCheckPath($path); - alertCheckADS($path); - - }; - - push(@{$clsid{$s->get_timestamp()}},$name); - } - - foreach my $t (reverse sort {$a <=> $b} keys %clsid) { - ::rptMsg(gmtime($t)." 
Z"); - foreach my $item (@{$clsid{$t}}) { - ::rptMsg(" ".$item); + eval { + my $treat = $s->get_subkey("TreatAs")->get_value("")->get_data(); + ::rptMsg(" TreatAs: ".$treat); + }; + ::rptMsg(""); } } + else { + ::rptMsg($key_path." has no subkeys."); + } } else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -#----------------------------------------------------------- -# alertCheckPath() -#----------------------------------------------------------- -sub alertCheckPath { - my $path = shift; - $path = lc($path); - my @alerts = ("recycle","globalroot","temp","system volume information","appdata", - "application data"); - - foreach my $a (@alerts) { - if (grep(/$a/,$path)) { - ::alertMsg("ALERT: clsid: ".$a." found in path: ".$path); + ::rptMsg($key_path." not found."); } } } -#----------------------------------------------------------- -# alertCheckADS() -#----------------------------------------------------------- -sub alertCheckADS { - my $path = shift; - my @list = split(/\\/,$path); - my $last = $list[scalar(@list) - 1]; - ::alertMsg("ALERT: clsid: Poss. ADS found in path: ".$path) if grep(/:/,$last); -} + 1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/clsid_tln.pl b/thirdparty/rr-full/plugins/clsid_tln.pl new file mode 100644 index 0000000000..3c33be2514 --- /dev/null +++ b/thirdparty/rr-full/plugins/clsid_tln.pl 
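Review bot: `alertCheckPath` and `alertCheckADS` are deleted together with their call, so the plugin no longer raises `::alertMsg` when an `InprocServer32` path points into recycle/temp/appdata-style locations or carries an alternate data stream; the rewrite adds the `TreatAs` output but silently drops that detection. If retiring the alerting is intentional, record it in the History comment; otherwise keep the two subs and call them on both `$proc` and `$treat`, since a `TreatAs` redirect is exactly the kind of value those checks were meant to catch. `my %clsid;` at the top of `pluginmain` and `my %ext;` inside the loop are now unused because the timestamp-grouped output was removed, and `my $n;` is declared outside the `eval` only to be assigned inside it — the old `my $n = ...` inside the eval was tighter.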
@@ -0,0 +1,94 @@ +#----------------------------------------------------------- +# clsid_tln.pl +# Plugin to extract file association data from the Software hive file +# Can take considerable time to run; recommend running it via rip.exe +# +# History +# 20180823 - minor code fix +# 20180820 - created +# +# References +# http://msdn.microsoft.com/en-us/library/ms724475%28VS.85%29.aspx +# https://docs.microsoft.com/en-us/windows/desktop/com/treatas +# +# #copyright 2010, Quantum Analytics Research, LLC +# copyright 2018, Quantum Analytics Research, LLC +#----------------------------------------------------------- +package clsid_tln; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20180823); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get list of CLSID/registered classes"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %clsid; +# ::logMsg("Launching clsid v.".$VERSION); +# ::rptMsg("clsid v.".$VERSION); # banner +# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# my $key_path = "Classes\\CLSID"; + my @paths = ("Classes\\CLSID","Classes\\Wow6432Node\\CLSID"); + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); +# ::rptMsg(""); +# First step will be to get a list of all of the file extensions + my %ext; + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my ($descr,$ts,$proc,$treat); + + $descr = $s->get_name(); + $ts = $s->get_timestamp(); + eval { + my $n = $s->get_value("")->get_data(); + $descr .= " ".$n unless ($n eq ""); + }; + + eval { + my $proc = $s->get_subkey("InprocServer32")->get_value("")->get_data(); + $descr .= " InprocServer32: ".$proc; + }; + + eval { + my $treat = $s->get_subkey("TreatAs")->get_value("")->get_data(); + $descr .= " TreatAs: ".$treat; + }; + ::rptMsg($ts."|CLSID|||".$descr); + } + } + else { +# ::rptMsg($key_path." has no subkeys."); + } + } + else { +# ::rptMsg($key_path." not found."); + } + } +} + + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/cmdproc.pl b/thirdparty/rr-full/plugins/cmdproc.pl index 4a341d108d..754350f323 100644 --- a/thirdparty/rr-full/plugins/cmdproc.pl +++ b/thirdparty/rr-full/plugins/cmdproc.pl @@ -3,11 +3,13 @@ # Checks key for files to autostart from cmd.exe # # Change History +# 20190223 - added reference # 20130425 - added alertMsg() functionality # 20130115 - created # # References: -# +# https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ +# # Category: autostart,malware,programexecution # # copyright 2013 Quantum Analytics Research, @@ -21,12 +23,12 @@ my %config = (hive => "NTUSER\.DAT", hasShortDescr => 1, hasDescr => 0, hasRefs => 0, - version => 20130425); + version => 20190223); sub getConfig{return %config} sub getShortDescr { - return "Autostart - get Command Processor\\AutoRun value from NTUSER.DAT hive"; + return "Autostart - get Command Processor\\AutoRun value from NTUSER\.DAT hive"; } sub getDescr{} sub getRefs {} @@ -64,4 +66,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; +1; \ No newline at end of file 
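Review bot: The TLN line built at the bottom of the loop, `::rptMsg($ts."|CLSID|||".$descr)`, drops $key_path, so entries from Classes\CLSID and Classes\Wow6432Node\CLSID are indistinguishable in the timeline even though iterating both paths is the whole point of the @paths loop; seeding the description with the path, `$descr = $key_path."\\".$s->get_name();`, fixes that. The `my $proc` and `my $treat` inside the two eval blocks shadow the outer `my ($descr,$ts,$proc,$treat)`, leaving those two outer variables dead, and `my %ext` is never used. The header still says "Plugin to extract file association data", copied from the older plugin; it should describe CLSID enumeration so the next reader is not misled about what the timeline rows represent.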
diff --git a/thirdparty/rr-full/plugins/comdlg32.pl b/thirdparty/rr-full/plugins/comdlg32.pl index 1f41837ff2..23495f8521 100644 --- a/thirdparty/rr-full/plugins/comdlg32.pl +++ b/thirdparty/rr-full/plugins/comdlg32.pl @@ -3,6 +3,8 @@ # Plugin for Registry Ripper # # Change history +# 20180702 - update to parseGUID function +# 20180627 - updated to address Win10, per input from Geoff Rempel # 20121005 - updated to address shell item type 0x3A # 20121005 - updated to parse shell item ID lists # 20100409 - updated to include Vista and above @@ -14,7 +16,7 @@ # Win2000 - http://support.microsoft.com/kb/319958 # XP - http://support.microsoft.com/kb/322948/EN-US/ # -# copyright 2012 Quantum Analytics Research, LLC +# copyright 2018 Quantum Analytics Research, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package comdlg32; @@ -26,7 +28,7 @@ my %config = (hive => "NTUSER\.DAT", hasDescr => 0, hasRefs => 0, osmask => 22, - version => 20121008); + version => 20180702); sub getConfig{return %config} sub getShortDescr { 
@@ -39,6 +41,50 @@ sub getVersion {return $config{version};} my $VERSION = getVersion(); +my %folder_types = ("{724ef170-a42d-4fef-9f26-b60e846fba4f}" => "Administrative Tools", + "{d0384e7d-bac3-4797-8f14-cba229b392b5}" => "Common Administrative Tools", + "{de974d24-d9c6-4d3e-bf91-f4455120b917}" => "Common Files", + "{c1bae2d0-10df-4334-bedd-7aa20b227a9d}" => "Common OEM Links", + "{5399e694-6ce5-4d6c-8fce-1d8870fdcba0}" => "Control Panel", + "{1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}" => "CSIDL_SYSTEM", + "{b4bfcc3a-db2c-424c-b029-7fe99a87c641}" => "Desktop", + "{7b0db17d-9cd2-4a93-9733-46cc89022e7c}" => "Documents Library", + "{a8cdff1c-4878-43be-b5fd-f8091c1c60d0}" => "Documents", + "{fdd39ad0-238f-46af-adb4-6c85480369c7}" => "Documents", + "{374de290-123f-4565-9164-39c4925e467b}" => "Downloads", + "{de61d971-5ebc-4f02-a3a9-6c82895e5c04}" => "Get Programs", + "{a305ce99-f527-492b-8b1a-7e76fa98d6e4}" => "Installed Updates", + "{871c5380-42a0-1069-a2ea-08002b30309d}" => "Internet Explorer (Homepage)", + "{031e4825-7b94-4dc3-b131-e946b44c8dd5}" => "Libraries", + "{2112ab0a-c86a-4ffe-a368-0de96e47012e}" => "Music", + "{1cf1260c-4dd0-4ebb-811f-33c572699fde}" => "Music", + "{4bd8d571-6d19-48d3-be97-422220080e43}" => "Music", + "{20d04fe0-3aea-1069-a2d8-08002b30309d}" => "My Computer", + "{450d8fba-ad25-11d0-98a8-0800361b1103}" => "My Documents", + "{ed228fdf-9ea8-4870-83b1-96b02cfe0d52}" => "My Games", + "{208d2c60-3aea-1069-a2d7-08002b30309d}" => "My Network Places", + "{f02c1a0d-be21-4350-88b0-7367fc96ef3c}" => "Network", + "{3add1653-eb32-4cb0-bbd7-dfa0abb5acca}" => "Pictures", + "{33e28130-4e1e-4676-835a-98395c3bc3bb}" => "Pictures", + "{a990ae9f-a03b-4e80-94bc-9912d7504104}" => "Pictures", + "{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}" => "Program Files (x86)", + "{905e63b6-c1bf-494e-b29c-65b732d3d21a}" => "Program Files", + "{df7266ac-9274-4867-8d55-3bd661de872d}" => "Programs and Features", + "{3214fab5-9757-4298-bb61-92a9deaa44ff}" => "Public Music", + 
"{b6ebfb86-6907-413c-9af7-4fc2abf07cc5}" => "Public Pictures", + "{2400183a-6185-49fb-a2d8-4a392a602ba3}" => "Public Videos", + "{4336a54d-38b-4685-ab02-99bb52d3fb8b}" => "Public", + "{491e922f-5643-4af4-a7eb-4e7a138d8174}" => "Public", + "{dfdf76a2-c82a-4d63-906a-5644ac457385}" => "Public", + "{645ff040-5081-101b-9f08-00aa002f954e}" => "Recycle Bin", + "{d65231b0-b2f1-4857-a4ce-a8e7c6ea7d27}" => "System32 (x86)", + "{9e52ab10-f80d-49df-acb8-4330f5687855}" => "Temporary Burn Folder", + "{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}" => "Users Files", + "{59031a47-3f72-44a7-89c5-5595fe6b30ee}" => "Users", + "{a0953c92-50dc-43bf-be83-3742fed03c9c}" => "Videos", + "{b5947d7f-b489-4fde-9e77-23780cc610d1}" => "Virtual Machines", + "{f38bf404-1d43-42f2-9305-67de0b28fc23}" => "Windows"); + sub pluginmain { my $class = shift; my $ntuser = shift; @@ -128,9 +174,9 @@ sub parseLastVisitedMRU { @mrulist = split(//,$lvmru{MRUList}); delete($lvmru{MRUList}); foreach my $m (@mrulist) { - my ($file,$dir) = split(/\x00\x00/,$lvmru{$m},2); - $file =~ s/\x00//g; - $dir =~ s/\x00//g; + my ($file,$dir) = split(/\00\00/,$lvmru{$m},2); + $file =~ s/\00//g; + $dir =~ s/\00//g; ::rptMsg(" ".$m." -> EXE: ".$file); ::rptMsg(" -> Last Dir: ".$dir); } @@ -213,8 +259,8 @@ sub parseCIDSizeMRU { delete $mru{0xffffffff}; foreach my $m (sort {$a <=> $b} keys %mru) { # my $file = parseStr($mru{$m}); - my $file = (split(/\x00\x00/,$mru{$m},2))[0]; - $file =~ s/\x00//g; + my $file = (split(/\00\00/,$mru{$m},2))[0]; + $file =~ s/\00//g; ::rptMsg(" ".$file); } } 
@@ -251,18 +297,18 @@ sub parseFirstFolder { delete $mru{0xffffffff}; foreach my $m (sort {$a <=> $b} keys %mru) { # my $file = parseStr($mru{$m}); - my @files = split(/\x00\x00/,$mru{$m}); + my @files = split(/\00\00/,$mru{$m}); if (scalar(@files) == 0) { ::rptMsg(" No files listed."); } elsif (scalar(@files) == 1) { - $files[0] =~ s/\x00//g; + $files[0] =~ s/\00//g; ::rptMsg(" ".$files[0]); } elsif (scalar(@files) > 1) { my @files2; foreach my $file (@files) { - $file =~ s/\x00//g; + $file =~ s/\00//g; push(@files2,$file); } ::rptMsg(" ".join(' ',@files2)); @@ -305,9 +351,9 @@ sub parseLastVisitedPidlMRU { delete $mru{0xffffffff}; foreach my $m (sort {$a <=> $b} keys %mru) { - my ($file,$shell) = split(/\x00\x00/,$mru{$m},2); - $file =~ s/\x00//g; - $shell =~ s/^\x00//; + my ($file,$shell) = split(/\00\00/,$mru{$m},2); + $file =~ s/\00//g; + $shell =~ s/^\00//; my $str = parseShellItem($shell); ::rptMsg(" ".$file." - ".$str); } @@ -386,7 +432,7 @@ sub parseShellItem { while ($tag) { my %item = (); my $sz = unpack("v",substr($data,$cnt,2)); - return %str unless (defined $sz); + return %str unless (defined $sz); $tag = 0 if (($sz == 0) || ($cnt + $sz > $len)); my $dat = substr($data,$cnt,$sz); @@ -398,6 +444,11 @@ sub parseShellItem { %item = parseSystemFolderEntry($dat); $str .= "\\".$item{name}; } + elsif ($type == 0x2E) { +# probe($dat); + %item = parseDeviceEntry($dat); + $str .= "\\".$item{name}; + } elsif ($type == 0x2F) { # Volume (Drive Letter) %item = parseDriveEntry($dat); 
@@ -476,7 +527,17 @@ sub parseGUID { my $d3 = unpack("v",substr($data,6,2)); my $d4 = unpack("H*",substr($data,8,2)); my $d5 = unpack("H*",substr($data,10,6)); - return sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3; +# ---- Added 20180627, updated 20180702 + my $guid = sprintf "{%08x-%04x-%04x-$d4-$d5}",$d1,$d2,$d3; + + if (exists $folder_types{$guid}) { + return "CLSID_".$folder_types{$guid}; + } + else { + return $guid; + } + +# return sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3; } #----------------------------------------------------------- @@ -498,7 +559,7 @@ sub parseNetworkEntry { my %item = (); $item{type} = unpack("C",substr($data,2,1)); - my @n = split(/\x00/,substr($data,4,length($data) - 4)); + my @n = split(/\00/,substr($data,4,length($data) - 4)); $item{name} = $n[0]; $item{name} =~ s/^\W//; return %item; @@ -538,15 +599,15 @@ sub parseFolderEntry { ($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]); # Need to read in short name; nul-term ASCII -# $item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0]; +# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0]; $ofs_shortname = $ofs_mdate + 6; my $tag = 1; my $cnt = 0; my $str = ""; while($tag) { my $s = substr($data,$ofs_shortname + $cnt,1); - return %item unless (defined $s); - if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) { + return %item unless (defined $s); + if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { $tag = 0; } else { @@ -554,19 +615,19 @@ sub parseFolderEntry { $cnt++; } } -# $str =~ s/\x00//g; +# $str =~ s/\00//g; my $shortname = $str; my $ofs = $ofs_shortname + $cnt + 1; # Read progressively, 1 byte at a time, looking for 0xbeef - $tag = 1; - $cnt = 0; + my $tag = 1; + my $cnt = 0; while ($tag) { - my $s = substr($data,$ofs + $cnt,2); - return %item unless (defined $s); + my $s = substr($data,$ofs + $cnt,2); + return %item unless (defined $s); if (unpack("v",$s) == 0xbeef) { $tag = 0; } - else { + else { $cnt++; } } 
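Review bot: The second `my $tag = 1; my $cnt = 0;` introduced before the 0xbeef scan re-declares two variables that are already declared with `my` earlier in the same scope of parseFolderEntry() (visible as context a few lines up, next to `my $str = "";`), which under `use warnings` emits Perl's "masks earlier declaration in same scope" warning and obscures the fact that the earlier values are being reset; plain assignments `$tag = 1; $cnt = 0;` say what is meant. The same pattern recurs with `my @m` and `my $str` further down the function. parseFolderEntry() begins and ends outside this hunk.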
@@ -577,10 +638,10 @@ sub parseFolderEntry { $ofs = $ofs + $cnt + 2; - @m = unpack("vv",substr($data,$ofs,4)); + my @m = unpack("vv",substr($data,$ofs,4)); ($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]); $ofs += 4; - @m = unpack("vv",substr($data,$ofs,4)); + my @m = unpack("vv",substr($data,$ofs,4)); ($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]); $ofs += 4; @@ -594,15 +655,19 @@ sub parseFolderEntry { elsif ($item{extver} == 0x08) { $jmp = 26; } +# Updated for Windows 10 + elsif ($item{extver} == 0x09) { + $jmp = 30; + } else {} $ofs += $jmp; # ::rptMsg(sprintf " Offset: 0x%x",$ofs); - $str = substr($data,$ofs,length($data) - $ofs); + my $str = substr($data,$ofs,length($data) - $ofs); - my $longname = (split(/\x00\x00/,$str,2))[0]; - $longname =~ s/\x00//g; + my $longname = (split(/\00\00/,$str,2))[0]; + $longname =~ s/\00//g; if ($longname ne "") { $item{name} = $longname; 
@@ -613,6 +678,61 @@ sub parseFolderEntry { return %item; } +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseDeviceEntry { + my $data = shift; + my %item = (); + + my $ofs = unpack("v",substr($data,4,2)); + my $tag = unpack("V",substr($data,6,4)); + +#----------------------------------------------------- +# DEBUG +# ::rptMsg("parseDeviceEntry, tag = ".$tag); +#----------------------------------------------------- + if ($tag == 0) { + my $guid1 = parseGUID(substr($data,$ofs + 6,16)); + my $guid2 = parseGUID(substr($data,$ofs + 6 + 16,16)); + $item{name} = $guid1."\\".$guid2 + } + elsif ($tag == 2) { + $item{name} = substr($data,0x0a,($ofs + 6) - 0x0a); + $item{name} =~ s/\00//g; + } + else { + my $ver = unpack("C",substr($data,9,1)); + my $idx = unpack("C",substr($data,3,1)); + + if ($idx == 0x80) { + $item{name} = parseGUID(substr($data,4,16)); + } +# Version 3 = XP + elsif ($ver == 3) { + my $guid1 = parseGUID(substr($data,$ofs + 6,16)); + my $guid2 = parseGUID(substr($data,$ofs + 6 + 16,16)); + $item{name} = $guid1."\\".$guid2 + + } +# Version 8 = Win7 + elsif ($ver == 8) { + my $userlen = unpack("V",substr($data,30,4)); + my $devlen = unpack("V",substr($data,34,4)); + my $user = substr($data,0x28,$userlen * 2); + $user =~ s/\00//g; + my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2); + $dev =~ s/\00//g; + $item{name} = $user; + } +# Version unknown + else { + $item{name} = "Device Entry - Unknown Version"; + } + } + return %item; +} + #----------------------------------------------------------- # convertDOSDate() # subroutine to convert 4 bytes of binary data into a human- @@ -701,4 +821,4 @@ sub printData { return @display; } -1; +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/dafupnp.pl b/thirdparty/rr-full/plugins/dafupnp.pl new file mode 100644 index 0000000000..9a36335e32 --- /dev/null +++ b/thirdparty/rr-full/plugins/dafupnp.pl 
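Review bot: Every substr offset in parseDeviceEntry() is taken from the shell item itself — `$ofs` from bytes 4–5, `$userlen`/`$devlen` from bytes 30–37 — with no comparison against length($data), so a truncated or malformed item (this is attacker-writable registry data) yields undef or short slices that parseGUID() then unpacks into a meaningless GUID instead of being rejected; a guard such as `return %item if (length($data) < $ofs + 38);` ahead of the two-GUID reads, and an equivalent check on `0x28 + ($userlen + $devlen) * 2` in the version-8 path, would make the failure visible rather than silent. In the version-8 branch `$dev` is decoded and then discarded (`$item{name} = $user;`); if the device string is meaningful it should presumably be reported, e.g. `$item{name} = $user."\\".$dev;`, otherwise those two lines are dead code. The fixed offsets 30, 34 and 0x28 carry no comment naming the structure they come from, which the next maintainer will need.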
@@ -0,0 +1,105 @@ +#----------------------------------------------------------- +# dafupnp.pl +# +# Description: +# Parses Device Association Framework (DAF) for Universal Plug and Play +# (UPnP) data. DAFUPnP is used to stream media across a network. +# +# History: +# 20180705 - updated, code tweaks +# 20180628 - Created +# +# +# Author: M. Jones, mictjon@gmail.com +#----------------------------------------------------------- +package dafupnp; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20180705); + +my $VERSION = getVersion(); + +sub getConfig{return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Parses data from networked media streaming devices"; +} +sub getDescr{} +sub getRefs {}; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching dafupnp v.".$VERSION); + ::rptMsg("dafupnp v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my ($current,$ccs); + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::rptMsg($key_path." 
not found."); + return; + } + + $key_path = $ccs."\\Enum\\SWD\\DAFUPnPProvider"; + if ($key = $root_key->get_subkey($key_path)) { + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $s (@subkeys) { + ::rptMsg($s->get_name()); + my ($desc,$comid,$hid,$loc,$mfg,$fname); + + eval { + $desc = $s->get_value("DeviceDesc")->get_data(); + ::rptMsg("DeviceDesc : ".$desc); + }; + + eval { + $comid = $s->get_value("CompatibleIDs")->get_data(); + ::rptMsg("CompatibleID : ".$comid); + }; + + eval { + $hid = $s->get_value("HardwareID")->get_data(); + ::rptMsg("HardwareID : ".$hid); + }; + + eval { + $loc = $s->get_value("LocationInformation")->get_data(); + ::rptMsg("LocationInformation : ".$loc); + }; + + eval { + $mfg = $s->get_value("Mfg")->get_data(); + ::rptMsg("MFG : ".$mfg); + }; + + eval { + $fname = $s->get_value("FriendlyName")->get_data(); + ::rptMsg("FriendlyName : ".$fname); + }; + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} +1; diff --git a/thirdparty/rr-full/plugins/del.pl b/thirdparty/rr-full/plugins/del.pl index 56e2633166..fdb82e73b3 100644 --- a/thirdparty/rr-full/plugins/del.pl +++ b/thirdparty/rr-full/plugins/del.pl @@ -4,13 +4,15 @@ # # # Change history +# 20190506 - updated # 20140807 - created # # References: -# +# https://metacpan.org/pod/Parse::Win32Registry +# https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md # # -# copyright 2014 QAR, LLC +# copyright 2019 QAR, LLC # Author: H. Carvey #----------------------------------------------------------- package del; @@ -22,7 +24,7 @@ my %config = (hive => "All", hasRefs => 0, osmask => 22, category => "deleted", - version => 20140807); + version => 20190506); sub getConfig{return %config} sub getShortDescr { 
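Review bot: `$ccs = "ControlSet00".$current;` is only correct for Select\Current values 1–9; a value of 10 or more (uncommon, but seen on long-lived systems) yields a key name that does not exist and the plugin reports the DAFUPnPProvider path as "not found" instead of listing devices. `$ccs = sprintf("ControlSet%03d",$current);` handles every value. The `$key->get_value("Current")->get_data()` call is also unguarded, so a Select key lacking a Current value dies with a method-call-on-undef error rather than producing a report line; wrapping it in the same eval pattern the value reads below use would keep the failure mode consistent with the rest of the plugin.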
@@ -35,6 +37,19 @@ sub getVersion {return $config{version};} my $VERSION = getVersion(); +my %data_types = (0 => "REG_NONE", + 1 => "REG_SZ", + 2 => "REG_EXPAND_SZ", + 3 => "REG_BINARY", + 4 => "REG_DWORD", + 5 => "REG_DWORD_BIG_ENDIAN", + 6 => "REG_LINK", + 7 => "REG_MULTI_SZ", + 8 => "REG_RESOURCE_LIST", + 9 => "REG_FULL_RESOURCE_DESCRIPTOR", + 10 => "REG_RESOURCE_REQUIREMENTS_LIST", + 11 => "REG_QWORD"); + my %regkeys; sub pluginmain { 
@@ -48,34 +63,92 @@ sub pluginmain { my $entry_iter = $reg->get_entry_iterator; while (defined(my $entry = $entry_iter->get_next)) { next if $entry->is_allocated; -# printf "0x%x ", $entry->get_offset; -# print $entry->unparsed()."\n"; - my $tag = $entry->get_tag(); - my $str = $entry->as_string(); - next if ($str eq "(unidentified entry)"); - - if ($tag eq "vk") { - ::rptMsg("Value: ".$str); - } - elsif ($tag eq "nk") { - if ($entry->get_length() > 15) { - my ($t0,$t1) = unpack("VV",substr($entry->get_raw_bytes(),8,16)); - my $lw = ::getTime($t0,$t1); - ::rptMsg("Key: ".parseDelKeyName($str)." LW: ".gmtime($lw)." Z"); - - } - } - else {} +# printf "0x%x ", $entry->get_offset; +# print $entry->unparsed()."\n"; + my $data = $entry->get_raw_bytes(); + my $len = length($data); + next if ($len <= 8); + ::rptMsg("------------- Deleted Data ------------"); +# Value node header is 20 bytes, w/o name string +# Key node header is 76 bytes, w/o name string + if ($len >= 20) { + my $cursor = 0; + while ($cursor < $len) { + if (unpack("v",substr($data,$cursor,2)) == 0x6b76) { +# ::rptMsg("Value node found at ".$cursor); + parseValueNode($data,$cursor); + $cursor += 0x12; + } + elsif (unpack("v",substr($data,$cursor,2)) == 0x6b6e) { +# ::rptMsg("Key node found at ".$cursor); + parseKeyNode($data,$cursor); + $cursor += 0x4a; + } + else { + $cursor++; + } + } + + } + ::rptMsg($entry->unparsed()); } } -sub parseDelKeyName { - my $str = shift; - my $name_str = (split(/\s\[/,$str))[0]; - my @list = split(/\\/,$name_str); - shift(@list); - return join('\\',@list); +sub parseValueNode { + my $data = shift; + my $ofs = shift; + + my $name_len = unpack("v",substr($data,$ofs + 0x02,2)); + my $data_len = unpack("V",substr($data,$ofs + 0x04,4)); + my $data_ofs = unpack("V",substr($data,$ofs + 0x08,4)); + my $data_type = unpack("V",substr($data,$ofs + 0x0c,4)); + my $data_flag = unpack("v",substr($data,$ofs + 0x10,2)); + + my $name; + if (($ofs + 0x14 + $name_len) <= length($data)) { + 
$name = substr($data,$ofs + 0x14,$name_len); + ::rptMsg("Value Name: ".$name); + ::rptMsg(sprintf "Data Length: 0x%x Data Offset: 0x%x Data Type: ".$data_types{$data_type},$data_len,$data_ofs); + } } +sub parseKeyNode { + my $data = shift; + my $ofs = shift; + my $len = length($data); + + if ($len > 75 && $ofs >= 4) { + + my $size = unpack("i",substr($data,$ofs - 4,4)); + $size = ($size * -1) if ($size < 0); +# ::rptMsg("Key node size = ".$size); + + my $type = unpack("v",substr($data,$ofs + 0x02,2)); +# ::rptMsg(sprintf "Node Type = 0x%x",$type); + + my ($t1,$t2) = unpack("VV",substr($data,$ofs + 0x04,8)); + my $lw = ::getTime($t1,$t2); +# ::rptMsg("Key LastWrite time = ".gmtime($lw)." UTC"); + + my $parent_ofs = unpack("V",substr($data,$ofs + 0x10,4)); + + my $sk = unpack("V",substr($data,$ofs + 0x14,4)); +# ::rptMsg("Number of subkeys: ".$sk); + + my $vals = unpack("V",substr($data,$ofs + 0x24,4)); +# ::rptMsg("Number of values: ".$vals); + + my $len_name = unpack("V",substr($data,$ofs + 0x48,4)); +# print "Name Length: ".$len_name."\n"; + + my $name; + if (($ofs + 0x4c + $len_name) <= $len) { + $name = substr($data,$ofs + 0x4c,$len_name); + ::rptMsg("Key name: ".$name); + } + ::rptMsg("Key LastWrite time = ".gmtime($lw)." UTC"); + ::rptMsg(sprintf "Offset to parent: 0x%x",$parent_ofs); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/del_tln.pl b/thirdparty/rr-full/plugins/del_tln.pl index d594539e1c..3a45976663 100644 --- a/thirdparty/rr-full/plugins/del_tln.pl +++ b/thirdparty/rr-full/plugins/del_tln.pl @@ -4,13 +4,15 @@ # # # Change history +# 20190506 - updated # 20140807 - created # # References: -# +# https://metacpan.org/pod/Parse::Win32Registry +# https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md # # -# copyright 2014 QAR, LLC +# copyright 2019 QAR, LLC # Author: H. Carvey #----------------------------------------------------------- package del_tln; 
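Review bot: In parseKeyNode(), `my $len_name = unpack("V",substr($data,$ofs + 0x48,4));` reads four bytes, but per the regf specification cited in the header the key-name length at nk offset 0x48 is a 16-bit field immediately followed by the 16-bit class-name length at 0x4a; for any deleted key that has a class name the two are merged into a huge $len_name, the bounds check fails and the key is printed without a name. Use `my $len_name = unpack("v",substr($data,$ofs + 0x48,2));` (the twin in del_tln.pl needs the same fix). In parseValueNode(), `$data_flag` is read and never used, yet it is what says whether the name bytes are Latin-1 (bit 0 set) or UTF-16LE, so a UTF-16 name is printed with embedded NULs. Since both names come from unallocated hive space, stripping non-printables before `::rptMsg` (e.g. `$name =~ s/[^[:print:]]/./g;`) keeps raw bytes and terminal escape sequences out of the report, and `$data_types{$data_type}` should fall back to the numeric type for values outside 0–11 rather than interpolating undef.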
@@ -22,7 +24,7 @@ my %config = (hive => "All", hasRefs => 0, osmask => 22, category => "deleted", - version => 20140807); + version => 20190506); sub getConfig{return %config} sub getShortDescr { 
@@ -41,38 +43,72 @@ sub pluginmain { my $class = shift; my $file = shift; my $reg = Parse::Win32Registry->new($file); - my $root_key = $reg->get_root_key; -# ::logMsg("Launching del v.".$VERSION); -# ::rptMsg("del v.".$VERSION); # banner + ::logMsg("Launching del_tln v.".$VERSION); +# ::rptMsg("del_tln v.".$VERSION); # banner # ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner my $entry_iter = $reg->get_entry_iterator; while (defined(my $entry = $entry_iter->get_next)) { next if $entry->is_allocated; -# printf "0x%x ", $entry->get_offset; -# print $entry->unparsed()."\n"; - my $tag = $entry->get_tag(); - my $str = $entry->as_string(); - next if ($str eq "(unidentified entry)"); - - if ($tag eq "nk") { - if ($entry->get_length() > 15) { - my ($t0,$t1) = unpack("VV",substr($entry->get_raw_bytes(),8,16)); - my $lw = ::getTime($t0,$t1); - ::rptMsg($lw."|REG|||[Deleted key]: ".parseDelKeyName($str)); - } - } - else {} - +# printf "0x%x ", $entry->get_offset; +# print $entry->unparsed()."\n"; + my $data = $entry->get_raw_bytes(); + my $len = length($data); + next if ($len <= 8); +# Key node header is 76 bytes, w/o name string + if ($len >= 20) { + my $cursor = 0; + while ($cursor < $len) { + if (unpack("v",substr($data,$cursor,2)) == 0x6b6e) { +# ::rptMsg("Key node found at ".$cursor); + parseKeyNode($data,$cursor); + $cursor += 0x4a; + } + else { + $cursor++; + } + } + + } +# ::rptMsg($entry->unparsed()); } } -sub parseDelKeyName { - my $str = shift; - my $name_str = (split(/\s\[/,$str))[0]; - my @list = split(/\\/,$name_str); - shift(@list); - return join('\\',@list); +sub parseKeyNode { + my $data = shift; + my $ofs = shift; + my $len = length($data); + + if ($len > 75 && $ofs >= 4) { + + my $size = unpack("i",substr($data,$ofs - 4,4)); + $size = ($size * -1) if ($size < 0); +# ::rptMsg("Key node size = ".$size); + + my $type = unpack("v",substr($data,$ofs + 0x02,2)); +# ::rptMsg(sprintf "Node Type = 0x%x",$type); + + my ($t1,$t2) = 
unpack("VV",substr($data,$ofs + 0x04,8)); + my $lw = ::getTime($t1,$t2); +# ::rptMsg("Key LastWrite time = ".gmtime($lw)." UTC"); + + my $parent_ofs = unpack("V",substr($data,$ofs + 0x10,4)); + + my $sk = unpack("V",substr($data,$ofs + 0x14,4)); +# ::rptMsg("Number of subkeys: ".$sk); + + my $vals = unpack("V",substr($data,$ofs + 0x24,4)); +# ::rptMsg("Number of values: ".$vals); + + my $len_name = unpack("V",substr($data,$ofs + 0x48,4)); +# print "Name Length: ".$len_name."\n"; + + my $name; + if (($ofs + 0x4c + $len_name) <= $len) { + $name = substr($data,$ofs + 0x4c,$len_name); + } + ::rptMsg($lw."|||| Deleted key: ".$name); + } } 1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/disablelastaccess.pl b/thirdparty/rr-full/plugins/disablelastaccess.pl index 4048561e8b..5fb09934ec 100644 --- a/thirdparty/rr-full/plugins/disablelastaccess.pl +++ b/thirdparty/rr-full/plugins/disablelastaccess.pl @@ -1,8 +1,15 @@ #----------------------------------------------------------- # disablelastaccess.pl +# +# History: +# 20181207 - updated for Win10 v.1803 (Maxim, David Cohen) +# 20090118 - # # References: -# http://support.microsoft.com/kb/555041 +# https://twitter.com/errno_fail/status/1070838120545955840 +# https://dfir.ru/2018/12/08/the-last-access-updates-are-almost-back/ +# https://www.hecfblog.com/2018/12/daily-blog-557-changes-in.html +# http://support.microsoft.com/kb/555041 # http://support.microsoft.com/kb/894372 # # copyright 2008 H. Carvey, keydet89@yahoo.com @@ -15,10 +22,15 @@ my %config = (hive => "System", hasShortDescr => 1, hasDescr => 0, hasRefs => 0, - version => 20090118); + version => 20181207); sub getConfig{return %config} +my %dla = (0x80000000 => "(User Managed, Updates Enabled)", + 0x80000001 => "(User Managed, Updates Disabled)", + 0x80000002 => "(System Managed, Updates Enabled)", + 0x80000003 => "(System Managed, Updates Disabled)"); + sub getShortDescr { return "Get NTFSDisableLastAccessUpdate value"; } 
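Review bot: The output line `::rptMsg($lw."|||| Deleted key: ".$name);` leaves the TLN source field empty — the line it replaces wrote `"|REG|||"` — so these events lose their source tag in the timeline, and when the name-length check fails `$name` is undef and interpolates as an empty string. `::rptMsg($lw."|REG||| Deleted key: ".(defined $name ? $name : "(name unrecoverable)"));` addresses both. The name-length read has the same defect as del.pl: `unpack("V",substr($data,$ofs + 0x48,4))` merges the 16-bit key-name length with the 16-bit class-name length at 0x4a described in the regf spec cited in the header, so it should be `unpack("v",substr($data,$ofs + 0x48,2))`; `$size`, `$type`, `$sk` and `$vals` are computed and never used.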
@@ -48,7 +60,8 @@ sub pluginmain { $ccs = "ControlSet00".$current; } - $key_path = $ccs."\\Control\\FileSystem"; + my $key_path = $ccs."\\Control\\FileSystem"; + my $key; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg("NtfsDisableLastAccessUpdate"); ::rptMsg($key_path); @@ -57,8 +70,19 @@ sub pluginmain { if (scalar(@vals) > 0) { foreach my $v (@vals) { if ($v->get_name() eq "NtfsDisableLastAccessUpdate") { - ::rptMsg("NtfsDisableLastAccessUpdate = ".$v->get_data()); + my $dat = $v->get_data(); + ::rptMsg(sprintf "NtfsDisableLastAccessUpdate = 0x%08x",$dat); $found = 1; + + if ($dat > 1) { + ::rptMsg($dla{$dat}); + eval { + my $thresh = $key->get_value("NtfsLastAccessUpdatePolicyVolumeSizeThreshold")->get_data(); + ::rptMsg(sprintf "NtfsLastAccessUpdatePolicyVolumeSizeThreshold value = 0x%08x",$thresh); + }; + + } + } } ::rptMsg("NtfsDisableLastAccessUpdate value not found.") if ($found == 0); @@ -71,4 +95,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/disablemru.pl b/thirdparty/rr-full/plugins/disablemru.pl new file mode 100644 index 0000000000..166c07fbcc --- /dev/null +++ b/thirdparty/rr-full/plugins/disablemru.pl 
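Review bot: `::rptMsg($dla{$dat})` is reached for every value greater than 1, but %dla only defines the four 0x8000000x keys, so any other value (a corrupted DWORD, or a flag added in a later build) interpolates undef and prints a blank line; guard it with `::rptMsg(exists $dla{$dat} ? $dla{$dat} : "(unrecognized value)");`. The legacy values 0 and 1 get no annotation at all even though the KB articles cited in the header give their meaning, so a reader must already know that 1 means last-access updates are disabled; a one-line label for the `$dat <= 1` case would make the report self-contained. The nested eval for NtfsLastAccessUpdatePolicyVolumeSizeThreshold is silent when the value is absent, which is fine, but a comment saying so would stop someone "fixing" it later.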
@@ -0,0 +1,102 @@ +#----------------------------------------------------------- +# disablemru.pl +# +# Change history +# 20180807 - created +# +# References +# *Provided in the code +# +# copyright 2018 H. Carvey +#----------------------------------------------------------- +package disablemru; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20180807); + +sub getConfig{return %config} +sub getShortDescr { + return "Checks settings disabling user's MRUs"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching disablemru v.".$VERSION); + ::rptMsg("disablemru v.".$VERSION); # banner + ::rptMsg("- ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + +# Windows 10 JumpLists +# https://winaero.com/blog/disable-jump-lists-windows-10/ + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + eval { + my $start = $key->get_value("Start_TrackDocs")->get_data(); + + }; + + } + else { + ::rptMsg($key_path." not found."); + } + +# https://answers.microsoft.com/en-us/windows/forum/windows_xp-security/how-do-i-disable-most-recent-used-list-in-run/dab29225-4222-4412-8bc3-0516cee65a78 + $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Comdlg32'; + if ($key = $root_key->get_subkey($key_path)) { + eval { + my $file = $key->get_value("NoFileMRU")->get_data(); + if ($file == 1) { + ::rptMsg("NoFileMRU = 1; Recording for Comdlg32 disabled"); + } + }; + } + else { + ::rptMsg($key_path." 
not found."); + } + +# http://systemmanager.ru/win2k_regestry.en/92853.htm + $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer'; + if ($key = $root_key->get_subkey($key_path)) { + my $mru; + eval { + $mru = $key->get_value("NoRecentDocsMenu")->get_data(); + if ($mru == 1) { + ::rptMsg("NoRecentDocsMenu = 1; No Documents menu in Start menu"); + } + }; + + eval { + $mru = $key->get_value("ClearRecentDocsOnExit")->get_data(); + if ($mru == 1) { + ::rptMsg("ClearRecentDocsOnExit = 1; RecentDocs cleared on exit"); + } + }; + + eval { + $mru = $key->get_value("NoRecentDocsHistory")->get_data(); + if ($mru == 1) { + ::rptMsg("NoRecentDocsHistory = 1; No RecentDocs history"); + } + }; + + } + else { + ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/eraser.pl b/thirdparty/rr-full/plugins/eraser.pl new file mode 100644 index 0000000000..d41408a91a --- /dev/null +++ b/thirdparty/rr-full/plugins/eraser.pl 
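Review bot: The first check reads `Start_TrackDocs` into `$start` and then does nothing with it, so the Windows 10 Jump List/recent-items setting the winaero reference is cited for is never reported; add `::rptMsg("Start_TrackDocs = ".$start) if (defined $start);` after the eval (per that reference a value of 0 is the disabling state — confirm before labelling it). More broadly, the plugin prints a line only when a policy value equals 1, so a run that finds every key but no disabling values produces no output at all, which is indistinguishable from the plugin not having looked; reporting each value that exists (e.g. `::rptMsg("NoFileMRU = ".$file);` regardless of its value) lets the reader see that MRU tracking was positively confirmed enabled.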
@@ -0,0 +1,67 @@ +#----------------------------------------------------------- +# eraser.pl +# Gets Eraser User Settings +# +# Change history +# 20180708 - Created (based on ccleaner.pl plugin) +# +# References +# +# Author: Hadar Yudovich <@hadar0x> +#----------------------------------------------------------- +package eraser; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20180708); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets User's Eraser Settings"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching Eraser v.".$VERSION); + ::rptMsg("Eraser v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); # creates a Win32Registry object + my $root_key = $reg->get_root_key; + my $key_path = "Software\\Eraser\\Eraser 6"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my %eraserkeys; + my @eraservals = $key->get_list_of_values(); + if (scalar(@eraservals) > 0) { + foreach my $val (@eraservals) { + $eraserkeys{$val->get_name()} = $val->get_data(); + } + foreach my $keyval (sort keys %eraserkeys) { + ::rptMsg($keyval." -> ".$eraserkeys{$keyval}); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." does not exist."); + } + ::rptMsg(""); +} + +1; diff --git a/thirdparty/rr-full/plugins/execpolicy.pl b/thirdparty/rr-full/plugins/execpolicy.pl new file mode 100644 index 0000000000..731aedcf9c --- /dev/null +++ b/thirdparty/rr-full/plugins/execpolicy.pl 
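Review bot: `$eraserkeys{$val->get_name()} = $val->get_data();` stores whatever get_data() returns, so a REG_BINARY or REG_MULTI_SZ value under Software\Eraser\Eraser 6 is concatenated into the report as raw bytes or whatever scalar-context form the module produces; Parse::Win32Registry's `get_data_as_string()` renders every value type printably and is the safer call in a loop that makes no assumption about value types. The header's "References" section is empty; a pointer to the Eraser 6 settings documentation, or a note that these value names were observed empirically, would tell the next analyst how far to trust the output.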
@@ -0,0 +1,60 @@
+#-----------------------------------------------------------
+# execpolicy
+#
+# Change history:
+# 20180618 - created
+#
+# Ref:
+# https://blogs.technet.microsoft.com/operationsguy/2011/04/21/remotely-tweak-powershell-execution-policies-without-powershell-remoting/
+#
+# copyright 2018 QAR,LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package execpolicy;
+use strict;
+
+my %config = (hive => "Software",
+ category => "config",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20180618);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets PowerShell Execution Policy";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::rptMsg("Launching execpolicy v.".$VERSION);
+ ::rptMsg("execpolicy v.".$VERSION); # banner
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $key_path = ('Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.Powershell');
+
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my $policy = "";
+ eval {
+ $policy = $key->get_value("ExecutionPolicy")->get_data();
+ };
+ if ($policy eq "") {
+ ::rptMsg("ExecutionPolicy value not found.")
+ }
+ else {
+ ::rptMsg("ExecutionPolicy = ".$policy);
+ }
+ }
+}
+1;
\ No newline at end of file
diff --git a/thirdparty/rr-full/plugins/ie_zones.pl b/thirdparty/rr-full/plugins/ie_zones.pl
index 602910db4d..935b3fb537 100644
--- a/thirdparty/rr-full/plugins/ie_zones.pl
+++ b/thirdparty/rr-full/plugins/ie_zones.pl
@@ -17,7 +17,7 @@
 package ie_zones;
 use strict;
-my %config = (hive => "NTUSER\.DAT;Software",
+my %config = (hive => "NTUSER\.DAT,Software",
 hasShortDescr => 1,
 hasDescr => 0,
 hasRefs => 0,
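Review bot: When `Microsoft\PowerShell\1\ShellIds\Microsoft.Powershell` is absent, pluginmain falls out of the `if` with no output at all; every sibling plugin in this change reports `$key_path." not found."` in an else branch, and a silent run is easy to misread as "policy checked, nothing notable". Add `else { ::rptMsg($key_path." not found."); }` after the `if` block. Two consistency points: the first banner uses `::rptMsg("Launching ...")` where the other plugins route that line to `::logMsg`, so it lands in the report instead of the log; and this key holds only the LocalMachine-scope policy, while a policy pushed by GPO is stored under the Software hive's `Policies` tree and takes precedence, so the report line should name the scope it read, e.g. `::rptMsg("ExecutionPolicy (LocalMachine scope) = ".$policy);`. ExecutionPolicy is not a security boundary (it is trivially overridden per invocation), which is worth a comment in the header so a restrictive value is not read as evidence that no script ran.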
diff --git a/thirdparty/rr-full/plugins/imagefile.pl b/thirdparty/rr-full/plugins/imagefile.pl
index d05a36c555..6fa9b55176 100644
--- a/thirdparty/rr-full/plugins/imagefile.pl
+++ b/thirdparty/rr-full/plugins/imagefile.pl
@@ -5,8 +5,10 @@
 # http://msdn2.microsoft.com/en-us/library/a329t4ed(VS\.80)\.aspx
 # CWDIllegalInDllSearch: http://support.microsoft.com/kb/2264107
 # http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html
+# 'Auto' value - https://docs.microsoft.com/en-us/windows/desktop/debug/configuring-automatic-debugging
 #
 # Change history:
+# 20190511 - added search for 'auto' value
 # 20131007 - added Carnal0wnage reference
 # 20130425 - added alertMsg() functionality
 # 20130410 - added Wow6432Node support
@@ -23,7 +25,7 @@ my %config = (hive => "Software",
 hasRefs => 0,
 osmask => 22,
 category => "malware",
- version => 20131007);
+ version => 20190511);
 sub getConfig{return %config}
 sub getShortDescr {
@@ -76,6 +78,11 @@ sub pluginmain {
 eval {
 $dllsearch = $s->get_value("CWDIllegalInDllSearch")->get_data();
 };
+# 20190511 - added search for 'auto' value
+ eval {
+ $debug{$name}{auto} = $s->get_value("Auto")->get_data();
+ };
+
 # If the eval{} throws an error, it's b/c the Debugger value isn't
 # found within the key, so we don't need to do anything w/ the error
 if ($dllsearch ne "") {
@@ -88,7 +95,7 @@ sub pluginmain {
 foreach my $d (keys %debug) {
 ::rptMsg($d." LastWrite: ".gmtime($debug{$d}{lastwrite}));
 ::rptMsg(" Debugger : ".$debug{$d}{debug}) if (exists $debug{$d}{debug});
- ::alertMsg("Alert: imagefile: Debugger value found : ".$debug{$d}{debug}) if (exists $debug{$d}{debug});
+ ::rptMsg(" Auto : ".$debug{$d}{auto}) if (exists $debug{$d}{auto});
 ::rptMsg(" CWDIllegalInDllSearch: ".$debug{$d}{dllsearch}) if (exists $debug{$d}{dllsearch});
 }
 }
diff --git a/thirdparty/rr-full/plugins/imgburn1.pl b/thirdparty/rr-full/plugins/imgburn1.pl
new file mode 100644
index 0000000000..a73a8ce9e0
--- /dev/null
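Review bot: The `-` line in the last hunk removes the `::alertMsg(...)` that flagged a populated `Debugger` value, and the `+` line only adds the `Auto` report in its place, so an IFEO Debugger hijack (the sticky-keys privilege escalation the header cites) is now one more report line with no alert attached. If the alert was dropped on purpose, for instance because the Autopsy harness does not provide `alertMsg`, the change-history comment should say so; otherwise keep both lines, with `::alertMsg("Alert: imagefile: Debugger value found : ".$debug{$d}{debug}) if (exists $debug{$d}{debug});` retained above the new `Auto` line. Separately, the reference added in the header documents `Auto` under the AeDebug key rather than under per-image IFEO subkeys, so confirm that reading it from each `$s` is expected to match anything; if it does, an `Auto` value on an IFEO subkey is itself unusual enough to alert on rather than only print. pluginmain continues on both sides of these hunks.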
+++ b/thirdparty/rr-full/plugins/imgburn1.pl 
@@ -0,0 +1,211 @@ +#----------------------------------------------------------- +# imgburn1.pl +# +# Gets user's ImgBurn recent files and configured paths +# +# History +# 20180630 - created +# +# References +# http://forum.imgburn.com/index.php?/forum/4-guides/ +# +# +# copyright 2018 Michael Godfrey mgodfrey [at] gmail.com +#----------------------------------------------------------- +package imgburn1; +use strict; + + +my %config = +( + hive => "NTUSER\.DAT", + hasShortDescr => 0, + hasDescr => 1, + hasRefs => 1, + osmask => 29, + version => 20180630 +); + +sub getConfig {return %config;} +sub getDescr {return "Gets user's ImgBurn MRU files and paths from NTUSER";} +sub getRefs {return "n/a";} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching imgburn1 v.".$VERSION); + ::rptMsg('imgburn1 v'.$VERSION.' ('.getDescr().")"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = 'Software\\ImgBurn'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + my $id; + eval { + $id = $key->get_value("InstallDirectory")->get_data(); + + }; + if ($@) { + ::rptMsg("InstallDirectory value not found."); + } + else { + ::rptMsg("InstallDirectory = ".$id); + } + + + my $bq; + eval { + $bq = $key->get_value("IBQ_MRUFile")->get_data(); + + }; + if ($@) { + ::rptMsg("IBQ_MRUFile value not found."); + } + else { + ::rptMsg("IBQ_MRUFile = ".$bq); + } + + + my $rf; + eval { + $rf = $key->get_value("ISOREAD_RecentFiles_Destination")->get_data(); + + }; + if ($@) { + ::rptMsg("ISOREAD_RecentFiles_Destination value not found."); + } + else { + ::rptMsg("ISOREAD_RecentFiles_Destination = ".$rf); + } + + + my $rs; + eval { + $rs = $key->get_value("ISOWRITE_RecentFiles_Source")->get_data(); + + }; + if ($@) { + ::rptMsg("ISOWRITE_RecentFiles_Source value not found."); + } + else { + ::rptMsg("ISOWRITE_RecentFiles_Source = ".$rs); + } + + + my $sf; + eval { + $sf = $key->get_value("ISOBUILD_MRUSourceFolder")->get_data(); + + }; + if ($@) { + ::rptMsg("ISOBUILD_MRUSourceFolder value not found."); + } + else { + ::rptMsg("ISOBUILD_MRUSourceFolder = ".$sf); + } + + + my $fs; + eval { + $fs = $key->get_value("ISOBUILD_RecentFiles_Source")->get_data(); + + }; + if ($@) { + ::rptMsg("ISOBUILD_RecentFiles_Source value not found."); + } + else { + ::rptMsg("ISOBUILD_RecentFiles_Source = ".$fs); + } + + + my $fd; + eval { + $fd = $key->get_value("ISOBUILD_RecentFiles_Destination")->get_data(); + + }; + if ($@) { + ::rptMsg("ISOBUILD_RecentFiles_Destination value not found."); + } + else { + ::rptMsg("ISOBUILD_RecentFiles_Destination = ".$fd); + } + + + my $fd; + eval { + $fd = $key->get_value("ISOBUILD_Recentfolders_Destination")->get_data(); + + }; + if ($@) { + ::rptMsg("ISOBUILD_RecentFolders_Destination value not found."); + } + else { + ::rptMsg("ISOBUILD_RecentFolders_Destination = ".$fd); + } + + + my $if; + eval { + $if = $key->get_value("FILELOCATIONS_ImageFiles")->get_data(); + + }; + if ($@) { + 
::rptMsg("FILELOCATIONS_ImageFiles value not found.");
+ }
+ else {
+ ::rptMsg("FILELOCATIONS_ImageFiles = ".$if);
+ }
+
+ my $lf;
+ eval {
+ $lf = $key->get_value("FILELOCATIONS_LogFiles")->get_data();
+
+ };
+ if ($@) {
+ ::rptMsg("FILELOCATIONS_LogFiles value not found.");
+ }
+ else {
+ ::rptMsg("FILELOCATIONS_LogFiles = ".$lf);
+ }
+
+
+ my $pf;
+ eval {
+ $pf = $key->get_value("FILELOCATIONS_ProjectFiles")->get_data();
+
+ };
+ if ($@) {
+ ::rptMsg("FILELOCATIONS_ProjectFiles value not found.");
+ }
+ else {
+ ::rptMsg("FILELOCATIONS_ProjectFiles = ".$pf);
+ }
+
+
+ my $qf;
+ eval {
+ $qf = $key->get_value("FILELOCATIONS_QueueFiles")->get_data();
+
+ };
+ if ($@) {
+ ::rptMsg("FILELOCATIONS_QueueFiles value not found.");
+ }
+ else {
+ ::rptMsg("FILELOCATIONS_QueueFiles = ".$qf);
+ }
+
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
diff --git a/thirdparty/rr-full/plugins/itempos.pl b/thirdparty/rr-full/plugins/itempos.pl
index cbb6d445d8..653666858c 100644
--- a/thirdparty/rr-full/plugins/itempos.pl
+++ b/thirdparty/rr-full/plugins/itempos.pl
@@ -225,6 +225,7 @@ sub parseFolderItem {
 my $str = "";
 while($tag) {
 my $s = substr($data,$ofs_shortname + $cnt,1);
+ return %item unless (defined $s);
 if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
 $tag = 0;
 }
@@ -240,7 +241,9 @@ sub parseFolderItem {
 $tag = 1;
 $cnt = 0;
 while ($tag) {
- if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
+ my $s = substr($data,$ofs + $cnt,2);
+ return %item unless (defined $s);
+ if (unpack("v",$s) == 0xbeef) {
 $tag = 0;
 }
 else {
diff --git a/thirdparty/rr-full/plugins/jumplistdata.pl b/thirdparty/rr-full/plugins/jumplistdata.pl
new file mode 100644
index 0000000000..29f0201a5b
--- /dev/null
+++ b/thirdparty/rr-full/plugins/jumplistdata.pl
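Review bot: `my $fd;` is declared twice in pluginmain (once before the `ISOBUILD_RecentFiles_Destination` lookup and again before `ISOBUILD_Recentfolders_Destination`), which with warnings enabled emits "my variable $fd masks earlier declaration" and shows the block was pasted rather than written; the second lookup also spells the value name `Recentfolders` while both of its messages say `RecentFolders`, so if the harness's `get_value` compares names case-sensitively that entry always reports "not found" even when present. The twelve near-identical eval/if blocks are better expressed as one loop over a list of value names, which removes the duplicate declaration, keeps every message format identical, and makes adding a value a one-token change. Note also that `hasShortDescr => 0` is set and no `getShortDescr` sub exists, while every other plugin in this change defines one; if the plugin lister calls it unconditionally this module dies there, so defining it is cheap insurance.
```perl
	if ($key = $root_key->get_subkey($key_path)) {
		# … unchanged: key path, LastWrite and blank-line banner …
		my @names = qw(InstallDirectory IBQ_MRUFile ISOREAD_RecentFiles_Destination ISOWRITE_RecentFiles_Source
		               ISOBUILD_MRUSourceFolder ISOBUILD_RecentFiles_Source ISOBUILD_RecentFiles_Destination
		               ISOBUILD_RecentFolders_Destination FILELOCATIONS_ImageFiles FILELOCATIONS_LogFiles
		               FILELOCATIONS_ProjectFiles FILELOCATIONS_QueueFiles);
		foreach my $name (@names) {
			my $data;
			eval { $data = $key->get_value($name)->get_data(); };
			if ($@) { ::rptMsg($name." value not found."); }
			else    { ::rptMsg($name." = ".$data); }
		}
	}
	# … unchanged: else branch reporting $key_path." not found." …
```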
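Review bot: Both new `return %item unless (defined $s);` guards stop the loops from walking past the end of `$data`, but they hand back whatever was parsed so far with nothing to tell the caller the shell item was truncated, so a malformed or cut-off item is reported as if it were complete. Record the condition before returning, e.g. `$item{error} = "truncated shell item"; return %item;`, or at least `::logMsg("itempos: truncated shell item")`, so the caller (outside this hunk) can surface it. Note `substr` returns an empty but defined string when the offset equals the length, so the first loop takes one extra iteration before the guard fires; harmless, but `return %item unless (defined $s && length($s));` would be tighter. parseFolderItem starts before and ends after these hunks.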
@@ -0,0 +1,68 @@
+#-----------------------------------------------------------
+# jumplistdata.pl
+#
+#
+# Change history
+# 20180611 - created (per request submitted by John McCash)
+#
+# References
+# https://twitter.com/sv2hui/status/1005763370186891269
+#
+# copyright 2018 QAR, LLC
+# author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package jumplistdata;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20180611);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's JumpListData key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching jumplistdata v.".$VERSION);
+ ::rptMsg("jumplistdata v.".$VERSION);
+ ::rptMsg("- ".getShortDescr()."\n");
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Search\\JumpListData';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+
+
+ my @vals = $key->get_list_of_values();
+ if (scalar @vals > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my @t = unpack("VV",$v->get_data());
+ my $w = ::getTime($t[0],$t[1]);
+ ::rptMsg(gmtime($w)." UTC $name");
+
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
diff --git a/thirdparty/rr-full/plugins/knowndev.pl b/thirdparty/rr-full/plugins/knowndev.pl
index 70dd48a5c2..10b1860387 100644
--- a/thirdparty/rr-full/plugins/knowndev.pl
+++ b/thirdparty/rr-full/plugins/knowndev.pl
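Review bot: `my @t = unpack("VV",$v->get_data());` assumes every value under `Search\JumpListData` holds at least eight bytes; on a shorter or empty value `$t[1]` is undef, `::getTime` is fed undef, and the line prints a bogus epoch-era time beside `$name` instead of flagging the value. Guard it before the unpack: `my $data = $v->get_data(); if (!defined $data || length($data) < 8) { ::rptMsg("  $name: unexpected data length ".length($data)); next; }`. The key's own LastWrite time is also not reported, unlike the sibling plugins (`::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");`), and it is useful here because the newest per-entry timestamp can be compared against it.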
@@ -2,12 +2,14 @@
 # knowndev.pl
 #
 # History
+# 20190714 - updated
 # 20140414 - created
 #
 # Registry entries created by devices that support device stage
 # Reference: http://nicoleibrahim.com/part-4-usb-device-research-usb-first-insert-results/
 #
 # Author: Jasmine Chua, babymagic06@gmail.com
+# updates: QAR, LLC (H. Carvey, keydet89@yahoo.com)
 #-----------------------------------------------------------------------------------------
 package knowndev;
 use strict;
@@ -17,7 +19,7 @@ my %config = (hive => "NTUSER\.DAT",
 hasDescr => 0,
 hasRefs => 0,
 osmask => 22,
- version => 20140414);
+ version => 20190714);
 sub getConfig{return %config}
 sub getShortDescr {
@@ -50,43 +52,18 @@ sub pluginmain {
 if (scalar @subkeys > 0) {
 foreach my $s (@subkeys) {
 my $name = $s->get_name();
- if ($name =~ m/_COMP/) {
- my $m = (split(/#/,$name,3))[1];
- my $device = (split(/&/,$m,3))[0];
- my $model = (split(/&/,$m,3))[1];
- my $label;
- my $icon;
- eval {
- $label = $s->get_value('Label')->get_data();
- $icon = $s->get_value('Icon')->get_data();
- };
- my $time = gmtime($s->get_timestamp());
- ::rptMsg("Device: ".$device);
- ::rptMsg("Model: ".$model);
- ::rptMsg("Label: ".$label) unless ($@);
- ::rptMsg("Icon: ".$icon) unless ($@);
- ::rptMsg("LastWrite Time: ".$time." (UTC)\n");
- }
- elsif ($name =~ m/_USB/) {
- my $vidpid = (split(/#/,$name,3))[1];
- my $serial = (split(/#/,$name,3))[2];
- my $label;
- my $icon;
- eval {
- $label = $s->get_value('Label')->get_data();
- $icon = $s->get_value('Icon')->get_data();
- };
- my $time = gmtime($s->get_timestamp());
- ::rptMsg("VID&PID: ".$vidpid);
- ::rptMsg("Serial: ".$serial);
- ::rptMsg("Label: ".$label) unless ($@);
- ::rptMsg("Icon: ".$icon) unless ($@);
- ::rptMsg("LastWrite Time: ".$time." (UTC)\n");
- }
+ my $lw = gmtime($s->get_timestamp());
+ ::rptMsg($name." ".$lw." Z");
+
+ eval {
+ my $label = $s->get_value("Label")->get_data();
+ ::rptMsg("Label: ".$label);
+ };
+ ::rptMsg("");
 }
 }
 else {
- ::rptMsg($key_path." has no subkeys.");
+ ::rptMsg($key_path." has no subkeys.");
 }
 }
 else {
diff --git a/thirdparty/rr-full/plugins/lastloggedon.pl b/thirdparty/rr-full/plugins/lastloggedon.pl
index 1585993114..9a197ba331 100644
--- a/thirdparty/rr-full/plugins/lastloggedon.pl
+++ b/thirdparty/rr-full/plugins/lastloggedon.pl
@@ -6,9 +6,10 @@
 #
 #
 # History:
+# 20180614 - Updated by Michael Godfrey
 # 20160531 - created
 #
-# copyright 2016 Quantum Analytics Research, LLC
+# copyright 2018 Quantum Analytics Research, LLC
 # Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 package lastloggedon;
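Review bot: The rewritten loop prints each subkey as `::rptMsg($name." ".$lw." Z");`, yielding a bare gmtime string followed by "Z", while the removed code and every other plugin in this change write `gmtime(...)." (UTC)"` with a `LastWrite` label; one timestamp convention keeps the combined RegRipper report greppable and parseable, so `::rptMsg($name." LastWrite: ".$lw." (UTC)");` would be the consistent form. The `Icon` value the old code reported is no longer read at all; if that is intentional the 20190714 history line should say so, otherwise add a second `eval { ::rptMsg("Icon: ".$s->get_value("Icon")->get_data()); };` beside the `Label` one. pluginmain begins before this hunk and ends after it.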
@@ -62,7 +63,12 @@ sub pluginmain {
 my $lastsamuser = $key->get_value("LastLoggedOnSAMUser")->get_data();
 ::rptMsg("LastLoggedOnSAMUser = ".$lastsamuser);
 };
- }
+# Added by Michael Godfrey
+ eval {
+ my $lastsamuserSID = $key->get_value("LastLoggedOnUserSID")->get_data();
+ ::rptMsg("LastLoggedOnUserSID = ".$lastsamuserSID);
+ }
+ }
 else {
 ::rptMsg($key_path." not found.");
 }
diff --git a/thirdparty/rr-full/plugins/logonstats.pl b/thirdparty/rr-full/plugins/logonstats.pl
new file mode 100644
index 0000000000..e8fd5a9add
--- /dev/null
+++ b/thirdparty/rr-full/plugins/logonstats.pl
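Review bot: The added `eval { ... }` for `LastLoggedOnUserSID` has no terminating semicolon, unlike the sibling `eval { ... };` blocks directly above it; Perl accepts this only because the next token is the closing brace of the enclosing `if`, so the first statement anyone appends after it will fail to compile. Close it as `};` and indent it to match the block it sits in. The `# Added by Michael Godfrey` marker belongs in the file's history header, which the first hunk of this file already updates, rather than inline in pluginmain. pluginmain begins before this hunk.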
@@ -0,0 +1,82 @@
+#-----------------------------------------------------------
+# LogonStats
+#
+# Change history
+# 20180128 - created
+#
+# References
+# https://twitter.com/jasonshale/status/623081308722475009
+#
+# copyright 2018 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package logonstats;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20180128);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's LogonStats key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching logonstats v.".$VERSION);
+ ::rptMsg("logonstats v.".$VERSION); # banner
+ ::rptMsg("- ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\LogonStats';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+
+ eval {
+ my $flt = $key->get_value("FirstLogonTime")->get_data();
+ my $str = convertSystemTime($flt);
+ ::rptMsg("FirstLogonTime: ".$str);
+ };
+
+ eval {
+ my $oc = $key->get_value("FirstLogonTimeOnCurrentInstallation")->get_data();
+ my $i = convertSystemTime($oc);
+ ::rptMsg("FirstLogonTimeOnCurrentInstallation: ".$i);
+ };
+ }
+ else {
+ ::rptMsg($key_path." 
not found.");
+ }
+}
+
+
+
+#-----------------------------------------------------------
+# convertSystemTime()
+# Converts 128-bit SYSTEMTIME object to readable format
+#-----------------------------------------------------------
+sub convertSystemTime {
+ my $date = $_[0];
+ my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul",
+ "Aug","Sep","Oct","Nov","Dec");
+ my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat");
+ my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date);
+ $hr = "0".$hr if ($hr < 10);
+ $min = "0".$min if ($min < 10);
+ $sec = "0".$sec if ($sec < 10);
+ my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr;
+ return $str;
+}
+
+1;
\ No newline at end of file
diff --git a/thirdparty/rr-full/plugins/macaddr.pl b/thirdparty/rr-full/plugins/macaddr.pl
index be5d690a1e..65bdec97cc 100644
--- a/thirdparty/rr-full/plugins/macaddr.pl
+++ b/thirdparty/rr-full/plugins/macaddr.pl
@@ -3,19 +3,23 @@
 # Attempt to locate MAC address in either Software or System hive files;
 # The plugin will determine which one its in and use the appropriate
 # code
+#
+# History:
+# 20190506 - updated
+# 20090118 - created
 #
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
+# copyright 2019, QAR, LLC
+# Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 package macaddr;
 use strict;
-my %config = (hive => "Software",
+my %config = (hive => "System,Software",
 osmask => 22,
 hasShortDescr => 1,
 hasDescr => 0,
 hasRefs => 0,
- version => 20090118);
+ version => 20190506);
 sub getConfig{return %config}
@@ -61,6 +65,7 @@ sub pluginmain {
 eval {
 $na = $key->get_subkey($name)->get_value("NetworkAddress")->get_data();
 ::rptMsg(" ".$name.": NetworkAddress = ".$na);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
 $found = 1;
 };
 }
diff --git a/thirdparty/rr-full/plugins/malware.pl b/thirdparty/rr-full/plugins/malware.pl
index c772e11925..c9297440b5 100644
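Review bot: `convertSystemTime` unpacks `$date` with `unpack("v*",$date)` and then indexes `$days[$dow]` and `$months[$mon - 1]` without checking that a 16-byte SYSTEMTIME was supplied; a short or empty value leaves those fields undef, and `$months[$mon - 1]` with undef `$mon` quietly becomes `$months[-1]` ("Dec"), so a damaged value prints a plausible-looking but wrong date instead of an error. Add `return "unexpected SYSTEMTIME length ".length($date) unless (defined $date && length($date) == 16);` at the top, and check `$dow <= 6` and `1 <= $mon <= 12` before indexing. The header says "128-bit SYSTEMTIME", which is right, but the returned string carries no zone marker and SYSTEMTIME has none of its own, so the comment should state whether the caller treats it as UTC or local.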
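Review bot: The added `::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");` reports the timestamp of `$key`, the parent interfaces key, not of the subkey in which `NetworkAddress` was found, so every matching adapter prints the same time and a spoofed MAC cannot be dated from this line. Use the subkey that the line above already fetches: `::rptMsg("  LastWrite Time ".gmtime($key->get_subkey($name)->get_timestamp())." (UTC)");`, or hold it in a variable and reuse it for both the value and the timestamp. pluginmain begins before this hunk and ends after it.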
--- a/thirdparty/rr-full/plugins/malware.pl
+++ b/thirdparty/rr-full/plugins/malware.pl
@@ -8,6 +8,9 @@
 #
 #
 # Change history:
+# 20190527 - updates
+# 20190107 - added remote UAC bypass check
+# 20180702 - added values to check for MS Defender being disabled
 # 20161210 - added WebRoot check
 # 20160615 - added new Sofacy persistence
 # 20160412 - added Ramdo checks
@@ -19,7 +22,7 @@
 # 20151008 - added keys
 # 20150828 - created
 #
-# copyright 2015 Quantum Analytics Research, LLC
+# copyright 2018 Quantum Analytics Research, LLC
 # Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 package malware;
@@ -31,7 +34,7 @@ my %config = (hive => "All",
 hasRefs => 0,
 osmask => 22,
 category => "malware",
- version => 20161210);
+ version => 20190527);
 sub getConfig{return %config}
 sub getShortDescr {
@@ -102,9 +105,29 @@ sub pluginmain {
 }
 };
+# Added 20190527
+# https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019
+ eval {
+ $key_path = "Control\\SecurityProviders\\WDigest";
+ if ($key = $root_key->get_subkey($key_path)){
+ my $ulc = $key->get_value("UseLogonCredential")->get_data();
+ ::rptMsg(" UseLogonCredential value = ".$ulc);
+ }
+ };
 # Software Hive
+# Added 20190527
+# https://www.stigviewer.com/stig/windows_7/2013-03-14/finding/V-3470
+ eval {
+ $key_path = "Policies\\Microsoft\\Windows NT\\Terminal Services\\";
+ if ($key = $root_key->get_subkey($key_path)) {
+ my $fallow = $key->get_value("fAllowUnsolicited")->get_data();
+ ::rptMsg(" fAllowUnsolicited value = ".$fallow);
+ }
+ };
+
+
 # Check for several PlugX variants
 # http://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2013-112101-0135-99
 # http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX
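Review bot: The WDigest block prints `UseLogonCredential value = ...` for whatever it finds, but the only reading worth a line in a malware plugin is `1`, which turns cleartext credential caching in LSASS back on after Windows 8.1/2012 R2 and KB2871997 disabled it; as written the analyst has to know that, and no LastWrite time is printed, whereas the Defender checks added later in this file test `if ($dis == 1)` and report `LastWrite Time`. Bring this block into that pattern: print the key path, its LastWrite time and `UseLogonCredential value = 1; cleartext credentials enabled in LSASS` only when the value is 1, and since an absent value means "enabled" on systems that predate the fix, a short comment recording that caveat would stop a missing value being read as safe. The `Control\SecurityProviders\WDigest` path presumes `$root_key` was already pointed at the current ControlSet earlier in pluginmain (outside this hunk); confirm that, since it is what makes the relative path resolve. The `fAllowUnsolicited` path ends in a trailing backslash that none of the other paths carry; drop it rather than rely on `get_subkey` tolerating an empty final component.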
@@ -307,6 +330,45 @@ sub pluginmain {
 }
 };
+# https://www.ghacks.net/2015/10/25/how-to-disable-windows-defender-in-windows-10-permanently/
+ eval {
+ $key_path = "Policies\\Microsoft\\Windows Defender";
+ if ($key = $root_key->get_subkey($key_path)) {
+ my $dis = $key->get_value("DisableAntiSpyware")->get_data();
+ if ($dis == 1) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time : ".gmtime($key->get_timestamp())." UTC");
+ ::rptMsg("DisableAntiSpyware value = 1");
+ }
+ }
+ };
+
+ eval {
+ $key_path = "Policies\\Microsoft\\Windows Defender\\Real-Time Protection";
+ if ($key = $root_key->get_subkey($key_path)) {
+ my $dis = $key->get_value("DisableRealtimeMonitoring")->get_data();
+ if ($dis == 1) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time : ".gmtime($key->get_timestamp())." UTC");
+ ::rptMsg("DisableRealtimeMonitoring value = 1");
+ }
+ }
+ };
+
+# Remote UAC bypass
+# https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
+ eval {
+ $key_path = "Microsoft\\Windows\\CurrentVersion\\Policies\\System";
+ if ($key = $root_key->get_subkey($key_path)) {
+ my $uac = $key->get_value("LocalAccountTokenFilterPolicy")->get_data();
+ if ($uac == 1) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time : ".gmtime($key->get_timestamp())." UTC");
+ ::rptMsg("LocalAccountTokenFilterPolicy value = 1; remote UAC bypass");
+ }
+ }
+ };
+
 # NTUSER.DAT/USRCLASS.DAT
 # Possible PlugX
diff --git a/thirdparty/rr-full/plugins/msedge_win10.pl b/thirdparty/rr-full/plugins/msedge_win10.pl
new file mode 100644
index 0000000000..223e1b892c
--- /dev/null
+++ b/thirdparty/rr-full/plugins/msedge_win10.pl
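Review bot: Each of the three new checks prints the LastWrite time of a key that holds many unrelated values (`Policies\System` in particular also carries the EnableLUA and ConsentPromptBehavior settings), so the time shown is when anything under that key last changed, not when `LocalAccountTokenFilterPolicy` or the Defender flag was set; a comment such as `# LastWrite is for the whole key, not this value` beside those lines keeps it from being over-read in a timeline. `LocalAccountTokenFilterPolicy = 1` is also a common deliberate setting for remote administration tooling, so the wording `remote UAC bypass` in the report is stronger than the evidence; `remote UAC token filtering disabled` describes what the value does without asserting intent. The `== 1` comparisons silently skip a value of 0, yet the mere presence of a `Policies\Microsoft\Windows Defender` key is itself notable on a non-managed host, so reporting the key (with its value) whenever it exists would lose nothing. pluginmain begins before this hunk and ends after it.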
@@ -0,0 +1,147 @@ +#----------------------------------------------------------- +# msedge_win10.pl +# Plugin for RegRipper +# +# Parses Microsoft Edge (Windows App) key: +# -USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs +# -USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsTime +# -USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount +# +# On a live machine, the key path is found under HKEY_CLASSES_ROOT +# +# The script code is based on: +# - adoberdr.pl/landesk.pl by H. Carvey +# - iexplore.pl by E. Rye esten@ryezone.net +# http://www.ryezone.net/regripper-and-internet-explorer-1 +# +# Change history +# 20180610 - First release +# +# References +# http://digitalforensicsurvivalpodcast.com/2017/04/11/dfsp-060-browsing-on-the-edge/ +# https://forensenellanebbia.blogspot.com/2018/06/usrclassdat-stores-more-history-than.html +# +# copyright 2018 Gabriele Zambelli | Twitter: @gazambelli +#----------------------------------------------------------- + +package msedge_win10; +use strict; + +my %config = (hive => "USRCLASS\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20180610); + +sub getShortDescr { return "Get values from the user's Microsoft Edge Windows App key"; } + +sub getDescr {} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my (@ts,$d); + +my @arr; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::rptMsg("msedge_win10 v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + # First, let's find out is Microsoft Edge 
was used to type any URL + my $version; + my $tag = 0; + my @globalitems = (); + my $key_path = "Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.microsoftedge_8wekyb3d8bbwe\\MicrosoftEdge\\TypedURLsVisitCount"; + my $key = $root_key->get_subkey($key_path); + if (defined($key)) { + $tag = 1; + } + else { + ::rptMsg($key_path." not found."); + } + + #TypedURLs + if ($tag) { + my $key_path = "Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.microsoftedge_8wekyb3d8bbwe\\MicrosoftEdge\\TypedURLs"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my %vals = getKeyValues($key); + foreach my $v (keys %vals) { + push @arr,($v." (TypedURLs) -> ".$vals{$v}); + } + } + else { + ::rptMsg(""); + ::rptMsg($key_path." has no subkeys."); + } + } + + #TypedURLsTime + if ($tag) { + my $key_path = "Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.microsoftedge_8wekyb3d8bbwe\\MicrosoftEdge\\TypedURLsTime"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my %vals = getKeyValues($key); + foreach my $v (keys %vals) { + @ts = unpack("VV",$key->get_value($v)->get_data()); + push @arr, ($v." (TypedURLsTime) -> ".gmtime(::getTime($ts[0],$ts[1]))." (UTC)"); + } + } + else { + ::rptMsg(""); + ::rptMsg($key_path." has no subkeys."); + } + } + + #TypedURLsVisitCount + if ($tag) { + my $key_path = "Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.microsoftedge_8wekyb3d8bbwe\\MicrosoftEdge\\TypedURLsVisitCount"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my %vals = getKeyValues($key); + foreach my $v (keys %vals) { + push @arr, ($v." (TypedURLsVisitCount) -> ".$vals{$v}."\r\n"); + } + } + else { + ::rptMsg(""); + ::rptMsg($key_path." 
has no subkeys."); + } + } + + if (scalar(@arr) > 0) { + #sort items in the array + ::rptMsg("|-- \\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.microsoftedge_8wekyb3d8bbwe"); + ::rptMsg("|----- \\MicrosoftEdge\\TypedURLs"); + ::rptMsg("|----- \\MicrosoftEdge\\TypedURLsTime"); + ::rptMsg("|----- \\MicrosoftEdge\\TypedURLsVisitCount"); + ::rptMsg(""); + foreach my $i (sort @arr){ + ::rptMsg($i); + } + } +} + +sub getKeyValues { + my $key = shift; + my %vals; + my @vk = $key->get_list_of_values(); + if (scalar(@vk) > 0) { + foreach my $v (@vk) { + next if ($v->get_name() eq "" && $v->get_data() eq ""); + $vals{$v->get_name()} = $v->get_data(); + } + } + else { + } + return %vals; +} + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/mzthunderbird.pl b/thirdparty/rr-full/plugins/mzthunderbird.pl new file mode 100644 index 0000000000..d3952c1182 --- /dev/null +++ b/thirdparty/rr-full/plugins/mzthunderbird.pl 
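Review bot: The plugin builds `%config` but never defines `sub getConfig`, which every other plugin in this change provides as `sub getConfig{return %config}`; if the harness calls it when listing or loading plugins (the upstream rip.pl does, as far as I recall), this module dies with a "Can't locate object method" error before pluginmain runs, so add that one-liner next to `getShortDescr`. Two smaller points: all three `else` branches print `$key_path." has no subkeys."` when the key does not exist, which is the wrong message (the sibling plugins say `" not found."`), and the banner lacks the `::logMsg("Launching msedge_win10 v.".$VERSION);` line the others emit. The package-level `my (@ts,$d); my @arr;` persist across calls, so `@arr` should be emptied at the start of pluginmain (`@arr = ();`) in case the harness invokes a plugin more than once per process.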
@@ -0,0 +1,82 @@
+#-----------------------------------------------------------
+# mzthunderbird.pl
+# Gets Thunderbird profile data
+#
+# Change history
+# 20180712 - created
+#
+# References
+# https://www.thunderbird.net/en-US/
+#
+# Author: M. Jones, mictjon@gmail.com
+#-----------------------------------------------------------
+package mzthunderbird;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20180712);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets Thunderbird profile data";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching mzthunderbird v.".$VERSION);
+ ::rptMsg("mzthunderbird v.".$VERSION); # banner
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Thunderbird Email Addresses");
+ ::rptMsg($key_path);
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
+ my ($app,$msgct,$ts);
+
+ eval {
+ $app = $s->get_value("Application")->get_data();
+ ::rptMsg(" Application: ".$app);
+ };
+
+ eval {
+ $msgct = $s->get_value("MessageCount")->get_data();
+ ::rptMsg(" MessageCount: ".$msgct);
+ };
+
+ eval {
+ my ($t0,$t1) = unpack("VV",$s->get_value("TimeStamp")->get_data());
+ my $t = ::getTime($t0,$t1);
+ ::rptMsg(" TimeStamp: ".gmtime($t));
+ };
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." 
not found.");
+ }
+}
+
+1;
\ No newline at end of file
diff --git a/thirdparty/rr-full/plugins/nation.pl b/thirdparty/rr-full/plugins/nation.pl
new file mode 100644
index 0000000000..7c96eb8bce
--- /dev/null
+++ b/thirdparty/rr-full/plugins/nation.pl
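Review bot: The key this plugin reads, `Software\Microsoft\Windows\CurrentVersion\UnreadMail`, is the generic Windows unread-mail notification location (the one SHSetUnreadMailCount writes to) that any mail client can register under, not a Thunderbird-specific key; the `Application` value read a few lines later names which client wrote each entry, yet the `Thunderbird Email Addresses` heading and the "Gets Thunderbird profile data" description attribute every address to Thunderbird. Either filter on the application, e.g. read `$app` first and `next unless (defined $app && $app =~ m/thunderbird/i);`, or change the heading to `UnreadMail entries (see Application value)` and the description to match. The plugin also reads no profile data (profiles.ini, prefs), so `Gets Windows UnreadMail entries` would describe what it does; the `$ts` variable declared in `my ($app,$msgct,$ts);` is never used.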
@@ -0,0 +1,365 @@ +#----------------------------------------------------------- +# nation.pl +# Region Information +# Get Geo Nation information from the NTUSER.DAT hive file +# +# Written By: +# Fahad Alzaabi +# falzaab@masonlive.gmu.edu +# George Mason University,CFRS 763 +#----------------------------------------------------------- +package nation; +use strict; + +my %config = (hive => "ntuser.dat", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20091116); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets region information from HKCU"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching nation v.".$VERSION); + ::rptMsg("nation v.".$VERSION); + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Control Panel\\International\\Geo"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Nation Information Check"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + my $nation = $key->get_value("Nation")->get_data(); + ::rptMsg("The Region value is : ".$nation); + ::rptMsg("The Country Is: Antigua and Barbuda") if ($nation == 2); + ::rptMsg("The Country Is: Afghanistan") if ($nation == 3); + ::rptMsg("The Country Is: Algeria") if ($nation == 4); + ::rptMsg("The Country Is: Azerbaijan") if ($nation == 5); + ::rptMsg("The Country Is: Albania") if ($nation == 6); + ::rptMsg("The Country Is: Armenia") if ($nation == 7); + ::rptMsg("The Country Is: Andorra") if ($nation == 8); + ::rptMsg("The Country Is: Angola") if ($nation == 9); + ::rptMsg("The Country Is: American Samoa") if ($nation == 10); + ::rptMsg("The Country Is: Argentina") if ($nation == 11); + ::rptMsg("The Country Is: Australia") if ($nation == 12); + ::rptMsg("The Country Is: Austria") if ($nation == 14); + ::rptMsg("The Country Is: Bahrain") if ($nation == 17); + ::rptMsg("The Country Is: Barbados") if ($nation == 18); + ::rptMsg("The Country Is: Botswana") if ($nation == 19); + ::rptMsg("The Country Is: Bermuda") if ($nation == 20); + ::rptMsg("The Country Is: Belgium") if ($nation == 21); + ::rptMsg("The Country Is: Bahamas The") if ($nation == 22); + ::rptMsg("The Country Is: Bangladesh") if ($nation == 23); + ::rptMsg("The Country Is: Belize") if ($nation == 24); + ::rptMsg("The Country Is: Bosnia and Herzegovina") if ($nation == 25); + ::rptMsg("The Country Is: Bolivia") if ($nation == 26); + ::rptMsg("The Country Is: Myanmar") if ($nation == 27); + ::rptMsg("The Country Is: Benin") if ($nation == 28); + ::rptMsg("The Country Is: Belarus") if ($nation == 29); + ::rptMsg("The Country Is: Solomon Islands") if ($nation == 30); + ::rptMsg("The Country Is: Brazil") if ($nation == 32); + ::rptMsg("The Country Is: Bhutan") if ($nation == 34); + ::rptMsg("The Country Is: Bulgaria") if ($nation == 35); + ::rptMsg("The Country Is: Brunei") if ($nation == 37); + ::rptMsg("The Country Is: Burundi") if ($nation == 38); + ::rptMsg("The Country Is: 
Canada") if ($nation == 39); + ::rptMsg("The Country Is: Cambodia") if ($nation == 40); + ::rptMsg("The Country Is: Chad") if ($nation == 41); + ::rptMsg("The Country Is: Sri Lanka") if ($nation == 42); + ::rptMsg("The Country Is: Congo") if ($nation == 43); + ::rptMsg("The Country Is: Congo (DRC)") if ($nation == 44); + ::rptMsg("The Country Is: China") if ($nation == 45); + ::rptMsg("The Country Is: Chile") if ($nation == 46); + ::rptMsg("The Country Is: Cameroon") if ($nation == 49); + ::rptMsg("The Country Is: Comoros") if ($nation == 50); + ::rptMsg("The Country Is: Colombia") if ($nation == 51); + ::rptMsg("The Country Is: Costa Rica") if ($nation == 54); + ::rptMsg("The Country Is: Central African Republic") if ($nation == 55); + ::rptMsg("The Country Is: Cuba") if ($nation == 56); + ::rptMsg("The Country Is: Cabo Verde") if ($nation == 57); + ::rptMsg("The Country Is: Cyprus") if ($nation == 59); + ::rptMsg("The Country Is: Denmark") if ($nation == 61); + ::rptMsg("The Country Is: Djibouti") if ($nation == 62); + ::rptMsg("The Country Is: Dominica") if ($nation == 63); + ::rptMsg("The Country Is: Dominican Republic") if ($nation == 65); + ::rptMsg("The Country Is: Ecuador") if ($nation == 66); + ::rptMsg("The Country Is: Egypt") if ($nation == 67); + ::rptMsg("The Country Is: Ireland") if ($nation == 68); + ::rptMsg("The Country Is: Equatorial Guinea") if ($nation == 69); + ::rptMsg("The Country Is: Estonia") if ($nation == 70); + ::rptMsg("The Country Is: Eritrea") if ($nation == 71); + ::rptMsg("The Country Is: El Salvador") if ($nation == 72); + ::rptMsg("The Country Is: Ethiopia") if ($nation == 73); + ::rptMsg("The Country Is: Czech Republic") if ($nation == 75); + ::rptMsg("The Country Is: Finland") if ($nation == 77); + ::rptMsg("The Country Is: Fiji") if ($nation == 78); + ::rptMsg("The Country Is: Micronesia") if ($nation == 80); + ::rptMsg("The Country Is: Faroe Islands") if ($nation == 81); + ::rptMsg("The Country Is: France") if ($nation == 84); 
+ ::rptMsg("The Country Is: Gambia") if ($nation == 86); + ::rptMsg("The Country Is: Gabon") if ($nation == 87); + ::rptMsg("The Country Is: Georgia") if ($nation == 88); + ::rptMsg("The Country Is: Ghana") if ($nation == 89); + ::rptMsg("The Country Is: Gibraltar") if ($nation == 90); + ::rptMsg("The Country Is: Grenada") if ($nation == 91); + ::rptMsg("The Country Is: Greenland") if ($nation == 93); + ::rptMsg("The Country Is: Germany") if ($nation == 94); + ::rptMsg("The Country Is: Greece") if ($nation == 98); + ::rptMsg("The Country Is: Guatemala") if ($nation == 99); + ::rptMsg("The Country Is: Guinea") if ($nation == 100); + ::rptMsg("The Country Is: Guyana") if ($nation == 101); + ::rptMsg("The Country Is: Haiti") if ($nation == 103); + ::rptMsg("The Country Is: Hong Kong ") if ($nation == 104); + ::rptMsg("The Country Is: Honduras") if ($nation == 106); + ::rptMsg("The Country Is: Croatia") if ($nation == 108); + ::rptMsg("The Country Is: Hungary") if ($nation == 109); + ::rptMsg("The Country Is: Iceland") if ($nation == 110); + ::rptMsg("The Country Is: Indonesia") if ($nation == 111); + ::rptMsg("The Country Is: India") if ($nation == 113); + ::rptMsg("The Country Is: British Indian Ocean Territory") if ($nation == 114); + ::rptMsg("The Country Is: Iran") if ($nation == 116); + ::rptMsg("The Country Is: Israel") if ($nation == 117); + ::rptMsg("The Country Is: Italy") if ($nation == 118); + ::rptMsg("The Country Is: Côte dIvoire") if ($nation == 119); + ::rptMsg("The Country Is: Iraq") if ($nation == 121); + ::rptMsg("The Country Is: Japan") if ($nation == 122); + ::rptMsg("The Country Is: Jamaica") if ($nation == 124); + ::rptMsg("The Country Is: Jan Mayen") if ($nation == 125); + ::rptMsg("The Country Is: Jordan") if ($nation == 126); + ::rptMsg("The Country Is: Johnston Atoll") if ($nation == 127); + ::rptMsg("The Country Is: Kenya") if ($nation == 129); + ::rptMsg("The Country Is: Kyrgyzstan") if ($nation == 130); + ::rptMsg("The Country Is: North 
Korea") if ($nation == 131); + ::rptMsg("The Country Is: Kiribati") if ($nation == 133); + ::rptMsg("The Country Is: Korea") if ($nation == 134); + ::rptMsg("The Country Is: Kuwait") if ($nation == 136); + ::rptMsg("The Country Is: Kazakhstan") if ($nation == 137); + ::rptMsg("The Country Is: Laos") if ($nation == 138); + ::rptMsg("The Country Is: Lebanon") if ($nation == 139); + ::rptMsg("The Country Is: Latvia") if ($nation == 140); + ::rptMsg("The Country Is: Lithuania") if ($nation == 141); + ::rptMsg("The Country Is: Liberia") if ($nation == 142); + ::rptMsg("The Country Is: Slovakia") if ($nation == 143); + ::rptMsg("The Country Is: Liechtenstein") if ($nation == 145); + ::rptMsg("The Country Is: Lesotho") if ($nation == 146); + ::rptMsg("The Country Is: Luxembourg") if ($nation == 147); + ::rptMsg("The Country Is: Libya") if ($nation == 148); + ::rptMsg("The Country Is: Madagascar") if ($nation == 149); + ::rptMsg("The Country Is: Macao") if ($nation == 151); + ::rptMsg("The Country Is: Moldova") if ($nation == 152); + ::rptMsg("The Country Is: Mongolia") if ($nation == 154); + ::rptMsg("The Country Is: Malawi") if ($nation == 156); + ::rptMsg("The Country Is: Mali") if ($nation == 157); + ::rptMsg("The Country Is: Monaco") if ($nation == 158); + ::rptMsg("The Country Is: Morocco") if ($nation == 159); + ::rptMsg("The Country Is: Mauritius") if ($nation == 160); + ::rptMsg("The Country Is: Mauritania") if ($nation == 162); + ::rptMsg("The Country Is: Malta") if ($nation == 163); + ::rptMsg("The Country Is: Oman") if ($nation == 164); + ::rptMsg("The Country Is: Maldives") if ($nation == 165); + ::rptMsg("The Country Is: Mexico") if ($nation == 166); + ::rptMsg("The Country Is: Malaysia") if ($nation == 167); + ::rptMsg("The Country Is: Mozambique") if ($nation == 168); + ::rptMsg("The Country Is: Niger") if ($nation == 173); + ::rptMsg("The Country Is: Vanuatu") if ($nation == 174); + ::rptMsg("The Country Is: Nigeria") if ($nation == 175); + ::rptMsg("The 
Country Is: Netherlands") if ($nation == 176); + ::rptMsg("The Country Is: Norway") if ($nation == 177); + ::rptMsg("The Country Is: Nepal") if ($nation == 178); + ::rptMsg("The Country Is: Nauru") if ($nation == 180); + ::rptMsg("The Country Is: Suriname") if ($nation == 181); + ::rptMsg("The Country Is: Nicaragua") if ($nation == 182); + ::rptMsg("The Country Is: New Zealand") if ($nation == 183); + ::rptMsg("The Country Is: Palestinian Authority") if ($nation == 184); + ::rptMsg("The Country Is: Paraguay") if ($nation == 185); + ::rptMsg("The Country Is: Peru") if ($nation == 187); + ::rptMsg("The Country Is: Pakistan") if ($nation == 190); + ::rptMsg("The Country Is: Poland") if ($nation == 191); + ::rptMsg("The Country Is: Panama") if ($nation == 192); + ::rptMsg("The Country Is: Portugal") if ($nation == 193); + ::rptMsg("The Country Is: Papua New Guinea") if ($nation == 194); + ::rptMsg("The Country Is: Palau") if ($nation == 195); + ::rptMsg("The Country Is: Guinea-Bissau") if ($nation == 196); + ::rptMsg("The Country Is: Qatar") if ($nation == 197); + ::rptMsg("The Country Is: Réunion") if ($nation == 198); + ::rptMsg("The Country Is: Marshall Islands") if ($nation == 199); + ::rptMsg("The Country Is: Romania") if ($nation == 200); + ::rptMsg("The Country Is: Philippines") if ($nation == 201); + ::rptMsg("The Country Is: Puerto Rico") if ($nation == 202); + ::rptMsg("The Country Is: Russia") if ($nation == 203); + ::rptMsg("The Country Is: Rwanda") if ($nation == 204); + ::rptMsg("The Country Is: Saudi Arabia") if ($nation == 205); + ::rptMsg("The Country Is: Saint Pierre and Miquelon") if ($nation == 206); + ::rptMsg("The Country Is: Saint Kitts and Nevis") if ($nation == 207); + ::rptMsg("The Country Is: Seychelles") if ($nation == 208); + ::rptMsg("The Country Is: South Africa") if ($nation == 209); + ::rptMsg("The Country Is: Senegal") if ($nation == 210); + ::rptMsg("The Country Is: Slovenia") if ($nation == 212); + ::rptMsg("The Country Is: Sierra 
Leone") if ($nation == 213); + ::rptMsg("The Country Is: San Marino") if ($nation == 214); + ::rptMsg("The Country Is: Singapore") if ($nation == 215); + ::rptMsg("The Country Is: Somalia") if ($nation == 216); + ::rptMsg("The Country Is: Spain") if ($nation == 217); + ::rptMsg("The Country Is: Saint Lucia") if ($nation == 218); + ::rptMsg("The Country Is: Sudan") if ($nation == 219); + ::rptMsg("The Country Is: Svalbard") if ($nation == 220); + ::rptMsg("The Country Is: Sweden") if ($nation == 221); + ::rptMsg("The Country Is: Syria") if ($nation == 222); + ::rptMsg("The Country Is: Switzerland") if ($nation == 223); + ::rptMsg("The Country Is: United Arab Emirates") if ($nation == 224); + ::rptMsg("The Country Is: Trinidad and Tobago") if ($nation == 225); + ::rptMsg("The Country Is: Thailand") if ($nation == 227); + ::rptMsg("The Country Is: Tajikistan") if ($nation == 228); + ::rptMsg("The Country Is: Tonga") if ($nation == 231); + ::rptMsg("The Country Is: Togo") if ($nation == 232); + ::rptMsg("The Country Is: São Tomé and Príncipe") if ($nation == 233); + ::rptMsg("The Country Is: Tunisia") if ($nation == 234); + ::rptMsg("The Country Is: Turkey") if ($nation == 235); + ::rptMsg("The Country Is: Tuvalu") if ($nation == 236); + ::rptMsg("The Country Is: Taiwan") if ($nation == 237); + ::rptMsg("The Country Is: Turkmenistan") if ($nation == 238); + ::rptMsg("The Country Is: Tanzania") if ($nation == 239); + ::rptMsg("The Country Is: Uganda") if ($nation == 240); + ::rptMsg("The Country Is: Ukraine") if ($nation == 241); + ::rptMsg("The Country Is: United Kingdom") if ($nation == 242); + ::rptMsg("The Country Is: United States") if ($nation == 244); + ::rptMsg("The Country Is: Burkina Faso") if ($nation == 245); + ::rptMsg("The Country Is: Uruguay") if ($nation == 246); + ::rptMsg("The Country Is: Uzbekistan") if ($nation == 247); + ::rptMsg("The Country Is: Saint Vincent and the Grenadines") if ($nation == 248); + ::rptMsg("The Country Is: Venezuela") if 
($nation == 249); + ::rptMsg("The Country Is: Vietnam") if ($nation == 251); + ::rptMsg("The Country Is: U.S. Virgin Islands") if ($nation == 252); + ::rptMsg("The Country Is: Vatican City") if ($nation == 253); + ::rptMsg("The Country Is: Namibia") if ($nation == 254); + ::rptMsg("The Country Is: Wake Island") if ($nation == 258); + ::rptMsg("The Country Is: Samoa") if ($nation == 259); + ::rptMsg("The Country Is: Swaziland") if ($nation == 260); + ::rptMsg("The Country Is: Yemen") if ($nation == 261); + ::rptMsg("The Country Is: Zambia") if ($nation == 263); + ::rptMsg("The Country Is: Zimbabwe") if ($nation == 264); + ::rptMsg("The Country Is: Serbia and Montenegro (Former)") if ($nation == 269); + ::rptMsg("The Country Is: Montenegro") if ($nation == 270); + ::rptMsg("The Country Is: Serbia") if ($nation == 271); + ::rptMsg("The Country Is: Curaçao") if ($nation == 273); + ::rptMsg("The Country Is: Anguilla") if ($nation == 300); + ::rptMsg("The Country Is: South Sudan") if ($nation == 276); + ::rptMsg("The Country Is: Antarctica") if ($nation == 301); + ::rptMsg("The Country Is: Aruba") if ($nation == 302); + ::rptMsg("The Country Is: Ascension Island") if ($nation == 303); + ::rptMsg("The Country Is: Ashmore and Cartier Islands") if ($nation == 304); + ::rptMsg("The Country Is: Baker sland") if ($nation == 305); + ::rptMsg("The Country Is: Bouvet Island") if ($nation == 306); + ::rptMsg("The Country Is: Cayman Islands") if ($nation == 307); + ::rptMsg("The Country Is: Channel Islands") if ($nation == 308); + ::rptMsg("The Country Is: Christmas Island") if ($nation == 309); + ::rptMsg("The Country Is: Clipperton Island") if ($nation == 310); + ::rptMsg("The Country Is: Cocos (Keeling) Islands") if ($nation == 311); + ::rptMsg("The Country Is: Cook Islands") if ($nation == 312); + ::rptMsg("The Country Is: Coral Sea Islands") if ($nation == 313); + ::rptMsg("The Country Is: Diego Garcia") if ($nation == 314); + ::rptMsg("The Country Is: Falkland Islands") if 
($nation == 315); + ::rptMsg("The Country Is: French Guiana") if ($nation == 317); + ::rptMsg("The Country Is: French Polynesia") if ($nation == 318); + ::rptMsg("The Country Is: French Southern Territories") if ($nation == 319); + ::rptMsg("The Country Is: Guadeloupe") if ($nation == 321); + ::rptMsg("The Country Is: Guam") if ($nation == 322); + ::rptMsg("The Country Is: Guantanamo Bay") if ($nation == 323); + ::rptMsg("The Country Is: Guernsey") if ($nation == 324); + ::rptMsg("The Country Is: Heard Island and Mcdonald Islands") if ($nation == 325); + ::rptMsg("The Country Is: Howland Island") if ($nation == 326); + ::rptMsg("The Country Is: Jarvis Island") if ($nation == 327); + ::rptMsg("The Country Is: Jersey") if ($nation == 328); + ::rptMsg("The Country Is: Kingman Reef") if ($nation == 329); + ::rptMsg("The Country Is: Martinique") if ($nation == 330); + ::rptMsg("The Country Is: Mayotte") if ($nation == 331); + ::rptMsg("The Country Is: Montserrat") if ($nation == 332); + ::rptMsg("The Country Is: Netherlands Antilles (Former)") if ($nation == 333); + ::rptMsg("The Country Is: New Caledonia") if ($nation == 334); + ::rptMsg("The Country Is: Niue") if ($nation == 335); + ::rptMsg("The Country Is: Norfolk Island") if ($nation == 336); + ::rptMsg("The Country Is: Northern Mariana Islands") if ($nation == 337); + ::rptMsg("The Country Is: Palmyra Atoll") if ($nation == 338); + ::rptMsg("The Country Is: Pitcairn Islands") if ($nation == 339); + ::rptMsg("The Country Is: Rota Island") if ($nation == 340); + ::rptMsg("The Country Is: Saipan") if ($nation == 341); + ::rptMsg("The Country Is: South Georgia and the South Sandwich Islands") if ($nation == 342); + ::rptMsg("The Country Is: St Helena Ascension and Tristan da Cunha") if ($nation == 343); + ::rptMsg("The Country Is: Tinian Island") if ($nation == 346); + ::rptMsg("The Country Is: Tokelau") if ($nation == 347); + ::rptMsg("The Country Is: Tristan da Cunha") if ($nation == 348); + ::rptMsg("The Country 
Is: Turks and Caicos Islands") if ($nation == 349); + ::rptMsg("The Country Is: British Virgin Islands") if ($nation == 351); + ::rptMsg("The Country Is: Wallis and Futuna") if ($nation == 352); + ::rptMsg("The Country Is: Africa") if ($nation == 742); + ::rptMsg("The Country Is: Asia") if ($nation == 2129); + ::rptMsg("The Country Is: Europe") if ($nation == 10541); + ::rptMsg("The Country Is: Isle of Man") if ($nation == 15126); + ::rptMsg("The Country Is: Macedonia") if ($nation == 19618); + ::rptMsg("The Country Is: Melanesia") if ($nation == 20900); + ::rptMsg("The Country Is: Micronesia") if ($nation == 21206); + ::rptMsg("The Country Is: Midway Islands") if ($nation == 21242); + ::rptMsg("The Country Is: Northern America") if ($nation == 23581); + ::rptMsg("The Country Is: Polynesia") if ($nation == 26286); + ::rptMsg("The Country Is: Central America") if ($nation == 27082); + ::rptMsg("The Country Is: Oceania") if ($nation == 27114); + ::rptMsg("The Country Is: Sint Maarten") if ($nation == 30967); + ::rptMsg("The Country Is: South America") if ($nation == 31396); + ::rptMsg("The Country Is: Saint Martin") if ($nation == 31706); + ::rptMsg("The Country Is: World") if ($nation == 39070); + ::rptMsg("The Country Is: Western Africa") if ($nation == 42483); + ::rptMsg("The Country Is: Middle Africa") if ($nation == 42484); + ::rptMsg("The Country Is: Northern Africa") if ($nation == 42487); + ::rptMsg("The Country Is: Central Asia") if ($nation == 47590); + ::rptMsg("The Country Is: South-Eastern Asia") if ($nation == 47599); + ::rptMsg("The Country Is: Eastern Asia") if ($nation == 47600); + ::rptMsg("The Country Is: Eastern Africa") if ($nation == 47603); + ::rptMsg("The Country Is: Eastern Europe") if ($nation == 47609); + ::rptMsg("The Country Is: Southern Europe") if ($nation == 47610); + ::rptMsg("The Country Is: Middle East") if ($nation == 47611); + ::rptMsg("The Country Is: Southern Asia") if ($nation == 47614); + ::rptMsg("The Country Is: 
Timor-Leste") if ($nation == 7299303); + ::rptMsg("The Country Is: Kosovo") if ($nation == 9914689); + ::rptMsg("The Country Is: Americas") if ($nation == 10026358); + ::rptMsg("The Country Is: Åland Islands") if ($nation == 10028789); + ::rptMsg("The Country Is: Caribbean") if ($nation == 10039880); + ::rptMsg("The Country Is: Northern Europe") if ($nation == 10039882); + ::rptMsg("The Country Is: Southern Africa") if ($nation == 10039883); + ::rptMsg("The Country Is: Western Europe") if ($nation == 10210824); + ::rptMsg("The Country Is: Australia and New Zealand") if ($nation == 10210825); + ::rptMsg("The Country Is: Saint Barthélemy") if ($nation == 161832015); + ::rptMsg("The Country Is: U.S. Minor Outlying Islands") if ($nation == 161832256); + ::rptMsg("The Country Is: Latin America and the Caribbean") if ($nation == 161832257); + ::rptMsg("The Country Is: Bonaire Saint Eustatius and Saba") if ($nation == 161832258); + ::rptMsg("For more information please visit the link below:"); + ::rptMsg("https://msdn.microsoft.com/en-us/library/aa723531.aspx"); + + + + } + + else { + ::rptMsg($key_path." not found."); + } + + + ::rptMsg(""); + +} +1; diff --git a/thirdparty/rr-full/plugins/netlogon.pl b/thirdparty/rr-full/plugins/netlogon.pl new file mode 100644 index 0000000000..d10c597776 --- /dev/null +++ b/thirdparty/rr-full/plugins/netlogon.pl 
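Review bot: `$key->get_value("Nation")->get_data()` is called without checking that the value exists, so a hive whose `Geo` key is present but has no `Nation` value dies with a method call on undef and aborts the plugin instead of reporting; guard it with `my $val = $key->get_value("Nation");` followed by `if (defined $val) { my $nation = $val->get_data(); ... } else { ::rptMsg("Nation value not found."); }`. The long run of `::rptMsg(...) if ($nation == N);` lines compares with `==`, which under `use strict` but no `warnings` silently coerces a non-numeric or empty value to 0 and prints nothing, so a code matching no entry should fall through to an explicit `Unknown region code` line; a `%geo` hash keyed by code with a single lookup would give that for free and is far easier to maintain than the chain. `Baker sland` (code 305) is a typo in a report string. The `version` field is 20091116 although the file is new in this commit, which will confuse anyone comparing plugin versions.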
@@ -0,0 +1,92 @@
+#-----------------------------------------------------------
+# netlogon.pl
+#
+#
+# History:
+# 20190223 - created
+#
+# References:
+# https://support.microsoft.com/en-us/help/154501/how-to-disable-automatic-machine-account-password-changes
+#
+# copyright 2019 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package netlogon;
+use strict;
+
+my %config = (hive => "System",
+ hivemask => 4,
+ output => "report",
+ category => "System Config",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 31,
+ version => 20190223);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Parse values for machine account password changes";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my @vals;
+my $name;
+my $data;
+my $type;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching netlogon v.".$VERSION);
+ ::rptMsg("netlogon v.".$VERSION);
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my @sets = ();
+
+ my @subkeys = ();
+ if (@subkeys = $root_key->get_list_of_subkeys()) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ push(@sets,$name) if ($name =~ m/^ControlSet/);
+ }
+ }
+
+ my $set;
+ foreach $set (@sets) {
+ ::rptMsg("*** ".$set." ***");
+ my $key_path = $set."\\services\\NetLogon\\Parameters";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." 
Z");
+ @vals = $key->get_list_of_values();
+ if (scalar @vals > 0) {
+ foreach my $v (@vals) {
+ $name = $v->get_name();
+ $data = $v->get_data();
+ $type = $v->get_type();
+ if ($type == 4) {
+ ::rptMsg(sprintf "%-35s 0x%04x",$name,$data);
+ }
+ else {
+ ::rptMsg(sprintf "%-35s $data",$name);
+ }
+ }
+ }
+ else {
+# no values
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+ }
+}
+
+1;
diff --git a/thirdparty/rr-full/plugins/netsh.pl b/thirdparty/rr-full/plugins/netsh.pl
index 8b0bd590c5..46c5e0ed61 100644
--- a/thirdparty/rr-full/plugins/netsh.pl
+++ b/thirdparty/rr-full/plugins/netsh.pl
@@ -4,11 +4,15 @@
 #
 # References
 # http://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
+# https://attack.mitre.org/techniques/T1128/
+# https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html
 #
 # Change history
+# 20190316 - updated references
 # 20160926 - created
 #
-# Copyright 2016 QAR, LLC
+# Copyright 2019 QAR, LLC
+# Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 package netsh;
 use strict;
@@ -18,7 +22,7 @@ my %config = (hive => "Software",
 hasShortDescr => 1,
 hasDescr => 0,
 hasRefs => 0,
- version => 20160926);
+ version => 20190316);
 sub getConfig{return %config}
@@ -45,12 +49,13 @@ sub pluginmain {
 if ($key = $root_key->get_subkey($key_path)) {
 ::rptMsg($key_path);
- ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())." Z");
- ::rptMsg("");
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
 my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
+ if (scalar @vals > 0) {
+ ::rptMsg("");
+ ::rptMsg(sprintf "%-15s %-25s","Name","DLL Name");
 foreach my $v (@vals) {
- ::rptMsg(sprintf "%-15s %-30s",$v->get_name(),$v->get_data());
+ ::rptMsg(sprintf "%-15s %-25s",$v->get_name(),$v->get_data());
 }
 }
 }
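Review bot: In the non-DWORD branch, `::rptMsg(sprintf "%-35s $data",$name);` interpolates the registry value's data into the sprintf format string, so any `%` in a REG_SZ/REG_EXPAND_SZ value (an `%SystemRoot%` path, for instance) is parsed as a conversion directive and produces garbled output or a missing-argument warning; the hive under examination is untrusted input, so pass the data as an argument instead: `::rptMsg(sprintf "%-35s %s",$name,$data);`. The report is otherwise raw value names and hex DWORDs with no interpretation, so a header comment naming the values the referenced KB article covers (presumably `DisablePasswordChange` and `MaximumPasswordAge`) and what their settings mean would let an analyst read the output without the article. `@vals`, `$name`, `$data` and `$type` are declared at file scope and carry state between invocations; they belong inside `pluginmain` as `my` variables. The commented-out LastWrite line should be restored or removed rather than left as dead code.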
diff --git a/thirdparty/rr-full/plugins/networklist.pl b/thirdparty/rr-full/plugins/networklist.pl
index ac556d26cd..a826077644 100644
--- a/thirdparty/rr-full/plugins/networklist.pl
+++ b/thirdparty/rr-full/plugins/networklist.pl
@@ -5,6 +5,7 @@
 #
 #
 # Change History:
+# 20190128 - Added Nla\Wireless data
 # 20150812 - updated to include Nla\Cache data
 # 20120917 - updated to include NameType value
 # 20090812 - updated code to parse DateCreated and DateLastConnected
@@ -24,7 +25,7 @@ my %config = (hive => "Software",
 hasShortDescr => 1,
 hasDescr => 0,
 hasRefs => 0,
- version => 20150812);
+ version => 20190128);
 sub getConfig{return %config}
@@ -125,7 +126,7 @@ sub pluginmain {
 foreach my $n (keys %nl) {
 my $str = sprintf "%-15s Gateway Mac: ".$nl{$n}{DefaultGatewayMac},$nl{$n}{ProfileName};
 ::rptMsg($nl{$n}{ProfileName});
- ::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." Z");
+# ::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." Z");
 ::rptMsg(" DateLastConnected: ".$nl{$n}{DateLastConnected});
 ::rptMsg(" DateCreated : ".$nl{$n}{DateCreated});
 ::rptMsg(" DefaultGatewayMac: ".$nl{$n}{DefaultGatewayMac});
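Review bot: Commenting out the `Key LastWrite` line drops a timestamp from every network profile entry, and the new change-history line only mentions the Nla\Wireless addition, so an analyst comparing reports across plugin versions gets no explanation for the missing time source. If the value is no longer wanted, delete the line rather than leaving dead code and add `# 20190128 - removed Key LastWrite from profile output` to the history; if it is still useful, keep it and switch the suffix to the `(UTC)` form this commit uses elsewhere.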
@@ -147,9 +148,30 @@ sub pluginmain {
 if ($key = $root_key->get_subkey($key_path)) {
 my @subkeys = $key->get_list_of_subkeys();
 if (scalar(@subkeys) > 0) {
- ::rptMsg(sprintf "%-26s %-30s","Date","Domain/IP");
+# ::rptMsg(sprintf "%-26s %-30s","Date","Domain/IP");
+ ::rptMsg(sprintf "%-30s","Domain/IP");
 foreach my $s (@subkeys) {
- ::rptMsg(sprintf "%-26s %-30s",gmtime($s->get_timestamp())." Z",$s->get_name());
+# ::rptMsg(sprintf "%-26s %-30s",gmtime($s->get_timestamp())." Z",$s->get_name());
+ ::rptMsg(sprintf "%-30s",$s->get_name());
+ }
+ }
+ }
+ ::rptMsg("");
+# Added 20190128 - Nla\Wireless data
+ $key_path = $base_path."\\Nla\\Wireless";
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ ::rptMsg("");
+ ::rptMsg("Nla\\Wireless");
+ foreach my $s (@subkeys) {
+ my $str = $s->get_value("")->get_data();
+
+ my @list = unpack("(A2)*", $str);
+ my @chars = map {chr hex} @list;
+ my $new_str = join('',@chars);
+ ::rptMsg($new_str);
+ }
 }
 }
diff --git a/thirdparty/rr-full/plugins/ntuser b/thirdparty/rr-full/plugins/ntuser
index 189ee3c33b..6c7f9c2410 100644
--- a/thirdparty/rr-full/plugins/ntuser
+++ b/thirdparty/rr-full/plugins/ntuser
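Review bot: The new Nla\Wireless loop calls `$s->get_value("")->get_data()` without checking that the default value exists, so a subkey with no default value dies with a method call on undef and aborts the rest of `pluginmain`, which starts and ends outside this hunk. The decode is also unvalidated — `unpack("(A2)*")` plus `chr hex` turns any non-hex or odd-length string into NUL and garbage bytes without complaint — and the decoded bytes go straight to `::rptMsg`, so control characters from the hive land in the report unescaped; since the hive is untrusted input, check that the string is well-formed hex and replace non-printables before reporting. The expected layout of the default value is not documented here (presumably a hex string, given the decode), and a one-line comment stating what is expected and what the decoded text represents would help the next reader. The two commented-out Date-column `::rptMsg` lines should be deleted rather than kept as dead code.
```perl
 foreach my $s (@subkeys) {
     my $val = $s->get_value("");
     next unless defined $val;
     my $str = $val->get_data();
     # only an even-length hex string can be decoded; report anything else as-is
     unless (defined $str && $str =~ /^(?:[0-9A-Fa-f]{2})+$/) {
         ::rptMsg($s->get_name().": unexpected data, not decoded");
         next;
     }
     my $new_str = pack("H*", $str);    # same result as the chr/hex map for clean hex
     $new_str =~ s/[^[:print:]]/./g;    # keep control bytes out of the report
     ::rptMsg($new_str);
 }
```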
@@ -1,150 +1,149 @@ -# 20161213 *ALL* Plugins that apply on NTUSER hive, alphabetical order -acmru -adoberdr -aim -aports -appcompatflags -applets -applets_tln -appspecific -ares -arpcache -attachmgr -attachmgr_tln -autoendtasks -autorun -bitbucket_user -brisv -cached -cached_tln -cain -ccleaner -cdstaginginfo -clampi -clampitm -cmdproc -cmdproc_tln -comdlg32 -compdesc -controlpanel -cortana -cpldontload -ddo -decaf -dependency_walker -domains -environment -fileexts -filehistory -gthist -gtwhitelist -haven_and_hearth -identities -iejava -ie_main -ie_settings -ie_zones -internet_explorer_cu -internet_settings_cu -itempos -javafx -kankan -knowndev -latentbot -listsoft -liveContactsGUID -load -logonusername -menuorder -mixer -mixer_tln -mmc -mmc_tln -mmo -mndmru -mndmru_tln -mp2 -mp3 -mpmru -mspaper -muicache -muicache_tln -nero -netassist -ntusernetwork -odysseus -officedocs -officedocs2010 -officedocs2010_tln -oisc -olsearch -osversion -osversion_tln -outlook -outlook2 -policies_u -printermru -printers -privoxy -profiler -proxysettings -publishingwizard -putty -rdphint -reading_locations -realplayer6 -realvnc -recentdocs -recentdocs_tln -reveton -rootkit_revealer -runmru -runmru_tln -sevenzip -shc -shellbags_xp -shellfolders -skype -snapshot_viewer -ssh_host_keys -startmenuinternetapps_cu -startpage -startup -sysinternals -sysinternals_tln -trustrecords -trustrecords_tln -tsclient -tsclient_tln -typedpaths -typedpaths_tln -typedurls -typedurlstime -typedurlstime_tln -typedurls_tln -unreadmail -urun_tln -userassist -userassist_tln -userinfo -userlocsvc -user_run -user_win -vawtrak -vista_bitbucket -vmplayer -vmware_vsphere_client -vnchooksapplicationprefs -vncviewer -wallpaper -warcraft3 -winlogon_u -winrar -winrar2 -winrar_tln -winscp -winscp_sessions -winvnc -winzip -wordwheelquery -yahoo_cu +acmru +adoberdr +ahaha +aim +aports +appassoc +appcompatflags +appkeys +applets +appspecific +ares +arpcache +attachmgr +autoendtasks +autorun +bitbucket_user +brisv +cached 
+cain +ccleaner +cdstaginginfo +clampi +clampitm +cmdproc +comdlg32 +compdesc +controlpanel +cortana +cpldontload +ddo +decaf +dependency_walker +disablemru +domains +environment +eraser +fileexts +filehistory +foxitrdr +gthist +gtwhitelist +haven_and_hearth +identities +iejava +ie_main +ie_settings +ie_zones +imgburn1 +internet_explorer_cu +internet_settings_cu +itempos +javafx +jumplistdata +kankan +knowndev +latentbot +listsoft +liveContactsGUID +load +logonstats +logonusername +menuorder +mixer +mmc +mmo +mndmru +mp2 +mp3 +mpmru +mspaper +muicache +mzthunderbird +nation +nero +netassist +ntusernetwork +odysseus +officedocs +officedocs2010 +officedocs2010_tln +oisc +olsearch +osversion +outlook +outlook2 +policies_u +printermru +printers +privoxy +profiler +proxysettings +pslogging +publishingwizard +putty +putty_sessions +rdphint +reading_locations +realplayer6 +realvnc +recentapps +recentdocs +recentdocs_timeline +reveton +rootkit_revealer +runmru +searchscopes +sevenzip +shc +shellactivities +shellbags_xp +shellfolders +skype +snapshot_viewer +ssh_host_keys +startmenuinternetapps_cu +startpage +startup +sysinternals +thunderbirdinstalled +trustrecords +tsclient +typedpaths +typedurls +typedurlstime +uninstall +unreadmail +userassist +userinfo +userlocsvc +user_run +user_win +utorrent +vawtrak +vista_bitbucket +vmplayer +vmware_vsphere_client +vnchooksapplicationprefs +vncviewer +wallpaper +warcraft3 +winlogon_u +winrar +winrar2 +winscp +winscp_sessions +winvnc +winzip +wordwheelquery +yahoo_cu diff --git a/thirdparty/rr-full/plugins/photos_win10.pl b/thirdparty/rr-full/plugins/photos_win10.pl new file mode 100644 index 0000000000..87d062a2b7 --- /dev/null +++ b/thirdparty/rr-full/plugins/photos_win10.pl 
@@ -0,0 +1,191 @@ +#----------------------------------------------------------- +# photos_win10.pl +# Plugin for RegRipper +# +# Parses Microsoft Photos (Windows App) key: +# - USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Photos_8wekyb3d8bbwe +# +# On a live machine, the key path is: +# - HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Photos_8wekyb3d8bbwe +# +# The script was tested on Windows 10 against: +# - Microsoft.Windows.Photos_2017.37071.16410.0_x64__8wekyb3d8bbwe +# - Microsoft.Windows.Photos_2018.18022.15810.1000_x64__8wekyb3d8bbwe +# +# The script code is based on: +# - adoberdr.pl/landesk.pl/photos.pl by H. Carvey +# - iexplore.pl by E. Rye esten@ryezone.net +# http://www.ryezone.net/regripper-and-internet-explorer-1 +# +# Change history +# 20180610 - First release +# +# To Dos +# Extract value name "Link" +# +# References +# https://forensenellanebbia.blogspot.com/2018/06/usrclassdat-stores-more-history-than.html +# https://df-stream.com/2013/03/windows-8-tracking-opened-photos/ +# +# copyright 2018 Gabriele Zambelli | Twitter: @gazambelli +#----------------------------------------------------------- + +package photos_win10; +use strict; + +my %config = (hive => "USRCLASS\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20180610); + +sub getShortDescr { return "Get values from the user's Microsoft Photos Windows App key"; } + +sub getDescr {} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my (@ts,$d); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::rptMsg("photos_win10 v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + # First, let's find out which version of Microsoft Photos is 
installed + my $version; + my $tag = 0; + my @globalitems = (); + my $key_path = "Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Schemas"; + my $key = $root_key->get_subkey($key_path); + if (defined($key)) { + my %vals = getKeyValues($key); + foreach my $v (keys %vals) { + if ($v =~ m/^PackageFullName/) { + #Version of Microsoft Photos App + ::rptMsg($key_path); + ::rptMsg(" PackageFullName => ".($vals{$v})); + $tag = 1; + } + } + } + else { + ::rptMsg($key_path." not found."); + } + + + #Print SubKey, Last Write Time, Viewed Picture + if ($tag) { + my $key_path = "Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\PersistedStorageItemTable\\ManagedByApp"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my %vals = getKeyValues($key); + if (scalar(keys %vals) > 0) { + foreach my $v (keys %vals) { + ::rptMsg("\t".$v." -> ".$vals{$v}); + } + } + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + ::rptMsg(""); + ::rptMsg($key_path); + foreach my $s (@sk) { + ::rptMsg(""); + ::rptMsg(" ".$s->get_name()); + ::rptMsg(" KeyLastWrite : ".gmtime($s->get_timestamp())." (UTC)"); + my %vals = getKeyValues($s); + foreach my $v (keys %vals) { + if ($v =~ m/^Metadata/) { + #Metadata contains the path to the viewed picture + ::rptMsg(" Metadata : ".$vals{$v}); + } + if ($v =~ m/^LastUpdatedTime/) { + #LastUpdatedTime + @ts = unpack("VV",$s->get_value($v)->get_data()); + ::rptMsg(" LastUpdatedTime: ".gmtime(::getTime($ts[0],$ts[1]))." (UTC)"); + } + } + } + } + else { + ::rptMsg(""); + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." 
not found."); + } + } + + #Print Viewed Picture | Write Time + if ($tag) { + my $key_path = "Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\PersistedStorageItemTable\\ManagedByApp"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my %vals = getKeyValues($key); + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + ::rptMsg(""); + ::rptMsg(""); + ::rptMsg("## Microsoft Photos (Windows App): Recent Files ## (Tab-separated values)"); + ::rptMsg(""); + my @sitems; #create new array for sorted items + foreach my $s (@sk) { + my %vals = getKeyValues($s); + foreach my $v (keys %vals) { + if ($v =~ m/^Metadata/) { + if ($vals{$v} =~ m/^. /) { #find single character followed by a space at the beginning of the string + my $sd; #single digit + $sd = substr($vals{$v},0,1); + $vals{$v} =~ s/^. / $sd /g; #change from "^\. " to "^ \. ", Microsoft Photos 2018 prepends a number in front of the path + push @sitems, ($vals{$v}."\t".gmtime($s->get_timestamp())); + } + elsif ($vals{$v} =~ m/^.. /) { #find two characters followed by a space at the beginning of the string + push @sitems, ($vals{$v}."\t".gmtime($s->get_timestamp())); + } + else { + ::rptMsg($vals{$v}."\t KeyLastWrite: ".gmtime($s->get_timestamp())." (UTC)"); + } + } + } + } + if (scalar(@sitems) > 0) { + #sort alphabetically the items in the array + ::rptMsg("Metadata\tKeyLastWrite (UTC)"); #print header row + foreach my $item (sort @sitems){ + ::rptMsg($item); + } + } + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + } +} + +sub getKeyValues { + my $key = shift; + my %vals; + my @vk = $key->get_list_of_values(); + if (scalar(@vk) > 0) { + foreach my $v (@vk) { + next if ($v->get_name() eq "" && $v->get_data() eq ""); + $vals{$v->get_name()} = $v->get_data(); + } + } + else { + } + return %vals; +} + +1; \ No newline at end of file 
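Review bot: The `LastUpdatedTime` branch in the first `if ($tag)` block unpacks `"VV"` from the value data without checking that it is 8 bytes, so a truncated or non-binary value hands undefs to `::getTime` and is presumably reported as a 1970 epoch rather than as malformed; guard it with `next unless (length($s->get_value($v)->get_data()) == 8);` before the unpack. The `ManagedByApp` key is then opened and its subkeys walked a second time in the second `if ($tag)` block, whose `%vals` on the parent key is computed and never used; collecting `@sitems` during the first walk would remove the duplicated `$key_path` constant and the second hive traversal. `my (@ts,$d);` at file scope also makes `@ts` a package-wide mutable shared across calls and leaves `$d` unused; declare `@ts` inside the loop where it is filled.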
diff --git a/thirdparty/rr-full/plugins/pslogging.pl b/thirdparty/rr-full/plugins/pslogging.pl new file mode 100644 index 0000000000..d44ba6ae9c --- /dev/null +++ b/thirdparty/rr-full/plugins/pslogging.pl 
@@ -0,0 +1,108 @@ +#----------------------------------------------------------- +# pslogging.pl +# +# +# Change history +# 20181209 - created +# +# References +# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableTranscripting +# +# +# Copyright (c) 2018 QAR, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package pslogging; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT, Software", + hasShortDescr => 0, + hasDescr => 1, + hasRefs => 0, + osmask => 22, + category => "config settings", + version => 20181209); +my $VERSION = getVersion(); + +# Functions # +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getDescr {} +sub getShortDescr { + return "Extracts PowerShell logging settings"; +} +sub getRefs {} + +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + + # Initialize # + ::logMsg("Launching pslogging v.".$VERSION); + ::rptMsg("pslogging v.".$VERSION); + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + + my @paths = ("Software\\Policies\\Microsoft\\Windows\\PowerShell", + "Policies\\Microsoft\\Windows\\PowerShell"); + + foreach my $key_path (@paths) { + if ($key = $root_key->get_subkey($key_path)) { + +# Execution Policy + eval { + my $e_s = $key->get_value("EnableScripts")->get_data(); + ::rptMsg(" EnableScripts = ".$e_s); + }; + + eval { + my $e_p = $key->get_value("ExecutionPolicy")->get_data(); + ::rptMsg(" ExecutionPolicy = ".$e_p); + }; + +# Module Logging + eval { + my $ml = $key->get_subkey("ModuleLogging")->get_value("EnableModuleLogging")->get_data(); + ::rptMsg(" ModuleLogging, EnableModuleLogging = ".$ml); + }; + +# ScriptBlock Logging + eval { + my $sbl = 
$key->get_subkey("ScriptBlockLogging")->get_value("EnableScriptBlockLogging")->get_data(); + ::rptMsg(" ScriptBlockLogging, EnableScriptBlockLogging = ".$sbl); + }; + + eval { + my $sbil = $key->get_subkey("ScriptBlockLogging")->get_value("EnableScriptBlockInvocationLogging")->get_data(); + ::rptMsg(" ScriptBlockLogging, EnableScriptBlockInvocationLogging = ".$sbil); + }; +# Transcription + eval { + my $t_enable = $key->get_subkey("Transcription")->get_value("EnableTranscripting")->get_data(); + ::rptMsg(" Transcription, EnableTranscripting = ".$t_enable); + }; + + eval { + my $t_out = $key->get_subkey("Transcription")->get_value("OutputDirectory")->get_data(); + ::rptMsg(" Transcription, OutputDirectory = ".$t_out); + }; + + eval { + my $t_eih = $key->get_subkey("Transcription")->get_value("EnableInvocationHeader")->get_data(); + ::rptMsg(" Transcription, EnableInvocationHeader = ".$t_eih); + }; + + } + else { + ::rptMsg($key_path." not found."); + } + } +} + +1; diff --git a/thirdparty/rr-full/plugins/rdphint.pl b/thirdparty/rr-full/plugins/rdphint.pl index dc43c11ab4..13a5458159 100644 --- a/thirdparty/rr-full/plugins/rdphint.pl +++ b/thirdparty/rr-full/plugins/rdphint.pl @@ -7,7 +7,7 @@ package rdphint; use strict; -my %config = (hive => "NTUSER", +my %config = (hive => "NTUSER\.DAT", osmask => 22, hasShortDescr => 1, hasDescr => 0, diff --git a/thirdparty/rr-full/plugins/reading_locations.pl b/thirdparty/rr-full/plugins/reading_locations.pl index a95d9e1927..5344120c30 100644 --- a/thirdparty/rr-full/plugins/reading_locations.pl +++ b/thirdparty/rr-full/plugins/reading_locations.pl @@ -4,6 +4,7 @@ # # Change history # 20140130 - created +# 20190211 - added "paragraphID" int to hex conversion # # References # http://dfstream.blogspot.com/2014/01/ms-word-2013-reading-locations.html 
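Review bot: Every value read in pslogging.pl is wrapped in a bare `eval` with no `$@` handling, so a missing value produces no output at all and the report cannot distinguish "logging explicitly disabled" (value present and 0) from "policy never set" (value absent), which is exactly the distinction an analyst needs when deciding whether someone turned ScriptBlock or transcription logging off. Add a not-found line after each eval, as sbs.pl in this same change does: `::rptMsg(" ScriptBlockLogging, EnableScriptBlockLogging value not found.") if ($@);`. Reporting the key's own LastWrite time, `::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");`, would also date any change to the logging policy. Separately, `%config` sets `hasShortDescr => 0, hasDescr => 1` while `getDescr` is empty and `getShortDescr` carries the text, which looks inverted.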
@@ -66,7 +67,9 @@ sub pluginmain { eval { my $p = $s->get_value("Position")->get_data(); - ::rptMsg("Position: ".$p); + my @ps = split(' ', $p); + my $paraid = sprintf("%X", $ps[0]); + ::rptMsg("Position: ".$p." (ParagraphID: ".$paraid.")"); }; ::rptMsg(""); } diff --git a/thirdparty/rr-full/plugins/recentapps.pl b/thirdparty/rr-full/plugins/recentapps.pl new file mode 100644 index 0000000000..19e44e73f9 --- /dev/null +++ b/thirdparty/rr-full/plugins/recentapps.pl 
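Review bot: The new ParagraphID conversion assumes `Position` is a space-separated string whose first token is a decimal integer; if `$ps[0]` is not numeric, `sprintf("%X", ...)` yields `0` (with a warning under -w) and the report shows a bogus `ParagraphID: 0` next to the raw value. Guard the annotation so it only appears when the token really is a number, e.g. `my $paraid = ($ps[0] =~ /^\d+$/) ? sprintf("%X", $ps[0]) : "n/a";`. pluginmain starts and ends outside the hunk.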
@@ -0,0 +1,83 @@ +#----------------------------------------------------------- +# recentapps.pl +# +# Change history +# 20171013 - created +# +# References +# https://twitter.com/EricRZimmerman/status/916422135987474433 +# +# copyright 2017 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package recentapps; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20171013); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's RecentApps key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching recentapps v.".$VERSION); + ::rptMsg("recentapps v.".$VERSION); # banner + ::rptMsg("- ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Search\\RecentApps'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + eval { + ::rptMsg("AppId : ".$s->get_value("AppId")->get_data()); + my ($t1,$t2) = unpack("VV",$s->get_value("LastAccessedTime")->get_data()); + my $lat = ::getTime($t1,$t2); + ::rptMsg("LastAccessedTime: ".gmtime($lat)." 
UTC"); + ::rptMsg("LaunchCount : ".$s->get_value("LaunchCount")->get_data()); + }; + + if (my $r = $s->get_subkey("RecentItems")) { + ::rptMsg("::RecentItems::"); + my @subkeys2 = $s->get_subkey("RecentItems")->get_list_of_subkeys(); + if (scalar(@subkeys2 > 0)) { + foreach my $r (@subkeys2) { + eval { + ::rptMsg(" Path : ".$r->get_value("Path")->get_data()); + my ($l1,$l2) = unpack("VV",$r->get_value("LastAccessedTime")->get_data()); + my $l = ::getTime($l1,$l2); + ::rptMsg(" LastAccessedTime: ".gmtime($l)." UTC"); + ::rptMsg(""); + }; + } + } + } + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/recentapps_tln.pl b/thirdparty/rr-full/plugins/recentapps_tln.pl new file mode 100644 index 0000000000..3a6740ea2d --- /dev/null +++ b/thirdparty/rr-full/plugins/recentapps_tln.pl 
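Review bot: The first `eval` in the subkey loop prints `AppId`, unpacks `LastAccessedTime` and prints `LaunchCount` as one unit, so when `LastAccessedTime` is absent or short the die inside the eval also suppresses the `LaunchCount` line and nothing tells the reader a value was missing; report `$@` after the eval or split the three reads into separate evals. The `RecentItems` block binds `$r` to the subkey and then immediately shadows it with `foreach my $r (@subkeys2)` while re-calling `$s->get_subkey("RecentItems")` instead of using the handle it just obtained; `my @subkeys2 = $r->get_list_of_subkeys();` with a different inner loop variable reads cleaner. `scalar(@subkeys2 > 0)` is also mis-parenthesised (it takes `scalar` of a boolean) and should be `scalar(@subkeys2) > 0`, as the outer loop writes it.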
@@ -0,0 +1,86 @@ +#----------------------------------------------------------- +# recentapps_tln.pl +# +# Change history +# 20190513 - updated timestamp issue +# 20171013 - created +# +# References +# https://twitter.com/EricRZimmerman/status/916422135987474433 +# +# copyright 2017 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package recentapps_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20190513); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's RecentApps key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching recentapps_tln v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Search\\RecentApps'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $appid; + eval { + my ($t1,$t2) = unpack("VV",$s->get_value("LastAccessedTime")->get_data()); + my $lat = ::getTime($t1,$t2); + $appid = $s->get_value("AppId")->get_data(); + my $launchcount = $s->get_value("LaunchCount")->get_data(); + ::rptMsg($lat."|REG|||".$appid." 
(".$launchcount.")"); + }; + + if (my $r = $s->get_subkey("RecentItems")) { + my @subkeys2 = $s->get_subkey("RecentItems")->get_list_of_subkeys(); + if (scalar(@subkeys2 > 0)) { + foreach my $r (@subkeys2) { + eval { + my $path = $r->get_value("Path")->get_data(); + my ($l1,$l2) = unpack("VV",$r->get_value("LastAccessedTime")->get_data()); + my $l = ::getTime($l1,$l2); +# Update to plugin +# If the LastAccessedTime for a RecentItem entry is 0, get the key LastWrite time instead + if ($l == 0) { + $l = $r->get_timestamp(); + } + + ::rptMsg($l."|REG|||".$appid." RecentItem: ".$path); + }; + } + } + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/revouninstaller.pl b/thirdparty/rr-full/plugins/revouninstaller.pl new file mode 100644 index 0000000000..454fb5fce2 --- /dev/null +++ b/thirdparty/rr-full/plugins/revouninstaller.pl 
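Review bot: The zero-timestamp fallback added for RecentItems is not applied to the application entry itself: `$lat` is written to the timeline unchanged, so an `AppId` with a zero `LastAccessedTime` still produces an epoch-1970 event; for consistency add `$lat = $s->get_timestamp() if ($lat == 0);` before its `rptMsg`. `$appid` is also assigned inside the first eval only after the `LastAccessedTime` unpack, so if that value is missing the eval dies before `$appid` is set and every RecentItem row for that app goes out with an empty AppId field; reading `AppId` first, or skipping the RecentItems block when `$appid` is undef, keeps the timeline rows attributable. The `scalar(@subkeys2 > 0)` parenthesisation from recentapps.pl is repeated here.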
@@ -0,0 +1,94 @@ +#------------------------------------ +# revouninstall.pl +# Plugin for Registry Ripper, NTUSER.DAT - gets the information regarding the +# Revo Unistaller Pro application +# +# Change History: +# 20200329 - Initial Development +# +# References +# +# +# Copyright 2020 Tiago Sousa tsousahs@gmail.com +# ------------------------------------ +package revouninstaller; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20200329); + +sub getConfig { return %config } +sub getShortDescr { + return "Gets the information regarding revo unistaller execution"; +} + +sub getDescr {} +sub getRefs {} +sub getHive { return $config{ hive }; } +sub getVersion { return $config{ version }; } + +my $VERSION = getVersion(); + + +sub pluginmain { + + my $class = shift; + my $ntuser = shift; + + ::logMsg("Lauching revounistall v.".$VERSION); + ::rptMsg("revounistall v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n" ); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + # Browser Run + + my @key_paths = ( + "Software\\VS Revo Group\\Revo Uninstaller Pro\\TrackCleaner\\Browsers", + "Software\\VS Revo Group\\Revo Uninstaller Pro\\TrackCleaner\\Windows", + "Software\\VS Revo Group\\Revo Uninstaller Pro\\TrackCleaner\\MSOffice", + "Software\\VS Revo Group\\Revo Uninstaller Pro\\Uninstaller\\AppBar", + "Software\\VS Revo Group\\Revo Uninstaller Pro\\Uninstaller" + ); + + my $key; + my @vals; + + my @list_of_browsers; + + # Inside the browser key it may have separate sub keys for specific browsers + $key = $root_key->get_subkey( @key_paths[0] ); + @list_of_browsers = $key->get_list_of_subkeys(); + + + foreach $key (@list_of_browsers) { + push(@key_paths,$key_paths[0]."\\".$key->get_name()); + } + + # Remove the Browser key. 
it's not really needed anymore + shift(@key_paths); + + + foreach my $key_path (@key_paths) { + + $key = $root_key->get_subkey( $key_path ); + ::rptMsg("\n\nName:".$key->get_name()); + ::rptMsg("Last Write Time: ".gmtime($key->get_timestamp())." (UTC)\n"); + + my @vals = $key->get_list_of_values(); + + foreach my $v (@vals) { + if ($v->get_data() eq 1) { + ::rptMsg($v->get_name()." : Enabled"); + } elsif ($v->get_data() eq 0){ + ::rptMsg($v->get_name()." : Disabled"); + } else { + ::rptMsg($v->get_name()." : ".$v->get_data()); + } + } + } +} diff --git a/thirdparty/rr-full/plugins/runonceex.pl b/thirdparty/rr-full/plugins/runonceex.pl new file mode 100644 index 0000000000..e7bfd48a72 --- /dev/null +++ b/thirdparty/rr-full/plugins/runonceex.pl 
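Review bot: The plugin has no `1;` at the end, unlike every other plugin in this change, so Perl's `require` of the file fails with "did not return a true value" and the plugin will never load. It also dereferences `get_subkey` results without a defined check — `$root_key->get_subkey( @key_paths[0] )->get_list_of_subkeys()` and `$key->get_name()` in the loop — so on any hive where Revo Uninstaller Pro is not installed the plugin dies instead of printing the `not found` line the other plugins emit, and `@key_paths[0]` is a one-element slice where `$key_paths[0]` is meant. The `eq 1` / `eq 0` string comparisons on `get_data()` are presumably aimed at REG_DWORD values; binary or multi-byte data will not match either branch and falls through to the raw print. The guarded shape would be:
```perl
my $browser_key = $root_key->get_subkey($key_paths[0]);
if (defined $browser_key) {
    foreach my $b ($browser_key->get_list_of_subkeys()) {
        push(@key_paths, $key_paths[0]."\\".$b->get_name());
    }
}
# … unchanged: shift(@key_paths) …
foreach my $key_path (@key_paths) {
    my $key = $root_key->get_subkey($key_path);
    unless (defined $key) {
        ::rptMsg($key_path." not found.");
        next;
    }
    # … unchanged: name, LastWrite and value reporting …
}
# … unchanged: end of pluginmain …
1;
```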
@@ -0,0 +1,85 @@ +#----------------------------------------------------------- +# runonceex +# +# Change history: +# 20190716 - created +# +# Ref: +# https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ +# +# copyright 2019 QAR,LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package runonceex; +use strict; + +my %config = (hive => "Software", + category => "autostart", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20190716); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of RunOnceEx values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::rptMsg("Launching runonceex v.".$VERSION); + ::rptMsg("runonceex v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $key_path = ('Microsoft\\Windows\\CurrentVersion\\RunOnceEx'); + + ::rptMsg("RunOnceEx"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + ::rptMsg($s->get_name()); + ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); + +# Gets values and data + my @vals = $s->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + ::rptMsg($v->get_name()." -> ".$v->get_data()); + } + } + ::rptMsg(""); + +# Check for Depend key + if (my $dep = $s->get_subkey("Depend")) { + my @vals2 = $dep->get_list_of_values(); + if (scalar(@vals2) > 0) { + foreach my $v2 (@vals2) { + ::rptMsg($v2->get_name()." -> ".$v2->get_data()); + } + } + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/sam b/thirdparty/rr-full/plugins/sam index b89d6e6259..e64143aa20 100644 --- a/thirdparty/rr-full/plugins/sam +++ b/thirdparty/rr-full/plugins/sam @@ -1,3 +1 @@ -# 20161213 *ALL* Plugins that apply on SAM hive, alphabetical order -samparse -samparse_tln +samparse diff --git a/thirdparty/rr-full/plugins/sbs.pl b/thirdparty/rr-full/plugins/sbs.pl new file mode 100644 index 0000000000..2b91b2d731 --- /dev/null +++ b/thirdparty/rr-full/plugins/sbs.pl 
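Review bot: The launch line uses `::rptMsg("Launching runonceex v.".$VERSION);` where the other plugins in this change use `::logMsg`, so the report carries the banner twice; change it to `::logMsg(...)`. The parent `RunOnceEx` key's own LastWrite time is never reported, only each subkey's, yet it is the timestamp that moves when an entry is added or removed — add `::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");` after `::rptMsg($key_path);`. Since the cited reference presents this key as a persistence location that autoruns.exe does not enumerate, a one-line comment on the `Depend` block noting that, per the reference, its values name DLLs loaded when the entry runs would help an analyst reading the output; and if RunOnceEx is also reflected under `Wow6432Node` (not verified here, but sbs.pl in this change walks both paths) the same two-path loop would apply.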
@@ -0,0 +1,69 @@ +#----------------------------------------------------------- +# sbs +# +# +# References +# http://www.hexacorn.com/blog/2017/12/29/beyond-good-ol-run-key-part-69/ +# +# History: +# 20180101 - created +# +# copyright 2018 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package sbs; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20180101); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets PreferExternalManifest value"; +} +sub getDescr{} +sub getRefs { + my %refs = (); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching sbs v.".$VERSION); + ::rptMsg("sbs v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# used a list of values to address the need for parsing the App Paths key +# in the Wow6432Node key, if it exists. + my @paths = ("Microsoft\\Windows\\CurrentVersion\\SideBySide", + "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide"); + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("SBS"); + ::rptMsg($key_path); + ::rptMsg(""); + + my $sbs; + eval { + $sbs = $key->get_value("SideBySide")->get_data(); + ::rptMsg("SideBySide = ".$sbs); + }; + ::rptMsg("SideBySide value not found.") if ($@); + } + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/searchscopes.pl b/thirdparty/rr-full/plugins/searchscopes.pl new file mode 100644 index 0000000000..8b8eecc9c0 --- /dev/null +++ b/thirdparty/rr-full/plugins/searchscopes.pl 
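Review bot: The value looked up is `$key->get_value("SideBySide")` — a value named SideBySide under the SideBySide key — which contradicts both `getShortDescr` ("Gets PreferExternalManifest value") and the hexacorn reference the plugin cites, so as written the plugin will almost always print "SideBySide value not found." and never surface the setting it exists to find; the lookup and the message should presumably be `$key->get_value("PreferExternalManifest")`. The comment above `@paths` still talks about "the App Paths key" and was copied from another plugin. Reporting the key LastWrite time next to the value would also date when the setting was changed, which matters because, as the reference describes, enabling external manifests lets a planted .manifest redirect which DLLs an application loads.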
@@ -0,0 +1,73 @@ +#----------------------------------------------------------- +# searchscopes.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# ACMru values +# +# Change history +# 20180406 - created (per request submitted by John McCash) +# +# References +# https://www.online-tech-tips.com/internet-explorer-tips/change-default-search-engine-ie/ +# +# copyright 2018 QAR, LLC +# author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package searchscopes; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20180406); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's SearchScopes key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching searchscopes v.".$VERSION); + ::rptMsg("searchscopes v.".$VERSION); # banner + ::rptMsg("- ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Internet Explorer\\SearchScopes'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("SearchScopes"); + ::rptMsg($key_path); + ::rptMsg("DefaultScope: ".$key->get_value("DefaultScope")->get_data()); + ::rptMsg(""); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]"); + eval { + ::rptMsg ("DisplayName: ".$s->get_value("DisplayName")->get_data()); + }; + + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file 
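Review bot: `$key->get_value("DefaultScope")->get_data()` is called unguarded, so a SearchScopes key without a `DefaultScope` value makes the plugin die with a method-on-undef error instead of reporting; wrap it in an `eval` with a not-found message, as the `DisplayName` read below it already is. Each scope's `URL` value, where present, is what actually shows where the user's searches were being sent and is the value a search hijacker rewrites, so it is worth emitting next to `DisplayName` under the same eval guard. The header comment "gets the ACMru values" is copied from acmru.pl and should describe SearchScopes.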
diff --git a/thirdparty/rr-full/plugins/security b/thirdparty/rr-full/plugins/security index 628ca1c876..a2677d5903 100644 --- a/thirdparty/rr-full/plugins/security +++ b/thirdparty/rr-full/plugins/security @@ -1,8 +1,5 @@ -# 20161213 *ALL* Plugins that apply on SECURITY hive, alphabetical order -auditpol -auditpol_xp -lsasecrets -polacdms -secrets -secrets_tln -securityproviders +auditpol +auditpol_xp +lsasecrets +polacdms +secrets diff --git a/thirdparty/rr-full/plugins/shc.pl b/thirdparty/rr-full/plugins/shc.pl index f43e82dce3..bb3fa0e5ac 100644 --- a/thirdparty/rr-full/plugins/shc.pl +++ b/thirdparty/rr-full/plugins/shc.pl @@ -3,8 +3,14 @@ # This key may have something to do with the Start Menu Cache - nothing # definitive yet. # +# In my tests *some* installers/applications populate this key on *some* systems +# and Windows shows *some* of these items as "Recently Installed" at the top of +# the start menu. More research is still needed. -Keith Twombley +# ktwombley@gmail.com +# # Change history # 20130412 - created - IN PROCESS; NOT COMPLETE +# 20190305 - updated - outputs entries from shc # # # References @@ -26,7 +32,7 @@ my %config = (hive => "NTUSER\.DAT", hasDescr => 0, hasRefs => 0, osmask => 32, #Windows 8 - version => 20130412); + version => 20190305); sub getConfig{return %config} sub getShortDescr { @@ -57,9 +63,16 @@ sub pluginmain { my @vals = $key->get_list_of_values(); if (scalar(@vals) > 0) { + my %shc; + foreach my $v (@vals) { - - + my $name = $v->get_name(); + my $data = $v->get_data(); + $shc{$name} = $data + } + + foreach my $u (sort {$a <=> $b} keys %shc) { + ::rptMsg(" ".$u." -> ".$shc{$u}); } } else { diff --git a/thirdparty/rr-full/plugins/shellactivities.pl b/thirdparty/rr-full/plugins/shellactivities.pl new file mode 100644 index 0000000000..8b16917536 --- /dev/null +++ b/thirdparty/rr-full/plugins/shellactivities.pl 
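Review bot: In the `@@ -57,9 +63,16 @@` hunk of shc.pl, `sort {$a <=> $b} keys %shc` compares value names numerically, which is right only if the names are numeric indices — something the plugin header itself says is still unconfirmed — and any non-numeric name compares as 0 (with a warning under -w), giving an arbitrary order. `sort { $a <=> $b || $a cmp $b } keys %shc` keeps numeric order where it applies and degrades to string order otherwise. `$shc{$name} = $data` is also missing its trailing semicolon; Perl accepts it before `}` but it breaks the moment a line is added after it. pluginmain starts and ends outside the hunk.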
@@ -0,0 +1,238 @@ +#----------------------------------------------------------- +# shellactivities.pl +# +# +# Change history +# 20180709 - updated +# 20180611 - created (per request submitted by John McCash) +# +# References +# https://twitter.com/gazambelli/status/1005170301355864065 +# +# copyright 2018 QAR, LLC +# author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package shellactivities; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20180709); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's ShellActivities key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching shellactivities v.".$VERSION); + ::rptMsg("shellactivities v.".$VERSION); + ::rptMsg("- ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\CloudStore\\Store\\Cache\\DefaultAccount\\$$windows.data.taskflow.shellactivities\\Current'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Key LastWrite: ".gmtime($key->get_timestamp())); + eval { + my $data = $key->get_value("Data")->get_data(); + processShellActivities($data); + }; + } + else { + ::rptMsg($key_path." not found."); + } +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub processShellActivities { + my $data = shift; + my $sz = length($data); + my $count = 0; + my $offset = 4; + my ($l,$tag,$str); + my ($t0,$t1) = unpack("VV",substr($data,$offset,8)); + ::rptMsg("Time stamp: ".gmtime(::getTime($t0,$t1))." 
Z"); + ::rptMsg(""); + + while ($offset < ($sz - 10)) { +# Code to locate the appropriate identifier + $tag = 1; + while ($tag) { + if (unpack("v",substr($data,$offset,2)) == 0x14d2) { + $tag = 0; + } + else { + $offset++; + } + } + + $offset += 2; + $l = unpack("C",substr($data,$offset,1)); +# ::rptMsg("String Length: ".sprintf "0x%x",$l); + $offset += 1; + $str = substr($data,$offset,$l * 2); + $str =~ s/\00//g; + ::rptMsg("Path: ".$str); + $offset += $l * 2; + + $tag = 1; + while ($tag) { + if (unpack("v",substr($data,$offset,2)) == 0x23d2) { + $tag = 0; + } + else { + $offset++; + } + } + + $offset += 2; + $l = unpack("C",substr($data,$offset,1)); + $offset += 1; + $str = substr($data,$offset,$l * 2); + $str =~ s/\00//g; +# ::rptMsg($str); + $offset += $l * 2; + + $tag = 1; + while ($tag) { + if (unpack("v",substr($data,$offset,2)) == 0x28d2) { + $tag = 0; + } + else { + $offset++; + } + } + + $offset += 2; + $l = unpack("C",substr($data,$offset,1)); + $offset += 1; + $str = substr($data,$offset,$l * 2); + $str =~ s/\00//g; + ::rptMsg("Window Title: ".$str); + $offset += $l * 2; + + $tag = 1; + while ($tag) { + if (unpack("v",substr($data,$offset,2)) == 0x32c6) { + $tag = 0; + } + else { + $offset++; + } + } + + $offset += 3; +# probe(substr($data,$offset,8)); + ($t0,$t1) = unpack("VV",substr($data,$offset,8)); +# ::rptMsg("Time 1: ".gmtime(::getTime($t0,$t1))." Z"); + + $tag = 1; + while ($tag) { + if (unpack("v",substr($data,$offset,2)) == 0x3cc6) { + $tag = 0; + } + else { + $offset++; + } + } + + $offset += 3; +# probe(substr($data,$offset,8)); + ($t0,$t1) = unpack("VV",substr($data,$offset,8)); +# ::rptMsg("Time 2: ".gmtime(::getTime($t0,$t1))." 
Z"); + $offset += 8; + + $count++; + ::rptMsg(""); + } + ::rptMsg("Total Count: ".$count); +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- + + +#----------------------------------------------------------- +# +#----------------------------------------------------------- + + +#----------------------------------------------------------- +# probe() +# +# Code the uses printData() to insert a 'probe' into a specific +# location and display the data +# +# Input: binary data of arbitrary length +# Output: Nothing, no return value. Displays data to the console +#----------------------------------------------------------- +sub probe { + my $data = shift; + my @d = printData($data); + ::rptMsg(""); + foreach (0..(scalar(@d) - 1)) { + ::rptMsg($d[$_]); + } + ::rptMsg(""); +} + +#----------------------------------------------------------- +# printData() +# subroutine used primarily for debugging; takes an arbitrary +# length of binary data, prints it out in hex editor-style +# format for easy debugging +# +# Usage: see probe() +#----------------------------------------------------------- +sub printData { + my $data = shift; + my $len = length($data); + + my @display = (); + + my $loop = $len/16; + $loop++ if ($len%16); + + foreach my $cnt (0..($loop - 1)) { +# How much is left? + my $left = $len - ($cnt * 16); + + my $n; + ($left < 16) ? ($n = $left) : ($n = 16); + + my $seg = substr($data,$cnt * 16,$n); + my $lhs = ""; + my $rhs = ""; + foreach my $i ($seg =~ m/./gs) { +# This loop is to process each character at a time. + $lhs .= sprintf(" %02X",ord($i)); + if ($i =~ m/[ -~]/) { + $rhs .= $i; + } + else { + $rhs .= "."; + } + } + $display[$cnt] = sprintf("0x%08X %-50s %s",$cnt,$lhs,$rhs); + } + return @display; +} + + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/shellbags.pl b/thirdparty/rr-full/plugins/shellbags.pl index d8e770471e..f4400cb4f0 100644 
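Review bot: Each of the five marker scans in `processShellActivities` (`while ($tag) { if (unpack("v",substr($data,$offset,2)) == 0x14d2) ... else { $offset++; } }`) has no upper bound: once `$offset` runs past the end of `$data`, `substr` returns undef, the comparison is false and the loop increments forever, so a truncated or malformed `Data` value — which comes straight from the hive under analysis — hangs the whole RegRipper run; the outer `$offset < ($sz - 10)` condition does not protect the inner scans, and `$offset += $l * 2` can push past `$sz` before the next one. Pull the scan into a bounded helper and leave the outer `while` when a marker is absent. The `probe`/`printData` debugging helpers are shipped but never called, and `$str =~ s/\00//g` on UTF-16LE data drops every NUL byte, which mangles any non-ASCII character in the path or window title.
```perl
# Scan forward for a little-endian 16-bit marker; returns the offset of the
# marker, or undef if it is not found before the end of the blob.
sub findMarker {
    my ($data, $offset, $marker) = @_;
    my $sz = length($data);
    while ($offset + 2 <= $sz) {
        return $offset if (unpack("v",substr($data,$offset,2)) == $marker);
        $offset++;
    }
    return undef;
}
# … in processShellActivities, each marker scan becomes:
        $offset = findMarker($data, $offset, 0x14d2);
        last unless (defined $offset);
        $offset += 2;
# … unchanged: length byte, string extraction, remaining scans (0x23d2, 0x28d2, 0x32c6, 0x3cc6) …
```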
--- a/thirdparty/rr-full/plugins/shellbags.pl +++ b/thirdparty/rr-full/plugins/shellbags.pl @@ -394,6 +394,7 @@ sub parseVariableEntry { while($t) { my $sz = unpack("V",substr($stuff,$cnt,4)); my $id = unpack("V",substr($stuff,$cnt + 4,4)); + return %item unless (defined $sz); #-------------------------------------------------------------- # sub-segment types # 0x0a - file name @@ -454,6 +455,7 @@ sub parseVariableEntry { my $t = 1; while ($t) { my $i = substr($data,$o,1); + return %item unless (defined $i); if ($i =~ m/\00/) { $t = 0; } @@ -792,6 +794,7 @@ sub parseFolderEntry { my $str = ""; while($tag) { my $s = substr($data,$ofs_shortname + $cnt,1); + return %item unless (defined $s); if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { $tag = 0; } @@ -807,7 +810,9 @@ sub parseFolderEntry { my $tag = 1; my $cnt = 0; while ($tag) { - if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) { + my $s = substr($data,$ofs + $cnt,2); + return %item unless (defined $s); + if (unpack("v",$s) == 0xbeef) { $tag = 0; } else { @@ -911,7 +916,9 @@ sub parseFolderEntry2 { my $tag = 1; while ($tag) { - if (unpack("v",substr($data,$ofs,2)) == 0xbeef) { + my $s = substr($data,$ofs,2); + return %item unless (defined $s); + if (unpack("v",$s) == 0xbeef) { $tag = 0; } else { @@ -1012,6 +1019,7 @@ sub shellItem0x52 { while ($tag) { $d = substr($data,0x32 + $cnt,2); + return %item unless (defined $d); if (unpack("v",$d) == 0) { $tag = 0; } diff --git a/thirdparty/rr-full/plugins/shellbags_test.pl b/thirdparty/rr-full/plugins/shellbags_test.pl index 2c4e7bda3d..7ff3a5a4d5 100644 --- a/thirdparty/rr-full/plugins/shellbags_test.pl +++ b/thirdparty/rr-full/plugins/shellbags_test.pl @@ -2,7 +2,7 @@ # shellbags_test.pl # # -# License: GPL v3 +# # copyright 2012 Quantum Analytics Research, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- 
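Review bot: The new `return %item unless (defined $sz)` / `(defined $s)` / `(defined $d)` guards work only because `substr` past the end of the string returns undef (and a short `unpack("V", ...)` returns nothing), i.e. they detect the overrun after the read has already happened and, under -w, after a "substr outside of string" warning has been logged for every shellbag that ends early. An explicit bound check before the read — `return %item if ($cnt + 8 > length($stuff));` ahead of the `$sz`/`$id` unpacks, and `return %item if ($ofs + $cnt + 2 > length($data));` ahead of the 0xbeef scans — states the intent and is warning-free. The `$cnt += $sz` advance and any `$sz == 0` handling are outside the first hunk, so I cannot confirm from here that a zero-length sub-segment terminates that loop. The enclosing subs all start and end outside the hunks.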
@@ -358,7 +358,7 @@ sub parseFolderItem { my $str = ""; while($tag) { my $s = substr($data,$ofs_shortname + $cnt,1); - return %item unless (defined $s); + return %item unless (defined $s); if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) { $tag = 0; } @@ -374,8 +374,8 @@ sub parseFolderItem { $tag = 1; $cnt = 0; while ($tag) { - my $s = substr($data,$ofs + $cnt,2); - return %item unless (defined $s); + my $s = substr($data,$ofs + $cnt,2); + return %item unless (defined $s); if (unpack("v",$s) == 0xbeef) { $tag = 0; } diff --git a/thirdparty/rr-full/plugins/shellbags_tln.pl b/thirdparty/rr-full/plugins/shellbags_tln.pl index bbbd3fe309..f953b1afbf 100644 --- a/thirdparty/rr-full/plugins/shellbags_tln.pl +++ b/thirdparty/rr-full/plugins/shellbags_tln.pl @@ -3,6 +3,7 @@ # RR plugin to parse (Vista, Win7/Win2008R2) shell bags # # History: +# 20180702 - code updates, including to parseGUID() function # 20120810 - added support for parsing Network types; added handling of # offsets for Folder types (ie, transition to long name offset), # based on OS version (Vista, Win7); tested against one Win2008R2 @@ -26,7 +27,7 @@ # Moore for writing the shell bag parser for Registry Decoder, as well as # assistance with some parsing. # -# License: GPL v3 +# # copyright 2012 Quantum Analytics Research, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- @@ -42,12 +43,12 @@ my %config = (hive => "USRCLASS\.DAT", hasShortDescr => 1, hasDescr => 0, hasRefs => 0, - version => 20120810); + version => 20180702); sub getConfig{return %config} sub getShortDescr { - return "Shell/BagMRU traversal in Win7 USRCLASS.DAT hives"; + return "Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives"; } sub getDescr{} sub getRefs {} 
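Review bot: `"USRCLASS\.DAT"` in the new `getShortDescr` return value (and the matching `hive => "USRCLASS\.DAT"` in the context above it) is a double-quoted string, not a regex, so `\.` is an unrecognized escape that Perl passes through as a plain `.` and flags with a warning under `use warnings`. The previous `return "Shell/BagMRU traversal in Win7 USRCLASS.DAT hives";` was already correct and can simply be kept.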
@@ -84,6 +85,7 @@ my %cp_guids = ("{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}" => "Action Center", "{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}" => "Internet Options", "{a304259d-52b8-4526-8b1a-a1d6cecc8243}" => "iSCSI Initiator", "{725be8f7-668e-4c7b-8f90-46bdb0936430}" => "Keyboard", + "{bf782cc9-5a52-4a17-806c-2a894ffeeac5}" => "Language Settings", "{e9950154-c418-419e-a90a-20c5287ae24b}" => "Location and Other Sensors", "{1fa9085f-25a2-489b-85d4-86326eedcd87}" => "Manage Wireless Networks", "{6c8eec18-8d75-41b2-a177-8831d59d2d50}" => "Mouse", @@ -356,7 +358,7 @@ sub parseVariableEntry { while($tag) { my $sz = unpack("V",substr($stuff,$cnt,4)); my $id = unpack("V",substr($stuff,$cnt + 4,4)); - return %item unless (defined $sz); + return %item unless (defined $sz); #-------------------------------------------------------------- # sub-segment types # 0x0a - file name @@ -372,7 +374,7 @@ sub parseVariableEntry { my $num = unpack("V",substr($stuff,$cnt + 13,4)); my $str = substr($stuff,$cnt + 13 + 4,($num * 2)); - $str =~ s/\x00//g; + $str =~ s/\00//g; $item{name} = $str; } $cnt += $sz; @@ -386,8 +388,8 @@ sub parseVariableEntry { # while($tag) { # my $sz = unpack("V",substr($stuff,$cnt,4)); # my $id = unpack("V",substr($stuff,$cnt + 4,4)); +# return %item unless (defined $sz); # -# return %item unless (defined $sz); # if ($sz == 0x00) { # $tag = 0; # next; @@ -396,7 +398,7 @@ sub parseVariableEntry { # # my $num = unpack("V",substr($stuff,$cnt + 13,4)); # my $str = substr($stuff,$cnt + 13 + 4,($num * 2)); -# $str =~ s/\x00//g; +# $str =~ s/\00//g; # $item{name} = $str; # } # $cnt += $sz; 
@@ -410,12 +412,12 @@ sub parseVariableEntry { elsif ($tag == 0x7b || $tag == 0xbb || $tag == 0xfb) { my ($sz1,$sz2,$sz3) = unpack("VVV",substr($data,0x3e,12)); $item{name} = substr($data,0x4a,$sz1 * 2); - $item{name} =~ s/\x00//g; + $item{name} =~ s/\00//g; } elsif ($tag == 0x02 || $tag == 0x03) { my ($sz1,$sz2,$sz3,$sz4) = unpack("VVVV",substr($data,0x26,16)); $item{name} = substr($data,0x36,$sz1 * 2); - $item{name} =~ s/\x00//g; + $item{name} =~ s/\00//g; } else { $item{name} = "Unknown Type"; @@ -432,7 +434,7 @@ sub parseNetworkEntry { my %item = (); $item{type} = unpack("C",substr($data,2,1)); - my @n = split(/\x00/,substr($data,4,length($data) - 4)); + my @n = split(/\00/,substr($data,4,length($data) - 4)); $item{name} = $n[0]; return %item; } @@ -449,13 +451,13 @@ sub parseZipSubFolderItem { # Get the opened/accessed date/time $item{datetime} = substr($data,0x24,6); - $item{datetime} =~ s/\x00//g; + $item{datetime} =~ s/\00//g; if ($item{datetime} eq "N/A") { } else { $item{datetime} = substr($data,0x24,40); - $item{datetime} =~ s/\x00//g; + $item{datetime} =~ s/\00//g; my ($date,$time) = split(/\s+/,$item{datetime},2); my ($mon,$day,$yr) = split(/\//,$date,3); my ($hr,$min,$sec) = split(/:/,$time,3); @@ -468,9 +470,9 @@ sub parseZipSubFolderItem { my $sz2 = unpack("V",substr($data,0x58,4)); my $str1 = substr($data,0x5C,$sz *2) if ($sz > 0); - $str1 =~ s/\x00//g; + $str1 =~ s/\00//g; my $str2 = substr($data,0x5C + ($sz * 2),$sz2 *2) if ($sz2 > 0); - $str2 =~ s/\x00//g; + $str2 =~ s/\00//g; if ($sz2 > 0) { $item{name} = $str1."\\".$str2; @@ -509,10 +511,10 @@ sub parseURIEntry { my $sz = unpack("V",substr($data,0x2a,4)); my $uri = substr($data,0x2e,$sz); - $uri =~ s/\x00//g; + $uri =~ s/\00//g; my $proto = substr($data,length($data) - 6, 6); - $proto =~ s/\x00//g; + $proto =~ s/\00//g; $item{name} = $proto."://".$uri; 
@@ -562,26 +564,81 @@ sub parseGUID { my $d3 = unpack("v",substr($data,6,2)); my $d4 = unpack("H*",substr($data,8,2)); my $d5 = unpack("H*",substr($data,10,6)); - return sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3; + return sprintf "{%08x-%04x-%04x-$d4-$d5}",$d1,$d2,$d3; } +#----------------------------------------------------------- +# +#----------------------------------------------------------- +#sub parseDeviceEntry { +# my $data = shift; +# my %item = (); +# +# my $userlen = unpack("V",substr($data,30,4)); +# my $devlen = unpack("V",substr($data,34,4)); +# +# my $user = substr($data,0x28,$userlen * 2); +# $user =~ s/\00//g; +# +# my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2); +# $dev =~ s/\00//g; +# +# $item{name} = $user; +# return %item; +#} + #----------------------------------------------------------- # #----------------------------------------------------------- sub parseDeviceEntry { my $data = shift; my %item = (); + + my $ofs = unpack("v",substr($data,4,2)); + my $tag = unpack("V",substr($data,6,4)); - my $userlen = unpack("V",substr($data,30,4)); - my $devlen = unpack("V",substr($data,34,4)); - - my $user = substr($data,0x28,$userlen * 2); - $user =~ s/\x00//g; - - my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2); - $dev =~ s/\x00//g; - - $item{name} = $user; +#----------------------------------------------------- +# DEBUG +# ::rptMsg("parseDeviceEntry, tag = ".$tag); +#----------------------------------------------------- + if ($tag == 0) { + my $guid1 = parseGUID(substr($data,$ofs + 6,16)); + my $guid2 = parseGUID(substr($data,$ofs + 6 + 16,16)); + $item{name} = $guid1."\\".$guid2 + } + elsif ($tag == 2) { + $item{name} = substr($data,0x0a,($ofs + 6) - 0x0a); + $item{name} =~ s/\00//g; + } + else { + my $ver = unpack("C",substr($data,9,1)); + my $idx = unpack("C",substr($data,3,1)); + + if ($idx == 0x80) { + $item{name} = parseGUID(substr($data,4,16)); + } +# Version 3 = XP + elsif ($ver == 3) { + my $guid1 = 
parseGUID(substr($data,$ofs + 6,16)); + my $guid2 = parseGUID(substr($data,$ofs + 6 + 16,16)); + $item{name} = $guid1."\\".$guid2 + + } +# Version 8 = Win7 + elsif ($ver == 8) { + my $userlen = unpack("V",substr($data,30,4)); + my $devlen = unpack("V",substr($data,34,4)); + my $user = substr($data,0x28,$userlen * 2); + $user =~ s/\00//g; + my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2); + $dev =~ s/\00//g; + $item{name} = $user; + } +# Version unknown + else { + $item{name} = "Device Entry - Unknown Version"; + } + } return %item; } @@ -647,15 +704,15 @@ sub parseFolderEntry { ($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]); # Need to read in short name; nul-term ASCII -# $item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0]; +# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0]; $ofs_shortname = $ofs_mdate + 6; my $tag = 1; my $cnt = 0; my $str = ""; while($tag) { my $s = substr($data,$ofs_shortname + $cnt,1); - return %item unless (defined $s); - if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) { + return %item unless (defined $s); + if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { $tag = 0; } else { @@ -663,15 +720,15 @@ sub parseFolderEntry { $cnt++; } } -# $str =~ s/\x00//g; +# $str =~ s/\00//g; my $shortname = $str; my $ofs = $ofs_shortname + $cnt + 1; # Read progressively, 1 byte at a time, looking for 0xbeef - $tag = 1; - $cnt = 0; + my $tag = 1; + my $cnt = 0; while ($tag) { - my $s = substr($data,$ofs + $cnt,2); - return %item unless (defined $s); + my $s = substr($data,$ofs + $cnt,2); + return %item unless (defined $s); if (unpack("v",$s) == 0xbeef) { $tag = 0; } 
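Review bot: In the rewritten `parseDeviceEntry`, `$ofs` comes from the entry itself (`unpack("v",substr($data,4,2))`) and is then used in `substr($data,$ofs + 6,16)` and `substr($data,$ofs + 6 + 16,16)` without being compared to `length($data)`, so a short or malformed entry passes undef or a partial string into `parseGUID`, which formats warning-laden zero fields into `$item{name}`. A guard before the GUID reads, `return %item unless (defined $ofs && $ofs + 38 <= length($data));`, keeps `parseGUID` fed with 16-byte slices; the `$ver == 3` branch duplicates the `$tag == 0` branch and could share one small helper with it. In the `$tag == 2` branch, `($ofs + 6) - 0x0a` goes negative when `$ofs < 4`, which `substr` interprets as a length counted back from the end of the string rather than as an empty name. The `%04x` width fix in `parseGUID` itself looks right.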
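Review bot: `my $tag = 1;` and `my $cnt = 0;` in the `@@ -663,15 +720,15` hunk redeclare variables that the same `parseFolderEntry` body already declares with `my` before the short-name loop (visible in the `@@ -647` context, and apparently at sub scope), so with `use warnings` Perl reports `"my" variable $tag masks earlier declaration in same scope`; the pattern recurs in `@@ -682,10 +739,10` (`my @m` twice) and `@@ -695,12 +752,16` (`my $str`). Since the earlier declarations are still in scope, the plain assignments `$tag = 1;`, `$cnt = 0;`, `@m = unpack(...)` and `$str = substr(...)` that the commit replaces were the correct form and should be restored. `parseFolderEntry` starts and ends outside these hunks.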
@@ -682,10 +739,10 @@ sub parseFolderEntry { $item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2)); $ofs = $ofs + $cnt + 2; - @m = unpack("vv",substr($data,$ofs,4)); + my @m = unpack("vv",substr($data,$ofs,4)); ($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]); $ofs += 4; - @m = unpack("vv",substr($data,$ofs,4)); + my @m = unpack("vv",substr($data,$ofs,4)); ($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]); my $jmp; @@ -695,12 +752,16 @@ sub parseFolderEntry { elsif ($item{extver} == 0x08) { $jmp = 30; } + elsif ($item{extver} == 0x09) { + $jmp = 34; + } + else {} $ofs += $jmp; - $str = substr($data,$ofs,length($data) - 30); - my $longname = (split(/\x00\x00/,$str,2))[0]; - $longname =~ s/\x00//g; + my $str = substr($data,$ofs,length($data) - 30); + my $longname = (split(/\00\00/,$str,2))[0]; + $longname =~ s/\00//g; if ($longname ne "") { $item{name} = $longname; @@ -750,7 +811,7 @@ sub parseNetworkEntry { my $data = shift; my %item = (); $item{type} = unpack("C",substr($data,2,1)); - my @names = split(/\x00/,substr($data,5,length($data) - 5)); + my @names = split(/\00/,substr($data,5,length($data) - 5)); $item{name} = $names[0]; return %item; } @@ -797,4 +858,4 @@ sub printData { } } -1; +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/shellbags_xp.pl b/thirdparty/rr-full/plugins/shellbags_xp.pl index b4f8ee2b00..ce90cc3e7f 100644 --- a/thirdparty/rr-full/plugins/shellbags_xp.pl +++ b/thirdparty/rr-full/plugins/shellbags_xp.pl @@ -29,7 +29,7 @@ # Moore for writing the shell bag parser for Registry Decoder, as well as # assistance with some parsing. # -# License: GPL v3 +# # copyright 2012 Quantum Analytics Research, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- 
@@ -397,9 +397,8 @@ sub parseVariableEntry { # 0x0e, 0x0f, 0x10 - mod date, create date, access date(?) # 0x0c - size #-------------------------------------------------------------- - return %item unless (defined $sz); - if ($sz == 0x00) { - $tag = 0; + return %item unless (defined $sz); + if ($sz == 0x00) { $tag = 0; next; } elsif ($id == 0x0a) { @@ -421,6 +420,7 @@ sub parseVariableEntry { # my $sz = unpack("V",substr($stuff,$cnt,4)); # my $id = unpack("V",substr($stuff,$cnt + 4,4)); # return %item unless (defined $sz); +# # if ($sz == 0x00) { # $tag = 0; # next; @@ -726,7 +726,7 @@ sub parseFolderEntry { my $str = ""; while($tag) { my $s = substr($data,$ofs_shortname + $cnt,1); - return %item unless (defined $s); + return %item unless (defined $s); if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) { $tag = 0; } @@ -742,8 +742,8 @@ sub parseFolderEntry { $tag = 1; $cnt = 0; while ($tag) { - my $s = substr($data,$ofs + $cnt,2); - return %item unless (defined $s); + my $s = substr($data,$ofs + $cnt,2); + return %item unless (defined $s); if (unpack("v",$s) == 0xbeef) { $tag = 0; } @@ -833,8 +833,8 @@ sub parseFolderEntry2 { my $tag = 1; while ($tag) { - my $s = substr($data,$ofs,2); - return %item unless (defined $s); + my $s = substr($data,$ofs,2); + return %item unless (defined $s); if (unpack("v",$s) == 0xbeef) { $tag = 0; } diff --git a/thirdparty/rr-full/plugins/shimcache.pl b/thirdparty/rr-full/plugins/shimcache.pl index 125143fbda..6116e6391a 100644 --- a/thirdparty/rr-full/plugins/shimcache.pl +++ b/thirdparty/rr-full/plugins/shimcache.pl @@ -5,6 +5,8 @@ # works within an analysis process. # # History: +# 20190112 - updated parsing for Win8.1 +# 20180311 - updated for more recent version of Win10/Win2016 # 20160528 - updated # 20160502 - created # @@ -32,7 +34,7 @@ my %config = (hive => "System", hasDescr => 0, hasRefs => 0, osmask => 31, - version => 20160528); + version => 20190112); sub getConfig{return %config} sub getShortDescr { 
@@ -110,7 +112,10 @@ sub pluginmain { elsif ($sig == 0x80) { appWin8($app_data); } - elsif ($sig == 0x30) { + elsif ($sig == 0x0) { + appWin81($app_data); + } + elsif ($sig == 0x30 || $sig == 0x34) { appWin10($app_data); } else { @@ -283,7 +288,7 @@ sub appWin8 { while($ofs < $len) { my $tag = unpack("V",substr($data,$ofs,4)); - last unless (defined $tag); + last unless (defined $tag); # 32-bit if ($tag == 0x73746f72) { $jmp = unpack("V",substr($data,$ofs + 8,4)); @@ -315,6 +320,39 @@ sub appWin8 { } } +#----------------------------------------------------------- +# appWin81() +# +#----------------------------------------------------------- +sub appWin81 { + my $data = shift; + my $len = length($data); + my ($tag, $sz, $t0, $t1, $name, $name_len); + my $ct = 0; +# my $ofs = unpack("V",substr($data,0,4)); + my $ofs = 0x80; + + while ($ofs < $len) { + $tag = substr($data,$ofs,4); + last unless (defined $tag); + if ($tag eq "10ts") { + + $sz = unpack("V",substr($data,$ofs + 0x08,4)); + $name_len = unpack("v",substr($data,$ofs + 0x0c,2)); + my $name = substr($data,$ofs + 0x0e,$name_len); + $name =~ s/\00//g; +# ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x03 + $name_len,8)); + ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x0e + $name_len + 0x0a,8)); + $files{$ct}(unknown) = $name; + $files{$ct}{modtime} = ::getTime($t0,$t1); + + $ct++; + $ofs += ($sz + 0x0c); + } + } +} + + #----------------------------------------------------------- # appWin10() # Ref: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html @@ -324,11 +362,11 @@ sub appWin10 { my $len = length($data); my ($tag, $sz, $t0, $t1, $name, $name_len); my $ct = 0; - my $ofs = 0x30; + my $ofs = unpack("V",substr($data,0,4)); +# my $ofs = 0x30; while ($ofs < $len) { $tag = substr($data,$ofs,4); - last unless (defined $tag); if ($tag eq "10ts") { $sz = unpack("V",substr($data,$ofs + 0x08,4)); 
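Review bot: In the new `appWin81`, `$ofs` is advanced only inside the `if ($tag eq "10ts")` branch, so the first offset at which the four bytes are not `10ts` leaves `$ofs` unchanged and `while ($ofs < $len)` never terminates; an AppCompatCache value that is padded, truncated or simply not in the expected layout hangs the plugin, and since `pluginmain` now routes `$sig == 0x0` here, any zeroed or unrecognised value takes this path. An `else { last; }` after the `if` block (or `else { $ofs++; }` if resynchronising on the tag is wanted) fixes it. The `last unless (defined $tag);` above it is dead, because `substr` at an offset below `$len` always returns a string. The identical copy in shimcache_tln.pl (`@@ -309,6 +316,39`) needs the same change.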
diff --git a/thirdparty/rr-full/plugins/shimcache_tln.pl b/thirdparty/rr-full/plugins/shimcache_tln.pl index b0fa1588b6..cada7474b7 100644 --- a/thirdparty/rr-full/plugins/shimcache_tln.pl +++ b/thirdparty/rr-full/plugins/shimcache_tln.pl @@ -5,6 +5,8 @@ # works within an analysis process. # # History: +# 20190112 - updated parsing for Win8.1 +# 20180311 - updated for more recent version of Win10/Win2016 # 20160528 - created # # References: @@ -31,7 +33,7 @@ my %config = (hive => "System", hasDescr => 0, hasRefs => 0, osmask => 31, - version => 20160528); + version => 20190112); sub getConfig{return %config} sub getShortDescr { @@ -109,7 +111,10 @@ sub pluginmain { elsif ($sig == 0x80) { appWin8($app_data); } - elsif ($sig == 0x30) { + elsif ($sig == 0x0) { + appWin81($app_data); + } + elsif ($sig == 0x30 || $sig == 0x34) { appWin10($app_data); } else { @@ -118,14 +123,16 @@ sub pluginmain { foreach my $f (keys %files) { my $str; - if (exists $files{$f}{executed}) { - $str = "M... [Program Execution] AppCompatCache - ".$files{$f}(unknown); - } - else { - $str = "M... AppCompatCache - ".$files{$f}(unknown); + next if ($files{$f}{modtime} == 0); + if (exists $files{$f}{updtime}) { +# $str = "[Program Execution] AppCompatCache - ".$files{$f}(unknown); + next if ($files{$f}{updtime} == 0); + ::rptMsg($files{$f}{updtime}."|REG|||[Program Execution] - ".$files{$f}(unknown)); } + + $str = "M... AppCompatCache - ".$files{$f}(unknown); $str .= " [Size = ".$files{$f}{size}." bytes]" if (exists $files{$f}{size}); - $str .= " [Executed]" if (exists $files{$f}{executed}); + ::rptMsg($files{$f}{modtime}."|REG|||".$str); } } 
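Review bot: In the `@@ -118,14 +123,16` hunk, the new `next if ($files{$f}{updtime} == 0);` inside the `exists $files{$f}{updtime}` block skips the whole iteration, so an entry with a valid `modtime` but a zero `updtime` no longer emits its `M...` timeline line, which the old code always produced. Emit the `[Program Execution]` line only when `updtime` is non-zero and fall through otherwise: `if (exists $files{$f}{updtime} && $files{$f}{updtime} != 0) {` with that inner `next` removed. The `[Executed]` suffix and the `executed` key are dropped by this hunk; if that is intentional the plugin's History comment should say so.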
@@ -148,8 +155,8 @@ sub appXP32Bit { foreach my $i (0..($num_entries - 1)) { my $x = substr($data,(400 + ($i * 552)),552); - my $file = (split(/\x00\x00/,substr($x,0,488)))[0]; - $file =~ s/\x00//g; + my $file = (split(/\00\00/,substr($x,0,488)))[0]; + $file =~ s/\00//g; $file =~ s/^\\\?\?\\//; my ($mod1,$mod2) = unpack("VV",substr($x,528,8)); my $modtime = ::getTime($mod1,$mod2); @@ -192,7 +199,7 @@ sub appWin2k3 { my ($len,$max_len,$ofs,$t0,$t1,$f0,$f1) = unpack("vvVVVVV",$struct); my $file = substr($data,$ofs,$len); - $file =~ s/\x00//g; + $file =~ s/\00//g; $file =~ s/^\\\?\?\\//; my $t = ::getTime($t0,$t1); $files{$i}(unknown) = $file; @@ -203,7 +210,7 @@ sub appWin2k3 { elsif ($struct_sz == 32) { my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvVVVVVVV",$struct); my $file = substr($data,$ofs0,$len); - $file =~ s/\x00//g; + $file =~ s/\00//g; $file =~ s/^\\\?\?\\//; my $t = ::getTime($t0,$t1); $files{i}(unknown) = $file; @@ -245,7 +252,7 @@ sub appWin7 { if ($struct_sz == 32) { my ($len,$max_len,$ofs,$t0,$t1,$f0,$f1) = unpack("vvV5x8",$struct); my $file = substr($data,$ofs,$len); - $file =~ s/\x00//g; + $file =~ s/\00//g; $file =~ s/^\\\?\?\\//; my $t = ::getTime($t0,$t1); $files{$i}(unknown) = $file; @@ -255,7 +262,7 @@ sub appWin7 { else { my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvV7x16",$struct); my $file = substr($data,$ofs0,$len); - $file =~ s/\x00//g; + $file =~ s/\00//g; $file =~ s/^\\\?\?\\//; my $t = ::getTime($t0,$t1); $files{$i}(unknown) = $file; 
@@ -277,14 +284,14 @@ sub appWin8 { while($ofs < $len) { my $tag = unpack("V",substr($data,$ofs,4)); - last unless (defined $tag); + last unless (defined $tag); # 32-bit if ($tag == 0x73746f72) { $jmp = unpack("V",substr($data,$ofs + 8,4)); ($t0,$t1) = unpack("VV",substr($data,$ofs + 12,8)); $sz = unpack("v",substr($data,$ofs + 20,2)); $name = substr($data,$ofs + 22,$sz); - $name =~ s/\x00//g; + $name =~ s/\00//g; $files{$ct}(unknown) = $name; $files{$ct}{modtime} = ::getTime($t0,$t1); $ct++; @@ -295,7 +302,7 @@ sub appWin8 { $jmp = unpack("V",substr($data,$ofs + 8,4)); $sz = unpack("v",substr($data,$ofs + 0x0C,2)); $name = substr($data,$ofs + 0x0E,$sz + 2); - $name =~ s/\x00//g; + $name =~ s/\00//g; ($t0,$t1) = unpack("VV",substr($data,($ofs + 0x0E + $sz +2 + 8),8)); $files{$ct}(unknown) = $name; $files{$ct}{modtime} = ::getTime($t0,$t1); @@ -309,6 +316,39 @@ sub appWin8 { } } +#----------------------------------------------------------- +# appWin81() +# +#----------------------------------------------------------- +sub appWin81 { + my $data = shift; + my $len = length($data); + my ($tag, $sz, $t0, $t1, $name, $name_len); + my $ct = 0; +# my $ofs = unpack("V",substr($data,0,4)); + my $ofs = 0x80; + + while ($ofs < $len) { + $tag = substr($data,$ofs,4); + last unless (defined $tag); + if ($tag eq "10ts") { + + $sz = unpack("V",substr($data,$ofs + 0x08,4)); + $name_len = unpack("v",substr($data,$ofs + 0x0c,2)); + my $name = substr($data,$ofs + 0x0e,$name_len); + $name =~ s/\00//g; +# ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x03 + $name_len,8)); + ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x0e + $name_len + 0x0a,8)); + $files{$ct}(unknown) = $name; + $files{$ct}{modtime} = ::getTime($t0,$t1); + + $ct++; + $ofs += ($sz + 0x0c); + } + } +} + + #----------------------------------------------------------- # appWin10() # Ref: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html 
@@ -318,17 +358,17 @@ sub appWin10 { my $len = length($data); my ($tag, $sz, $t0, $t1, $name, $name_len); my $ct = 0; - my $ofs = 0x30; + my $ofs = unpack("V",substr($data,0,4)); +# my $ofs = 0x30; while ($ofs < $len) { $tag = substr($data,$ofs,4); - last unless (defined $tag); if ($tag eq "10ts") { $sz = unpack("V",substr($data,$ofs + 0x08,4)); $name_len = unpack("v",substr($data,$ofs + 0x0c,2)); my $name = substr($data,$ofs + 0x0e,$name_len); - $name =~ s/\x00//g; + $name =~ s/\00//g; # ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x03 + $name_len,8)); ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x0e + $name_len,8)); $files{$ct}(unknown) = $name; diff --git a/thirdparty/rr-full/plugins/silentprocessexit.pl b/thirdparty/rr-full/plugins/silentprocessexit.pl new file mode 100644 index 0000000000..61f3e7754c --- /dev/null +++ b/thirdparty/rr-full/plugins/silentprocessexit.pl 
@@ -0,0 +1,59 @@ +#----------------------------------------------------------- +# silentprocessexit +# +# Change history: +# 20180601 - created +# +# Ref: +# https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ +# +# copyright 2018 QAR,LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package silentprocessexit; +use strict; + +my %config = (hive => "Software", + category => "autostart", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20180601); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of SilentProcessExit key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::rptMsg("Launching silentProcessexit v.".$VERSION); + ::rptMsg("silentprocessexit v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $key_path = ('Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit'); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @sk = $key->get_list_of_subkeys(); + foreach my $s (@sk) { + ::rptMsg($s->get_name()); + ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())." UTC"); + eval { + ::rptMsg("MonitorProcess: ".$s->get_value("MonitorProcess")->get_data()); + }; + ::rptMsg(""); + } + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/silentprocessexit_tln.pl b/thirdparty/rr-full/plugins/silentprocessexit_tln.pl new file mode 100644 index 0000000000..c6ae90f579 --- /dev/null +++ b/thirdparty/rr-full/plugins/silentprocessexit_tln.pl 
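Review bot: In `pluginmain`, `eval { ::rptMsg("MonitorProcess: ".$s->get_value("MonitorProcess")->get_data()); };` swallows the case where the subkey has no `MonitorProcess` value, so a SilentProcessExit subkey that exists but lacks it (or whose value fails to read) is listed with no indication either way. Fetch the value first and report its absence explicitly, e.g. `my $v = $s->get_value("MonitorProcess"); ::rptMsg("MonitorProcess: ".(defined $v ? $v->get_data() : "(not set)"));`. The `::rptMsg("Launching silentProcessexit v.".$VERSION);` line duplicates the banner that follows it; the other plugins on this page (sizes.pl, slack.pl) send that line to `::logMsg`. The `_tln` variant in the next hunk has the same gap: `$mon` stays undef when the value is missing and is concatenated into the output line with a warning.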
@@ -0,0 +1,59 @@ +#----------------------------------------------------------- +# silentprocessexit_tln +# +# Change history: +# 20180601 - created +# +# Ref: +# https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ +# +# copyright 2018 QAR,LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package silentprocessexit_tln; +use strict; + +my %config = (hive => "Software", + category => "autostart", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20180601); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of SilentProcessExit key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; +# ::rptMsg("Launching silentProcessexit v.".$VERSION); +# ::rptMsg("silentprocessexit v.".$VERSION); # banner +# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $key_path = ('Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit'); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @sk = $key->get_list_of_subkeys(); + foreach my $s (@sk) { + + my $mon; + eval { + $mon = $s->get_value("MonitorProcess")->get_data(); + }; + ::rptMsg($s->get_timestamp()."|REG|||SilentProcessExit: ".$s->get_name()." - MonitorProcess: ".$mon); + } + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/sizes.pl b/thirdparty/rr-full/plugins/sizes.pl index 03958c488f..7b19a64164 100644 --- a/thirdparty/rr-full/plugins/sizes.pl +++ b/thirdparty/rr-full/plugins/sizes.pl 
@@ -6,6 +6,8 @@ # sizes; change $min_size value to suit your needs # # Change history +# 20180817 - updated to include brief output, based on suggestion from J. Wood +# 20180607 - modified based on Meterpreter input from Mari DeGrazia # 20150527 - Created # # copyright 2015 QAR, LLC @@ -14,16 +16,19 @@ package sizes; use strict; +my $min_size = 5000; +my $output_size = 48; + my %config = (hive => "All", hasShortDescr => 1, hasDescr => 0, hasRefs => 0, osmask => 22, - version => 20150527); + version => 20180817); sub getConfig{return %config} sub getShortDescr { - return "Scans a hive file looking for binary value data of a min size"; + return "Scans a hive file looking for binary value data of a min size (".$min_size.")"; } sub getDescr{} sub getRefs {} @@ -31,7 +36,7 @@ sub getHive {return $config{hive};} sub getVersion {return $config{version};} my $VERSION = getVersion(); -my $min_size = 50000; +my $count = 0; sub pluginmain { my $class = shift; @@ -40,8 +45,16 @@ sub pluginmain { my $root_key = $reg->get_root_key; ::logMsg("Launching sizes v.".$VERSION); ::rptMsg("sizes v.".$VERSION); - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + + my $start = time; + traverse($root_key); + + my $finish = time; + + ::rptMsg("Scan completed: ".($finish - $start)." sec"); + ::rptMsg("Total values : ".$count); } sub traverse { @@ -49,8 +62,9 @@ sub traverse { # my $ts = $key->get_timestamp(); foreach my $val ($key->get_list_of_values()) { + $count++; my $type = $val->get_type(); - if ($type == 0 || $type == 3) { + if ($type == 0 || $type == 3 || $type == 1 || $type == 2) { my $data = $val->get_data(); my $len = length($data); if ($len > $min_size) { 
@@ -59,10 +73,19 @@ sub traverse { $name[0] = ""; $name[0] = "\\" if (scalar(@name) == 1); my $path = join('\\',@name); + ::rptMsg("Key : ".$path." Value: ".$val->get_name()." Size: ".$len." bytes"); + +# Data type "none", "Reg_SZ", "Reg_Expand_SZ" + if ($type == 0 || $type == 1 || $type == 2) { + ::rptMsg("Data Sample (first ".$output_size." bytes) : ".substr($data,0,$output_size)."..."); + } + +# Binary data + if ($type == 3) { + my $out = substr($data,0,$output_size); + probe($out); + } - ::rptMsg("Key : ".$path); - ::rptMsg("Value: ".$val->get_name()); - ::rptMsg("Size : ".$len." bytes."); ::rptMsg(""); } } 
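Review bot: The new `Data Sample` line writes `substr($data,0,$output_size)` straight into the report for the string types, while the binary case goes through `probe()` and gets a hex dump; if `get_data()` returns a decoded string here (as the REG_SZ/REG_EXPAND_SZ handling suggests), that sample can carry NULs, control characters or terminal escape sequences from the hive into the analyst's output. Filtering the sample to printable characters, `(my $sample = substr($data,0,$output_size)) =~ s/[^ -~]/./g;`, or routing types 1 and 2 through `probe()` as well, keeps the report clean. The `Size: ".$len." bytes"` label uses `length($data)`, which for a decoded string counts characters rather than bytes. `traverse` starts and ends outside the hunk.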
@@ -73,4 +96,65 @@ sub traverse { } } +#----------------------------------------------------------- +# probe() +# +# Code the uses printData() to insert a 'probe' into a specific +# location and display the data +# +# Input: binary data of arbitrary length +# Output: Nothing, no return value. Displays data to the console +#----------------------------------------------------------- +sub probe { + my $data = shift; + my @d = printData($data); + ::rptMsg(""); + foreach (0..(scalar(@d) - 1)) { + ::rptMsg($d[$_]); + } + ::rptMsg(""); +} + +#----------------------------------------------------------- +# printData() +# subroutine used primarily for debugging; takes an arbitrary +# length of binary data, prints it out in hex editor-style +# format for easy debugging +# +# Usage: see probe() +#----------------------------------------------------------- +sub printData { + my $data = shift; + my $len = length($data); + + my @display = (); + + my $loop = $len/16; + $loop++ if ($len%16); + + foreach my $cnt (0..($loop - 1)) { +# How much is left? + my $left = $len - ($cnt * 16); + + my $n; + ($left < 16) ? ($n = $left) : ($n = 16); + + my $seg = substr($data,$cnt * 16,$n); + my $lhs = ""; + my $rhs = ""; + foreach my $i ($seg =~ m/./gs) { +# This loop is to process each character at a time. + $lhs .= sprintf(" %02X",ord($i)); + if ($i =~ m/[ -~]/) { + $rhs .= $i; + } + else { + $rhs .= "."; + } + } + $display[$cnt] = sprintf("0x%08X %-50s %s",$cnt,$lhs,$rhs); + } + return @display; +} + 1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/slack.pl b/thirdparty/rr-full/plugins/slack.pl new file mode 100644 index 0000000000..9a0aa4e85f --- /dev/null +++ b/thirdparty/rr-full/plugins/slack.pl 
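Review bot: In `printData`, the first column of each row is formatted from `$cnt`, the row index, under a `0x%08X` label that reads as a byte offset, so the second line of a dump shows `0x00000001` for data that starts at offset 16. `$display[$cnt] = sprintf("0x%08X %-50s %s",$cnt * 16,$lhs,$rhs);` gives a conventional hex-editor offset; the identical copy added in the first hunk on this page should be changed the same way. The row count also appears to rely on the range operator truncating the float from `$len/16`; `my $loop = int($len/16);` makes that intent explicit.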
@@ -0,0 +1,135 @@ +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# slack.pl +# +# +# Change history +# 20180926 - created +# +# References: +# +# +# +# copyright 2018 QAR, LLC +# Author: H. Carvey +#----------------------------------------------------------- +package slack; +use strict; + +my %config = (hive => "All", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + category => "slack", + version => 20180926); + +sub getConfig{return %config} +sub getShortDescr { + return "Parse hive, print slack space, retrieve keys/values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %regkeys; + +sub pluginmain { + my $class = shift; + my $file = shift; + my $reg = Parse::Win32Registry->new($file); + ::logMsg("Launching slack v.".$VERSION); + ::rptMsg("slack v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + + my $block_iter = $reg->get_block_iterator; + while (my $block = $block_iter->get_next) { + my $entry_iter = $block->get_entry_iterator; + while (my $entry = $entry_iter->get_next) { + if ($entry->is_allocated()) { + + my $data = $entry->get_raw_bytes(); + ::rptMsg("------------- Slack Data ------------"); +# Value node header is 20 bytes, w/o name string +# Key node header is 76 bytes, w/o name string + my $len = length($data); + if ($len >= 20) { + my $cursor = 0; + while ($cursor < $len) { + if (unpack("v",substr($data,$cursor,2)) == 0x6b76) { +# ::rptMsg("Value node found at ".$cursor); + parseValueNode($data,$cursor); + } + elsif (unpack("v",substr($data,$cursor,2)) == 0x6b6e) { +# ::rptMsg("Key node found at ".$cursor); + parseKeyNode($data,$cursor); + } + else {} + $cursor++; + } + print "\n"; + } + ::rptMsg($entry->unparsed()); + } + } + } +} + +sub parseValueNode { + my $data = shift; + my $ofs = shift; + + my $name_len = unpack("v",substr($data,$ofs + 0x02,2)); + my $data_len 
= unpack("V",substr($data,$ofs + 0x04,4)); + my $data_ofs = unpack("V",substr($data,$ofs + 0x08,4)); + my $data_type = unpack("V",substr($data,$ofs + 0x0c,4)); + my $data_flag = unpack("v",substr($data,$ofs + 0x10,2)); + + my $name; + if (($ofs + 0x14 + $name_len) <= length($data)) { + $name = substr($data,$ofs + 0x14,$name_len); + ::rptMsg("Value Name: ".$name); + } +} + +sub parseKeyNode { + my $data = shift; + my $ofs = shift; + my $len = length($data); + + if ($len > 75 && $ofs >= 4) { + + my $size = unpack("i",substr($data,$ofs - 4,4)); + $size = ($size * -1) if ($size < 0); +# ::rptMsg("Key node size = ".$size); + + my $type = unpack("v",substr($data,$ofs + 0x02,2)); +# ::rptMsg(sprintf "Node Type = 0x%x",$type); + + my ($t1,$t2) = unpack("VV",substr($data,$ofs + 0x04,8)); + my $lw = ::getTime($t1,$t2); +# ::rptMsg("Key LastWrite time = ".gmtime($lw)." UTC"); + + my $sk = unpack("V",substr($data,$ofs + 0x14,4)); +# ::rptMsg("Number of subkeys: ".$sk); + + my $vals = unpack("V",substr($data,$ofs + 0x24,4)); +# ::rptMsg("Number of values: ".$vals); + + my $len_name = unpack("V",substr($data,$ofs + 0x48,4)); +# print "Name Length: ".$len_name."\n"; + + my $name; + if (($ofs + 0x4c + $len_name) <= $len) { + $name = substr($data,$ofs + 0x4c,$len_name); + ::rptMsg("Key name: ".$name); + } + ::rptMsg("Key LastWrite time = ".gmtime($lw)." UTC"); + } +} + + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/slack_tln.pl b/thirdparty/rr-full/plugins/slack_tln.pl new file mode 100644 index 0000000000..6d25b697c6 --- /dev/null +++ b/thirdparty/rr-full/plugins/slack_tln.pl 
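Review bot: `parseKeyNode` guards with `if ($len > 75 && $ofs >= 4)`, but the fields it then reads lie at `$ofs + 0x04` through `$ofs + 0x4c` and `$ofs` is any cursor position at which the `nk` signature matched, so near the end of `$data` the `substr` calls return short or undef values and `::getTime`, `gmtime` and the `Key LastWrite time` line run on garbage; only the name read is bounds-checked. The condition should bound the header against the offset, `if ($ofs >= 4 && $ofs + 0x4c <= $len) {`, and `parseValueNode` wants the same check, `return unless ($ofs + 0x14 <= length($data));`, before its header reads. `parseValueNode` also computes `$data_len`, `$data_ofs`, `$data_type` and `$data_flag` without using them, and the `print "\n";` in `pluginmain` bypasses `::rptMsg`, so that blank line goes to stdout rather than the report. Names carved from slack are emitted verbatim, so non-printable bytes in a `vk`/`nk` name reach the report unfiltered.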
@@ -0,0 +1,117 @@ +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# slack_tln.pl +# +# +# Change history +# 20190506 - slack_tln.pl created +# 20180926 - original slack.pl created +# +# References: +# +# +# +# copyright 2019 QAR, LLC +# Author: H. Carvey +#----------------------------------------------------------- +package slack_tln; +use strict; + +my %config = (hive => "All", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + category => "slack", + version => 20190506); + +sub getConfig{return %config} +sub getShortDescr { + return "Parse hive, print slack space, retrieve keys/values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %regkeys; + +sub pluginmain { + my $class = shift; + my $file = shift; + my $reg = Parse::Win32Registry->new($file); + ::logMsg("Launching slack v.".$VERSION); + ::rptMsg("slack v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + + my $block_iter = $reg->get_block_iterator; + while (my $block = $block_iter->get_next) { + my $entry_iter = $block->get_entry_iterator; + while (my $entry = $entry_iter->get_next) { + if ($entry->is_allocated()) { + + my $data = $entry->get_raw_bytes(); +# ::rptMsg("------------- Slack Data ------------"); +# Value node header is 20 bytes, w/o name string +# Key node header is 76 bytes, w/o name string + my $len = length($data); + if ($len >= 74) { + my $cursor = 0; + while ($cursor < $len) { + if (unpack("v",substr($data,$cursor,2)) == 0x6b6e) { +# ::rptMsg("Key node found at ".$cursor); + parseKeyNode($data,$cursor); + $cursor += 74; + } + else { + $cursor++; + } + } + } +# ::rptMsg($entry->unparsed()); + } + } + } +} + +sub parseKeyNode { + my $data = shift; + my $ofs = shift; + my $len = length($data); + + if ($len > 75 && $ofs >= 4) { + + my $size = unpack("i",substr($data,$ofs - 4,4)); + $size = ($size * -1) if ($size < 
0); +# ::rptMsg("Key node size = ".$size); + + my $type = unpack("v",substr($data,$ofs + 0x02,2)); +# ::rptMsg(sprintf "Node Type = 0x%x",$type); + + my ($t1,$t2) = unpack("VV",substr($data,$ofs + 0x04,8)); + my $lw = ::getTime($t1,$t2); +# ::rptMsg("Key LastWrite time = ".gmtime($lw)." UTC"); + + my $sk = unpack("V",substr($data,$ofs + 0x14,4)); +# ::rptMsg("Number of subkeys: ".$sk); + + my $vals = unpack("V",substr($data,$ofs + 0x24,4)); +# ::rptMsg("Number of values: ".$vals); + + my $len_name = unpack("V",substr($data,$ofs + 0x48,4)); +# print "Name Length: ".$len_name."\n"; + + my $name; + if (($ofs + 0x4c + $len_name) <= $len) { + $name = substr($data,$ofs + 0x4c,$len_name); +# ::rptMsg("Key name: ".$name); + } + + ::rptMsg($lw."|||| Key found in hive slack: ".$name); + } +} + + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/software b/thirdparty/rr-full/plugins/software index 68e724d448..2f996a673d 100644 --- a/thirdparty/rr-full/plugins/software +++ b/thirdparty/rr-full/plugins/software 
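Review bot: The TLN line `::rptMsg($lw."|||| Key found in hive slack: ".$name)` leaves the source field empty, whereas the other TLN plugins in this change write `|REG|||` (userassist_tln) or `|SYSCACHE|||` (syscache_tln); use `::rptMsg($lw."|REG||| Key found in hive slack: ".$name);` so the line sorts and filters with the rest of the timeline. The banner `::rptMsg` calls and `::logMsg("Launching slack v.".$VERSION)` in `pluginmain` were not commented out the way syscache_tln does, so non-TLN text is mixed into the timeline output and the log names the wrong plugin. `$name` is undef whenever the bounds check fails, yet the line is still emitted; guard it with `if (defined $name)`. The slack-derived name is untrusted bytes and should have non-printables stripped before it is written to the timeline.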
@@ -1,98 +1,102 @@ -# 20161213 *ALL* Plugins that apply on SOFTWARE hive, alphabetical order -ahaha -appinitdlls -apppaths -apppaths_tln -assoc -at -at_tln -audiodev -banner -bho -bitbucket -btconfig -clsid -cmd_shell -cmd_shell_tln -codeid -ctrlpnl -dcom -dfrg -direct -direct_tln -disablesr -drivers32 -drwatson -emdmgmt -esent -etos -gauss -gpohist -gpohist_tln -handler -ie_version -ie_zones -imagefile -init_dlls -inprocserver -installedcomp -installer -javasoft -kb950582 -landesk -landesk_tln -lastloggedon -lazyshell -licenses -logmein -logmein_tln -macaddr -mrt -msis -netsh -networkcards -networklist -networklist_tln -networkuid -opencandy -port_dev -product -profilelist -regback -removdev -renocide -schedagent -secctr -sfc -shellexec -shellext -shelloverlay -snapshot -soft_run -spp_clients -sql_lastconnect -srun_tln -ssid -startmenuinternetapps_lm -susclient -svchost -systemindex -teamviewer -tracing -tracing_tln -trappoll -uac -uninstall -uninstall_tln -urlzone -virut -volinfocache -wbem -winbackup -win_cv -winevt -winlogon -winlogon_tln -winnt_cv -winver -yahoo_lm +ahaha +appcompatflags +appinitdlls +appkeys +apppaths +assoc +at +audiodev +banner +bho +bitbucket +btconfig +clsid +cmd_shell +codeid +ctrlpnl +dcom +defbrowser +dfrg +direct +disablesr +drivers32 +drwatson +emdmgmt +esent +etos +execpolicy +gauss +gpohist +handler +ie_version +ie_zones +imagefile +init_dlls +inprocserver +installedcomp +installer +javasoft +kankan +kb950582 +landesk +lastloggedon +lazyshell +licenses +logmein +macaddr +mrt +msis +netsh +networkcards +networklist +networkuid +opencandy +port_dev +product +profilelist +pslogging +psscript +regback +removdev +renocide +runonceex +sbs +schedagent +secctr +sfc +shellexec +shellext +shelloverlay +silentprocessexit +snapshot +soft_run +spp_clients +sql_lastconnect +ssid +startmenuinternetapps_lm +susclient +svchost +systemindex +teamviewer +termserv +thunderbirdinstalled +tracing +trappoll +uac +uninstall +updates +urlzone +virut 
+volinfocache +watp +wbem +webroot +winbackup +winevt +winlogon +winnt_cv +winver +win_cv +wow64 +wsh_settings +yahoo_lm diff --git a/thirdparty/rr-full/plugins/source_os.pl b/thirdparty/rr-full/plugins/source_os.pl new file mode 100644 index 0000000000..5cb218c306 --- /dev/null +++ b/thirdparty/rr-full/plugins/source_os.pl 
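Review bot: `win_cv` is placed after `winver` in the new list, which breaks the alphabetical order the removed `# 20161213 *ALL* Plugins ...` header promised (`_` sorts before letters, so it belongs ahead of `winbackup`); move it and consider keeping a one-line header, since the old one also recorded that the file lists every plugin for the hive. All `*_tln` entries were dropped; if that is deliberate, the header is the place to say where TLN profiles now live.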
@@ -0,0 +1,98 @@ +#----------------------------------------------------------- +# source_os.pl +# +# History: +# 20180629 - created +# +# References: +# http://az4n6.blogspot.com/2017/02/when-windows-lies.html +# +# +# copyright 2018 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package source_os; +use strict; + +my %config = (hive => "System", + hivemask => 4, + output => "report", + category => "Program Execution", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 31, #XP - Win7 + version => 20180629); + +sub getConfig{return %config} +sub getShortDescr { + return "Parse Source OS subkey values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my %files; +my $str = ""; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching source_os v.".$VERSION); + ::rptMsg("source_os v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = 'Setup'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @sk = $key->get_list_of_subkeys(); + foreach my $s (@sk) { + my $name = $s->get_name(); + if (substr($name,0,6) eq "Source") { + + my $id = $s->get_value("InstallDate")->get_data(); + + ::rptMsg($name); + ::rptMsg(" InstallDate: ".gmtime($id)." Z"); + + eval { + my ($t0,$t1) = unpack("VV",$s->get_value("InstallTime")->get_data()); + my $t = ::getTime($t0,$t1); + ::rptMsg(" InstallTime: ".gmtime($t)." 
Z"); + }; + + eval { + ::rptMsg(" BuildLab: ".$s->get_value("BuildLab")->get_data()); + }; + + eval { + ::rptMsg(" CurrentBuild: ".$s->get_value("CurrentBuild")->get_data()); + }; + + eval { + ::rptMsg(" ProductName: ".$s->get_value("ProductName")->get_data()); + }; + + eval { + ::rptMsg(" RegisteredOwner: ".$s->get_value("RegisteredOwner")->get_data()); + }; + + eval { + ::rptMsg(" ReleaseID: ".$s->get_value("ReleaseID")->get_data()); + }; + + ::rptMsg(""); + } + } + } + else { + ::rptMsg($key_path." not found."); + } +} + + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/svc_plus.pl b/thirdparty/rr-full/plugins/svc_plus.pl index acb407ebc8..5b68cc5164 100644 --- a/thirdparty/rr-full/plugins/svc_plus.pl +++ b/thirdparty/rr-full/plugins/svc_plus.pl @@ -25,7 +25,7 @@ my %config = (hive => "System", sub getConfig{return %config} sub getShortDescr { - return "Lists services/drivers in Services key by LastWrite times in a short format with warnings for type mismatches\n^^^^ Indicates non-standard Type\n<<<< Indicates Start mismatch for Driver\n**** Indicates ObjectName mismatch for Driver\n>>>> Indicates Start mismatch for Service\n++++ Indicates nonstandard ObjectName for Service."; + return "Lists services/drivers in Services key by LastWrite times in a short format with warnings for type mismatches; ^^^^ Indicates non-standard Type, <<<< Indicates Start mismatch for Driver, **** Indicates ObjectName mismatch for Driver, >>>> Indicates Start mismatch for Service, ++++ Indicates nonstandard ObjectName for Service."; } sub getDescr{} sub getRefs {} diff --git a/thirdparty/rr-full/plugins/syscache b/thirdparty/rr-full/plugins/syscache new file mode 100644 index 0000000000..004687da42 --- /dev/null +++ b/thirdparty/rr-full/plugins/syscache @@ -0,0 +1,2 @@ +syscache +syscache_csv diff --git a/thirdparty/rr-full/plugins/syscache.pl b/thirdparty/rr-full/plugins/syscache.pl new file mode 100644 index 0000000000..08a5971bdc --- /dev/null 
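Review bot: `my $id = $s->get_value("InstallDate")->get_data();` is the one value read outside an `eval`, so a `Source OS` subkey without `InstallDate` makes the method call on undef die and aborts the plugin before the remaining subkeys are reported. Wrap it like the others: `my $id; eval { $id = $s->get_value("InstallDate")->get_data(); };` followed by `::rptMsg(" InstallDate: ".gmtime($id)." Z") if (defined $id);`. The `osmask => 31, #XP - Win7` comment also looks stale, since the cited reference discusses the `Setup\Source OS (Updated on ...)` keys left behind by Windows 10 feature upgrades, and `category => "Program Execution"` does not describe OS-install metadata; both are worth re-checking against how rip.pl uses them.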
+++ b/thirdparty/rr-full/plugins/syscache.pl 
@@ -0,0 +1,114 @@ +#----------------------------------------------------------- +# syscache.pl +# +# Change history +# 20181209 - created +# +# References +# https://github.com/libyal/winreg-kb/blob/master/documentation/SysCache.asciidoc +# +# Copyright (c) 2018 QAR, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package syscache; +use strict; + +my %config = (hive => "syscache", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + category => "program execution", + version => 20181209); +my $VERSION = getVersion(); + +# Functions # +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getDescr {} +sub getShortDescr { + return "Parse SysCache\.hve file"; +} +sub getRefs {} + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching syscache v.".$VERSION); + ::rptMsg("syscache v.".$VERSION); + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + + my $key_path = 'DefaultObjectStore\\ObjectTable'; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $sk (@subkeys) { + processKey($sk); + ::rptMsg(""); + } + } + + } + else { + ::rptMsg($key_path." not found"); + } +} + +sub processKey { + my $key = shift; + + my $lw = $key->get_timestamp(); + ::rptMsg("LastWrite: ".gmtime($lw)." 
Z"); + + eval { + my ($f1,$f2,$seq) = unpack("Vvv",$key->get_value("_FileId_")->get_data()); + my $entry = mftRecNum($f1,$f2); + ::rptMsg(" FileID = ".$entry."/".$seq); + }; + + + eval { + my $aefileid = $key->get_value("AeFileID")->get_data(); + $aefileid =~ s/\00//g; + my $sha1 = $aefileid; + $sha1 =~ s/^0000//; + ::rptMsg(" AeFileID = ".$aefileid); + ::rptMsg(" SHA-1 Hash = ".$sha1); + }; + + eval { + my ($u1,$u2) = unpack("VV",$key->get_value("_UsnJournalId_")->get_data()); + my $usn = ::getTime($u1,$u2); + ::rptMsg(" USN Journal ID = ".gmtime($usn)." Z"); + + }; + +} + +# from: http://www.cse.scu.edu/~tschwarz/coen252_07Fall/Lectures/NTFS.html +# "Each MFT record is addressed by a 48 bit MFT entry value.The first entry has address 0. +# Each MFT entry has a 16 bit sequence number that is incremented when the entry is allocated. +# MFT entry value and sequence number combined yield 64b file reference address.: +# +# The 64-bit field is translated as 48-bits for the entry number and 16-bits for the +# sequence number +# +# variation of the below code shared by David Cowen +sub mftRecNum { + my $f1 = shift; + my $f2 = shift; + + if ($f2 == 0) { + return $f1; + } + else { + $f2 = ($f2 * 16777216); + return ($f1 + $f2); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/syscache_csv.pl b/thirdparty/rr-full/plugins/syscache_csv.pl new file mode 100644 index 0000000000..b5534cc785 --- /dev/null +++ b/thirdparty/rr-full/plugins/syscache_csv.pl 
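Review bot: `mftRecNum` scales the upper word with `$f2 * 16777216` (2**24), but `unpack("Vvv", ...)` hands it bits 32–47 of the 64-bit file reference, so whenever `$f2` is non-zero the reported entry number is wrong; if the intent is the 48-bit entry number, the line should read `return $f1 + $f2 * 4294967296;` (2**32). Confirm against the David Cowen code the comment credits before changing it, since the discrepancy may be deliberate. Separately, `_UsnJournalId_` is decoded with `::getTime` and printed as a date; the value name suggests a journal identifier rather than a timestamp, so the FILETIME interpretation should be recorded as an assumption in a comment (e.g. `# assumes the USN journal ID is the FILETIME of journal creation — confirm`).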
@@ -0,0 +1,116 @@ +#----------------------------------------------------------- +# syscache_csv.pl +# +# Change history +# 20190425 - csv output added +# 20181209 - original plugin created +# +# References +# https://github.com/libyal/winreg-kb/blob/master/documentation/SysCache.asciidoc +# +# Copyright (c) 2018 QAR, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package syscache_csv; +use strict; + +my %config = (hive => "syscache", + hasShortDescr => 0, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + category => "program execution", + version => 20190425); +my $VERSION = getVersion(); + +# Functions # +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getDescr {} +sub getShortDescr {} +sub getRefs {} + +sub pluginmain { + my $class = shift; + my $hive = shift; +# ::logMsg("Launching syscache v.".$VERSION); +# ::rptMsg("syscache_csv v.".$VERSION); +# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + + my $key_path = 'DefaultObjectStore\\ObjectTable'; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $sk (@subkeys) { + processKey($sk); +# ::rptMsg(""); + } + } + + } + else { + ::rptMsg($key_path." not found"); + } +} + +sub processKey { + my $key = shift; + my @str = (); + my $lw = $key->get_timestamp(); +# ::rptMsg("LastWrite: ".gmtime($lw)." Z"); + push(@str,gmtime($lw)." 
UTC"); + + eval { + my ($f1,$f2,$seq) = unpack("Vvv",$key->get_value("_FileId_")->get_data()); + my $entry = mftRecNum($f1,$f2); +# ::rptMsg(" FileID = ".$entry."/".$seq); + push(@str,$entry."/".$seq); + }; + + + eval { + my $aefileid = $key->get_value("AeFileID")->get_data(); + $aefileid =~ s/\00//g; + my $sha1 = $aefileid; + $sha1 =~ s/^0000//; + push(@str,$sha1); +# ::rptMsg(" AeFileID = ".$aefileid); +# ::rptMsg(" SHA-1 Hash = ".$sha1); + }; + +# eval { +# my ($u1,$u2) = unpack("VV",$key->get_value("_UsnJournalId_")->get_data()); +# my $usn = ::getTime($u1,$u2); +# ::rptMsg(" USN Journal ID = ".gmtime($usn)." Z"); +# }; + my $s = join(',',@str); + ::rptMsg($s); +} + +# from: http://www.cse.scu.edu/~tschwarz/coen252_07Fall/Lectures/NTFS.html +# "Each MFT record is addressed by a 48 bit MFT entry value.The first entry has address 0. +# Each MFT entry has a 16 bit sequence number that is incremented when the entry is allocated. +# MFT entry value and sequence number combined yield 64b file reference address.: +# +# The 64-bit field is translated as 48-bits for the entry number and 16-bits for the +# sequence number +# +# variation of the below code shared by David Cowen +sub mftRecNum { + my $f1 = shift; + my $f2 = shift; + + if ($f2 == 0) { + return $f1; + } + else { + $f2 = ($f2 * 16777216); + return ($f1 + $f2); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/syscache_tln.pl b/thirdparty/rr-full/plugins/syscache_tln.pl new file mode 100644 index 0000000000..be03f97785 --- /dev/null +++ b/thirdparty/rr-full/plugins/syscache_tln.pl 
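Review bot: In `processKey` the `push(@str, ...)` for the MFT reference and the SHA-1 happen inside the `eval` blocks, so when `_FileId_` or `AeFileID` is missing the column is dropped instead of left empty and every later field shifts left in the CSV row. Push a placeholder on failure, e.g. `push(@str,'') if ($@);` directly after each eval, and emit a header row such as `::rptMsg("LastWrite,MFTRef,SHA1");` at the top of `pluginmain` so consumers know the column order. `mftRecNum` is duplicated verbatim from syscache.pl; if the 2**24 multiplier there is corrected it needs correcting here too.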
@@ -0,0 +1,114 @@ +#----------------------------------------------------------- +# syscache_tln.pl +# +# Change history +# 20190516 - tln output added +# 20181209 - original plugin created +# +# References +# https://github.com/libyal/winreg-kb/blob/master/documentation/SysCache.asciidoc +# +# Copyright (c) 2019 QAR, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package syscache_tln; +use strict; + +my %config = (hive => "syscache", + hasShortDescr => 0, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + category => "program execution", + version => 20190516); +my $VERSION = getVersion(); + +# Functions # +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getDescr {} +sub getShortDescr {} +sub getRefs {} + +sub pluginmain { + my $class = shift; + my $hive = shift; +# ::logMsg("Launching syscache v.".$VERSION); +# ::rptMsg("syscache_csv v.".$VERSION); +# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + + my $key_path = 'DefaultObjectStore\\ObjectTable'; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $sk (@subkeys) { + processKey($sk); +# ::rptMsg(""); + } + } + + } + else { + ::rptMsg($key_path." not found"); + } +} + +sub processKey { + my $key = shift; + my @str = (); + my $lw = $key->get_timestamp(); +# ::rptMsg("LastWrite: ".gmtime($lw)." Z"); + my $str = $lw."|SYSCACHE|||"; + eval { + my ($f1,$f2,$seq) = unpack("Vvv",$key->get_value("_FileId_")->get_data()); + my $entry = mftRecNum($f1,$f2); +# ::rptMsg(" FileID = ".$entry."/".$seq); + $str .= "MFT Ref: ".$entry."/".$seq." 
"; + }; + + + eval { + my $aefileid = $key->get_value("AeFileID")->get_data(); + $aefileid =~ s/\00//g; + my $sha1 = $aefileid; + $sha1 =~ s/^0000//; + $str .= "SHA-1: ".$sha1; +# ::rptMsg(" AeFileID = ".$aefileid); +# ::rptMsg(" SHA-1 Hash = ".$sha1); + }; + +# eval { +# my ($u1,$u2) = unpack("VV",$key->get_value("_UsnJournalId_")->get_data()); +# my $usn = ::getTime($u1,$u2); +# ::rptMsg(" USN Journal ID = ".gmtime($usn)." Z"); +# }; + ::rptMsg($str); +} + +# from: http://www.cse.scu.edu/~tschwarz/coen252_07Fall/Lectures/NTFS.html +# "Each MFT record is addressed by a 48 bit MFT entry value.The first entry has address 0. +# Each MFT entry has a 16 bit sequence number that is incremented when the entry is allocated. +# MFT entry value and sequence number combined yield 64b file reference address.: +# +# The 64-bit field is translated as 48-bits for the entry number and 16-bits for the +# sequence number +# +# variation of the below code shared by David Cowen +sub mftRecNum { + my $f1 = shift; + my $f2 = shift; + + if ($f2 == 0) { + return $f1; + } + else { + $f2 = ($f2 * 16777216); + return ($f1 + $f2); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/system b/thirdparty/rr-full/plugins/system index e84ecb9f54..f95897e19d 100644 --- a/thirdparty/rr-full/plugins/system +++ b/thirdparty/rr-full/plugins/system 
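Review bot: `::rptMsg($str)` runs unconditionally, so a key with neither `_FileId_` nor `AeFileID` still emits a TLN line whose description is empty; guard it with `::rptMsg($str) if ($str ne $lw."|SYSCACHE|||");` or set a flag inside the evals. `my @str = ();` is unused in this plugin and can be removed. The commented-out `::logMsg("Launching syscache v.".$VERSION)` still names `syscache` rather than `syscache_tln`, which will mislabel the log if it is ever re-enabled.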
@@ -1,70 +1,71 @@ -# 20161213 *ALL* Plugins that apply on SYSTEM hive, alphabetical order -appcertdlls -appcompatcache -appcompatcache_tln -auditfail -backuprestore -bthport -comfoo -compname -crashcontrol -ddm -devclass -diag_sr -disablelastaccess -dllsearch -dnschanger -eventlog -eventlogs -fw_config -hibernate -ide -imagedev -kbdcrash -legacy -legacy_tln -lsa_packages -mountdev -mountdev2 -netsvcs -network -nic -nic2 -nic_mst2 -nolmhash -pagefile -pending -phdet -prefetch -processor_architecture -productpolicy -producttype -rdpnla -rdpport -regin -remoteaccess -routes -safeboot -securityproviders -services -shares -shimcache -shimcache_tln -shutdown -shutdowncount -stillimage -svc -svcdll -svc_plus -svc_tln -systemindex -termcert -termserv -timezone -usb -usbdevices -usbstor -usbstor2 -usbstor3 -wpdbusenum -xpedition +angelfire +appcertdlls +appcompatcache +auditfail +backuprestore +bam +bthport +comfoo +compname +crashcontrol +dafupnp +ddm +devclass +diag_sr +disablelastaccess +dllsearch +dnschanger +eventlog +eventlogs +fw_config +hibernate +ide +imagedev +kbdcrash +legacy +lsa_packages +macaddr +mountdev +mountdev2 +netlogon +netsvcs +network +nic +nic2 +nic_mst2 +nolmhash +pagefile +pending +phdet +prefetch +processor_architecture +productpolicy +producttype +profiler +rdpnla +rdpport +regin +remoteaccess +routes +safeboot +securityproviders +services +shares +shimcache +shutdown +shutdowncount +source_os +stillimage +svc +svcdll +svc_plus +termcert +termserv +timezone +usb +usbdevices +usbstor +usbstor2 +usbstor3 +wpdbusenum +xpedition diff --git a/thirdparty/rr-full/plugins/termserv.pl b/thirdparty/rr-full/plugins/termserv.pl index 94b360b7f1..5a92ab7dec 100644 --- a/thirdparty/rr-full/plugins/termserv.pl +++ b/thirdparty/rr-full/plugins/termserv.pl 
@@ -3,6 +3,7 @@ # Plugin for Registry Ripper; # # Change history +# 20190527 - Added checks in Software hive # 20160224 - added SysProcs info # 20131007 - updated with Sticky Keys info # 20130307 - updated with autostart locations @@ -27,16 +28,16 @@ package termserv; use strict; -my %config = (hive => "System", +my %config = (hive => "System, Software", hasShortDescr => 1, hasDescr => 0, hasRefs => 0, osmask => 22, - version => 20160224); + version => 20190527); sub getConfig{return %config} sub getShortDescr { - return "Gets Terminal Server values from System hive"; + return "Gets Terminal Server settings from System and Software hives"; } sub getDescr{} sub getRefs {} @@ -66,8 +67,6 @@ sub pluginmain { ::rptMsg($ts_path); ::rptMsg("LastWrite Time ".gmtime($ts->get_timestamp())." (UTC)"); ::rptMsg(""); - ::rptMsg("Reference: http://support.microsoft.com/kb/243215"); - ::rptMsg(""); my $ver; eval { @@ -151,6 +150,14 @@ sub pluginmain { }; ::rptMsg(" InitialProgram value not found\.") if ($@); +# Added 20190527 + eval { + my $sec = $ts->get_subkey("WinStations\\RDP-Tcp")->get_value("SecurityLayer")->get_data(); + ::rptMsg("WinStations\\RDP-Tcp key"); + ::rptMsg(" SecurityLayer: ".$sec); + ::rptMsg("Analysis Tip: Maybe be empty; appears as '{blank}'"); + }; + # Added 20160224 eval { my $sys = $ts->get_subkey("SysProcs"); 
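Review bot: `hive => "System, Software"` puts a space after the comma, while the other multi-hive plugin in this change writes the list without one (`"Software,NTUSER\.DAT"` in thunderbirdinstalled.pl); if rip.pl splits the hive field on `,`, the second entry becomes ` Software` and the plugin may not be matched to the Software hive, so write `hive => "System,Software"`. In the new SecurityLayer block the tip reads `Maybe be empty`; change it to `::rptMsg("Analysis Tip: May be empty; appears as '{blank}'");`. It would also help analysts to print what the DWORD means, e.g. `0 = RDP Security Layer, 1 = Negotiate, 2 = TLS` — confirm against Microsoft's WinStations documentation before adding it. `pluginmain` begins and ends outside this hunk.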
@@ -185,5 +192,41 @@ sub pluginmain { else { ::rptMsg($key_path." not found."); } + +# Added 20190527 + $key_path = "Policies\\Microsoft\\Windows NT\\Terminal Services"; + if ($key = $root_key->get_subkey($key_path)) { + my $lw = $key->get_timestamp(); + ::rptMsg($key_path); + ::rptMsg("LastWrite: ".gmtime($lw)." Z"); + ::rptMsg(""); + +# Note: fDenyTSConnections was added here because I've seen it used by bad actors, +# not due to any MS documentation + eval { + my $deny = $key->get_value("fDenyTSConnections")->get_data(); + ::rptMsg("fDenyTSConnections value = ".$deny); + }; + + eval { + my $fallow = $key->get_value("fAllowUnsolicited")->get_data(); + ::rptMsg("fAllowUnsolicited value = ".$fallow); + }; + + + eval { + my $fallowfc = $key->get_value("fAllowUnsolicitedFullControl")->get_data(); + ::rptMsg("fAllowUnsolicitedFullControl value = ".$fallowfc); + }; + + eval { + my $user = $key->get_value("UserAuthentication")->get_data(); + ::rptMsg("UserAuthentication value = ".$user); + }; + + } + else { + ::rptMsg($key_path." not found."); + } } 1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/thunderbirdinstalled.pl b/thirdparty/rr-full/plugins/thunderbirdinstalled.pl new file mode 100644 index 0000000000..7c72995140 --- /dev/null +++ b/thirdparty/rr-full/plugins/thunderbirdinstalled.pl 
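Review bot: The new `Policies\Microsoft\Windows NT\Terminal Services` block prints raw DWORDs without the interpretation an analyst needs; since the comment says `fDenyTSConnections` was added because bad actors flip it, print the meaning next to the value, e.g. `::rptMsg("fDenyTSConnections value = ".$deny." (0 = RDP connections allowed)");`, and likewise for `UserAuthentication` (`0 = NLA not required`) and `fAllowUnsolicited` / `fAllowUnsolicitedFullControl` (`1 = unsolicited Remote Assistance allowed`). This key lives in the Software hive while the first half of the plugin reads `ControlSet00x` from the System hive, so one of the two sections will always report `not found` whichever hive is passed; a one-line comment saying that is expected would save confusion. `$key` and `$key_path` are reused from the System-hive section declared outside this hunk, and `pluginmain` begins outside it.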
@@ -0,0 +1,92 @@ +#----------------------------------------------------------- +# thunderbirdinstalled +# Shows install current status for Mozilla Thunderbird +# +# References +# https://www.thunderbird.net/en-US/ +# +# History: +# 20180712 - created +# +# Author: +# M. Jones, mictjon@gmail.com +#----------------------------------------------------------- +package thunderbirdinstalled; +use strict; + +my %config = (hive => "Software,NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20120524); + +sub getConfig{return %config} + +sub getShortDescr { + return "Shows install status of Thunderbird"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Mozilla" => + "https://www.thunderbird.net/en-US/"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching thunderbirdinstalled v.".$VERSION); + ::rptMsg("thunderbirdinstalled v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# used a list of values to address the need for parsing the App Paths key +# in the Wow6432Node key, if it exists. + my @paths = ("Microsoft\\Windows\\CurrentVersion\\App Paths\\thunderbird.exe", + "WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\thunderbird.exe"); + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Thunderbird installed"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + my %apps; + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + + my $name = $s->get_name(); + my $lastwrite = $s->get_timestamp(); + my $path; + eval { + $path = $s->get_value("")->get_data(); + }; + push(@{$apps{$lastwrite}},$name." - ".$path); + } + + foreach my $t (reverse sort {$a <=> $b} keys %apps) { + ::rptMsg(gmtime($t)." (UTC)"); + foreach my $item (@{$apps{$t}}) { + ::rptMsg(" $item"); + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::rptMsg(" Thunderbird not installed."); + } + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/trustrecords.pl b/thirdparty/rr-full/plugins/trustrecords.pl index a32501a29e..d9e7a40031 100644 --- a/thirdparty/rr-full/plugins/trustrecords.pl +++ b/thirdparty/rr-full/plugins/trustrecords.pl @@ -4,10 +4,15 @@ # the default security settings for the application # # Change history +# 20190626 - updated to more recent versions of Office # 20160224 - modified per Mari's blog post # 20120716 - created # # References +# 20190626 updates +# https://decentsecurity.com/block-office-macros +# https://gist.github.com/PSJoshi/749cf1733217d8791cf956574a3583a2 +# # http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html # ForensicArtifacts.com posting by Andrew Case: # http://forensicartifacts.com/2012/07/ntuser-trust-records/ @@ -25,7 +30,7 @@ my %config = (hive => "NTUSER\.DAT", hasDescr => 0, hasRefs => 0, osmask => 22, - version => 20160224); + version => 20190626); sub getConfig{return %config} sub getShortDescr { 
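Review bot: `hive => "Software,NTUSER\.DAT"` advertises NTUSER.DAT support, but both entries in `@paths` start at `Microsoft\Windows\CurrentVersion\App Paths\...`, which is the Software-hive layout; in NTUSER.DAT the same keys sit under `Software\Microsoft\...`, so the plugin will always print `not found` / `Thunderbird not installed` for a user hive. Either drop NTUSER.DAT from the hive list or add the `Software\\`-prefixed variants to `@paths`. `version => 20120524` also disagrees with the `20180712 - created` history line and looks copied from another plugin; set it to `20180712`. The `App Paths\thunderbird.exe` key's own `(Default)` value is never reported because only subkeys are walked — worth confirming whether that key normally has subkeys at all, since otherwise the plugin only ever prints `has no subkeys`.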
@@ -76,7 +81,7 @@ sub pluginmain { # Now that we have the most recent version of Office installed, let's # start looking at the various subkeys my @apps = ("Word","PowerPoint","Excel","Access"); - $key_path = "Software\\Microsoft\\Office\\".$office_version; + my $key_path = "Software\\Microsoft\\Office\\".$office_version; foreach my $app (@apps) { ::rptMsg("**".$app."**"); @@ -90,11 +95,22 @@ sub pluginmain { ::rptMsg(""); } }; + +# Added 20190626 + eval { + if (my $sec = $root_key->get_subkey($app_path)) { + my $blk = $sec->get_value("blockcontentexecutionfrominternet")->get_data(); + ::rptMsg("blockcontentexecutionfrominternet = ".$blk); + ::rptMsg(""); + } + }; + # Trusted Documents/Trust Records $app_path = $key_path."\\".$app."\\Security\\Trusted Documents"; if (my $app_key = $root_key->get_subkey($app_path)) { if (my $trust = $app_key->get_subkey("TrustRecords")) { my @vals = $trust->get_list_of_values(); + ::rptMsg("TrustRecords"); foreach my $v (@vals) { my $data = $v->get_data(); my ($t0,$t1) = (unpack("VV",substr($data,0,8))); @@ -110,4 +126,4 @@ sub pluginmain { } } -1; +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/updates.pl b/thirdparty/rr-full/plugins/updates.pl new file mode 100644 index 0000000000..b6a1dd97a1 --- /dev/null +++ b/thirdparty/rr-full/plugins/updates.pl 
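Review bot: The new `blockcontentexecutionfrominternet` lookup reads `$app_path`, which is set outside this hunk and, judging from the surrounding Trusted Documents code, appears to be the per-application `Security` key under `Software\Microsoft\Office\<ver>`; the cited decentsecurity reference documents this setting as a policy value under `Software\Policies\Microsoft\Office\<ver>\<app>\Security`, so the plugin may never find it where Group Policy actually writes it. Consider also checking `"Software\\Policies\\Microsoft\\Office\\".$office_version."\\".lc($app)."\\Security"` and labelling which location the value came from, since a policy-set 1 is a stronger control than a user-set one. The `$key_path` → `my $key_path` change either fixes a `use strict` failure or shadows an earlier declaration; which one cannot be told from the hunk. `pluginmain` begins and ends outside these hunks.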
@@ -0,0 +1,88 @@ +#----------------------------------------------------------- +# updates.pl +# +# +# References: +# https://stackoverflow.com/questions/5102900/registry-key-location-for-security-update-and-hotfixes +# +# Change History: +# 20170715 - created +# +# copyright 2017 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package updates; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20170715); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets updates/hotfixes from Software hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + + my %uninst; + ::logMsg("Launching updates v.".$VERSION); + ::rptMsg("updates v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + + my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages'; + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + ::rptMsg("Updates"); + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + ::rptMsg($key_path); + ::rptMsg(""); + + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $lastwrite = $s->get_timestamp(); + my $install; + eval { + $install = $s->get_value("InstallName")->get_data(); + }; + $install = $s->get_name() if ($install eq ""); + + my $client; + eval { + $client = $s->get_value("InstallClient")->get_data(); + }; + $install .= " InstallClient: ".$client unless ($@); + + push(@{$uninst{$lastwrite}},$install); + } + } + + foreach my $t (reverse sort {$a <=> $b} keys %uninst) { + ::rptMsg(gmtime($t)." 
(UTC)"); + foreach my $item (@{$uninst{$t}}) { + ::rptMsg(" ".$item); + } + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/userassist_tln.pl b/thirdparty/rr-full/plugins/userassist_tln.pl index 418f7e4a46..3c6ca303f2 100644 --- a/thirdparty/rr-full/plugins/userassist_tln.pl +++ b/thirdparty/rr-full/plugins/userassist_tln.pl @@ -5,6 +5,7 @@ # UserAssist values # # Change history +# 20180710 - removed alert functionality # 20130603 - added alert functionality # 20110516 - created, modified from userassist2.pl # 20100322 - Added CLSID list reference @@ -24,12 +25,7 @@ my %config = (hive => "NTUSER\.DAT", hasDescr => 0, hasRefs => 0, osmask => 22, - version => 20130603); - -my @paths = ("recycle","globalroot","temp","system volume information","appdata", - "application data"); - -my @alerts = (); + version => 20180710); sub getConfig{return %config} sub getShortDescr { @@ -113,19 +109,8 @@ sub processKey { foreach my $t (reverse sort {$a <=> $b} keys %ua) { foreach my $i (@{$ua{$t}}) { ::rptMsg($t."|REG|||[Program Execution] UserAssist - ".$i); - - my $lci = lc($i); - foreach my $a (@paths) { - push(@alerts,$t."|ALERT|||UserAssist: ".$a." found in path: ".$i) if (grep(/$a/,$lci)); - } } } } - - if (scalar(@alerts) > 0) { - foreach (@alerts) { - ::alertMsg($_); - } - } } 1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/usrclass b/thirdparty/rr-full/plugins/usrclass index fd2083b066..d1bc5b2fbe 100755 --- a/thirdparty/rr-full/plugins/usrclass +++ b/thirdparty/rr-full/plugins/usrclass @@ -1,5 +1,8 @@ -# 20161213 *ALL* Plugins that apply on USRCLASS hive, alphabetical order -cmd_shell_u -photos -shellbags -shellbags_tln +assoc +cmd_shell_u +msedge_win10 +muicache +photos +photos_win10 +shellbags +shellbags_test 
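Review bot: The trailing `else { ::rptMsg($key_path." has no subkeys."); }` belongs to the `if ($key = $root_key->get_subkey($key_path))` test, so a missing `Component Based Servicing\Packages` key is reported as having no subkeys; change it to `::rptMsg($key_path." not found.");` and give the inner `if (scalar(@subkeys) > 0)` its own `else` carrying the no-subkeys message. `$install = $s->get_name() if ($install eq "");` compares an undef whenever `InstallName` is absent, which works but warns under `-w`; `unless (defined $install && $install ne "")` says what is meant.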
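Review bot: The usrclass profile now lists `shellbags_test` and drops `shellbags_tln`; a `_test` plugin in a shipped profile looks like a development leftover, so confirm it is intended and, if timeline output is still wanted, restore `shellbags_tln`. The software, system and usrclass profiles all lose their `_tln` entries in this change; if that is deliberate, a one-line header comment saying so would stop the next maintainer from adding them back.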
diff --git a/thirdparty/rr-full/plugins/utorrent.pl b/thirdparty/rr-full/plugins/utorrent.pl new file mode 100644 index 0000000000..b38e27b675 --- /dev/null +++ b/thirdparty/rr-full/plugins/utorrent.pl 
@@ -0,0 +1,149 @@ +#------------------------------------------------------------------------------ +# uTorrent +# Shows path where uTorrent client installed (default is C:\Users\\AppData\Roaming\uTorrent) +# Version of uTorrent client installed +# Computer ID (should match 'cids' entry in settings.dat) +# +# Change history +# 20180615 - first release +# +# References +# n/a +# +# Copyright +# Michael Godfrey (c) 2018 +# mgodfrey [at] gmail.com +# +#------------------------------------------------------------------------------ + +package utorrent; +use strict; + +my %config = +( + hive => "NTUSER\.DAT", + hasShortDescr => 0, + hasDescr => 1, + hasRefs => 1, + osmask => 29, + version => 20180615 +); + +sub getConfig {return %config;} +sub getDescr {return "Shows uTorrent client install path, version and Unique ID of computer";} +sub getRefs {return "n/a";} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain +{ + my $class = shift; + my $hive = shift; + ::logMsg('Launching uTorrent v'.$VERSION); + ::rptMsg('utorrent v'.$VERSION.' ('.getDescr().")"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + enum_recursively ($root_key, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\uTorrent", 1,""); + enum_recursively ($root_key, "Software\\BitTorrent", 1,""); +} + +sub hexify +{ +my $data = shift; +my $l=''; +my $r=''; +my $n=0; +my $nd=''; +for (my $i=0; $i15) + + { + $nd.=sprintf("%-48s%s\n", $l,$r); + $l='';$r='';$n=0; + } +} +if ($n!=0) + { + $nd.=sprintf("%-48s%s\n", $l,$r); + + } +return $nd; +} + +sub enum_recursively +{ +my $root_key = shift; +my $key_path = shift; +my $rec_level = shift; +return if ($rec_level>3); +my $find = shift;$find = '.' 
if $find eq ''; +my $key; +my $key_printed=0; +my $sep = ' ' x 2; + +if ($key = $root_key->get_subkey($key_path)) +{ + + $sep = ' ' x 4; + my @vals = $key->get_list_of_values(); + my %ac_vals; + foreach my $v (sort {lc($a) <=> lc($b)} @vals) + { + my $vd = $v->get_data(); + my $vt = $v->get_type_as_string(); + if ($vt !~ /REG_(DWORD|SZ|EXPAND_SZ)/) + { + $vd = hexify($vd); + } + $ac_vals{$v->get_name()}{'VT'} = $vt; + $ac_vals{$v->get_name()}{'VD'} = $vd; + } + foreach my $a (sort {lc($a) <=> lc($b)} keys %ac_vals) + { + my $ax = $a; $ax = '(Default)' if $a eq ''; + my $vt = $ac_vals{$a}{'VT'}; + my $vd = $ac_vals{$a}{'VD'}; + if (($a.$vd) ne ''&& ($ax.$a.$vd) =~/$find/is) + { + if ($key_printed==0) + { + ::rptMsg("\n"); + ::rptMsg($sep.$key_path); + ::rptMsg($sep.'LastWrite Time '.gmtime($key->get_timestamp())." (UTC)\n"); + $key_printed=1; + } + $sep = ' ' x 4; + ::rptMsg($sep.$ax); + $sep = ' ' x 6; + ::rptMsg($sep.$vt); + $sep = ' ' x 8; + if ($vt !~ /REG_(DWORD|SZ|EXPAND_SZ)/) + { + $vd =~ s/[\n]+/\n$sep/sg; + } + ::rptMsg($sep.$vd); + } + + } + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) + { + foreach my $s (@subkeys) + { + enum_recursively ($root_key , $key_path."\\".$s->get_name(), $rec_level + 1,$find); + } + } +} +else +{ + ::rptMsg($sep.$key_path.' not found.'); +} +} diff --git a/thirdparty/rr-full/plugins/watp.pl b/thirdparty/rr-full/plugins/watp.pl new file mode 100644 index 0000000000..c22195ca24 --- /dev/null +++ b/thirdparty/rr-full/plugins/watp.pl 
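Review bot: Both value sorts in `enum_recursively` use `sort {lc($a) <=> lc($b)}`, which compares value names numerically, so non-numeric names all compare equal and the report order is effectively arbitrary; `sort {lc($a) cmp lc($b)}` gives the alphabetical order the code appears to intend. `$find` is interpolated unescaped into `=~/$find/is`, so any future caller passing a literal name containing `.`, `(` or `\` gets a pattern rather than a substring; either document that `$find` is a regex (the `'.'` default suggests it is) or match `\Q$find\E` and test the empty-string default separately. The loop header of `hexify` is garbled in this rendering (`for (my $i=0; $i15)`), so its bounds and the 16-byte row break could not be reviewed here and should be checked in the committed file.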
@@ -0,0 +1,61 @@
+#-----------------------------------------------------------
+# watp
+#
+# Change history:
+# 20190506 - created
+#
+# Ref:
+#
+#
+# copyright 2019 QAR,LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package watp;
+use strict;
+
+my %config = (hive => "Software",
+ category => "config",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20190506);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of Windows Advanced Threat Protection key";
+}
+sub getDescr{}
+sub getRefs {
+}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::rptMsg("Launching watp v.".$VERSION);
+ ::rptMsg("watp v.".$VERSION); # banner
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $key_path = ('Microsoft\\Windows Advanced Protection');
+
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @vals = $key->get_list_of_values();
+ foreach my $v (@vals) {
+ ::rptMsg($v->get_name()." ".$v->get_data());
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
diff --git a/thirdparty/rr-full/plugins/webroot.pl b/thirdparty/rr-full/plugins/webroot.pl
new file mode 100644
index 0000000000..5a4162713e
--- /dev/null
+++ b/thirdparty/rr-full/plugins/webroot.pl
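Review bot: `getShortDescr` says this plugin reads the Windows Advanced Threat Protection key, but `$key_path` is `'Microsoft\\Windows Advanced Protection'` with no "Threat"; one of the two looks wrong, and a typo in the path would silently yield "not found." on every hive, so the key name should be confirmed against a known hive before merge. The value loop prints `$v->get_data()` raw for every value type, so any REG_BINARY data lands in the report as raw bytes; checking `$v->get_type_as_string()` and hex-dumping binary values, as `utorrent.pl` in this commit does with `hexify`, keeps the report readable. `::rptMsg("Launching watp v.".$VERSION)` also writes the launch banner into report output, whereas `webroot.pl` in the same commit routes it through `::logMsg`.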
@@ -0,0 +1,301 @@ +#----------------------------------------------------------- +# webroot.pl +# Plugin to parse webroot antivirus registry data +# I have only extracted some of the data from the root key "WOW6432Node\\WRData", manual review is recommended +# I also do not know what a number of fields mean, so further work may be required to fully exploit the data in this key. +# +# Change history +# 20191230 - initial commit +# +# References +# +# copyright 2019 Phill Moore +#----------------------------------------------------------- + +package webroot; +use strict; + + +my %config = (hive => "SOFTWARE", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20191230); + +sub getConfig{return %config} +sub getShortDescr { + return "Provides *some* of the webroot data in the registry, manual review is still recommended. Particularly surrounding the root key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + + +sub displayActions { + ::rptMsg("---------------------------------------------------------------"); + my $root_key = shift; + my $key_path = "WOW6432Node\\WRData\\Actions"; + my $key; + if ($key = $root_key->get_subkey($key_path)){ + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @vals = $key->get_list_of_values(); + + foreach my $val (@vals) { + my $d = $val->get_data(); + my $v = $val->get_name(); + my $str = $v.":\t".$d; + ::rptMsg($str); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub displayJournal { + ::rptMsg("---------------------------------------------------------------"); + my $root_key = shift; + my $key_path = "WOW6432Node\\WRData\\Journal"; + my $key; + if ($key = $root_key->get_subkey($key_path)){ + ::rptMsg(""); + ::rptMsg($key_path . " - ". gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + my @vals = $key->get_list_of_values(); + + ::rptMsg("filename,md5,timestamp"); + foreach my $val (@vals) { + + #format = "filename=$filename,md5=$md5,timestamp=$timestamp" + my @d = split (/,/, $val->get_data()); + my $fn=(split(/\=/,$d[0]))[1]; + my $md5= (split(/\=/,$d[1]))[1]; + my $ts=(split(/\=/,$d[2]))[1]; + my $timestamp=gmtime($ts); + my $str = $fn.",".$md5.",".$ts.",".$timestamp; + ::rptMsg($str); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub displayStatus { + ::rptMsg("---------------------------------------------------------------"); + my $root_key = shift; + my $key_path = "WOW6432Node\\WRData\\Status"; + my $key; + if ($key = $root_key->get_subkey($key_path)){ + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @vals = $key->get_list_of_values(); + + foreach my $val (@vals) { + my $d = $val->get_data(); + my $v = $val->get_name(); + + #if $v is in the following list then convert timestamp + my @timestamp_fields = ["AgentStartupTime", "ExpirationDate", "LastDeepScan", "LastScan", "LastThreatSeen", "SystemStateUpdated", "UpdateTime", "UpdateTime"]; + $d = $d." (".gmtime($d).")" if ($v ~~ @timestamp_fields); + + my $str = $v.":\t".$d; + ::rptMsg($str); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub displayFileFlags { + ::rptMsg("---------------------------------------------------------------"); + my $root_key = shift; + my $key_path = "WOW6432Node\\WRData\\FileFlags"; + my $key; + if ($key = $root_key->get_subkey($key_path)){ + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + ::rptMsg("MD5 hash:\t\t\t\taction, last changed"); + my @vals = $key->get_list_of_values(); + foreach my $val (@vals) { + my $d = $val->get_data(); + my $v = $val->get_name(); + + my @split_d = split (/\,/, $d); + my @changetime = split (/\=/, $split_d[1]); + my $str = $v.":\t".$d."(".gmtime($changetime[1]).")"; + ::rptMsg($str); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub displayIPM { + ::rptMsg("---------------------------------------------------------------"); + my $root_key = shift; + my $key_path = "WOW6432Node\\WRData\\IPM";; + my $key; + if ($key = $root_key->get_subkey($key_path)){ + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @vals = $key->get_list_of_values(); + foreach my $val (@vals) { + my $d = $val->get_data(); + my $v = $val->get_name(); + my $d = $d." (".gmtime($d).")"if ($v eq "ILU"); + my $str = $v.":\t".$d; + ::rptMsg($str); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + + + + +sub dumpAllVals { + ::rptMsg("---------------------------------------------------------------"); + my $root_key = shift; + my $key_path = shift; + my $key; + if ($key = $root_key->get_subkey($key_path)){ + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @vals = $key->get_list_of_values(); + foreach my $val (@vals) { + my $d = $val->get_data(); + my $v = $val->get_name(); + my $str = $v.":\t".$d; + ::rptMsg($str); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub dumpThreatsVals { + ::rptMsg("---------------------------------------------------------------"); + my $root_key = shift; + my $key_path = shift; + my $key; + my $v; + my $str; + + if ($key = $root_key->get_subkey($key_path)){ + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + my @vals = sort ($key->get_list_of_values()); + + foreach my $val (@vals) { + + my $v = $val->get_name(); + my $d = $val->get_data(); + if ($v eq "Count"){ + $str = $v.":\t".$d; + } + else { + my @split_d = split (/\|/, $d); + my $path = $split_d[0]; + my $detection = $split_d[1]; + my $ts = $split_d[2]; + my $timestamp = gmtime(hex($ts)); + $str = $v.":\t".$path."|".$detection."|".$ts." (".$timestamp.")"; + } + ::rptMsg($str); + } + } + else { + ::rptMsg($key_path." not found."); + } + + +} + +sub displayThreats { + my $root_key = shift; + my $key_path = "WOW6432Node\\WRData\\Threats"; + + + dumpAllVals($root_key, $key_path); + my @threats = ($key_path."\\Active", $key_path."\\History"); + + foreach my $k (@threats){ + #::rptMsg($k); + dumpThreatsVals($root_key, $k); + } +} + + + +my $VERSION = getVersion(); +my $PLUGIN = "webroot"; + +sub pluginmain { + my $class = shift; + my $hive = shift; + my $infected = 0; + ::logMsg("Launching ".$PLUGIN." v.".$VERSION); + ::rptMsg($PLUGIN." v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "WOW6432Node\\WRData"; + my $key; + + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + #my @vals = $key->get_list_of_values(); + my @vals = ("AVP", "BMV", "GWord", "HPL", "InstallDir", "InstalledVersion", "InstallTime", "LastInfection", "OIT"); + + foreach my $v (@vals) { + my $d = $key->get_value($v)->get_data(); + my $str = $v.":\t".$d; + ::rptMsg($str); + } + + + displayActions($root_key); + displayFileFlags($root_key); + displayIPM($root_key); + displayJournal($root_key); + displayStatus($root_key); + displayThreats($root_key); + dumpAllVals($root_key, "WOW6432Node\\WRData\\wrURL"); + } + else { + ::rptMsg($key_path." 
not found.");
+ ::rptMsg("");
+ }
+}1;
\ No newline at end of file
diff --git a/thirdparty/rr-full/plugins/wow64.pl b/thirdparty/rr-full/plugins/wow64.pl
new file mode 100644
index 0000000000..fff65ad377
--- /dev/null
+++ b/thirdparty/rr-full/plugins/wow64.pl
@@ -0,0 +1,71 @@
+#-----------------------------------------------------------
+# wow64
+#
+# Change history:
+# 20190712 - created
+#
+# Ref:
+# http://www.hexacorn.com/blog/2019/07/11/beyond-good-ol-run-key-part-108-2/
+# https://wbenny.github.io/2018/11/04/wow64-internals.html
+#
+# copyright 2019 QAR,LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package wow64;
+use strict;
+
+my %config = (hive => "Software",
+ category => "persistence",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20190712);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of WOW64\\x86 key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::rptMsg("Launching wow64 v.".$VERSION);
+ ::rptMsg("wow64 v.".$VERSION);
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");
+ my @paths = ('Microsoft\\WOW64\\x86','Microsoft\\WOW64\\arm');
+
+ ::rptMsg("WOW64");
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ foreach my $key_path (@paths) {
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @vals;
+ if (@vals = $key->get_list_of_values()) {
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ ::rptMsg($v->get_name()." ".$v->get_data());
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ }
+}
+1;
\ No newline at end of file
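Review bot: In `displayStatus`, `my @timestamp_fields = [ ... ];` builds a one-element array holding an array reference, so `$v ~~ @timestamp_fields` can never match a value name and no Status timestamp is ever decoded; the list needs parentheses, and since `~~` is experimental a plain `my %timestamp_fields = map { $_ => 1 } (...)` with `exists $timestamp_fields{$v}` is the safer form. In `displayIPM`, `my $d = $d." (".gmtime($d).")" if ($v eq "ILU");` redeclares `$d` in the same scope with a statement modifier, which Perl documents as undefined behaviour; dropping the second `my` makes it a plain conditional reassignment. In `pluginmain`, `$key->get_value($v)->get_data()` dies on a hive that lacks any of the nine hard-coded value names, aborting the whole report before the sub-key displays run; guard it with `if (my $val = $key->get_value($v)) { ... }`. `dumpThreatsVals` also sorts value objects with a bare `sort`, which orders by stringified reference rather than name.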
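Review bot: The inner `if (scalar(@vals) > 0)` in `pluginmain` is redundant: the enclosing `if (@vals = $key->get_list_of_values())` is true only when the list is non-empty, so the nested test can never fail and only adds a nesting level. Values under these keys are printed via `$v->get_data()` with no type check, so a REG_BINARY value reaches the report as raw bytes; a `get_type_as_string()` check with a hex dump for binary data would be more robust for a key the plugin categorises as persistence. The launch banner also goes through `::rptMsg`, unlike `webroot.pl` in this commit which sends it to `::logMsg`.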
diff --git a/thirdparty/rr-full/plugins/wsh_settings.pl b/thirdparty/rr-full/plugins/wsh_settings.pl new file mode 100644 index 0000000000..e7c8b2dc57 --- /dev/null +++ b/thirdparty/rr-full/plugins/wsh_settings.pl 
@@ -0,0 +1,69 @@
+#-----------------------------------------------------------
+# wsh_settings
+#
+# Change history:
+# 20180819 - created
+#
+# Ref:
+# http://www.hexacorn.com/blog/2018/08/18/lateral-movement-using-wshcontroller-wshremote-objects-iwshcontroller-and-iwshremote-interfaces/
+#
+# copyright 2018 QAR,LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package wsh_settings;
+use strict;
+
+my %config = (hive => "Software",
+ category => "config",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20180819);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets WSH Settings";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my ($name,$data);
+ ::rptMsg("Launching wsh_settings v.".$VERSION);
+ ::rptMsg("wsh_settings v.".$VERSION); # banner
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $key_path = ('Microsoft\\Windows Script Host\\Settings');
+
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("Key LastWrite: ".gmtime($key->get_timestamp())." Z");
+ my @vals = $key->get_list_of_values();
+ if (scalar @vals > 1) {
+ foreach my $v (@vals) {
+ $name = $v->get_name();
+ $data = $v->get_data();
+ ::rptMsg(sprintf "%-20s %d",$name,$data);
+ }
+ ::rptMsg("");
+ ::rptMsg("Analysis Tip: If Remote value is set to 1, system may be WSH Remoting target");
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
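Review bot: `if (scalar @vals > 1)` in `pluginmain` is off by one: a Settings key holding exactly one value is reported as "has no values.", and since the Analysis Tip hinges on the single `Remote` value that is precisely the case an analyst needs to see; the test should be `if (scalar @vals > 0)`. `sprintf "%-20s %d"` also coerces any non-numeric data to 0, so a REG_SZ value under this key would be shown as `0`; printing with `%s`, or branching on `$v->get_type_as_string()`, avoids a misleading line in the report.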
diff --git a/thirdparty/rr-full/rip.exe b/thirdparty/rr-full/rip.exe index 9a024202f3..575299ad2a 100755 Binary files a/thirdparty/rr-full/rip.exe and b/thirdparty/rr-full/rip.exe differ diff --git a/thirdparty/rr-full/rip.pl b/thirdparty/rr-full/rip.pl index 5cf62efcda..ef8815a86b 100644 --- a/thirdparty/rr-full/rip.pl +++ b/thirdparty/rr-full/rip.pl @@ -8,6 +8,9 @@ # Usage: see "_syntax()" function # # Change History +# 20190318 - modified code to allow the .exe to be run from anywhere within the file system +# 20190128 - added Time::Local, modifications to module Key.pm +# 20180406 - added "-uP" switch to update profiles # 20130801 - added File::Spec support, for cross-platform compat. # 20130716 - added 'push(@INC,$str);' line based on suggestion from # Hal Pomeranz to support Linux compatibility @@ -18,15 +21,14 @@ # 20080419 - added '-g' switch (experimental) # 20080412 - added '-c' switch # -# copyright 2013 Quantum Analytics Research, LLC +# copyright 2013-2019 Quantum Analytics Research, LLC # Author: H. Carvey, keydet89@yahoo.com # -# This software is released via the GPL v3.0 license: -# http://www.gnu.org/licenses/gpl.html #------------------------------------------------------------------------- use strict; use Parse::Win32Registry qw(:REG_); use Getopt::Long; +use Time::Local; use File::Spec; # Included to permit compiling via Perl2Exe @@ -46,7 +48,7 @@ use File::Spec; my %config; Getopt::Long::Configure("prefix_pattern=(-|\/)"); -GetOptions(\%config,qw(reg|r=s file|f=s csv|c guess|g user|u=s sys|s=s plugin|p=s list|l help|?|h)); +GetOptions(\%config,qw(reg|r=s file|f=s csv|c guess|g user|u=s sys|s=s plugin|p=s update|uP list|l help|?|h)); # Code updated 20090102 my @path; 
@@ -55,15 +57,17 @@ my $str = $0; : (@path = split(/\//,$0)); $str =~ s/($path[scalar(@path) - 1])//; -# Suggested addition by Hal Pomeranz for compatibility with -# Linux +# Suggested addition by Hal Pomeranz for compatibility with Linux #push(@INC,$str); - +# code updated 20190318 +my $plugindir; +($^O eq "MSWin32") ? ($plugindir = $str."plugins/") + : ($plugindir = File::Spec->catfile("plugins")); #my $plugindir = $str."plugins/"; -my $plugindir = File::Spec->catfile("plugins"); +#my $plugindir = File::Spec->catfile("plugins"); #print "Plugins Dir = ".$plugindir."\n"; # End code update -my $VERSION = "2\.8_20130801"; +my $VERSION = "2\.8_20190318"; my @alerts = (); if ($config{help} || !%config) { 
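Review bot: The new `$plugindir` ternary uses the script's own directory (`$str`) only on MSWin32; on every other platform it still resolves `File::Spec->catfile("plugins")` against the current working directory, so the 20190318 changelog claim of running from anywhere appears to hold for the Windows build only. Since `$str` is computed for both platforms in the preceding context lines, `my $plugindir = File::Spec->catdir($str, "plugins");` would behave the same everywhere and also drops the hard-coded `/` separator. Whether `$str` is non-empty when the script is launched by a bare name without a path is not verifiable from this hunk.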
@@ -107,6 +111,55 @@ if ($config{list}) { exit; } +#------------------------------------------------------------- +# +#------------------------------------------------------------- +if ($config{update}) { + my @plugins; + opendir(DIR,$plugindir) || die "Could not open $plugindir: $!\n"; + @plugins = readdir(DIR); + closedir(DIR); +# hash of lists to hold plugin names + my %files = (); + + foreach my $p (@plugins) { + next unless ($p =~ m/\.pl$/); +# $pkg = name of plugin + my $pkg = (split(/\./,$p,2))[0]; +# $p = $plugindir.$p; + $p = File::Spec->catfile($plugindir,$p); + eval { + require $p; + my $hive = $pkg->getHive(); + my @hives = split(/,/,$hive); + foreach my $h (@hives) { + my $lch = lc($h); + $lch =~ s/\.dat$//; + $lch =~ s/^\s+//; + + push(@{$files{$lch}},$pkg); + + } + + }; + print "Error: $@\n" if ($@); + } + +# once hash of lists is populated, print files + foreach my $f (keys %files) { + my $filepath = $plugindir."\\".$f; + open(FH,">",$filepath) || die "Could not open ".$filepath." to write: $!"; + + for my $i (0..$#{$files{$f}}) { + next if ($files{$f}[$i] =~ m/tln$/); + print FH $files{$f}[$i]."\n"; + } + + close(FH); + } + exit; +} + #------------------------------------------------------------- # #------------------------------------------------------------- @@ -199,6 +252,7 @@ Parse Windows Registry files, using either a single module, or a plugins file. -c ................Output list in CSV format (use with -l) -s system name.....Server name (TLN support) -u username........User name (TLN support) + -uP ...............Update profiles -h.................Help (print this information) Ex: C:\\>rip -r c:\\case\\system -f system @@ -207,7 +261,7 @@ Ex: C:\\>rip -r c:\\case\\system -f system All output goes to STDOUT; use redirection (ie, > or >>) to output to a file\. -copyright 2013 Quantum Analytics Research, LLC +copyright 2019 Quantum Analytics Research, LLC EOT } 
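Review bot: `my $filepath = $plugindir."\\".$f;` in the `update` block hard-codes a backslash separator although the same block builds `$p` with `File::Spec->catfile($plugindir,$p)` a few lines earlier; with the Windows `$plugindir` ending in `/` this produces a `plugins/\ntuser` path, and on Linux it creates a profile file whose name contains a literal backslash. `my $filepath = File::Spec->catfile($plugindir,$f);` keeps the two consistent. The block also uses the bareword handles `DIR` and `FH`; lexical handles (`opendir(my $dh, ...)`, `open(my $fh, ...)`) avoid clobbering a same-named global handle elsewhere in rip.pl. Note that `require $p` executes every `.pl` file in the plugin directory during the profile rebuild, so `-uP` carries the same trust assumption on that directory as a normal plugin run and that is worth a comment above the loop.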
diff --git a/thirdparty/rr-full/rip_bulk.zip b/thirdparty/rr-full/rip_bulk.zip new file mode 100644 index 0000000000..689b38d9ec Binary files /dev/null and b/thirdparty/rr-full/rip_bulk.zip differ diff --git a/thirdparty/rr-full/rr.exe b/thirdparty/rr-full/rr.exe index 889b971889..de4898478d 100755 Binary files a/thirdparty/rr-full/rr.exe and b/thirdparty/rr-full/rr.exe differ diff --git a/thirdparty/rr-full/rr.pl b/thirdparty/rr-full/rr.pl index f4e06fe824..fdd78c2fc6 100644 --- a/thirdparty/rr-full/rr.pl +++ b/thirdparty/rr-full/rr.pl @@ -8,6 +8,7 @@ # version # # Change History: +# 20190128 - added Time::Local, modifications to module Key.pm # 20130429 - minor updates, including not adding .txt files to Profile list # 20130425 - added alertMsg() functionality, updated to v2.8 # 20120505 - Updated to v2.5 @@ -34,14 +35,13 @@ # Functionality: # - plugins file is selectable # -# copyright 2013 Quantum Research Analytics, LLC +# copyright 2013-2019 Quantum Research Analytics, LLC # Author: H. Carvey, keydet89@yahoo.com # -# This software is released via the GPL v3.0 license: -# http://www.gnu.org/licenses/gpl.html #----------------------------------------------------------- #use strict; use Win32::GUI(); +use Time::Local; use Parse::Win32Registry qw(:REG_); # Included to permit compiling via Perl2Exe @@ -61,7 +61,7 @@ use Parse::Win32Registry qw(:REG_); #----------------------------------------------------------- # Global variables #----------------------------------------------------------- -my $VERSION = "2\.8"; +my $VERSION = "2\.8_20190128"; my %env; my @alerts = (); @@ -318,7 +318,7 @@ sub RR_OnAbout { "Parses Registry hive (NTUSER\.DAT, System, etc.) files, placing pertinent info in a report ". "file in a readable manner.\r\n". "\r\n". - "Copyright 2013 Quantum Analytics Research, LLC.\r\n". + "Copyright 2019 Quantum Analytics Research, LLC.\r\n". "H\. Carvey, keydet89\@yahoo\.com", "About...", MB_ICONINFORMATION | MB_OK, 
diff --git a/thirdparty/rr-full/sample.txt b/thirdparty/rr-full/sample.txt new file mode 100644 index 0000000000..cf10772c2c --- /dev/null +++ b/thirdparty/rr-full/sample.txt 
@@ -0,0 +1,6064 @@ +Modified | Accessed | Created | Zip_Opened |Resource +____________ | ____________ | ____________ | ____________ |____________ + | | | |Desktop\Control Panel + | | | |Desktop\Control Panel\ + | | | |Desktop\Control Panel\Network and Sharing Center + | | | |Desktop\Control Panel\{7007acc7-3202-11d1-aad2-00805fc1270e} + | | | |Desktop\Control Panel\ + | | | |Desktop\Control Panel\System + | | | |Desktop\Control Panel\Windows Update + | | | |Desktop\Control Panel\Windows Update\View update history + | | | |Desktop\Control Panel\Windows Update\View available updates + | | | |Desktop\Control Panel\Performance Information and Tools + | | | |Desktop\Control Panel\Getting Started + | | | |Desktop\Control Panel\ + | | | |Desktop\Control Panel\Personalization + | | | |Desktop\Control Panel\Personalization\Desktop Background + | | | |Desktop\Control Panel\Personalization\Window Color and Appearance + | | | |Desktop\Control Panel\ + | | | |Desktop\Control Panel\Programs and Features + | | | |Desktop\Control Panel\Default Programs + | | | |Desktop\Control Panel\ + | | | |Desktop\Control Panel\Power Options + | | | |Desktop\Control Panel\Power Options\Create a Power Plan + | | | |Desktop\Control Panel\Power Options\Edit Plan Settings + | | | |Desktop\Control Panel\ + | | | |Desktop\Control Panel\ + | | | |Desktop\Control Panel\User Accounts + | | | |Desktop\Control Panel\User Accounts\Turn User Account Control On or Off + | | | |Desktop\My Computer + | | | |Desktop\My Computer\C:\ + +0x00000000: 70 00 31 00 00 00 00 00 2c 39 26 8c 11 00 55 73 p.1.....,9&...Us +0x00000010: 65 72 73 00 5c 00 07 00 04 00 ef be 62 35 51 5a ers.\.......b5QZ +0x00000020: 2c 39 26 8c 26 00 00 00 37 01 00 00 00 00 01 00 ,9&.&...7....... +0x00000030: 00 00 00 00 00 00 00 00 32 00 55 00 73 00 65 00 ........2.U.s.e. +0x00000040: 72 00 73 00 00 00 40 00 73 00 68 00 65 00 6c 00 r.s...@.s.h.e.l. +0x00000050: 6c 00 33 00 32 00 2e 00 64 00 6c 00 6c 00 2c 00 l.3.2...d.l.l.,. 
+0x00000060: 2d 00 32 00 31 00 38 00 31 00 33 00 00 00 14 00 -.2.1.8.1.3..... +0x00000070: 00 00 .. + +2008-09-12 17:33:12 | 2008-09-12 17:33:12 | 2006-11-02 11:18:34 | |Desktop\My Computer\C:\Users + +0x00000000: 4c 00 31 00 00 00 00 00 2c 39 34 8c 10 00 6e 67 L.1.....,94...ng +0x00000010: 75 79 65 6e 00 00 36 00 07 00 04 00 ef be 2c 39 uyen..6.......,9 +0x00000020: 26 8c 2c 39 34 8c 26 00 00 00 8b 01 00 00 00 00 &.,94.&......... +0x00000030: 07 00 00 00 00 00 00 00 00 00 00 00 6e 00 67 00 ............n.g. +0x00000040: 75 00 79 00 65 00 6e 00 00 00 16 00 00 00 u.y.e.n....... + +2008-09-12 17:33:40 | 2008-09-12 17:33:40 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen + +0x00000000: 4e 00 31 00 00 00 00 00 2c 39 34 8c 12 20 41 70 N.1.....,94.. Ap +0x00000010: 70 44 61 74 61 00 38 00 07 00 04 00 ef be 2c 39 pData.8.......,9 +0x00000020: 26 8c 2c 39 34 8c 26 00 00 00 b0 35 00 00 00 00 &.,94.&....5.... +0x00000030: 06 00 00 00 00 00 00 00 00 00 00 00 41 00 70 00 ............A.p. +0x00000040: 70 00 44 00 61 00 74 00 61 00 00 00 16 00 00 00 p.D.a.t.a....... + +2008-09-12 17:33:40 | 2008-09-12 17:33:40 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\AppData + +0x00000000: 4e 00 31 00 00 00 00 00 2c 39 2e 8c 10 20 52 6f N.1.....,9... Ro +0x00000010: 61 6d 69 6e 67 00 38 00 07 00 04 00 ef be 2c 39 aming.8.......,9 +0x00000020: 26 8c 2c 39 2e 8c 26 00 00 00 f7 35 00 00 00 00 &.,9..&....5.... +0x00000030: 05 00 00 00 00 00 00 00 00 00 00 00 52 00 6f 00 ............R.o. +0x00000040: 61 00 6d 00 69 00 6e 00 67 00 00 00 16 00 00 00 a.m.i.n.g....... + +2008-09-12 17:33:28 | 2008-09-12 17:33:28 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\AppData\Roaming + +0x00000000: 54 00 31 00 00 00 00 00 2c 39 2e 8c 14 20 4d 49 T.1.....,9... MI +0x00000010: 43 52 4f 53 7e 31 00 00 3c 00 07 00 04 00 ef be CROS~1..<....... +0x00000020: 2c 39 26 8c 2c 39 2e 8c 26 00 00 00 3f 3b 00 00 ,9&.,9..&...?;.. 
+0x00000030: 00 00 03 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 i.c.r.o.s.o.f.t. +0x00000050: 00 00 18 00 00 00 ...... + +2008-09-12 17:33:28 | 2008-09-12 17:33:28 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\AppData\Roaming\Microsoft + +0x00000000: 4e 00 31 00 00 00 00 00 62 35 52 5a 10 20 57 69 N.1.....b5RZ. Wi +0x00000010: 6e 64 6f 77 73 00 38 00 07 00 04 00 ef be 2c 39 ndows.8.......,9 +0x00000020: 26 8c 2c 39 26 8c 26 00 00 00 b0 3b 00 00 00 00 &.,9&.&....;.... +0x00000030: 03 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 ............W.i. +0x00000040: 6e 00 64 00 6f 00 77 00 73 00 00 00 16 00 00 00 n.d.o.w.s....... + +2006-11-02 11:18:36 | 2008-09-12 17:33:12 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\AppData\Roaming\Microsoft\Windows + +0x00000000: 7e 00 31 00 00 00 00 00 2c 39 34 8c 11 00 53 54 ~.1.....,94...ST +0x00000010: 41 52 54 4d 7e 31 00 00 66 00 07 00 04 00 ef be ARTM~1..f....... +0x00000020: 2c 39 26 8c 2c 39 34 8c 26 00 00 00 c7 8c 00 00 ,9&.,94.&....... +0x00000030: 00 00 08 00 00 00 00 00 00 00 00 00 3c 00 53 00 ............<.S. +0x00000040: 74 00 61 00 72 00 74 00 20 00 4d 00 65 00 6e 00 t.a.r.t. .M.e.n. +0x00000050: 75 00 00 00 40 00 73 00 68 00 65 00 6c 00 6c 00 u...@.s.h.e.l.l. +0x00000060: 33 00 32 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 3.2...d.l.l.,.-. +0x00000070: 32 00 31 00 37 00 38 00 36 00 00 00 18 00 00 00 2.1.7.8.6....... + +2008-09-12 17:33:40 | 2008-09-12 17:33:40 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\AppData\Roaming\Microsoft\Windows\Start Menu + +0x00000000: 48 00 31 00 00 00 00 00 74 39 07 ac 10 20 4c 6f H.1.....t9... Lo +0x00000010: 63 61 6c 00 34 00 07 00 04 00 ef be 2c 39 26 8c cal.4.......,9&. +0x00000020: 74 39 07 ac 26 00 00 00 ac 9f 00 00 00 00 04 00 t9..&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 4c 00 6f 00 63 00 ..........L.o.c. 
+0x00000040: 61 00 6c 00 00 00 14 00 00 00 a.l....... + +2008-11-20 21:32:14 | 2008-11-20 21:32:14 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\AppData\Local + +0x00000000: 46 00 31 00 00 00 00 00 8f 39 02 8f 10 20 54 65 F.1......9... Te +0x00000010: 6d 70 00 00 32 00 07 00 04 00 ef be 2c 39 26 8c mp..2.......,9&. +0x00000020: 8f 39 02 8f 26 00 00 00 b0 9f 00 00 00 00 04 00 .9..&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 54 00 65 00 6d 00 ..........T.e.m. +0x00000040: 70 00 00 00 14 00 00 00 p....... + +2008-12-15 17:56:04 | 2008-12-15 17:56:04 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\AppData\Local\Temp + +0x00000000: 58 00 31 00 00 00 00 00 8f 39 bc 8e 10 20 4e 4f X.1......9... NO +0x00000010: 54 45 53 36 7e 31 00 00 40 00 07 00 04 00 ef be TES6~1..@....... +0x00000020: 54 39 e9 96 8f 39 bc 8e 26 00 00 00 94 33 00 00 T9...9..&....3.. +0x00000030: 00 00 15 00 00 00 00 00 00 00 00 00 00 00 6e 00 ..............n. +0x00000040: 6f 00 74 00 65 00 73 00 36 00 30 00 33 00 30 00 o.t.e.s.6.0.3.0. +0x00000050: 43 00 38 00 00 00 18 00 00 00 C.8....... + +2008-12-15 17:53:56 | 2008-12-15 17:53:56 | 2008-10-20 18:55:18 | |Desktop\My Computer\C:\Users\nguyen\AppData\Local\Temp\notes6030C8 + +0x00000000: c6 00 31 00 00 00 00 00 2c 39 2d 8c 11 00 43 6f ..1.....,9-...Co +0x00000010: 6e 74 61 63 74 73 00 00 ae 00 07 00 04 00 ef be ntacts.......... +0x00000020: 2c 39 2d 8c 2c 39 2d 8c 26 00 00 00 6b 1b 00 00 ,9-.,9-.&...k... +0x00000030: 00 00 12 00 00 00 00 00 00 00 00 00 38 00 43 00 ............8.C. +0x00000040: 6f 00 6e 00 74 00 61 00 63 00 74 00 73 00 00 00 o.n.t.a.c.t.s... +0x00000050: 40 00 43 00 3a 00 5c 00 50 00 72 00 6f 00 67 00 @.C.:.\.P.r.o.g. +0x00000060: 72 00 61 00 6d 00 20 00 46 00 69 00 6c 00 65 00 r.a.m. .F.i.l.e. +0x00000070: 73 00 5c 00 43 00 6f 00 6d 00 6d 00 6f 00 6e 00 s.\.C.o.m.m.o.n. +0x00000080: 20 00 46 00 69 00 6c 00 65 00 73 00 5c 00 73 00 .F.i.l.e.s.\.s. 
+0x00000090: 79 00 73 00 74 00 65 00 6d 00 5c 00 77 00 61 00 y.s.t.e.m.\.w.a. +0x000000a0: 62 00 33 00 32 00 72 00 65 00 73 00 2e 00 64 00 b.3.2.r.e.s...d. +0x000000b0: 6c 00 6c 00 2c 00 2d 00 31 00 30 00 31 00 30 00 l.l.,.-.1.0.1.0. +0x000000c0: 30 00 00 00 18 00 00 00 0....... + +2008-09-12 17:33:26 | 2008-09-12 17:33:26 | 2008-09-12 17:33:26 | |Desktop\My Computer\C:\Users\nguyen\Contacts + +0x00000000: 76 00 31 00 00 00 00 00 4f 39 4b b3 11 00 44 65 v.1.....O9K...De +0x00000010: 73 6b 74 6f 70 00 60 00 07 00 04 00 ef be 2c 39 sktop.`.......,9 +0x00000020: 26 8c 4f 39 4b b3 26 00 00 00 ad 35 00 00 00 00 &.O9K.&....5.... +0x00000030: 05 00 00 00 00 00 00 00 00 00 36 00 44 00 65 00 ..........6.D.e. +0x00000040: 73 00 6b 00 74 00 6f 00 70 00 00 00 40 00 73 00 s.k.t.o.p...@.s. +0x00000050: 68 00 65 00 6c 00 6c 00 33 00 32 00 2e 00 64 00 h.e.l.l.3.2...d. +0x00000060: 6c 00 6c 00 2c 00 2d 00 32 00 31 00 37 00 36 00 l.l.,.-.2.1.7.6. +0x00000070: 39 00 00 00 16 00 00 00 9....... + +2008-10-15 22:26:22 | 2008-10-15 22:26:22 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\Desktop + +0x00000000: 4c 00 31 00 00 00 00 00 52 3c b0 ad 10 00 43 69 L.1.....R<....Ci +0x00000010: 73 70 72 6f 00 00 36 00 07 00 04 00 ef be 52 3c spro..6.......R< +0x00000020: ad ad 52 3c b0 ad 26 00 00 00 07 22 00 00 00 00 ..R<..&....".... +0x00000030: 93 00 00 00 00 00 00 00 00 00 00 00 43 00 69 00 ............C.i. +0x00000040: 73 00 70 00 72 00 6f 00 00 00 16 00 00 00 s.p.r.o....... + +2010-02-18 21:45:32 | 2010-02-18 21:45:32 | 2010-02-18 21:45:26 | |Desktop\My Computer\C:\Users\nguyen\Desktop\Cispro + +0x00000000: 7c 00 31 00 00 00 00 00 2c 39 34 8c 11 00 44 4f |.1.....,94...DO +0x00000010: 57 4e 4c 4f 7e 31 00 00 64 00 07 00 04 00 ef be WNLO~1..d....... +0x00000020: 2c 39 26 8c 2c 39 34 8c 26 00 00 00 b7 2c 00 00 ,9&.,94.&....,.. +0x00000030: 00 00 06 00 00 00 00 00 00 00 00 00 3a 00 44 00 ............:.D. +0x00000040: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 73 00 o.w.n.l.o.a.d.s. 
+0x00000050: 00 00 40 00 73 00 68 00 65 00 6c 00 6c 00 33 00 ..@.s.h.e.l.l.3. +0x00000060: 32 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 2...d.l.l.,.-.2. +0x00000070: 31 00 37 00 39 00 38 00 00 00 18 00 00 00 1.7.9.8....... + +2008-09-12 17:33:40 | 2008-09-12 17:33:40 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\Downloads + +0x00000000: 7c 00 31 00 00 00 00 00 2c 39 35 8c 11 00 46 41 |.1.....,95...FA +0x00000010: 56 4f 52 49 7e 31 00 00 64 00 07 00 04 00 ef be VORI~1..d....... +0x00000020: 2c 39 26 8c 2c 39 35 8c 26 00 00 00 ab 2c 00 00 ,9&.,95.&....,.. +0x00000030: 00 00 06 00 00 00 00 00 00 00 00 00 3a 00 46 00 ............:.F. +0x00000040: 61 00 76 00 6f 00 72 00 69 00 74 00 65 00 73 00 a.v.o.r.i.t.e.s. +0x00000050: 00 00 40 00 73 00 68 00 65 00 6c 00 6c 00 33 00 ..@.s.h.e.l.l.3. +0x00000060: 32 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 2...d.l.l.,.-.2. +0x00000070: 31 00 37 00 39 00 36 00 00 00 18 00 00 00 1.7.9.6....... + +2008-09-12 17:33:42 | 2008-09-12 17:33:42 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\Favorites + +0x00000000: 70 00 31 00 00 00 00 00 2c 39 34 8c 11 00 4c 69 p.1.....,94...Li +0x00000010: 6e 6b 73 00 5c 00 07 00 04 00 ef be 2c 39 26 8c nks.\.......,9&. +0x00000020: 2c 39 34 8c 26 00 00 00 aa 2c 00 00 00 00 05 00 ,94.&....,...... +0x00000030: 00 00 00 00 00 00 00 00 32 00 4c 00 69 00 6e 00 ........2.L.i.n. +0x00000040: 6b 00 73 00 00 00 40 00 73 00 68 00 65 00 6c 00 k.s...@.s.h.e.l. +0x00000050: 6c 00 33 00 32 00 2e 00 64 00 6c 00 6c 00 2c 00 l.3.2...d.l.l.,. +0x00000060: 2d 00 32 00 31 00 38 00 31 00 30 00 00 00 14 00 -.2.1.8.1.0..... +0x00000070: 00 00 .. + +2008-09-12 17:33:40 | 2008-09-12 17:33:40 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\Links + +0x00000000: 80 00 31 00 00 00 00 00 2c 39 34 8c 11 00 53 41 ..1.....,94...SA +0x00000010: 56 45 44 47 7e 31 00 00 68 00 07 00 04 00 ef be VEDG~1..h....... +0x00000020: 2c 39 26 8c 2c 39 34 8c 26 00 00 00 bb 20 00 00 ,9&.,94.&.... .. 
+0x00000030: 00 00 05 00 00 00 00 00 00 00 00 00 3e 00 53 00 ............>.S. +0x00000040: 61 00 76 00 65 00 64 00 20 00 47 00 61 00 6d 00 a.v.e.d. .G.a.m. +0x00000050: 65 00 73 00 00 00 40 00 73 00 68 00 65 00 6c 00 e.s...@.s.h.e.l. +0x00000060: 6c 00 33 00 32 00 2e 00 64 00 6c 00 6c 00 2c 00 l.3.2...d.l.l.,. +0x00000070: 2d 00 32 00 31 00 38 00 31 00 34 00 00 00 18 00 -.2.1.8.1.4..... +0x00000080: 00 00 .. + +2008-09-12 17:33:40 | 2008-09-12 17:33:40 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\Saved Games + +0x00000000: 78 00 31 00 00 00 00 00 2c 39 34 8c 11 00 53 65 x.1.....,94...Se +0x00000010: 61 72 63 68 65 73 00 00 60 00 07 00 04 00 ef be arches..`....... +0x00000020: 2c 39 34 8c 2c 39 34 8c 26 00 00 00 b6 3c 00 00 ,94.,94.&....<.. +0x00000030: 00 00 04 00 00 00 00 00 00 00 00 00 38 00 53 00 ............8.S. +0x00000040: 65 00 61 00 72 00 63 00 68 00 65 00 73 00 00 00 e.a.r.c.h.e.s... +0x00000050: 40 00 73 00 68 00 65 00 6c 00 6c 00 33 00 32 00 @.s.h.e.l.l.3.2. +0x00000060: 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 39 00 30 00 ..d.l.l.,.-.9.0. +0x00000070: 33 00 31 00 00 00 18 00 00 00 3.1....... + +2008-09-12 17:33:40 | 2008-09-12 17:33:40 | 2008-09-12 17:33:40 | |Desktop\My Computer\C:\Users\nguyen\Searches + +0x00000000: 7c 00 31 00 00 00 00 00 65 39 d3 88 11 00 44 4f |.1.....e9....DO +0x00000010: 43 55 4d 45 7e 31 00 00 64 00 07 00 04 00 ef be CUME~1..d....... +0x00000020: 2c 39 26 8c 65 39 d3 88 26 00 00 00 93 34 00 00 ,9&.e9..&....4.. +0x00000030: 00 00 05 00 00 00 00 00 00 00 00 00 3a 00 44 00 ............:.D. +0x00000040: 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 73 00 o.c.u.m.e.n.t.s. +0x00000050: 00 00 40 00 73 00 68 00 65 00 6c 00 6c 00 33 00 ..@.s.h.e.l.l.3. +0x00000060: 32 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 2...d.l.l.,.-.2. +0x00000070: 31 00 37 00 37 00 30 00 00 00 18 00 00 00 1.7.7.0....... 
+ +2008-11-05 17:06:38 | 2008-11-05 17:06:38 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\Documents + +0x00000000: 7a 00 31 00 00 00 00 00 2c 39 34 8c 11 00 50 69 z.1.....,94...Pi +0x00000010: 63 74 75 72 65 73 00 00 62 00 07 00 04 00 ef be ctures..b....... +0x00000020: 2c 39 26 8c 2c 39 34 8c 26 00 00 00 c1 20 00 00 ,9&.,94.&.... .. +0x00000030: 00 00 05 00 00 00 00 00 00 00 00 00 38 00 50 00 ............8.P. +0x00000040: 69 00 63 00 74 00 75 00 72 00 65 00 73 00 00 00 i.c.t.u.r.e.s... +0x00000050: 40 00 73 00 68 00 65 00 6c 00 6c 00 33 00 32 00 @.s.h.e.l.l.3.2. +0x00000060: 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 31 00 ..d.l.l.,.-.2.1. +0x00000070: 37 00 37 00 39 00 00 00 18 00 00 00 7.7.9....... + +2008-09-12 17:33:40 | 2008-09-12 17:33:40 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\Pictures + +0x00000000: 4a 00 31 00 00 00 00 00 64 3b 08 aa 10 00 53 50 J.1.....d;....SP +0x00000010: 53 53 7e 31 00 00 34 00 07 00 04 00 ef be 64 3b SS~1..4.......d; +0x00000020: 08 aa 64 3b 08 aa 26 00 00 00 ed 9b 01 00 00 00 ..d;..&......... +0x00000030: 87 00 00 00 00 00 00 00 00 00 00 00 2e 00 73 00 ..............s. +0x00000040: 70 00 73 00 73 00 00 00 16 00 00 00 p.s.s....... + +2009-11-04 21:16:16 | 2009-11-04 21:16:16 | 2009-11-04 21:16:16 | |Desktop\My Computer\C:\Users\nguyen\.spss + +0x00000000: 70 00 31 00 00 00 00 00 2c 39 34 8c 11 00 4d 75 p.1.....,94...Mu +0x00000010: 73 69 63 00 5c 00 07 00 04 00 ef be 2c 39 26 8c sic.\.......,9&. +0x00000020: 2c 39 34 8c 26 00 00 00 cb 20 00 00 00 00 0d 00 ,94.&.... ...... +0x00000030: 00 00 00 00 00 00 00 00 32 00 4d 00 75 00 73 00 ........2.M.u.s. +0x00000040: 69 00 63 00 00 00 40 00 73 00 68 00 65 00 6c 00 i.c...@.s.h.e.l. +0x00000050: 6c 00 33 00 32 00 2e 00 64 00 6c 00 6c 00 2c 00 l.3.2...d.l.l.,. +0x00000060: 2d 00 32 00 31 00 37 00 39 00 30 00 00 00 14 00 -.2.1.7.9.0..... +0x00000070: 00 00 .. 
+ +2008-09-12 17:33:40 | 2008-09-12 17:33:40 | 2008-09-12 17:33:12 | |Desktop\My Computer\C:\Users\nguyen\Music + +0x00000000: 4c 00 31 00 00 00 00 00 ee 3c 41 7d 10 00 69 54 L.1..........Pu +0x00000010: 62 6c 69 63 00 00 5e 00 07 00 04 00 ef be 62 35 blic..^.......b5 +0x00000020: 52 5a e8 3e d4 80 26 00 00 00 ba 01 00 00 00 00 RZ.>..&......... +0x00000030: 01 00 00 00 00 00 00 00 00 00 34 00 50 00 75 00 ..........4.P.u. +0x00000040: 62 00 6c 00 69 00 63 00 00 00 40 00 73 00 68 00 b.l.i.c...@.s.h. +0x00000050: 65 00 6c 00 6c 00 33 00 32 00 2e 00 64 00 6c 00 e.l.l.3.2...d.l. +0x00000060: 6c 00 2c 00 2d 00 32 00 31 00 38 00 31 00 36 00 l.,.-.2.1.8.1.6. +0x00000070: 00 00 16 00 00 00 ...... + +2011-07-08 16:06:40 | 2011-07-08 16:06:40 | 2006-11-02 11:18:36 | |Desktop\My Computer\C:\Users\Public + +0x00000000: 7c 00 31 00 00 00 00 00 62 35 5d 66 11 00 44 4f |.1.....b5]f..DO +0x00000010: 57 4e 4c 4f 7e 31 00 00 64 00 07 00 04 00 ef be WNLO~1..d....... +0x00000020: 62 35 52 5a 62 35 5d 66 26 00 00 00 bd 01 00 00 b5RZb5]f&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 3a 00 44 00 ............:.D. +0x00000040: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 73 00 o.w.n.l.o.a.d.s. +0x00000050: 00 00 40 00 73 00 68 00 65 00 6c 00 6c 00 33 00 ..@.s.h.e.l.l.3. +0x00000060: 32 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 2...d.l.l.,.-.2. +0x00000070: 31 00 38 00 30 00 38 00 00 00 18 00 00 00 1.8.0.8....... + +2006-11-02 12:50:58 | 2006-11-02 12:50:58 | 2006-11-02 11:18:36 | |Desktop\My Computer\C:\Users\Public\Downloads + +0x00000000: 76 00 31 00 00 00 00 00 ed 3e 53 a8 13 00 44 65 v.1......>S...De +0x00000010: 73 6b 74 6f 70 00 60 00 07 00 04 00 ef be 62 35 sktop.`.......b5 +0x00000020: 52 5a ed 3e 53 a8 26 00 00 00 bb 01 00 00 00 00 RZ.>S.&......... +0x00000030: 01 00 00 00 00 00 00 00 00 00 36 00 44 00 65 00 ..........6.D.e. +0x00000040: 73 00 6b 00 74 00 6f 00 70 00 00 00 40 00 73 00 s.k.t.o.p...@.s. 
+0x00000050: 68 00 65 00 6c 00 6c 00 33 00 32 00 2e 00 64 00 h.e.l.l.3.2...d. +0x00000060: 6c 00 6c 00 2c 00 2d 00 32 00 31 00 37 00 39 00 l.l.,.-.2.1.7.9. +0x00000070: 39 00 00 00 16 00 00 00 9....... + +2011-07-13 21:02:38 | 2011-07-13 21:02:38 | 2006-11-02 11:18:36 | |Desktop\My Computer\C:\Users\Public\Desktop + +0x00000000: 4e 00 31 00 00 00 00 00 2c 39 ba 95 10 00 57 69 N.1.....,9....Wi +0x00000010: 6e 64 6f 77 73 00 38 00 07 00 04 00 ef be 62 35 ndows.8.......b5 +0x00000020: 52 5a 2c 39 ba 95 26 00 00 00 c5 01 00 00 00 00 RZ,9..&......... +0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 ............W.i. +0x00000040: 6e 00 64 00 6f 00 77 00 73 00 00 00 16 00 00 00 n.d.o.w.s....... + +2008-09-12 18:45:52 | 2008-09-12 18:45:52 | 2006-11-02 11:18:36 | |Desktop\My Computer\C:\Windows + +0x00000000: 42 00 31 00 00 00 00 00 62 35 b5 64 10 00 57 65 B.1.....b5.d..We +0x00000010: 62 00 30 00 07 00 04 00 ef be 62 35 57 5a 62 35 b.0.......b5WZb5 +0x00000020: b5 64 26 00 00 00 16 08 00 00 00 00 01 00 00 00 .d&............. +0x00000030: 00 00 00 00 00 00 00 00 57 00 65 00 62 00 00 00 ........W.e.b... +0x00000040: 12 00 00 00 .... + +2006-11-02 12:37:42 | 2006-11-02 12:37:42 | 2006-11-02 11:18:46 | |Desktop\My Computer\C:\Windows\Web + +0x00000000: 54 00 31 00 00 00 00 00 62 35 b5 64 10 00 57 41 T.1.....b5.d..WA +0x00000010: 4c 4c 50 41 7e 31 00 00 3c 00 07 00 04 00 ef be LLPA~1..<....... +0x00000020: 62 35 b5 64 62 35 b5 64 26 00 00 00 17 08 00 00 b5.db5.d&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 61 00 6c 00 6c 00 70 00 61 00 70 00 65 00 72 00 a.l.l.p.a.p.e.r. +0x00000050: 00 00 18 00 00 00 ...... + +2006-11-02 12:37:42 | 2006-11-02 12:37:42 | 2006-11-02 12:37:42 | |Desktop\My Computer\C:\Windows\Web\Wallpaper + +0x00000000: 52 00 31 00 00 00 00 00 49 3a 84 93 10 00 53 79 R.1.....I:....Sy +0x00000010: 73 74 65 6d 33 32 00 00 3a 00 07 00 04 00 ef be stem32..:....... 
+0x00000020: 62 35 53 5a 49 3a 84 93 26 00 00 00 ce 04 00 00 b5SZI:..&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 53 00 ..............S. +0x00000040: 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 00 00 y.s.t.e.m.3.2... +0x00000050: 18 00 00 00 .... + +2009-02-09 18:28:08 | 2009-02-09 18:28:08 | 2006-11-02 11:18:38 | |Desktop\My Computer\C:\Windows\System32 + +0x00000000: 9c 00 b1 00 00 00 00 00 00 00 00 00 14 00 44 6f ..............Do +0x00000010: 77 6e 6c 6f 61 64 65 64 20 50 72 6f 67 72 61 6d wnloaded Program +0x00000020: 20 46 69 6c 65 73 00 00 5a 00 07 00 04 00 ef be Files..Z....... +0x00000030: 00 00 00 00 00 00 00 00 26 00 00 00 00 00 00 00 ........&....... +0x00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 00 ..............D. +0x00000050: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 65 00 o.w.n.l.o.a.d.e. +0x00000060: 64 00 20 00 50 00 72 00 6f 00 67 00 72 00 61 00 d. .P.r.o.g.r.a. +0x00000070: 6d 00 20 00 46 00 69 00 6c 00 65 00 73 00 00 00 m. .F.i.l.e.s... +0x00000080: 28 00 1a 00 00 00 03 00 ef be 81 c3 c6 88 85 2e (............... +0x00000090: d0 11 94 de 44 45 53 54 00 00 28 00 00 00 ....DEST..(... + + | | | |Desktop\My Computer\C:\Windows\Downloaded Program Files + +0x00000000: 46 00 31 00 00 00 00 00 2c 39 40 9a 10 00 4c 6f F.1.....,9@...Lo +0x00000010: 67 73 00 00 32 00 07 00 04 00 ef be 62 35 52 5a gs..2.......b5RZ +0x00000020: 2c 39 40 9a 26 00 00 00 1f 04 00 00 00 00 01 00 ,9@.&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 4c 00 6f 00 67 00 ..........L.o.g. +0x00000040: 73 00 00 00 14 00 00 00 s....... + +2008-09-12 19:18:00 | 2008-09-12 19:18:00 | 2006-11-02 11:18:36 | |Desktop\My Computer\C:\Windows\Logs + +0x00000000: 60 00 31 00 00 00 00 00 51 3b 00 3c 10 00 4d 49 `.1.....Q;.<..MI +0x00000010: 43 52 4f 53 7e 31 2e 4e 45 54 00 00 44 00 07 00 CROS~1.NET..D... +0x00000020: 04 00 ef be 62 35 52 5a 51 3b 00 3c 26 00 00 00 ....b5RZQ;.<&... +0x00000030: 22 04 00 00 00 00 01 00 00 00 00 00 00 00 00 00 "............... 
+0x00000040: 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 ..M.i.c.r.o.s.o. +0x00000050: 66 00 74 00 2e 00 4e 00 45 00 54 00 00 00 1c 00 f.t...N.E.T..... +0x00000060: 00 00 .. + +2009-10-17 07:32:00 | 2009-10-17 07:32:00 | 2006-11-02 11:18:36 | |Desktop\My Computer\C:\Windows\Microsoft.NET + +0x00000000: 54 00 31 00 00 00 00 00 3c 3b 63 7a 10 00 46 52 T.1.....<;cz..FR +0x00000010: 41 4d 45 57 7e 31 00 00 3c 00 07 00 04 00 ef be AMEW~1..<....... +0x00000020: 62 35 52 5a 3c 3b 63 7a 26 00 00 00 24 04 00 00 b5RZ<;cz&...$... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 46 00 ..............F. +0x00000040: 72 00 61 00 6d 00 65 00 77 00 6f 00 72 00 6b 00 r.a.m.e.w.o.r.k. +0x00000050: 00 00 18 00 00 00 ...... + +2009-09-28 15:19:06 | 2009-09-28 15:19:06 | 2006-11-02 11:18:36 | |Desktop\My Computer\C:\Windows\Microsoft.NET\Framework + +0x00000000: 56 00 31 00 00 00 00 00 51 3b 00 3c 10 00 56 32 V.1.....Q;.<..V2 +0x00000010: 30 7e 31 2e 35 30 37 00 3e 00 07 00 04 00 ef be 0~1.507.>....... +0x00000020: 62 35 52 5a 51 3b 00 3c 26 00 00 00 27 04 00 00 b5RZQ;.<&...'... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 76 00 ..............v. +0x00000040: 32 00 2e 00 30 00 2e 00 35 00 30 00 37 00 32 00 2...0...5.0.7.2. +0x00000050: 37 00 00 00 18 00 00 00 7....... + +2009-10-17 07:32:00 | 2009-10-17 07:32:00 | 2006-11-02 11:18:36 | |Desktop\My Computer\C:\Windows\Microsoft.NET\Framework\v2.0.50727 + +0x00000000: 84 00 31 00 00 00 00 00 54 39 84 96 11 00 50 52 ..1.....T9....PR +0x00000010: 4f 47 52 41 7e 31 00 00 6c 00 07 00 04 00 ef be OGRA~1..l....... +0x00000020: 62 35 51 5a 54 39 84 96 26 00 00 00 3d 00 00 00 b5QZT9..&...=... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 42 00 50 00 ............B.P. +0x00000040: 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 46 00 r.o.g.r.a.m. .F. +0x00000050: 69 00 6c 00 65 00 73 00 00 00 40 00 73 00 68 00 i.l.e.s...@.s.h. +0x00000060: 65 00 6c 00 6c 00 33 00 32 00 2e 00 64 00 6c 00 e.l.l.3.2...d.l. 
+0x00000070: 6c 00 2c 00 2d 00 32 00 31 00 37 00 38 00 31 00 l.,.-.2.1.7.8.1. +0x00000080: 00 00 18 00 00 00 ...... + +2008-10-20 18:52:08 | 2008-10-20 18:52:08 | 2006-11-02 11:18:34 | |Desktop\My Computer\C:\Program Files + +0x00000000: 48 00 31 00 00 00 00 00 54 39 84 96 10 00 6c 6f H.1.....T9....lo +0x00000010: 74 75 73 00 34 00 07 00 04 00 ef be 54 39 84 96 tus.4.......T9.. +0x00000020: 54 39 84 96 26 00 00 00 5e 70 00 00 00 00 0a 00 T9..&...^p...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 6c 00 6f 00 74 00 ..........l.o.t. +0x00000040: 75 00 73 00 00 00 14 00 00 00 u.s....... + +2008-10-20 18:52:08 | 2008-10-20 18:52:08 | 2008-10-20 18:52:08 | |Desktop\My Computer\C:\Program Files\lotus + +0x00000000: 48 00 31 00 00 00 00 00 54 39 9a 96 10 00 6e 6f H.1.....T9....no +0x00000010: 74 65 73 00 34 00 07 00 04 00 ef be 54 39 84 96 tes.4.......T9.. +0x00000020: 54 39 9a 96 26 00 00 00 62 70 00 00 00 00 0b 00 T9..&...bp...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 6e 00 6f 00 74 00 ..........n.o.t. +0x00000040: 65 00 73 00 00 00 14 00 00 00 e.s....... + +2008-10-20 18:52:52 | 2008-10-20 18:52:52 | 2008-10-20 18:52:08 | |Desktop\My Computer\C:\Program Files\lotus\notes + +0x00000000: 46 00 31 00 00 00 00 00 54 39 f6 96 10 00 64 61 F.1.....T9....da +0x00000010: 74 61 00 00 32 00 07 00 04 00 ef be 54 39 84 96 ta..2.......T9.. +0x00000020: 54 39 f6 96 26 00 00 00 ba 70 00 00 00 00 06 00 T9..&....p...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 64 00 61 00 74 00 ..........d.a.t. +0x00000040: 61 00 00 00 14 00 00 00 a....... + +2008-10-20 18:55:44 | 2008-10-20 18:55:44 | 2008-10-20 18:52:08 | |Desktop\My Computer\C:\Program Files\lotus\notes\data + +0x00000000: 54 00 31 00 00 00 00 00 89 3a d1 85 10 00 44 4f T.1......:....DO +0x00000010: 4d 49 4e 4f 7e 31 00 00 3c 00 07 00 04 00 ef be MINO~1..<....... +0x00000020: 89 3a d1 85 89 3a d1 85 26 00 00 00 87 ff 00 00 .:...:..&....... +0x00000030: 00 00 97 00 00 00 00 00 00 00 00 00 00 00 64 00 ..............d. 
+0x00000040: 6f 00 6d 00 69 00 6e 00 6f 00 64 00 6f 00 63 00 o.m.i.n.o.d.o.c. +0x00000050: 00 00 18 00 00 00 ...... + +2009-04-09 16:46:34 | 2009-04-09 16:46:34 | 2009-04-09 16:46:34 | |Desktop\My Computer\C:\Program Files\lotus\notes\data\dominodoc + +0x00000000: 46 00 31 00 00 00 00 00 89 3a d1 85 10 00 74 65 F.1......:....te +0x00000010: 6d 70 00 00 32 00 07 00 04 00 ef be 89 3a d1 85 mp..2........:.. +0x00000020: 89 3a d1 85 26 00 00 00 8f 04 01 00 00 00 5b 00 .:..&.........[. +0x00000030: 00 00 00 00 00 00 00 00 00 00 74 00 65 00 6d 00 ..........t.e.m. +0x00000040: 70 00 00 00 14 00 00 00 p....... + +2009-04-09 16:46:34 | 2009-04-09 16:46:34 | 2009-04-09 16:46:34 | |Desktop\My Computer\C:\Program Files\lotus\notes\data\dominodoc\temp + +0x00000000: 46 00 31 00 00 00 00 00 89 3a d1 85 10 00 76 69 F.1......:....vi +0x00000010: 65 77 00 00 32 00 07 00 04 00 ef be 89 3a d1 85 ew..2........:.. +0x00000020: 89 3a d1 85 26 00 00 00 94 04 01 00 00 00 25 00 .:..&.........%. +0x00000030: 00 00 00 00 00 00 00 00 00 00 76 00 69 00 65 00 ..........v.i.e. +0x00000040: 77 00 00 00 14 00 00 00 w....... + +2009-04-09 16:46:34 | 2009-04-09 16:46:34 | 2009-04-09 16:46:34 | |Desktop\My Computer\C:\Program Files\lotus\notes\data\dominodoc\temp\view + +0x00000000: 52 00 31 00 00 00 00 00 4c 3a 13 74 10 00 57 69 R.1.....L:.t..Wi +0x00000010: 6e 42 61 74 63 68 00 00 3a 00 07 00 04 00 ef be nBatch..:....... +0x00000020: 4c 3a 03 74 4c 3a 13 74 26 00 00 00 0f 21 01 00 L:.tL:.t&....!.. +0x00000030: 00 00 04 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 6e 00 42 00 61 00 74 00 63 00 68 00 00 00 i.n.B.a.t.c.h... +0x00000050: 18 00 00 00 .... 
+ +2009-02-12 14:32:38 | 2009-02-12 14:32:38 | 2009-02-12 14:32:06 | |Desktop\My Computer\C:\Program Files\WinBatch + +0x00000000: 4c 00 31 00 00 00 00 00 4c 3a 13 74 10 00 53 79 L.1.....L:.t..Sy +0x00000010: 73 74 65 6d 00 00 36 00 07 00 04 00 ef be 4c 3a stem..6.......L: +0x00000020: 03 74 4c 3a 13 74 26 00 00 00 10 21 01 00 00 00 .tL:.t&....!.... +0x00000030: 04 00 00 00 00 00 00 00 00 00 00 00 53 00 79 00 ............S.y. +0x00000040: 73 00 74 00 65 00 6d 00 00 00 16 00 00 00 s.t.e.m....... + +2009-02-12 14:32:38 | 2009-02-12 14:32:38 | 2009-02-12 14:32:06 | |Desktop\My Computer\C:\Program Files\WinBatch\System + +0x00000000: 48 00 31 00 00 00 00 00 4c 3a 10 74 10 00 49 63 H.1.....L:.t..Ic +0x00000010: 6f 6e 73 00 34 00 07 00 04 00 ef be 4c 3a 0d 74 ons.4.......L:.t +0x00000020: 4c 3a 10 74 26 00 00 00 35 21 01 00 00 00 03 00 L:.t&...5!...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 49 00 63 00 6f 00 ..........I.c.o. +0x00000040: 6e 00 73 00 00 00 14 00 00 00 n.s....... + +2009-02-12 14:32:32 | 2009-02-12 14:32:32 | 2009-02-12 14:32:26 | |Desktop\My Computer\C:\Program Files\WinBatch\Icons + +0x00000000: 52 00 31 00 00 00 00 00 4c 3a 10 74 10 00 52 65 R.1.....L:.t..Re +0x00000010: 64 69 73 74 72 62 00 00 3a 00 07 00 04 00 ef be distrb..:....... +0x00000020: 4c 3a 0d 74 4c 3a 10 74 26 00 00 00 37 21 01 00 L:.tL:.t&...7!.. +0x00000030: 00 00 03 00 00 00 00 00 00 00 00 00 00 00 52 00 ..............R. +0x00000040: 65 00 64 00 69 00 73 00 74 00 72 00 62 00 00 00 e.d.i.s.t.r.b... +0x00000050: 18 00 00 00 .... + +2009-02-12 14:32:32 | 2009-02-12 14:32:32 | 2009-02-12 14:32:26 | |Desktop\My Computer\C:\Program Files\WinBatch\Redistrb + +0x00000000: 4e 00 31 00 00 00 00 00 4c 3a 11 74 10 00 53 61 N.1.....L:.t..Sa +0x00000010: 6d 70 6c 65 73 00 38 00 07 00 04 00 ef be 4c 3a mples.8.......L: +0x00000020: 0d 74 4c 3a 11 74 26 00 00 00 34 21 01 00 00 00 .tL:.t&...4!.... +0x00000030: 03 00 00 00 00 00 00 00 00 00 00 00 53 00 61 00 ............S.a. 
+0x00000040: 6d 00 70 00 6c 00 65 00 73 00 00 00 16 00 00 00 m.p.l.e.s....... + +2009-02-12 14:32:34 | 2009-02-12 14:32:34 | 2009-02-12 14:32:26 | |Desktop\My Computer\C:\Program Files\WinBatch\Samples + +0x00000000: 46 00 31 00 00 00 00 00 67 39 26 b1 10 00 4a 61 F.1.....g9&...Ja +0x00000010: 76 61 00 00 32 00 07 00 04 00 ef be 67 39 01 b1 va..2.......g9.. +0x00000020: 67 39 26 b1 26 00 00 00 f0 f3 00 00 00 00 04 00 g9&.&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 4a 00 61 00 76 00 ..........J.a.v. +0x00000040: 61 00 00 00 14 00 00 00 a....... + +2008-11-07 22:09:12 | 2008-11-07 22:09:12 | 2008-11-07 22:08:02 | |Desktop\My Computer\C:\Program Files\Java + +0x00000000: 5a 00 31 00 00 00 00 00 67 39 22 b1 10 00 4a 52 Z.1.....g9"...JR +0x00000010: 45 31 35 7e 31 2e 30 5f 31 00 40 00 07 00 04 00 E15~1.0_1.@..... +0x00000020: ef be 67 39 01 b1 67 39 22 b1 26 00 00 00 f2 f3 ..g9..g9".&..... +0x00000030: 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 6a 00 72 00 65 00 31 00 2e 00 35 00 2e 00 30 00 j.r.e.1...5...0. +0x00000050: 5f 00 31 00 35 00 00 00 1a 00 00 00 _.1.5....... + +2008-11-07 22:09:04 | 2008-11-07 22:09:04 | 2008-11-07 22:08:02 | |Desktop\My Computer\C:\Program Files\Java\jre1.5.0_15 + +0x00000000: 42 00 31 00 00 00 00 00 67 39 25 b1 10 00 6c 69 B.1.....g9%...li +0x00000010: 62 00 30 00 07 00 04 00 ef be 67 39 05 b1 67 39 b.0.......g9..g9 +0x00000020: 25 b1 26 00 00 00 5c f8 00 00 00 00 04 00 00 00 %.&...\......... +0x00000030: 00 00 00 00 00 00 00 00 6c 00 69 00 62 00 00 00 ........l.i.b... +0x00000040: 12 00 00 00 .... + +2008-11-07 22:09:10 | 2008-11-07 22:09:10 | 2008-11-07 22:08:10 | |Desktop\My Computer\C:\Program Files\Java\jre1.5.0_15\lib + +0x00000000: 52 00 31 00 00 00 00 00 67 39 1d b1 10 00 73 65 R.1.....g9....se +0x00000010: 63 75 72 69 74 79 00 00 3a 00 07 00 04 00 ef be curity..:....... +0x00000020: 67 39 05 b1 67 39 1d b1 26 00 00 00 aa f8 00 00 g9..g9..&....... 
+0x00000030: 00 00 03 00 00 00 00 00 00 00 00 00 00 00 73 00 ..............s. +0x00000040: 65 00 63 00 75 00 72 00 69 00 74 00 79 00 00 00 e.c.u.r.i.t.y... +0x00000050: 18 00 00 00 .... + +2008-11-07 22:08:58 | 2008-11-07 22:08:58 | 2008-11-07 22:08:10 | |Desktop\My Computer\C:\Program Files\Java\jre1.5.0_15\lib\security + +0x00000000: 46 00 31 00 00 00 00 00 9d 3a f2 78 10 00 6a 72 F.1......:.x..jr +0x00000010: 65 36 00 00 32 00 07 00 04 00 ef be 9d 3a d9 78 e6..2........:.x +0x00000020: 9d 3a f2 78 26 00 00 00 63 16 01 00 00 00 27 00 .:.x&...c.....'. +0x00000030: 00 00 00 00 00 00 00 00 00 00 6a 00 72 00 65 00 ..........j.r.e. +0x00000040: 36 00 00 00 14 00 00 00 6....... + +2009-04-29 15:07:36 | 2009-04-29 15:07:36 | 2009-04-29 15:06:50 | |Desktop\My Computer\C:\Program Files\Java\jre6 + +0x00000000: 42 00 31 00 00 00 00 00 9d 3a ea 78 10 00 6c 69 B.1......:.x..li +0x00000010: 62 00 30 00 07 00 04 00 ef be 9d 3a e2 78 9d 3a b.0........:.x.: +0x00000020: ea 78 26 00 00 00 d7 1d 01 00 00 00 19 00 00 00 .x&............. +0x00000030: 00 00 00 00 00 00 00 00 6c 00 69 00 62 00 00 00 ........l.i.b... +0x00000040: 12 00 00 00 .... + +2009-04-29 15:07:20 | 2009-04-29 15:07:20 | 2009-04-29 15:07:04 | |Desktop\My Computer\C:\Program Files\Java\jre6\lib + +0x00000000: 52 00 31 00 00 00 00 00 9d 3a 1b 7b 10 00 73 65 R.1......:.{..se +0x00000010: 63 75 72 69 74 79 00 00 3a 00 07 00 04 00 ef be curity..:....... +0x00000020: 9d 3a e4 78 9d 3a 1b 7b 26 00 00 00 05 1f 01 00 .:.x.:.{&....... +0x00000030: 00 00 05 00 00 00 00 00 00 00 00 00 00 00 73 00 ..............s. +0x00000040: 65 00 63 00 75 00 72 00 69 00 74 00 79 00 00 00 e.c.u.r.i.t.y... +0x00000050: 18 00 00 00 .... 
+ +2009-04-29 15:24:54 | 2009-04-29 15:24:54 | 2009-04-29 15:07:08 | |Desktop\My Computer\C:\Program Files\Java\jre6\lib\security + +0x00000000: 42 00 31 00 00 00 00 00 b3 3c ca 75 10 00 62 69 B.1......<.u..bi +0x00000010: 6e 00 30 00 07 00 04 00 ef be 9d 3a da 78 b3 3c n.0........:.x.< +0x00000020: ca 75 26 00 00 00 6a 16 01 00 00 00 12 00 00 00 .u&...j......... +0x00000030: 00 00 00 00 00 00 00 00 62 00 69 00 6e 00 00 00 ........b.i.n... +0x00000040: 12 00 00 00 .... + +2010-05-19 14:46:20 | 2010-05-19 14:46:20 | 2009-04-29 15:06:52 | |Desktop\My Computer\C:\Program Files\Java\jre6\bin + +0x00000000: 60 00 31 00 00 00 00 00 5a 3b eb a3 10 00 42 49 `.1.....Z;....BI +0x00000010: 54 56 49 53 7e 31 00 00 48 00 07 00 04 00 ef be TVIS~1..H....... +0x00000020: 5a 3b 0f a3 5a 3b eb a3 26 00 00 00 8c 8a 01 00 Z;..Z;..&....... +0x00000030: 00 00 15 00 00 00 00 00 00 00 00 00 00 00 42 00 ..............B. +0x00000040: 69 00 74 00 76 00 69 00 73 00 65 00 20 00 57 00 i.t.v.i.s.e. .W. +0x00000050: 69 00 6e 00 53 00 53 00 48 00 44 00 00 00 18 00 i.n.S.S.H.D..... +0x00000060: 00 00 .. + +2009-10-26 20:31:22 | 2009-10-26 20:31:22 | 2009-10-26 20:24:30 | |Desktop\My Computer\C:\Program Files\Bitvise WinSSHD + +0x00000000: 46 00 31 00 00 00 00 00 5a 3b eb a3 10 00 4c 6f F.1.....Z;....Lo +0x00000010: 67 73 00 00 32 00 07 00 04 00 ef be 5a 3b eb a3 gs..2.......Z;.. +0x00000020: 5a 3b eb a3 26 00 00 00 5a 3f 01 00 00 00 3e 00 Z;..&...Z?....>. +0x00000030: 00 00 00 00 00 00 00 00 00 00 4c 00 6f 00 67 00 ..........L.o.g. +0x00000040: 73 00 00 00 14 00 00 00 s....... + +2009-10-26 20:31:22 | 2009-10-26 20:31:22 | 2009-10-26 20:31:22 | |Desktop\My Computer\C:\Program Files\Bitvise WinSSHD\Logs + +0x00000000: 4e 00 31 00 00 00 00 00 65 3b 5b 8e 10 00 53 50 N.1.....e;[...SP +0x00000010: 53 53 49 6e 63 00 38 00 07 00 04 00 ef be 65 3b SSInc.8.......e; +0x00000020: 5b 8e 65 3b 5b 8e 26 00 00 00 5d b5 01 00 00 00 [.e;[.&...]..... 
+0x00000030: 13 00 00 00 00 00 00 00 00 00 00 00 53 00 50 00 ............S.P. +0x00000040: 53 00 53 00 49 00 6e 00 63 00 00 00 16 00 00 00 S.S.I.n.c....... + +2009-11-05 17:50:54 | 2009-11-05 17:50:54 | 2009-11-05 17:50:54 | |Desktop\My Computer\C:\Program Files\SPSSInc + +0x00000000: 62 00 31 00 00 00 00 00 65 3b b3 8e 10 00 50 41 b.1.....e;....PA +0x00000010: 53 57 53 54 7e 31 00 00 4a 00 07 00 04 00 ef be SWST~1..J....... +0x00000020: 65 3b 5b 8e 65 3b b3 8e 26 00 00 00 65 b5 01 00 e;[.e;..&...e... +0x00000030: 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 00 ..............P. +0x00000040: 41 00 53 00 57 00 53 00 74 00 61 00 74 00 69 00 A.S.W.S.t.a.t.i. +0x00000050: 73 00 74 00 69 00 63 00 73 00 31 00 37 00 00 00 s.t.i.c.s.1.7... +0x00000060: 18 00 00 00 .... + +2009-11-05 17:53:38 | 2009-11-05 17:53:38 | 2009-11-05 17:50:54 | |Desktop\My Computer\C:\Program Files\SPSSInc\PASWStatistics17 + +0x00000000: 56 00 31 00 00 00 00 00 83 3b 05 8d 10 00 54 45 V.1......;....TE +0x00000010: 41 4d 56 49 7e 31 00 00 3e 00 07 00 04 00 ef be AMVI~1..>....... +0x00000020: 56 3b 32 96 83 3b 05 8d 26 00 00 00 03 c1 01 00 V;2..;..&....... +0x00000030: 00 00 05 00 00 00 00 00 00 00 00 00 00 00 54 00 ..............T. +0x00000040: 65 00 61 00 6d 00 56 00 69 00 65 00 77 00 65 00 e.a.m.V.i.e.w.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... + +2009-12-03 17:40:10 | 2009-12-03 17:40:10 | 2009-10-22 18:49:36 | |Desktop\My Computer\C:\Program Files\TeamViewer + +0x00000000: 52 00 31 00 00 00 00 00 83 3b 0d 8d 10 00 56 65 R.1......;....Ve +0x00000010: 72 73 69 6f 6e 35 00 00 3a 00 07 00 04 00 ef be rsion5..:....... +0x00000020: 83 3b 05 8d 83 3b 0d 8d 26 00 00 00 ac dc 00 00 .;...;..&....... +0x00000030: 00 00 8e 00 00 00 00 00 00 00 00 00 00 00 56 00 ..............V. +0x00000040: 65 00 72 00 73 00 69 00 6f 00 6e 00 35 00 00 00 e.r.s.i.o.n.5... +0x00000050: 18 00 00 00 .... 
+ +2009-12-03 17:40:26 | 2009-12-03 17:40:26 | 2009-12-03 17:40:10 | |Desktop\My Computer\C:\Program Files\TeamViewer\Version5 + +0x00000000: 6a 00 31 00 00 00 00 00 42 3e d8 aa 10 00 46 49 j.1.....B>....FI +0x00000010: 4c 45 5a 49 7e 31 00 00 52 00 07 00 04 00 ef be LEZI~1..R....... +0x00000020: 42 3e d4 aa 42 3e d8 aa 26 00 00 00 8a a3 02 00 B>..B>..&....... +0x00000030: 00 00 0b 01 00 00 00 00 00 00 00 00 00 00 46 00 ..............F. +0x00000040: 69 00 6c 00 65 00 5a 00 69 00 6c 00 6c 00 61 00 i.l.e.Z.i.l.l.a. +0x00000050: 20 00 46 00 54 00 50 00 20 00 43 00 6c 00 69 00 .F.T.P. .C.l.i. +0x00000060: 65 00 6e 00 74 00 00 00 18 00 00 00 e.n.t....... + +2011-02-02 21:22:48 | 2011-02-02 21:22:48 | 2011-02-02 21:22:40 | |Desktop\My Computer\C:\Program Files\FileZilla FTP Client + +0x00000000: 46 00 31 00 00 00 00 00 71 39 7d a2 10 00 64 65 F.1.....q9}...de +0x00000010: 6c 6c 00 00 32 00 07 00 04 00 ef be 71 39 7d a2 ll..2.......q9}. +0x00000020: 71 39 7d a2 26 00 00 00 9e 33 00 00 00 00 14 00 q9}.&....3...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 64 00 65 00 6c 00 ..........d.e.l. +0x00000040: 6c 00 00 00 14 00 00 00 l....... + +2008-11-17 20:19:58 | 2008-11-17 20:19:58 | 2008-11-17 20:19:58 | |Desktop\My Computer\C:\dell + +0x00000000: 4e 00 31 00 00 00 00 00 71 39 7d a2 10 00 64 72 N.1.....q9}...dr +0x00000010: 69 76 65 72 73 00 38 00 07 00 04 00 ef be 71 39 ivers.8.......q9 +0x00000020: 7d a2 71 39 7d a2 26 00 00 00 5d 3b 00 00 00 00 }.q9}.&...];.... +0x00000030: 21 00 00 00 00 00 00 00 00 00 00 00 64 00 72 00 !...........d.r. +0x00000040: 69 00 76 00 65 00 72 00 73 00 00 00 16 00 00 00 i.v.e.r.s....... + +2008-11-17 20:19:58 | 2008-11-17 20:19:58 | 2008-11-17 20:19:58 | |Desktop\My Computer\C:\dell\drivers + +0x00000000: 56 00 31 00 00 00 00 00 71 39 82 a2 10 00 57 49 V.1.....q9....WI +0x00000010: 52 45 4c 45 7e 31 00 00 3e 00 07 00 04 00 ef be RELE~1..>....... +0x00000020: 71 39 7d a2 71 39 82 a2 26 00 00 00 0e 3c 00 00 q9}.q9..&....<.. 
+0x00000030: 00 00 18 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 72 00 65 00 6c 00 65 00 73 00 73 00 20 00 i.r.e.l.e.s.s. . +0x00000050: 31 00 00 00 18 00 00 00 1....... + +2008-11-17 20:20:04 | 2008-11-17 20:20:04 | 2008-11-17 20:19:58 | |Desktop\My Computer\C:\dell\drivers\Wireless 1 + +0x00000000: 58 00 31 00 00 00 00 00 65 39 c7 88 12 20 50 52 X.1.....e9... PR +0x00000010: 4f 47 52 41 7e 32 00 00 40 00 07 00 04 00 ef be OGRA~2..@....... +0x00000020: 62 35 51 5a 65 39 c7 88 26 00 00 00 eb 00 00 00 b5QZe9..&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 50 00 ..............P. +0x00000040: 72 00 6f 00 67 00 72 00 61 00 6d 00 44 00 61 00 r.o.g.r.a.m.D.a. +0x00000050: 74 00 61 00 00 00 18 00 00 00 t.a....... + +2008-11-05 17:06:14 | 2008-11-05 17:06:14 | 2006-11-02 11:18:34 | |Desktop\My Computer\C:\ProgramData + +0x00000000: 54 00 31 00 00 00 00 00 ef 3a fc 82 14 20 4d 49 T.1......:... MI +0x00000010: 43 52 4f 53 7e 31 00 00 3c 00 07 00 04 00 ef be CROS~1..<....... +0x00000020: 62 35 51 5a ef 3a fc 82 26 00 00 00 ec 00 00 00 b5QZ.:..&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 i.c.r.o.s.o.f.t. +0x00000050: 00 00 18 00 00 00 ...... + +2009-07-15 16:23:56 | 2009-07-15 16:23:56 | 2006-11-02 11:18:34 | |Desktop\My Computer\C:\ProgramData\Microsoft + +0x00000000: 4e 00 31 00 00 00 00 00 62 35 b5 64 10 20 57 69 N.1.....b5.d. Wi +0x00000010: 6e 64 6f 77 73 00 38 00 07 00 04 00 ef be 62 35 ndows.8.......b5 +0x00000020: 51 5a 62 35 b5 64 26 00 00 00 0d 01 00 00 00 00 QZb5.d&......... +0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 ............W.i. +0x00000040: 6e 00 64 00 6f 00 77 00 73 00 00 00 16 00 00 00 n.d.o.w.s....... 
+ +2006-11-02 12:37:42 | 2006-11-02 12:37:42 | 2006-11-02 11:18:34 | |Desktop\My Computer\C:\ProgramData\Microsoft\Windows + +0x00000000: 7e 00 31 00 00 00 00 00 1a 39 3a 7c 11 00 53 54 ~.1......9:|..ST +0x00000010: 41 52 54 4d 7e 31 00 00 66 00 07 00 04 00 ef be ARTM~1..f....... +0x00000020: 62 35 51 5a 62 35 f5 66 26 00 00 00 11 01 00 00 b5QZb5.f&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 3c 00 53 00 ............<.S. +0x00000040: 74 00 61 00 72 00 74 00 20 00 4d 00 65 00 6e 00 t.a.r.t. .M.e.n. +0x00000050: 75 00 00 00 40 00 73 00 68 00 65 00 6c 00 6c 00 u...@.s.h.e.l.l. +0x00000060: 33 00 32 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 3.2...d.l.l.,.-. +0x00000070: 32 00 31 00 37 00 38 00 36 00 00 00 18 00 00 00 2.1.7.8.6....... + +2008-08-26 15:33:52 | 2006-11-02 12:55:42 | 2006-11-02 11:18:34 | |Desktop\My Computer\C:\ProgramData\Microsoft\Windows\Start Menu + +0x00000000: 52 00 31 00 00 00 00 00 00 00 00 00 10 00 50 72 R.1...........Pr +0x00000010: 6f 67 72 61 6d 73 00 00 3a 00 07 00 04 00 ef be ograms..:....... +0x00000020: 00 00 00 00 00 00 00 00 26 00 00 00 00 00 00 00 ........&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 ..............P. +0x00000040: 72 00 6f 00 67 00 72 00 61 00 6d 00 73 00 00 00 r.o.g.r.a.m.s... +0x00000050: 18 00 00 00 .... + + | | | |Desktop\My Computer\C:\ProgramData\Microsoft\Windows\Start Menu\Programs + +0x00000000: 4c 00 31 00 00 00 00 00 00 00 00 00 10 00 57 69 L.1...........Wi +0x00000010: 6e 52 41 52 00 00 36 00 07 00 04 00 ef be 00 00 nRAR..6......... +0x00000020: 00 00 00 00 00 00 26 00 00 00 00 00 00 00 00 00 ......&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 ............W.i. +0x00000040: 6e 00 52 00 41 00 52 00 00 00 16 00 00 00 n.R.A.R....... 
+ + | | | |Desktop\My Computer\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR + +0x00000000: 56 00 31 00 00 00 00 00 57 3a a2 82 10 00 4e 45 V.1.....W:....NE +0x00000010: 57 46 4f 4c 7e 31 00 00 3e 00 07 00 04 00 ef be WFOL~1..>....... +0x00000020: 57 3a a2 82 57 3a a2 82 26 00 00 00 df 03 00 00 W:..W:..&....... +0x00000030: 00 00 52 00 00 00 00 00 00 00 00 00 00 00 4e 00 ..R...........N. +0x00000040: 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 e.w. .F.o.l.d.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... + +2009-02-23 16:21:04 | 2009-02-23 16:21:04 | 2009-02-23 16:21:04 | |Desktop\My Computer\C:\New Folder + +0x00000000: 4c 00 31 00 00 00 00 00 57 3a a2 82 10 00 49 45 L.1.....W:....IE +0x00000010: 54 4d 50 7e 31 00 36 00 07 00 04 00 ef be 57 3a TMP~1.6.......W: +0x00000020: a2 82 57 3a a2 82 26 00 00 00 df 03 00 00 00 00 ..W:..&......... +0x00000030: 52 00 00 00 00 00 00 00 00 00 00 00 49 00 45 00 R...........I.E. +0x00000040: 20 00 54 00 6d 00 70 00 00 00 16 00 00 00 .T.m.p....... + +2009-02-23 16:21:04 | 2009-02-23 16:21:04 | 2009-02-23 16:21:04 | |Desktop\My Computer\C:\IE Tmp + +0x00000000: 50 00 31 00 00 00 00 00 57 3a a2 82 10 00 49 45 P.1.....W:....IE +0x00000010: 54 45 4d 50 7e 31 00 00 38 00 07 00 04 00 ef be TEMP~1..8....... +0x00000020: 57 3a a2 82 57 3a a2 82 26 00 00 00 df 03 00 00 W:..W:..&....... +0x00000030: 00 00 52 00 00 00 00 00 00 00 00 00 00 00 49 00 ..R...........I. +0x00000040: 45 00 20 00 54 00 65 00 6d 00 70 00 00 00 18 00 E. .T.e.m.p..... +0x00000050: 00 00 .. + +2009-02-23 16:21:04 | 2009-02-23 16:21:04 | 2009-02-23 16:21:04 | |Desktop\My Computer\C:\IE Temp + +0x00000000: 82 00 31 00 00 00 00 00 00 00 00 00 10 00 54 65 ..1...........Te +0x00000010: 6d 70 6f 72 61 72 79 20 49 6e 74 65 72 6e 65 74 mporary Internet +0x00000020: 20 46 69 6c 65 73 00 00 5a 00 07 00 04 00 ef be Files..Z....... +0x00000030: 00 00 00 00 00 00 00 00 26 00 00 00 00 00 00 00 ........&....... 
+0x00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 00 ..............T. +0x00000050: 65 00 6d 00 70 00 6f 00 72 00 61 00 72 00 79 00 e.m.p.o.r.a.r.y. +0x00000060: 20 00 49 00 6e 00 74 00 65 00 72 00 6e 00 65 00 .I.n.t.e.r.n.e. +0x00000070: 74 00 20 00 46 00 69 00 6c 00 65 00 73 00 00 00 t. .F.i.l.e.s... +0x00000080: 28 00 00 00 (... + + | | | |Desktop\My Computer\C:\IE Temp\Temporary Internet Files + +0x00000000: 5a 00 31 00 00 00 00 00 00 00 00 00 10 00 43 6f Z.1...........Co +0x00000010: 6e 74 65 6e 74 2e 49 45 35 00 40 00 07 00 04 00 ntent.IE5.@..... +0x00000020: ef be 00 00 00 00 00 00 00 00 26 00 00 00 00 00 ..........&..... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 43 00 6f 00 6e 00 74 00 65 00 6e 00 74 00 2e 00 C.o.n.t.e.n.t... +0x00000050: 49 00 45 00 35 00 00 00 1a 00 00 00 I.E.5....... + + | | | |Desktop\My Computer\C:\IE Temp\Temporary Internet Files\Content.IE5 + +0x00000000: 52 00 31 00 00 00 00 00 00 00 00 00 10 00 59 53 R.1...........YS +0x00000010: 32 55 57 42 39 32 00 00 3a 00 07 00 04 00 ef be 2UWB92..:....... +0x00000020: 00 00 00 00 00 00 00 00 26 00 00 00 00 00 00 00 ........&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 59 00 ..............Y. +0x00000040: 53 00 32 00 55 00 57 00 42 00 39 00 32 00 00 00 S.2.U.W.B.9.2... +0x00000050: 18 00 00 00 .... + + | | | |Desktop\My Computer\C:\IE Temp\Temporary Internet Files\Content.IE5\YS2UWB92 + +0x00000000: b2 00 32 00 00 00 00 00 00 00 00 00 20 20 48 75 ..2......... Hu +0x00000010: 72 73 74 25 32 30 76 65 72 69 66 69 65 64 25 32 rst%20verified%2 +0x00000020: 30 70 72 69 6e 74 65 72 25 32 30 6c 69 73 74 5b 0printer 0st[ +0x00000030: 31 5d 2e 7a 69 70 00 00 7a 00 07 00 04 00 ef be 1].zip..z....... +0x00000040: 00 00 00 00 00 00 00 00 26 00 00 00 00 00 00 00 ........&....... +0x00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 00 ..............H. +0x00000060: 75 00 72 00 73 00 74 00 25 00 32 00 30 00 76 00 u.r.s.t.%.2.0.v. 
+0x00000070: 65 00 72 00 69 00 66 00 69 00 65 00 64 00 25 00 e.r.i.f.i.e.d.%. +0x00000080: 32 00 30 00 70 00 72 00 69 00 6e 00 74 00 65 00 2.0.p.r.i.n.t.e. +0x00000090: 72 00 25 00 32 00 30 00 6c 00 69 00 73 00 74 00 r.%.2.0.l.i.s.t. +0x000000a0: 5b 00 31 00 5d 00 2e 00 7a 00 69 00 70 00 00 00 [.1.]...z.i.p... +0x000000b0: 38 00 00 00 8... + + | | | |Desktop\My Computer\C:\IE Temp\Temporary Internet Files\Content.IE5\YS2UWB92\Hurst%20verified 3e2f70rinter 0st[1].zip + | | | |Desktop\My Computer\C:\IE Temp\Temporary Internet Files\Content.IE5\YS2UWB92\Hurst%20verified 3e2f70rinter 0st[1].zip\xl + | | | |Desktop\My Computer\C:\IE Temp\Temporary Internet Files\Content.IE5\YS2UWB92\Hurst%20verified 3e2f70rinter 0st[1].zip\xl\printerSettings\xl + +0x00000000: 46 00 31 00 00 00 00 00 ba 3a 29 95 10 00 75 74 F.1......:)...ut +0x00000010: 69 6c 00 00 32 00 07 00 04 00 ef be ba 3a 29 95 il..2........:). +0x00000020: ba 3a 29 95 26 00 00 00 e8 0c 01 00 00 00 1f 01 .:).&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 75 00 74 00 69 00 ..........u.t.i. +0x00000040: 6c 00 00 00 14 00 00 00 l....... + +2009-05-26 18:41:18 | 2009-05-26 18:41:18 | 2009-05-26 18:41:18 | |Desktop\My Computer\C:\util + +0x00000000: 60 00 31 00 00 00 00 00 38 3d c2 79 10 00 4c 44 `.1.....8=.y..LD +0x00000010: 41 50 42 52 7e 31 00 00 48 00 07 00 04 00 ef be APBR~1..H....... +0x00000020: 38 3d c1 79 38 3d c2 79 26 00 00 00 e6 e0 02 00 8=.y8=.y&....... +0x00000030: 00 00 04 00 00 00 00 00 00 00 00 00 00 00 6c 00 ..............l. +0x00000040: 64 00 61 00 70 00 62 00 72 00 6f 00 77 00 73 00 d.a.p.b.r.o.w.s. +0x00000050: 65 00 72 00 5f 00 6c 00 62 00 65 00 00 00 18 00 e.r._.l.b.e..... +0x00000060: 00 00 .. + +2010-09-24 15:14:04 | 2010-09-24 15:14:04 | 2010-09-24 15:14:02 | |Desktop\My Computer\C:\ldapbrowser_lbe + +0x00000000: 58 00 31 00 00 00 00 00 38 3d c2 79 10 00 4c 44 X.1.....8=.y..LD +0x00000010: 41 50 42 52 7e 31 00 00 40 00 07 00 04 00 ef be APBR~1..@....... 
+0x00000020: 38 3d c1 79 38 3d c2 79 26 00 00 00 e6 e0 02 00 8=.y8=.y&....... +0x00000030: 00 00 04 00 00 00 00 00 00 00 00 00 00 00 6c 00 ..............l. +0x00000040: 64 00 61 00 70 00 62 00 72 00 6f 00 77 00 73 00 d.a.p.b.r.o.w.s. +0x00000050: 65 00 72 00 00 00 18 00 00 00 e.r....... + +2010-09-24 15:14:04 | 2010-09-24 15:14:04 | 2010-09-24 15:14:02 | |Desktop\My Computer\C:\ldapbrowser + +0x00000000: 4c 00 31 00 00 00 00 00 38 3d c1 79 10 00 61 70 L.1.....8=.y..ap +0x00000010: 70 6c 65 74 00 00 36 00 07 00 04 00 ef be 38 3d plet..6.......8= +0x00000020: c1 79 38 3d c1 79 26 00 00 00 07 e2 02 00 00 00 .y8=.y&......... +0x00000030: 03 00 00 00 00 00 00 00 00 00 00 00 61 00 70 00 ............a.p. +0x00000040: 70 00 6c 00 65 00 74 00 00 00 16 00 00 00 p.l.e.t....... + +2010-09-24 15:14:02 | 2010-09-24 15:14:02 | 2010-09-24 15:14:02 | |Desktop\My Computer\C:\ldapbrowser\applet + +0x00000000: 46 00 31 00 00 00 00 00 38 3d c1 79 10 00 68 65 F.1.....8=.y..he +0x00000010: 6c 70 00 00 32 00 07 00 04 00 ef be 38 3d c1 79 lp..2.......8=.y +0x00000020: 38 3d c1 79 26 00 00 00 18 e2 02 00 00 00 03 00 8=.y&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 68 00 65 00 6c 00 ..........h.e.l. +0x00000040: 70 00 00 00 14 00 00 00 p....... + +2010-09-24 15:14:02 | 2010-09-24 15:14:02 | 2010-09-24 15:14:02 | |Desktop\My Computer\C:\ldapbrowser\help + +0x00000000: 42 00 31 00 00 00 00 00 38 3d c2 79 10 00 6c 69 B.1.....8=.y..li +0x00000010: 62 00 30 00 07 00 04 00 ef be 38 3d c1 79 38 3d b.0.......8=.y8= +0x00000020: c2 79 26 00 00 00 1d e2 02 00 00 00 11 00 00 00 .y&............. +0x00000030: 00 00 00 00 00 00 00 00 6c 00 69 00 62 00 00 00 ........l.i.b... +0x00000040: 12 00 00 00 .... + +2010-09-24 15:14:04 | 2010-09-24 15:14:04 | 2010-09-24 15:14:02 | |Desktop\My Computer\C:\ldapbrowser\lib + +0x00000000: 54 00 31 00 00 00 00 00 38 3d c2 79 10 00 54 45 T.1.....8=.y..TE +0x00000010: 4d 50 4c 41 7e 31 00 00 3c 00 07 00 04 00 ef be MPLA~1..<....... 
+0x00000020: 38 3d c2 79 38 3d c2 79 26 00 00 00 7a e2 02 00 8=.y8=.y&...z... +0x00000030: 00 00 07 00 00 00 00 00 00 00 00 00 00 00 74 00 ..............t. +0x00000040: 65 00 6d 00 70 00 6c 00 61 00 74 00 65 00 73 00 e.m.p.l.a.t.e.s. +0x00000050: 00 00 18 00 00 00 ...... + +2010-09-24 15:14:04 | 2010-09-24 15:14:04 | 2010-09-24 15:14:04 | |Desktop\My Computer\C:\ldapbrowser\templates + | | | |Desktop\My Computer\D:\ + +0x00000000: 52 00 31 00 00 00 00 00 91 37 83 ae 10 00 64 6f R.1......7....do +0x00000010: 77 6e 6c 6f 61 64 00 00 3a 00 07 00 04 00 ef be wnload..:....... +0x00000020: 91 37 0b 97 91 37 83 ae 26 00 00 00 25 00 00 00 .7...7..&...%... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 64 00 ..............d. +0x00000040: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 00 00 o.w.n.l.o.a.d... +0x00000050: 18 00 00 00 .... + +2007-12-17 21:52:06 | 2007-12-17 21:52:06 | 2007-12-17 18:56:22 | |Desktop\My Computer\D:\download + +0x00000000: 54 00 31 00 00 00 00 00 91 37 6c b2 10 00 49 4c T.1......7l...IL +0x00000010: 4f 4d 45 44 7e 31 00 00 3c 00 07 00 04 00 ef be OMED~1..<....... +0x00000020: 91 37 80 ae 91 37 6c b2 26 00 00 00 2f 00 00 00 .7...7l.&.../... +0x00000030: 00 00 02 00 00 00 00 00 00 00 00 00 00 00 69 00 ..............i. +0x00000040: 4c 00 4f 00 20 00 4d 00 65 00 64 00 69 00 61 00 L.O. .M.e.d.i.a. +0x00000050: 00 00 18 00 00 00 ...... + +2007-12-17 22:19:24 | 2007-12-17 22:19:24 | 2007-12-17 21:52:00 | |Desktop\My Computer\D:\download\iLO Media + +0x00000000: 56 00 31 00 00 00 00 00 39 39 08 97 10 00 4f 46 V.1.....99....OF +0x00000010: 46 49 43 45 7e 31 00 00 3e 00 07 00 04 00 ef be FICE~1..>....... +0x00000020: 39 39 fa 96 39 39 08 97 26 00 00 00 36 00 00 00 99..99..&...6... +0x00000030: 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 6f 00 ..............o. +0x00000040: 66 00 66 00 69 00 63 00 65 00 32 00 30 00 30 00 f.f.i.c.e.2.0.0. +0x00000050: 37 00 00 00 18 00 00 00 7....... 
+ +2008-09-25 18:56:16 | 2008-09-25 18:56:16 | 2008-09-25 18:55:52 | |Desktop\My Computer\D:\download\office2007 + +0x00000000: 5c 00 31 00 00 00 00 00 91 37 1a 97 10 00 4c 41 \.1......7....LA +0x00000010: 54 49 54 55 7e 31 00 00 44 00 07 00 04 00 ef be TITU~1..D....... +0x00000020: 91 37 10 97 91 37 1a 97 26 00 00 00 29 00 00 00 .7...7..&...)... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4c 00 ..............L. +0x00000040: 61 00 74 00 69 00 74 00 75 00 64 00 65 00 20 00 a.t.i.t.u.d.e. . +0x00000050: 44 00 36 00 30 00 30 00 00 00 18 00 00 00 D.6.0.0....... + +2007-12-17 18:56:52 | 2007-12-17 18:56:52 | 2007-12-17 18:56:32 | |Desktop\My Computer\D:\download\Latitude D600 + +0x00000000: 4c 00 31 00 00 00 00 00 63 39 d0 85 10 00 53 53 L.1.....c9....SS +0x00000010: 4d 53 45 45 00 00 36 00 07 00 04 00 ef be 63 39 MSEE..6.......c9 +0x00000020: d0 85 63 39 d0 85 26 00 00 00 29 00 00 00 00 00 ..c9..&...)..... +0x00000030: 1f 00 00 00 00 00 00 00 00 00 00 00 53 00 53 00 ............S.S. +0x00000040: 4d 00 53 00 45 00 45 00 00 00 16 00 00 00 M.S.E.E....... + +2008-11-03 16:46:32 | 2008-11-03 16:46:32 | 2008-11-03 16:46:32 | |Desktop\My Computer\D:\download\SSMSEE + +0x00000000: 94 00 31 00 00 00 00 00 65 39 67 95 10 00 54 52 ..1.....e9g...TR +0x00000010: 41 49 4e 53 7e 31 00 00 7c 00 07 00 04 00 ef be AINS~1..|....... +0x00000020: 65 39 66 95 65 39 67 95 26 00 00 00 3f 00 00 00 e9f.e9g.&...?... +0x00000030: 00 00 09 00 00 00 00 00 00 00 00 00 00 00 54 00 ..............T. +0x00000040: 72 00 61 00 69 00 6e 00 53 00 69 00 67 00 6e 00 r.a.i.n.S.i.g.n. +0x00000050: 61 00 6c 00 20 00 56 00 4d 00 57 00 61 00 72 00 a.l. .V.M.W.a.r. +0x00000060: 65 00 20 00 53 00 65 00 72 00 76 00 65 00 72 00 e. .S.e.r.v.e.r. +0x00000070: 20 00 61 00 6e 00 64 00 20 00 57 00 6f 00 72 00 .a.n.d. .W.o.r. +0x00000080: 6b 00 73 00 74 00 61 00 74 00 69 00 6f 00 6e 00 k.s.t.a.t.i.o.n. +0x00000090: 00 00 18 00 00 00 ...... 
+ +2008-11-05 18:43:14 | 2008-11-05 18:43:14 | 2008-11-05 18:43:12 | |Desktop\My Computer\D:\download\TrainSignal VMWare Server and Workstation + +0x00000000: 52 00 31 00 00 00 00 00 91 37 2f 97 10 00 56 69 R.1......7/...Vi +0x00000010: 74 75 61 6c 50 43 00 00 3a 00 07 00 04 00 ef be tualPC..:....... +0x00000020: 91 37 23 97 91 37 2f 97 26 00 00 00 2a 00 00 00 .7#..7/.&...*... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 56 00 ..............V. +0x00000040: 69 00 74 00 75 00 61 00 6c 00 50 00 43 00 00 00 i.t.u.a.l.P.C... +0x00000050: 18 00 00 00 .... + +2007-12-17 18:57:30 | 2007-12-17 18:57:30 | 2007-12-17 18:57:06 | |Desktop\My Computer\D:\VitualPC + +0x00000000: 50 00 31 00 00 00 00 00 91 37 e8 b1 10 00 58 50 P.1......7....XP +0x00000010: 42 41 53 45 7e 31 00 00 38 00 07 00 04 00 ef be BASE~1..8....... +0x00000020: 91 37 2d 97 91 37 e8 b1 26 00 00 00 2b 00 00 00 .7-..7..&...+... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 58 00 ..............X. +0x00000040: 50 00 20 00 42 00 61 00 73 00 65 00 00 00 18 00 P. .B.a.s.e..... +0x00000050: 00 00 .. + +2007-12-17 22:15:16 | 2007-12-17 22:15:16 | 2007-12-17 18:57:26 | |Desktop\My Computer\D:\VitualPC\XP Base + +0x00000000: 56 00 31 00 00 00 00 00 5d 39 53 98 10 00 4e 45 V.1.....]9S...NE +0x00000010: 57 46 4f 4c 7e 31 00 00 3e 00 07 00 04 00 ef be WFOL~1..>....... +0x00000020: 5d 39 53 98 5d 39 53 98 26 00 00 00 53 01 00 00 ]9S.]9S.&...S... +0x00000030: 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 4e 00 ..............N. +0x00000040: 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 e.w. .F.o.l.d.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... + +2008-10-29 19:02:38 | 2008-10-29 19:02:38 | 2008-10-29 19:02:38 | |Desktop\My Computer\D:\New Folder + +0x00000000: 54 00 31 00 00 00 00 00 5d 39 53 98 10 00 4f 4c T.1.....]9S...OL +0x00000010: 44 46 49 4c 7e 31 00 00 3c 00 07 00 04 00 ef be DFIL~1..<....... +0x00000020: 5d 39 53 98 5d 39 53 98 26 00 00 00 53 01 00 00 ]9S.]9S.&...S... 
+0x00000030: 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 4f 00 ..............O. +0x00000040: 6c 00 64 00 20 00 46 00 69 00 6c 00 65 00 73 00 l.d. .F.i.l.e.s. +0x00000050: 00 00 18 00 00 00 ...... + +2008-10-29 19:02:38 | 2008-10-29 19:02:38 | 2008-10-29 19:02:38 | |Desktop\My Computer\D:\Old Files + +0x00000000: 7c 00 31 00 00 00 00 00 5d 39 66 98 11 00 46 41 |.1.....]9f...FA +0x00000010: 56 4f 52 49 7e 31 00 00 64 00 07 00 04 00 ef be VORI~1..d....... +0x00000020: 5d 39 66 98 5d 39 66 98 26 00 00 00 6a 01 00 00 ]9f.]9f.&...j... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 3a 00 46 00 ............:.F. +0x00000040: 61 00 76 00 6f 00 72 00 69 00 74 00 65 00 73 00 a.v.o.r.i.t.e.s. +0x00000050: 00 00 40 00 73 00 68 00 65 00 6c 00 6c 00 33 00 ..@.s.h.e.l.l.3. +0x00000060: 32 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 31 00 2...d.l.l.,.-.1. +0x00000070: 32 00 36 00 39 00 33 00 00 00 18 00 00 00 2.6.9.3....... + +2008-10-29 19:03:12 | 2008-10-29 19:03:12 | 2008-10-29 19:03:12 | |Desktop\My Computer\D:\Old Files\Favorites + +0x00000000: 52 00 31 00 00 00 00 00 5d 39 66 98 10 00 41 75 R.1.....]9f...Au +0x00000010: 74 6f 64 65 73 6b 00 00 3a 00 07 00 04 00 ef be todesk..:....... +0x00000020: 5d 39 66 98 5d 39 66 98 26 00 00 00 9a 01 00 00 ]9f.]9f.&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 41 00 ..............A. +0x00000040: 75 00 74 00 6f 00 64 00 65 00 73 00 6b 00 00 00 u.t.o.d.e.s.k... +0x00000050: 18 00 00 00 .... + +2008-10-29 19:03:12 | 2008-10-29 19:03:12 | 2008-10-29 19:03:12 | |Desktop\My Computer\D:\Old Files\Favorites\Autodesk + +0x00000000: 5a 00 31 00 00 00 00 00 5d 39 66 98 11 00 4d 59 Z.1.....]9f...MY +0x00000010: 44 4f 43 55 7e 31 00 00 42 00 07 00 04 00 ef be DOCU~1..B....... +0x00000020: 5d 39 63 98 5d 39 66 98 26 00 00 00 54 01 00 00 ]9c.]9f.&...T... +0x00000030: 00 00 04 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 79 00 20 00 44 00 6f 00 63 00 75 00 6d 00 65 00 y. .D.o.c.u.m.e. 
+0x00000050: 6e 00 74 00 73 00 00 00 18 00 00 00 n.t.s....... + +2008-10-29 19:03:12 | 2008-10-29 19:03:12 | 2008-10-29 19:03:06 | |Desktop\My Computer\D:\Old Files\My Documents + +0x00000000: 60 00 31 00 00 00 00 00 5d 39 83 98 14 00 4d 59 `.1.....]9....MY +0x00000010: 44 41 54 41 7e 31 00 00 48 00 07 00 04 00 ef be DATA~1..H....... +0x00000020: 5d 39 83 98 5d 39 83 98 26 00 00 00 24 03 00 00 ]9..]9..&...$... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 79 00 20 00 44 00 61 00 74 00 61 00 20 00 53 00 y. .D.a.t.a. .S. +0x00000050: 6f 00 75 00 72 00 63 00 65 00 73 00 00 00 18 00 o.u.r.c.e.s..... +0x00000060: 00 00 .. + +2008-10-29 19:04:06 | 2008-10-29 19:04:06 | 2008-10-29 19:04:06 | |Desktop\My Computer\D:\Old Files\My Documents\My Data Sources + +0x00000000: 54 00 31 00 00 00 00 00 17 31 f3 88 10 00 4d 59 T.1......1....MY +0x00000010: 45 42 4f 4f 7e 31 00 00 3c 00 07 00 04 00 ef be EBOO~1..<....... +0x00000020: 5d 39 83 98 5d 39 83 98 26 00 00 00 2f 03 00 00 ]9..]9..&.../... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 79 00 20 00 65 00 42 00 6f 00 6f 00 6b 00 73 00 y. .e.B.o.o.k.s. +0x00000050: 00 00 18 00 00 00 ...... + +2004-08-23 17:07:38 | 2008-10-29 19:04:06 | 2008-10-29 19:04:06 | |Desktop\My Computer\D:\Old Files\My Documents\My eBooks + +0x00000000: 88 00 31 00 00 00 00 00 5d 39 82 98 10 00 41 50 ..1.....]9....AP +0x00000010: 50 4c 49 43 7e 31 00 00 70 00 07 00 04 00 ef be PLIC~1..p....... +0x00000020: 5d 39 82 98 5d 39 82 98 26 00 00 00 e4 02 00 00 ]9..]9..&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 41 00 ..............A. +0x00000040: 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 p.p.l.i.c.a.t.i. +0x00000050: 6f 00 6e 00 20 00 69 00 6e 00 66 00 6f 00 20 00 o.n. .i.n.f.o. . +0x00000060: 6f 00 6e 00 20 00 57 00 69 00 6e 00 64 00 6f 00 o.n. .W.i.n.d.o. +0x00000070: 77 00 73 00 20 00 53 00 65 00 72 00 76 00 65 00 w.s. .S.e.r.v.e. 
+0x00000080: 72 00 73 00 00 00 18 00 00 00 r.s....... + +2008-10-29 19:04:04 | 2008-10-29 19:04:04 | 2008-10-29 19:04:04 | |Desktop\My Computer\D:\Old Files\My Documents\Application info on Windows Servers + +0x00000000: 4c 00 31 00 00 00 00 00 e8 3a 8f 7c 10 00 56 4d L.1......:.|..VM +0x00000010: 57 61 72 65 00 00 36 00 07 00 04 00 ef be e8 3a Ware..6........: +0x00000020: 8f 7c e8 3a 8f 7c 26 00 00 00 23 42 00 00 00 00 .|.:.|&...#B.... +0x00000030: 0b 00 00 00 00 00 00 00 00 00 00 00 56 00 4d 00 ............V.M. +0x00000040: 57 00 61 00 72 00 65 00 00 00 16 00 00 00 W.a.r.e....... + +2009-07-08 15:36:30 | 2009-07-08 15:36:30 | 2009-07-08 15:36:30 | |Desktop\My Computer\D:\Old Files\My Documents\VMWare + +0x00000000: 54 00 31 00 00 00 00 00 5d 39 ad 98 11 00 4d 59 T.1.....]9....MY +0x00000010: 56 49 44 45 7e 31 00 00 3c 00 07 00 04 00 ef be VIDE~1..<....... +0x00000020: 5d 39 ad 98 5d 39 ad 98 26 00 00 00 0d 05 00 00 ]9..]9..&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 79 00 20 00 56 00 69 00 64 00 65 00 6f 00 73 00 y. .V.i.d.e.o.s. +0x00000050: 00 00 18 00 00 00 ...... + +2008-10-29 19:05:26 | 2008-10-29 19:05:26 | 2008-10-29 19:05:26 | |Desktop\My Computer\D:\Old Files\My Documents\My Videos + +0x00000000: 5a 00 31 00 00 00 00 00 5d 39 ae 98 14 00 4d 59 Z.1.....]9....MY +0x00000010: 57 45 42 53 7e 31 00 00 42 00 07 00 04 00 ef be WEBS~1..B....... +0x00000020: 5d 39 ad 98 5d 39 ae 98 26 00 00 00 13 05 00 00 ]9..]9..&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 79 00 20 00 57 00 65 00 62 00 20 00 53 00 69 00 y. .W.e.b. .S.i. +0x00000050: 74 00 65 00 73 00 00 00 18 00 00 00 t.e.s....... 
+ +2008-10-29 19:05:28 | 2008-10-29 19:05:28 | 2008-10-29 19:05:26 | |Desktop\My Computer\D:\Old Files\My Documents\My Web Sites + +0x00000000: 52 00 31 00 00 00 00 00 95 32 3b 7f 10 00 52 65 R.1......2;...Re +0x00000010: 64 53 70 61 72 6b 00 00 3a 00 07 00 04 00 ef be dSpark..:....... +0x00000020: 5d 39 b1 98 5d 39 b1 98 26 00 00 00 a6 05 00 00 ]9..]9..&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 52 00 ..............R. +0x00000040: 65 00 64 00 53 00 70 00 61 00 72 00 6b 00 00 00 e.d.S.p.a.r.k... +0x00000050: 18 00 00 00 .... + +2005-04-21 15:57:54 | 2008-10-29 19:05:34 | 2008-10-29 19:05:34 | |Desktop\My Computer\D:\Old Files\My Documents\RedSpark + +0x00000000: 5c 00 31 00 00 00 00 00 95 32 3b 7f 10 00 53 54 \.1......2;...ST +0x00000010: 41 4e 44 41 7e 31 00 00 44 00 07 00 04 00 ef be ANDA~1..D....... +0x00000020: 5d 39 b5 98 5d 39 b5 98 26 00 00 00 cd 05 00 00 ]9..]9..&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 53 00 ..............S. +0x00000040: 74 00 61 00 6e 00 64 00 61 00 72 00 64 00 50 00 t.a.n.d.a.r.d.P. +0x00000050: 61 00 72 00 74 00 73 00 00 00 18 00 00 00 a.r.t.s....... + +2005-04-21 15:57:54 | 2008-10-29 19:05:42 | 2008-10-29 19:05:42 | |Desktop\My Computer\D:\Old Files\My Documents\StandardParts + +0x00000000: 4e 00 31 00 00 00 00 00 ac 34 6e 21 10 00 55 70 N.1......4n!..Up +0x00000010: 64 61 74 65 72 00 38 00 07 00 04 00 ef be 5d 39 dater.8.......]9 +0x00000020: b7 98 5d 39 b7 98 26 00 00 00 df 05 00 00 00 00 ..]9..&......... +0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 55 00 70 00 ............U.p. +0x00000040: 64 00 61 00 74 00 65 00 72 00 00 00 16 00 00 00 d.a.t.e.r....... + +2006-05-12 04:11:28 | 2008-10-29 19:05:46 | 2008-10-29 19:05:46 | |Desktop\My Computer\D:\Old Files\My Documents\Updater + +0x00000000: 52 00 31 00 00 00 00 00 5d 39 86 98 11 00 4d 59 R.1.....]9....MY +0x00000010: 4d 55 53 49 7e 31 00 00 3a 00 07 00 04 00 ef be MUSI~1..:....... 
+0x00000020: 5d 39 83 98 5d 39 86 98 26 00 00 00 34 03 00 00 ]9..]9..&...4... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 79 00 20 00 4d 00 75 00 73 00 69 00 63 00 00 00 y. .M.u.s.i.c... +0x00000050: 18 00 00 00 .... + +2008-10-29 19:04:12 | 2008-10-29 19:04:12 | 2008-10-29 19:04:06 | |Desktop\My Computer\D:\Old Files\My Documents\My Music + +0x00000000: 58 00 31 00 00 00 00 00 5d 39 93 98 11 00 4d 59 X.1.....]9....MY +0x00000010: 50 49 43 54 7e 31 00 00 40 00 07 00 04 00 ef be PICT~1..@....... +0x00000020: 5d 39 86 98 5d 39 93 98 26 00 00 00 3d 03 00 00 ]9..]9..&...=... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 79 00 20 00 50 00 69 00 63 00 74 00 75 00 72 00 y. .P.i.c.t.u.r. +0x00000050: 65 00 73 00 00 00 18 00 00 00 e.s....... + +2008-10-29 19:04:38 | 2008-10-29 19:04:38 | 2008-10-29 19:04:12 | |Desktop\My Computer\D:\Old Files\My Documents\My Pictures + +0x00000000: 54 00 31 00 00 00 00 00 5d 39 ad 98 14 00 4d 59 T.1.....]9....MY +0x00000010: 53 48 41 50 7e 31 00 00 3c 00 07 00 04 00 ef be SHAP~1..<....... +0x00000020: 5d 39 ad 98 5d 39 ad 98 26 00 00 00 05 05 00 00 ]9..]9..&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 79 00 20 00 53 00 68 00 61 00 70 00 65 00 73 00 y. .S.h.a.p.e.s. +0x00000050: 00 00 18 00 00 00 ...... + +2008-10-29 19:05:26 | 2008-10-29 19:05:26 | 2008-10-29 19:05:26 | |Desktop\My Computer\D:\Old Files\My Documents\My Shapes + +0x00000000: 56 00 31 00 00 00 00 00 5d 39 ef 98 10 00 4e 45 V.1.....]9....NE +0x00000010: 57 46 4f 4c 7e 31 00 00 3e 00 07 00 04 00 ef be WFOL~1..>....... +0x00000020: 5d 39 ef 98 5d 39 ef 98 26 00 00 00 5f 06 00 00 ]9..]9..&..._... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4e 00 ..............N. +0x00000040: 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 e.w. .F.o.l.d.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... 
+ +2008-10-29 19:07:30 | 2008-10-29 19:07:30 | 2008-10-29 19:07:30 | |Desktop\My Computer\D:\Old Files\New Folder + +0x00000000: 50 00 31 00 00 00 00 00 5d 39 ef 98 10 00 41 55 P.1.....]9....AU +0x00000010: 57 4f 52 4b 7e 31 00 00 38 00 07 00 04 00 ef be WORK~1..8....... +0x00000020: 5d 39 ef 98 5d 39 ef 98 26 00 00 00 5f 06 00 00 ]9..]9..&..._... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 41 00 ..............A. +0x00000040: 55 00 20 00 77 00 6f 00 72 00 6b 00 00 00 18 00 U. .w.o.r.k..... +0x00000050: 00 00 .. + +2008-10-29 19:07:30 | 2008-10-29 19:07:30 | 2008-10-29 19:07:30 | |Desktop\My Computer\D:\Old Files\AU work + +0x00000000: 48 00 31 00 00 00 00 00 5d 39 15 99 10 00 57 69 H.1.....]9....Wi +0x00000010: 6e 32 39 00 34 00 07 00 04 00 ef be 5d 39 15 99 n29.4.......]9.. +0x00000020: 5d 39 15 99 26 00 00 00 60 06 00 00 00 00 01 00 ]9..&...`....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 32 00 39 00 00 00 14 00 00 00 2.9....... + +2008-10-29 19:08:42 | 2008-10-29 19:08:42 | 2008-10-29 19:08:42 | |Desktop\My Computer\D:\Old Files\AU work\Win29 + +0x00000000: 5c 00 31 00 00 00 00 00 5d 39 38 99 10 00 57 49 \.1.....]98...WI +0x00000010: 4e 44 4f 57 7e 32 00 00 44 00 07 00 04 00 ef be NDOW~2..D....... +0x00000020: 5d 39 25 99 5d 39 38 99 26 00 00 00 33 07 00 00 ]9%.]98.&...3... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 54 00 i.n.d.o.w.s. .T. +0x00000050: 6f 00 6f 00 6c 00 73 00 00 00 18 00 00 00 o.o.l.s....... + +2008-10-29 19:09:48 | 2008-10-29 19:09:48 | 2008-10-29 19:09:10 | |Desktop\My Computer\D:\Old Files\AU work\Windows Tools + +0x00000000: 48 00 31 00 00 00 00 00 5d 39 18 99 10 00 57 69 H.1.....]9....Wi +0x00000010: 6e 33 30 00 34 00 07 00 04 00 ef be 5d 39 15 99 n30.4.......]9.. +0x00000020: 5d 39 18 99 26 00 00 00 6b 06 00 00 00 00 01 00 ]9..&...k....... 
+0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 33 00 30 00 00 00 14 00 00 00 3.0....... + +2008-10-29 19:08:48 | 2008-10-29 19:08:48 | 2008-10-29 19:08:42 | |Desktop\My Computer\D:\Old Files\AU work\Win30 + +0x00000000: 92 00 31 00 00 00 00 00 63 39 44 94 10 00 54 49 ..1.....c9D...TI +0x00000010: 54 41 4e 49 7e 31 00 00 7a 00 07 00 04 00 ef be TANI~1..z....... +0x00000020: 63 39 44 94 63 39 44 94 26 00 00 00 2c 00 00 00 c9D.c9D.&...,... +0x00000030: 00 00 08 00 00 00 00 00 00 00 00 00 00 00 54 00 ..............T. +0x00000040: 69 00 74 00 61 00 6e 00 69 00 75 00 6d 00 20 00 i.t.a.n.i.u.m. . +0x00000050: 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 W.i.n.d.o.w.s. . +0x00000060: 41 00 75 00 74 00 68 00 65 00 6e 00 74 00 69 00 A.u.t.h.e.n.t.i. +0x00000070: 63 00 61 00 74 00 69 00 6f 00 6e 00 20 00 53 00 c.a.t.i.o.n. .S. +0x00000080: 65 00 74 00 74 00 69 00 6e 00 67 00 73 00 00 00 e.t.t.i.n.g.s... +0x00000090: 18 00 00 00 .... + +2008-11-03 18:34:08 | 2008-11-03 18:34:08 | 2008-11-03 18:34:08 | |Desktop\My Computer\D:\Old Files\AU work\Win30\Titanium Windows Authentication Settings + +0x00000000: 4e 00 31 00 00 00 00 00 45 3b dc 90 10 00 57 42 N.1.....E;....WB +0x00000010: 68 6f 75 73 65 00 38 00 07 00 04 00 ef be 45 3b house.8.......E; +0x00000020: db 90 45 3b dc 90 26 00 00 00 31 43 00 00 00 00 ..E;..&...1C.... +0x00000030: 06 00 00 00 00 00 00 00 00 00 00 00 57 00 42 00 ............W.B. +0x00000040: 68 00 6f 00 75 00 73 00 65 00 00 00 16 00 00 00 h.o.u.s.e....... + +2009-10-05 18:06:56 | 2009-10-05 18:06:56 | 2009-10-05 18:06:54 | |Desktop\My Computer\D:\Old Files\WBhouse + +0x00000000: 4e 00 31 00 00 00 00 00 45 3b e2 90 10 00 4b 69 N.1.....E;....Ki +0x00000010: 74 63 68 65 6e 00 38 00 07 00 04 00 ef be 45 3b tchen.8.......E; +0x00000020: dd 90 45 3b e2 90 26 00 00 00 52 43 00 00 00 00 ..E;..&...RC.... +0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 4b 00 69 00 ............K.i. 
+0x00000040: 74 00 63 00 68 00 65 00 6e 00 00 00 16 00 00 00 t.c.h.e.n....... + +2009-10-05 18:07:04 | 2009-10-05 18:07:04 | 2009-10-05 18:06:58 | |Desktop\My Computer\D:\Old Files\WBhouse\Kitchen + +0x00000000: 46 00 31 00 00 00 00 00 45 3b e4 90 10 00 42 61 F.1.....E;....Ba +0x00000010: 74 68 00 00 32 00 07 00 04 00 ef be 45 3b e2 90 th..2.......E;.. +0x00000020: 45 3b e4 90 26 00 00 00 76 43 00 00 00 00 01 00 E;..&...vC...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 42 00 61 00 74 00 ..........B.a.t. +0x00000040: 68 00 00 00 14 00 00 00 h....... + +2009-10-05 18:07:08 | 2009-10-05 18:07:08 | 2009-10-05 18:07:04 | |Desktop\My Computer\D:\Old Files\WBhouse\Bath + +0x00000000: 50 00 31 00 00 00 00 00 5d 39 67 9d 10 00 41 55 P.1.....]9g...AU +0x00000010: 57 4f 52 4b 7e 31 00 00 38 00 07 00 04 00 ef be WORK~1..8....... +0x00000020: 5d 39 ef 98 5d 39 67 9d 26 00 00 00 5f 06 00 00 ]9..]9g.&..._... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 41 00 ..............A. +0x00000040: 55 00 20 00 77 00 6f 00 72 00 6b 00 00 00 18 00 U. .w.o.r.k..... +0x00000050: 00 00 .. + +2008-10-29 19:43:14 | 2008-10-29 19:43:14 | 2008-10-29 19:07:30 | |Desktop\My Computer\D:\AU work + +0x00000000: 48 00 31 00 00 00 00 00 63 39 52 94 10 00 57 69 H.1.....c9R...Wi +0x00000010: 6e 33 30 00 34 00 07 00 04 00 ef be 5d 39 15 99 n30.4.......]9.. +0x00000020: 63 39 52 94 26 00 00 00 6b 06 00 00 00 00 01 00 c9R.&...k....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 33 00 30 00 00 00 14 00 00 00 3.0....... + +2008-11-03 18:34:36 | 2008-11-03 18:34:36 | 2008-10-29 19:08:42 | |Desktop\My Computer\D:\AU work\Win30 + +0x00000000: 92 00 31 00 00 00 00 00 63 39 54 94 10 00 54 49 ..1.....c9T...TI +0x00000010: 54 41 4e 49 7e 31 00 00 7a 00 07 00 04 00 ef be TANI~1..z....... +0x00000020: 63 39 44 94 63 39 54 94 26 00 00 00 2c 00 00 00 c9D.c9T.&...,... +0x00000030: 00 00 08 00 00 00 00 00 00 00 00 00 00 00 54 00 ..............T. 
+0x00000040: 69 00 74 00 61 00 6e 00 69 00 75 00 6d 00 20 00 i.t.a.n.i.u.m. . +0x00000050: 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 W.i.n.d.o.w.s. . +0x00000060: 41 00 75 00 74 00 68 00 65 00 6e 00 74 00 69 00 A.u.t.h.e.n.t.i. +0x00000070: 63 00 61 00 74 00 69 00 6f 00 6e 00 20 00 53 00 c.a.t.i.o.n. .S. +0x00000080: 65 00 74 00 74 00 69 00 6e 00 67 00 73 00 00 00 e.t.t.i.n.g.s... +0x00000090: 18 00 00 00 .... + +2008-11-03 18:34:40 | 2008-11-03 18:34:40 | 2008-11-03 18:34:08 | |Desktop\My Computer\D:\AU work\Win30\Titanium Windows Authentication Settings + +0x00000000: 88 00 31 00 00 00 00 00 63 39 54 94 10 00 54 49 ..1.....c9T...TI +0x00000010: 54 41 4e 49 7e 31 00 00 70 00 07 00 04 00 ef be TANI~1..p....... +0x00000020: 63 39 44 94 63 39 54 94 26 00 00 00 2c 00 00 00 c9D.c9T.&...,... +0x00000030: 00 00 08 00 00 00 00 00 00 00 00 00 00 00 54 00 ..............T. +0x00000040: 69 00 74 00 61 00 6e 00 69 00 75 00 6d 00 20 00 i.t.a.n.i.u.m. . +0x00000050: 53 00 51 00 4c 00 20 00 57 00 69 00 6e 00 64 00 S.Q.L. .W.i.n.d. +0x00000060: 6f 00 77 00 73 00 20 00 41 00 75 00 74 00 68 00 o.w.s. .A.u.t.h. +0x00000070: 65 00 6e 00 74 00 69 00 63 00 61 00 74 00 69 00 e.n.t.i.c.a.t.i. +0x00000080: 6f 00 6e 00 00 00 18 00 00 00 o.n....... + +2008-11-03 18:34:40 | 2008-11-03 18:34:40 | 2008-11-03 18:34:08 | |Desktop\My Computer\D:\AU work\Win30\Titanium SQL Windows Authentication + +0x00000000: 78 00 32 00 5a 12 04 00 02 37 80 ac 20 00 54 49 x.2.Z....7.. .TI +0x00000010: 54 41 4e 49 7e 31 2e 5a 49 50 00 00 5c 00 07 00 TANI~1.ZIP..\... +0x00000020: 04 00 ef be 5d 39 16 99 5d 39 16 99 26 00 00 00 ....]9..]9..&... +0x00000030: 6f 06 00 00 00 00 01 00 00 00 00 00 00 00 00 00 o............... +0x00000040: 00 00 54 00 69 00 74 00 61 00 6e 00 69 00 75 00 ..T.i.t.a.n.i.u. +0x00000050: 6d 00 20 00 43 00 6c 00 69 00 65 00 6e 00 74 00 m. .C.l.i.e.n.t. +0x00000060: 20 00 53 00 65 00 74 00 75 00 70 00 2e 00 7a 00 .S.e.t.u.p...z. +0x00000070: 69 00 70 00 00 00 1c 00 00 00 i.p....... 
+ +2007-08-02 21:36:00 | 2008-10-29 19:08:44 | 2008-10-29 19:08:44 | |Desktop\My Computer\D:\AU work\Win30\Titanium Client Setup.zip [266842] + +0x00000000: 74 00 32 00 12 54 84 01 a1 36 ad aa 20 00 54 49 t.2..T...6.. .TI +0x00000010: 54 41 4e 49 7e 32 2e 5a 49 50 00 00 58 00 07 00 TANI~2.ZIP..X... +0x00000020: 04 00 ef be 5d 39 16 99 5d 39 16 99 26 00 00 00 ....]9..]9..&... +0x00000030: 71 06 00 00 00 00 01 00 00 00 00 00 00 00 00 00 q............... +0x00000040: 00 00 54 00 69 00 74 00 61 00 6e 00 69 00 75 00 ..T.i.t.a.n.i.u. +0x00000050: 6d 00 41 00 70 00 70 00 6c 00 69 00 63 00 61 00 m.A.p.p.l.i.c.a. +0x00000060: 74 00 69 00 6f 00 6e 00 2e 00 7a 00 69 00 70 00 t.i.o.n...z.i.p. +0x00000070: 00 00 1c 00 00 00 ...... + +2007-05-01 21:21:26 | 2008-10-29 19:08:44 | 2008-10-29 19:08:44 | |Desktop\My Computer\D:\AU work\Win30\TitaniumApplication.zip [25449490] + +0x00000000: 82 00 32 00 62 20 00 00 01 39 20 91 20 00 54 49 ..2.b ...9 . .TI +0x00000010: 54 41 4e 49 7e 33 2e 5a 49 50 00 00 66 00 07 00 TANI~3.ZIP..f... +0x00000020: 04 00 ef be 5d 39 18 99 5d 39 18 99 26 00 00 00 ....]9..]9..&... +0x00000030: 72 06 00 00 00 00 01 00 00 00 00 00 00 00 00 00 r............... +0x00000040: 00 00 54 00 69 00 74 00 61 00 6e 00 69 00 75 00 ..T.i.t.a.n.i.u. +0x00000050: 6d 00 44 00 42 00 20 00 54 00 65 00 73 00 74 00 m.D.B. .T.e.s.t. +0x00000060: 69 00 6e 00 67 00 20 00 52 00 65 00 73 00 75 00 i.n.g. .R.e.s.u. +0x00000070: 6c 00 74 00 73 00 2e 00 7a 00 69 00 70 00 00 00 l.t.s...z.i.p... +0x00000080: 1c 00 00 00 .... + +2008-08-01 18:09:00 | 2008-10-29 19:08:48 | 2008-10-29 19:08:48 | |Desktop\My Computer\D:\AU work\Win30\TitaniumDB Testing Results.zip [8290] + +0x00000000: 5c 00 31 00 00 00 00 00 5d 39 38 99 10 00 57 49 \.1.....]98...WI +0x00000010: 4e 44 4f 57 7e 32 00 00 44 00 07 00 04 00 ef be NDOW~2..D....... +0x00000020: 5d 39 25 99 5d 39 38 99 26 00 00 00 33 07 00 00 ]9%.]98.&...3... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. 
+0x00000040: 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 54 00 i.n.d.o.w.s. .T. +0x00000050: 6f 00 6f 00 6c 00 73 00 00 00 18 00 00 00 o.o.l.s....... + +2008-10-29 19:09:48 | 2008-10-29 19:09:48 | 2008-10-29 19:09:10 | |Desktop\My Computer\D:\AU work\Windows Tools + +0x00000000: 48 00 31 00 00 00 00 00 66 39 f2 ae 10 00 50 43 H.1.....f9....PC +0x00000010: 41 31 31 00 34 00 07 00 04 00 ef be 66 39 f2 ae A11.4.......f9.. +0x00000020: 66 39 f2 ae 26 00 00 00 45 00 00 00 00 00 01 00 f9..&...E....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 50 00 43 00 41 00 ..........P.C.A. +0x00000040: 31 00 31 00 00 00 14 00 00 00 1.1....... + +2008-11-06 21:55:36 | 2008-11-06 21:55:36 | 2008-11-06 21:55:36 | |Desktop\My Computer\D:\AU work\Windows Tools\PCA11 + +0x00000000: 54 00 31 00 00 00 00 00 5d 39 44 99 10 00 49 4c T.1.....]9D...IL +0x00000010: 4f 4d 45 44 7e 31 00 00 3c 00 07 00 04 00 ef be OMED~1..<....... +0x00000020: 5d 39 43 99 5d 39 44 99 26 00 00 00 25 08 00 00 ]9C.]9D.&...%... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 69 00 ..............i. +0x00000040: 4c 00 4f 00 20 00 4d 00 65 00 64 00 69 00 61 00 L.O. .M.e.d.i.a. +0x00000050: 00 00 18 00 00 00 ...... + +2008-10-29 19:10:08 | 2008-10-29 19:10:08 | 2008-10-29 19:10:06 | |Desktop\My Computer\D:\AU work\iLO Media + +0x00000000: 4c 00 31 00 00 00 00 00 5d 39 38 99 10 00 77 69 L.1.....]98...wi +0x00000010: 6e 7a 69 70 00 00 36 00 07 00 04 00 ef be 5d 39 nzip..6.......]9 +0x00000020: 38 99 5d 39 38 99 26 00 00 00 9a 07 00 00 00 00 8.]98.&......... +0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 77 00 69 00 ............w.i. +0x00000040: 6e 00 7a 00 69 00 70 00 00 00 16 00 00 00 n.z.i.p....... + +2008-10-29 19:09:48 | 2008-10-29 19:09:48 | 2008-10-29 19:09:48 | |Desktop\My Computer\D:\AU work\winzip + +0x00000000: 54 00 31 00 00 00 00 00 63 39 dd a5 10 00 49 53 T.1.....c9....IS +0x00000010: 4f 44 52 49 7e 31 00 00 3c 00 07 00 04 00 ef be ODRI~1..<....... 
+0x00000020: 63 39 d2 a5 63 39 dd a5 26 00 00 00 36 00 00 00 c9..c9..&...6... +0x00000030: 00 00 10 00 00 00 00 00 00 00 00 00 00 00 69 00 ..............i. +0x00000040: 73 00 6f 00 20 00 64 00 72 00 69 00 76 00 65 00 s.o. .d.r.i.v.e. +0x00000050: 00 00 18 00 00 00 ...... + +2008-11-03 20:46:58 | 2008-11-03 20:46:58 | 2008-11-03 20:46:36 | |Desktop\My Computer\D:\AU work\iso drive + +0x00000000: 48 00 31 00 00 00 00 00 5d 39 3c 99 10 00 45 4d H.1.....]9<...EM +0x00000010: 53 44 43 00 34 00 07 00 04 00 ef be 5d 39 3c 99 SDC.4.......]9<. +0x00000020: 5d 39 3c 99 26 00 00 00 03 08 00 00 00 00 01 00 ]9<.&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 45 00 4d 00 53 00 ..........E.M.S. +0x00000040: 44 00 43 00 00 00 14 00 00 00 D.C....... + +2008-10-29 19:09:56 | 2008-10-29 19:09:56 | 2008-10-29 19:09:56 | |Desktop\My Computer\D:\AU work\EMSDC + +0x00000000: 52 00 31 00 00 00 00 00 67 39 6d af 10 00 6e 65 R.1.....g9m...ne +0x00000010: 74 77 6f 72 6b 72 00 00 3a 00 07 00 04 00 ef be tworkr..:....... +0x00000020: 67 39 53 af 67 39 6d af 26 00 00 00 49 00 00 00 g9S.g9m.&...I... +0x00000030: 00 00 04 00 00 00 00 00 00 00 00 00 00 00 6e 00 ..............n. +0x00000040: 65 00 74 00 77 00 6f 00 72 00 6b 00 72 00 00 00 e.t.w.o.r.k.r... +0x00000050: 18 00 00 00 .... + +2008-11-07 21:59:26 | 2008-11-07 21:59:26 | 2008-11-07 21:58:38 | |Desktop\My Computer\D:\AU work\networkr + +0x00000000: 48 00 31 00 00 00 00 00 5d 39 64 9d 10 00 57 69 H.1.....]9d...Wi +0x00000010: 6e 32 32 00 34 00 07 00 04 00 ef be 5d 39 03 9d n22.4.......]9.. +0x00000020: 5d 39 64 9d 26 00 00 00 0d 40 00 00 00 00 01 00 ]9d.&....@...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 32 00 32 00 00 00 14 00 00 00 2.2....... + +2008-10-29 19:43:08 | 2008-10-29 19:43:08 | 2008-10-29 19:40:06 | |Desktop\My Computer\D:\AU work\Win22 + +0x00000000: 5e 00 32 00 2a 04 00 00 86 35 b3 a1 20 00 41 4d ^.2.*....5.. 
.AM +0x00000010: 45 52 55 57 30 33 2e 7a 69 70 00 00 42 00 07 00 ERUW03.zip..B... +0x00000020: 04 00 ef be 5d 39 03 9d 5d 39 03 9d 26 00 00 00 ....]9..]9..&... +0x00000030: 11 40 00 00 00 00 01 00 00 00 00 00 00 00 00 00 .@.............. +0x00000040: 00 00 41 00 4d 00 45 00 52 00 55 00 57 00 30 00 ..A.M.E.R.U.W.0. +0x00000050: 33 00 2e 00 7a 00 69 00 70 00 00 00 1c 00 00 00 3...z.i.p....... + +2006-12-06 20:13:38 | 2008-10-29 19:40:06 | 2008-10-29 19:40:06 | |Desktop\My Computer\D:\AU work\Win22\AMERUW03.zip [1066] + +0x00000000: 4c 00 31 00 00 00 00 00 75 39 d0 ad 10 00 57 69 L.1.....u9....Wi +0x00000010: 6e 31 30 33 00 00 36 00 07 00 04 00 ef be 75 39 n103..6.......u9 +0x00000020: d0 ad 75 39 d0 ad 26 00 00 00 6d 00 00 00 00 00 ..u9..&...m..... +0x00000030: 0a 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 ............W.i. +0x00000040: 6e 00 31 00 30 00 33 00 00 00 16 00 00 00 n.1.0.3....... + +2008-11-21 21:46:32 | 2008-11-21 21:46:32 | 2008-11-21 21:46:32 | |Desktop\My Computer\D:\AU work\Win103 + +0x00000000: 46 00 31 00 00 00 00 00 71 39 03 a2 10 00 44 65 F.1.....q9....De +0x00000010: 6c 6c 00 00 32 00 07 00 04 00 ef be 71 39 03 a2 ll..2.......q9.. +0x00000020: 71 39 03 a2 26 00 00 00 6d 00 00 00 00 00 06 00 q9..&...m....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 44 00 65 00 6c 00 ..........D.e.l. +0x00000040: 6c 00 00 00 14 00 00 00 l....... + +2008-11-17 20:16:06 | 2008-11-17 20:16:06 | 2008-11-17 20:16:06 | |Desktop\My Computer\D:\Dell + +0x00000000: 4e 00 31 00 00 00 00 00 71 39 03 a2 10 00 44 72 N.1.....q9....Dr +0x00000010: 69 76 65 72 73 00 38 00 07 00 04 00 ef be 71 39 ivers.8.......q9 +0x00000020: 03 a2 71 39 03 a2 26 00 00 00 6e 00 00 00 00 00 ..q9..&...n..... +0x00000030: 06 00 00 00 00 00 00 00 00 00 00 00 44 00 72 00 ............D.r. +0x00000040: 69 00 76 00 65 00 72 00 73 00 00 00 16 00 00 00 i.v.e.r.s....... 
+ +2008-11-17 20:16:06 | 2008-11-17 20:16:06 | 2008-11-17 20:16:06 | |Desktop\My Computer\D:\Dell\Drivers + +0x00000000: 4e 00 31 00 00 00 00 00 71 39 03 a2 10 00 52 31 N.1.....q9....R1 +0x00000010: 33 33 30 35 32 00 38 00 07 00 04 00 ef be 71 39 33052.8.......q9 +0x00000020: 03 a2 71 39 03 a2 26 00 00 00 6f 00 00 00 00 00 ..q9..&...o..... +0x00000030: 04 00 00 00 00 00 00 00 00 00 00 00 52 00 31 00 ............R.1. +0x00000040: 33 00 33 00 30 00 35 00 32 00 00 00 16 00 00 00 3.3.0.5.2....... + +2008-11-17 20:16:06 | 2008-11-17 20:16:06 | 2008-11-17 20:16:06 | |Desktop\My Computer\D:\Dell\Drivers\R133052 + +0x00000000: 5e 00 31 00 00 00 00 00 71 39 03 a2 10 00 57 49 ^.1.....q9....WI +0x00000010: 52 45 44 4e 7e 31 00 00 46 00 07 00 04 00 ef be REDN~1..F....... +0x00000020: 71 39 03 a2 71 39 03 a2 26 00 00 00 6f 00 00 00 q9..q9..&...o... +0x00000030: 00 00 04 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 72 00 65 00 64 00 20 00 4e 00 49 00 43 00 i.r.e.d. .N.I.C. +0x00000050: 20 00 58 00 33 00 30 00 30 00 00 00 18 00 00 00 .X.3.0.0....... + +2008-11-17 20:16:06 | 2008-11-17 20:16:06 | 2008-11-17 20:16:06 | |Desktop\My Computer\D:\Dell\Drivers\Wired NIC X300 + +0x00000000: 50 00 31 00 00 00 00 00 75 39 d1 ad 10 00 57 4f P.1.....u9....WO +0x00000010: 52 4b 41 55 7e 31 00 00 38 00 07 00 04 00 ef be RKAU~1..8....... +0x00000020: 5d 39 ef 98 75 39 d1 ad 26 00 00 00 5f 06 00 00 ]9..u9..&..._... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 77 00 ..............w. +0x00000040: 6f 00 72 00 6b 00 20 00 41 00 55 00 00 00 18 00 o.r.k. .A.U..... +0x00000050: 00 00 .. + +2008-11-21 21:46:34 | 2008-11-21 21:46:34 | 2008-10-29 19:07:30 | |Desktop\My Computer\D:\work AU + +0x00000000: 4c 00 31 00 00 00 00 00 75 39 d4 ad 10 00 57 69 L.1.....u9....Wi +0x00000010: 6e 31 30 33 00 00 36 00 07 00 04 00 ef be 75 39 n103..6.......u9 +0x00000020: d0 ad 75 39 d4 ad 26 00 00 00 6d 00 00 00 00 00 ..u9..&...m..... 
+0x00000030: 0a 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 ............W.i. +0x00000040: 6e 00 31 00 30 00 33 00 00 00 16 00 00 00 n.1.0.3....... + +2008-11-21 21:46:40 | 2008-11-21 21:46:40 | 2008-11-21 21:46:32 | |Desktop\My Computer\D:\work AU\Win103 + +0x00000000: 46 00 31 00 00 00 00 00 5d 39 29 9b 10 00 49 4e F.1.....]9)...IN +0x00000010: 41 53 00 00 32 00 07 00 04 00 ef be 5d 39 28 9b AS..2.......]9(. +0x00000020: 5d 39 29 9b 26 00 00 00 28 08 00 00 00 00 01 00 ]9).&...(....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 49 00 4e 00 41 00 ..........I.N.A. +0x00000040: 53 00 00 00 14 00 00 00 S....... + +2008-10-29 19:25:18 | 2008-10-29 19:25:18 | 2008-10-29 19:25:16 | |Desktop\My Computer\D:\work AU\INAS + +0x00000000: 54 00 31 00 00 00 00 00 5d 39 44 99 10 00 49 4c T.1.....]9D...IL +0x00000010: 4f 4d 45 44 7e 31 00 00 3c 00 07 00 04 00 ef be OMED~1..<....... +0x00000020: 5d 39 43 99 5d 39 44 99 26 00 00 00 25 08 00 00 ]9C.]9D.&...%... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 69 00 ..............i. +0x00000040: 4c 00 4f 00 20 00 4d 00 65 00 64 00 69 00 61 00 L.O. .M.e.d.i.a. +0x00000050: 00 00 18 00 00 00 ...... + +2008-10-29 19:10:08 | 2008-10-29 19:10:08 | 2008-10-29 19:10:06 | |Desktop\My Computer\D:\work AU\iLO Media + +0x00000000: 42 00 31 00 00 00 00 00 5d 39 88 9c 10 00 53 53 B.1.....]9....SS +0x00000010: 4c 00 30 00 07 00 04 00 ef be 5d 39 88 9c 5d 39 L.0.......]9..]9 +0x00000020: 88 9c 26 00 00 00 ce 3e 00 00 00 00 01 00 00 00 ..&....>........ +0x00000030: 00 00 00 00 00 00 00 00 53 00 53 00 4c 00 00 00 ........S.S.L... +0x00000040: 12 00 00 00 .... + +2008-10-29 19:36:16 | 2008-10-29 19:36:16 | 2008-10-29 19:36:16 | |Desktop\My Computer\D:\work AU\SSL + +0x00000000: 48 00 31 00 00 00 00 00 5d 39 fc 9c 10 00 57 69 H.1.....]9....Wi +0x00000010: 6e 30 31 00 34 00 07 00 04 00 ef be 5d 39 fc 9c n01.4.......]9.. +0x00000020: 5d 39 fc 9c 26 00 00 00 c5 3f 00 00 00 00 01 00 ]9..&....?...... 
+0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 30 00 31 00 00 00 14 00 00 00 0.1....... + +2008-10-29 19:39:56 | 2008-10-29 19:39:56 | 2008-10-29 19:39:56 | |Desktop\My Computer\D:\work AU\Win01 + +0x00000000: 6e 00 32 00 e1 8f 05 00 16 39 02 28 20 00 4f 4c n.2......9.( .OL +0x00000010: 4c 49 5f 41 7e 31 2e 5a 49 50 00 00 52 00 07 00 LI_A~1.ZIP..R... +0x00000020: 04 00 ef be 5d 39 39 99 5d 39 39 99 26 00 00 00 ....]99.]99.&... +0x00000030: 9d 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 00 00 4f 00 4c 00 4c 00 49 00 5f 00 41 00 55 00 ..O.L.L.I._.A.U. +0x00000050: 5f 00 30 00 35 00 5f 00 32 00 33 00 5f 00 30 00 _.0.5._.2.3._.0. +0x00000060: 38 00 2e 00 7a 00 69 00 70 00 00 00 1c 00 00 00 8...z.i.p....... + +2008-08-22 05:00:04 | 2008-10-29 19:09:50 | 2008-10-29 19:09:50 | |Desktop\My Computer\D:\work AU\OLLI_AU_05_23_08.zip [364513] + +0x00000000: 48 00 31 00 00 00 00 00 5d 39 64 9d 10 00 57 69 H.1.....]9d...Wi +0x00000010: 6e 32 32 00 34 00 07 00 04 00 ef be 5d 39 03 9d n22.4.......]9.. +0x00000020: 5d 39 64 9d 26 00 00 00 0d 40 00 00 00 00 01 00 ]9d.&....@...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 32 00 32 00 00 00 14 00 00 00 2.2....... + +2008-10-29 19:43:08 | 2008-10-29 19:43:08 | 2008-10-29 19:40:06 | |Desktop\My Computer\D:\work AU\Win22 + +0x00000000: 4c 00 31 00 00 00 00 00 5d 39 3a 9d 10 00 50 68 L.1.....]9:...Ph +0x00000010: 61 72 6f 73 00 00 36 00 07 00 04 00 ef be 5d 39 aros..6.......]9 +0x00000020: 28 9d 5d 39 3a 9d 26 00 00 00 20 40 00 00 00 00 (.]9:.&... @.... +0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 50 00 68 00 ............P.h. +0x00000040: 61 00 72 00 6f 00 73 00 00 00 16 00 00 00 a.r.o.s....... 
+ +2008-10-29 19:41:52 | 2008-10-29 19:41:52 | 2008-10-29 19:41:16 | |Desktop\My Computer\D:\work AU\Win22\Pharos + +0x00000000: 5e 00 31 00 00 00 00 00 5d 39 3a 9d 10 00 50 48 ^.1.....]9:...PH +0x00000010: 41 52 4f 53 7e 31 00 00 46 00 07 00 04 00 ef be AROS~1..F....... +0x00000020: 5d 39 3a 9d 5d 39 3a 9d 26 00 00 00 25 40 00 00 ]9:.]9:.&...%@.. +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 50 00 ..............P. +0x00000040: 68 00 61 00 72 00 6f 00 73 00 20 00 4c 00 69 00 h.a.r.o.s. .L.i. +0x00000050: 63 00 65 00 6e 00 73 00 65 00 00 00 18 00 00 00 c.e.n.s.e....... + +2008-10-29 19:41:52 | 2008-10-29 19:41:52 | 2008-10-29 19:41:52 | |Desktop\My Computer\D:\work AU\Win22\Pharos\Pharos License + +0x00000000: 58 00 31 00 00 00 00 00 78 39 b0 a0 10 00 50 48 X.1.....x9....PH +0x00000010: 41 52 4f 53 7e 31 2e 30 00 00 3e 00 07 00 04 00 AROS~1.0..>..... +0x00000020: ef be 78 39 b0 a0 78 39 b0 a0 26 00 00 00 6f 00 ..x9..x9..&...o. +0x00000030: 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 50 00 68 00 61 00 72 00 6f 00 73 00 20 00 38 00 P.h.a.r.o.s. .8. +0x00000050: 2e 00 30 00 00 00 1a 00 00 00 ..0....... + +2008-11-24 20:05:32 | 2008-11-24 20:05:32 | 2008-11-24 20:05:32 | |Desktop\My Computer\D:\work AU\Win22\Pharos 8.0 + +0x00000000: 8c 00 32 00 0c cb 9e 02 78 39 11 a2 20 00 55 50 ..2.....x9.. .UP +0x00000010: 38 2d 30 42 7e 31 2e 5a 49 50 00 00 70 00 07 00 8-0B~1.ZIP..p... +0x00000020: 04 00 ef be 78 39 0f a2 78 39 0f a2 26 00 00 00 ....x9..x9..&... +0x00000030: 70 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 p............... +0x00000040: 00 00 55 00 50 00 20 00 38 00 2d 00 30 00 20 00 ..U.P. .8.-.0. . +0x00000050: 62 00 75 00 69 00 6c 00 64 00 20 00 34 00 37 00 b.u.i.l.d. .4.7. +0x00000060: 38 00 36 00 20 00 44 00 6f 00 63 00 75 00 6d 00 8.6. .D.o.c.u.m. +0x00000070: 65 00 6e 00 74 00 61 00 74 00 69 00 6f 00 6e 00 e.n.t.a.t.i.o.n. +0x00000080: 2e 00 7a 00 69 00 70 00 00 00 1c 00 00 00 ..z.i.p....... 
+ +2008-11-24 20:16:34 | 2008-11-24 20:16:30 | 2008-11-24 20:16:30 | |Desktop\My Computer\D:\work AU\Win22\Pharos 8.0\UP 8-0 build 4786 Documentation.zip [43961100] + +0x00000000: 70 00 32 00 82 4b 73 0d 78 39 1c a3 20 00 55 50 p.2..Ks.x9.. .UP +0x00000010: 38 2d 30 42 7e 32 2e 5a 49 50 00 00 54 00 07 00 8-0B~2.ZIP..T... +0x00000020: 04 00 ef be 78 39 15 a3 78 39 15 a3 26 00 00 00 ....x9..x9..&... +0x00000030: 71 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 q............... +0x00000040: 00 00 55 00 50 00 20 00 38 00 2d 00 30 00 20 00 ..U.P. .8.-.0. . +0x00000050: 62 00 75 00 69 00 6c 00 64 00 20 00 34 00 37 00 b.u.i.l.d. .4.7. +0x00000060: 38 00 36 00 2e 00 7a 00 69 00 70 00 00 00 1c 00 8.6...z.i.p..... +0x00000070: 00 00 .. + +2008-11-24 20:24:56 | 2008-11-24 20:24:42 | 2008-11-24 20:24:42 | |Desktop\My Computer\D:\work AU\Win22\Pharos 8.0\UP 8-0 build 4786.zip [225659778] + +0x00000000: 4c 00 31 00 00 00 00 00 5d 39 f9 9c 10 00 56 4d L.1.....]9....VM +0x00000010: 57 61 72 65 00 00 36 00 07 00 04 00 ef be 5d 39 Ware..6.......]9 +0x00000020: e3 9c 5d 39 f9 9c 26 00 00 00 8d 3f 00 00 00 00 ..]9..&....?.... +0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 56 00 4d 00 ............V.M. +0x00000040: 57 00 61 00 72 00 65 00 00 00 16 00 00 00 W.a.r.e....... + +2008-10-29 19:39:50 | 2008-10-29 19:39:50 | 2008-10-29 19:39:06 | |Desktop\My Computer\D:\work AU\VMWare + +0x00000000: 42 00 31 00 00 00 00 00 85 39 ca 8e 10 00 43 4d B.1......9....CM +0x00000010: 53 00 30 00 07 00 04 00 ef be 85 39 ca 8e 85 39 S.0........9...9 +0x00000020: ca 8e 26 00 00 00 73 00 00 00 00 00 0a 00 00 00 ..&...s......... +0x00000030: 00 00 00 00 00 00 00 00 43 00 4d 00 53 00 00 00 ........C.M.S... +0x00000040: 12 00 00 00 .... + +2008-12-05 17:54:20 | 2008-12-05 17:54:20 | 2008-12-05 17:54:20 | |Desktop\My Computer\D:\work AU\CMS + +0x00000000: 64 00 32 00 f6 ff 02 00 5c 39 6d b3 20 00 50 54 d.2.....\9m. .PT +0x00000010: 5f 43 41 4c 7e 31 2e 5a 49 50 00 00 48 00 07 00 _CAL~1.ZIP..H... 
+0x00000020: 04 00 ef be 5c 39 6d b3 5c 39 6d b3 26 00 00 00 ....\9m.\9m.&... +0x00000030: 74 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 t............... +0x00000040: 00 00 70 00 74 00 5f 00 63 00 61 00 6c 00 65 00 ..p.t._.c.a.l.e. +0x00000050: 6e 00 64 00 61 00 72 00 2e 00 7a 00 69 00 70 00 n.d.a.r...z.i.p. +0x00000060: 00 00 1c 00 00 00 ...... + +2008-10-28 22:27:26 | 2008-10-28 22:27:26 | 2008-10-28 22:27:26 | |Desktop\My Computer\D:\work AU\CMS\pt_calendar.zip [196598] + | | | |Desktop\My Computer\D:\work AU\CMS\pt_calendar.zip\pt_calendar + | | | 10/30/2007 09:55:10 |Desktop\My Computer\D:\work AU\CMS\pt_calendar.zip\pt_calendar\com\pt_calendar + | | | 10/30/2007 09:55:10 |Desktop\My Computer\D:\work AU\CMS\pt_calendar.zip\pt_calendar\customcf\pt_calendar + | | | 10/30/2007 09:55:10 |Desktop\My Computer\D:\work AU\CMS\pt_calendar.zip\pt_calendar\customfields\pt_calendar + | | | 10/30/2007 09:55:10 |Desktop\My Computer\D:\work AU\CMS\pt_calendar.zip\pt_calendar\data\pt_calendar + | | | 11/19/2007 18:32:48 |Desktop\My Computer\D:\work AU\CMS\pt_calendar.zip\pt_calendar\exportedObjects\pt_calendar + | | | 10/30/2007 09:55:10 |Desktop\My Computer\D:\work AU\CMS\pt_calendar.zip\pt_calendar\images\pt_calendar + +0x00000000: 60 00 31 00 00 00 00 00 5d 39 fa 9c 10 00 57 42 `.1.....]9....WB +0x00000010: 41 54 43 48 7e 31 00 00 48 00 07 00 04 00 ef be ATCH~1..H....... +0x00000020: 5d 39 f9 9c 5d 39 fa 9c 26 00 00 00 96 3f 00 00 ]9..]9..&....?.. +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 62 00 61 00 74 00 63 00 68 00 20 00 45 00 78 00 b.a.t.c.h. .E.x. +0x00000050: 74 00 65 00 6e 00 64 00 65 00 72 00 00 00 18 00 t.e.n.d.e.r..... +0x00000060: 00 00 .. + +2008-10-29 19:39:52 | 2008-10-29 19:39:52 | 2008-10-29 19:39:50 | |Desktop\My Computer\D:\work AU\Wbatch Extender + +0x00000000: 52 00 31 00 00 00 00 00 5d 39 25 99 10 00 57 69 R.1.....]9%...Wi +0x00000010: 6e 62 61 74 63 68 00 00 3a 00 07 00 04 00 ef be nbatch..:....... 
+0x00000020: 5d 39 23 99 5d 39 25 99 26 00 00 00 94 06 00 00 ]9#.]9%.&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 6e 00 62 00 61 00 74 00 63 00 68 00 00 00 i.n.b.a.t.c.h... +0x00000050: 18 00 00 00 .... + +2008-10-29 19:09:10 | 2008-10-29 19:09:10 | 2008-10-29 19:09:06 | |Desktop\My Computer\D:\work AU\Winbatch + +0x00000000: 48 00 31 00 00 00 00 00 5d 39 02 9d 10 00 57 69 H.1.....]9....Wi +0x00000010: 6e 31 34 00 34 00 07 00 04 00 ef be 5d 39 00 9d n14.4.......]9.. +0x00000020: 5d 39 02 9d 26 00 00 00 e6 3f 00 00 00 00 01 00 ]9..&....?...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 31 00 34 00 00 00 14 00 00 00 1.4....... + +2008-10-29 19:40:04 | 2008-10-29 19:40:04 | 2008-10-29 19:40:00 | |Desktop\My Computer\D:\work AU\Win14 + +0x00000000: 4c 00 31 00 00 00 00 00 5d 39 02 9d 10 00 73 63 L.1.....]9....sc +0x00000010: 72 69 70 74 00 00 36 00 07 00 04 00 ef be 5d 39 ript..6.......]9 +0x00000020: 02 9d 5d 39 02 9d 26 00 00 00 f3 3f 00 00 00 00 ..]9..&....?.... +0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 73 00 63 00 ............s.c. +0x00000040: 72 00 69 00 70 00 74 00 00 00 16 00 00 00 r.i.p.t....... + +2008-10-29 19:40:04 | 2008-10-29 19:40:04 | 2008-10-29 19:40:04 | |Desktop\My Computer\D:\work AU\Win14\script + +0x00000000: 60 00 31 00 00 00 00 00 5d 39 fc 9c 10 00 57 43 `.1.....]9....WC +0x00000010: 4c 44 52 49 7e 31 00 00 48 00 07 00 04 00 ef be LDRI~1..H....... +0x00000020: 5d 39 fa 9c 5d 39 fc 9c 26 00 00 00 a7 3f 00 00 ]9..]9..&....?.. +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 43 00 4c 00 20 00 44 00 72 00 69 00 76 00 65 00 C.L. .D.r.i.v.e. +0x00000050: 20 00 43 00 68 00 65 00 63 00 6b 00 00 00 18 00 .C.h.e.c.k..... +0x00000060: 00 00 .. 
+ +2008-10-29 19:39:56 | 2008-10-29 19:39:56 | 2008-10-29 19:39:52 | |Desktop\My Computer\D:\work AU\WCL Drive Check + +0x00000000: 74 00 32 00 2f d3 47 00 89 39 88 84 20 00 57 43 t.2./.G..9.. .WC +0x00000010: 4c 44 52 49 7e 31 2e 5a 49 50 00 00 58 00 07 00 LDRI~1.ZIP..X... +0x00000020: 04 00 ef be 89 39 87 84 89 39 88 84 26 00 00 00 .....9...9..&... +0x00000030: 75 00 00 00 00 00 0b 00 00 00 00 00 00 00 00 00 u............... +0x00000040: 00 00 57 00 43 00 4c 00 20 00 44 00 72 00 69 00 ..W.C.L. .D.r.i. +0x00000050: 76 00 65 00 20 00 43 00 68 00 65 00 63 00 6b 00 v.e. .C.h.e.c.k. +0x00000060: 20 00 7a 00 69 00 70 00 2e 00 7a 00 69 00 70 00 .z.i.p...z.i.p. +0x00000070: 00 00 1c 00 00 00 ...... + +2008-12-09 16:36:16 | 2008-12-09 16:36:16 | 2008-12-09 16:36:14 | |Desktop\My Computer\D:\work AU\WCL Drive Check zip.zip [4707119] + | | | |Desktop\My Computer\D:\work AU\WCL Drive Check zip.zip\WCL Drive Check + +0x00000000: 48 00 31 00 00 00 00 00 5d 39 02 9d 10 00 57 69 H.1.....]9....Wi +0x00000010: 6e 32 31 00 34 00 07 00 04 00 ef be 5d 39 02 9d n21.4.......]9.. +0x00000020: 5d 39 02 9d 26 00 00 00 08 40 00 00 00 00 01 00 ]9..&....@...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 32 00 31 00 00 00 14 00 00 00 2.1....... + +2008-10-29 19:40:04 | 2008-10-29 19:40:04 | 2008-10-29 19:40:04 | |Desktop\My Computer\D:\work AU\Win21 + +0x00000000: 5c 00 31 00 00 00 00 00 66 39 f2 ae 10 00 57 49 \.1.....f9....WI +0x00000010: 4e 44 4f 57 7e 32 00 00 44 00 07 00 04 00 ef be NDOW~2..D....... +0x00000020: 5d 39 25 99 66 39 f2 ae 26 00 00 00 33 07 00 00 ]909..&...3... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 54 00 i.n.d.o.w.s. .T. +0x00000050: 6f 00 6f 00 6c 00 73 00 00 00 18 00 00 00 o.o.l.s....... 
+ +2008-11-06 21:55:36 | 2008-11-06 21:55:36 | 2008-10-29 19:09:10 | |Desktop\My Computer\D:\work AU\Windows Tools + +0x00000000: 66 00 32 00 78 fb 3e 00 65 36 a0 10 80 00 50 41 f.2.x.>.e6....PA +0x00000010: 53 53 57 41 7e 31 2e 5a 49 50 00 00 4a 00 07 00 SSWA~1.ZIP..J... +0x00000020: 04 00 ef be 65 36 a0 10 65 36 a0 10 26 00 00 00 ....e6..e6..&... +0x00000030: 77 00 00 00 00 00 0e 00 00 00 00 00 00 00 00 00 w............... +0x00000040: 00 00 50 00 61 00 73 00 73 00 77 00 61 00 72 00 ..P.a.s.s.w.a.r. +0x00000050: 65 00 32 00 30 00 30 00 37 00 2e 00 7a 00 69 00 e.2.0.0.7...z.i. +0x00000060: 70 00 00 00 1c 00 00 00 p....... + +2007-03-05 02:05:00 | 2007-03-05 02:05:00 | 2007-03-05 02:05:00 | |Desktop\My Computer\D:\work AU\Windows Tools\Passware2007.zip [4127608] + | | | |Desktop\My Computer\D:\work AU\Windows Tools\Passware2007.zip\Passware2007 + +0x00000000: 48 00 31 00 00 00 00 00 8f 39 68 9d 10 00 57 69 H.1......9h...Wi +0x00000010: 6e 34 31 00 34 00 07 00 04 00 ef be 5d 39 21 99 n41.4.......]9!. +0x00000020: 8f 39 68 9d 26 00 00 00 89 06 00 00 00 00 01 00 .9h.&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 34 00 31 00 00 00 14 00 00 00 4.1....... + +2008-12-15 19:43:16 | 2008-12-15 19:43:16 | 2008-10-29 19:09:02 | |Desktop\My Computer\D:\work AU\Win41 + +0x00000000: 58 00 31 00 00 00 00 00 71 39 57 a3 10 00 4d 59 X.1.....q9W...MY +0x00000010: 44 4f 57 4e 7e 31 00 00 40 00 07 00 04 00 ef be DOWN~1..@....... +0x00000020: 91 37 0b 97 71 39 57 a3 26 00 00 00 25 00 00 00 .7..q9W.&...%... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 79 00 20 00 64 00 6f 00 77 00 6e 00 6c 00 6f 00 y. .d.o.w.n.l.o. +0x00000050: 61 00 64 00 00 00 18 00 00 00 a.d....... 
+ +2008-11-17 20:26:46 | 2008-11-17 20:26:46 | 2007-12-17 18:56:22 | |Desktop\My Computer\D:\My download + +0x00000000: 62 00 31 00 00 00 00 00 89 39 91 84 10 00 57 4f b.1......9....WO +0x00000010: 52 4b 41 55 7e 31 00 00 4a 00 07 00 04 00 ef be RKAU~1..J....... +0x00000020: 5d 39 ef 98 89 39 91 84 26 00 00 00 5f 06 00 00 ]9...9..&..._... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 77 00 ..............w. +0x00000040: 6f 00 72 00 6b 00 20 00 41 00 55 00 20 00 44 00 o.r.k. .A.U. .D. +0x00000050: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 00 00 o.w.n.l.o.a.d... +0x00000060: 18 00 00 00 .... + +2008-12-09 16:36:34 | 2008-12-09 16:36:34 | 2008-10-29 19:07:30 | |Desktop\My Computer\D:\work AU Download + +0x00000000: 5e 00 31 00 00 00 00 00 92 39 2a 15 10 00 4c 4f ^.1......9*...LO +0x00000010: 43 41 4c 44 7e 31 00 00 46 00 07 00 04 00 ef be CALD~1..F....... +0x00000020: 91 37 0b 97 92 39 2a 15 26 00 00 00 25 00 00 00 .7...9*.&...%... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4c 00 ..............L. +0x00000040: 6f 00 63 00 61 00 6c 00 20 00 64 00 6f 00 77 00 o.c.a.l. .d.o.w. +0x00000050: 6e 00 6c 00 6f 00 61 00 64 00 00 00 18 00 00 00 n.l.o.a.d....... + +2008-12-18 02:41:20 | 2008-12-18 02:41:20 | 2007-12-17 18:56:22 | |Desktop\My Computer\D:\Local download + +0x00000000: 64 00 31 00 00 00 00 00 92 39 2a 2b 10 00 57 49 d.1......9*+..WI +0x00000010: 4e 44 4f 57 7e 31 00 00 4c 00 07 00 04 00 ef be NDOW~1..L....... +0x00000020: 92 39 2a 15 92 39 2a 2b 26 00 00 00 7b 00 00 00 .9*..9*+&...{... +0x00000030: 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 6e 00 64 00 6f 00 77 00 73 00 32 00 30 00 i.n.d.o.w.s.2.0. +0x00000050: 30 00 38 00 47 00 6f 00 6c 00 64 00 65 00 6e 00 0.8.G.o.l.d.e.n. +0x00000060: 00 00 18 00 00 00 ...... 
+ +2008-12-18 05:25:20 | 2008-12-18 05:25:20 | 2008-12-18 02:41:20 | |Desktop\My Computer\D:\Local download\Windows2008Golden + +0x00000000: 66 00 32 00 3d 9e af 00 4c 3a bd 72 20 00 57 49 f.2.=...L:.r .WI +0x00000010: 4e 42 41 54 7e 31 2e 5a 49 50 00 00 4a 00 07 00 NBAT~1.ZIP..J... +0x00000020: 04 00 ef be 4c 3a f8 72 4c 3a f8 72 26 00 00 00 ....L:.rL:.r&... +0x00000030: 2f 41 00 00 00 00 07 00 00 00 00 00 00 00 00 00 /A.............. +0x00000040: 00 00 57 00 69 00 6e 00 62 00 61 00 74 00 63 00 ..W.i.n.b.a.t.c. +0x00000050: 68 00 32 00 30 00 30 00 38 00 2e 00 7a 00 69 00 h.2.0.0.8...z.i. +0x00000060: 70 00 00 00 1c 00 00 00 p....... + +2009-02-12 14:21:58 | 2009-02-12 14:23:48 | 2009-02-12 14:23:48 | |Desktop\My Computer\D:\Local download\Winbatch2008.zip [11509309] + +0x00000000: 54 00 31 00 00 00 00 00 4c 3a e5 73 10 00 45 58 T.1.....L:.s..EX +0x00000010: 54 52 41 43 7e 31 00 00 3c 00 07 00 04 00 ef be TRAC~1..<....... +0x00000020: 4c 3a e3 73 4c 3a e5 73 26 00 00 00 30 41 00 00 L:.sL:.s&...0A.. +0x00000030: 00 00 03 00 00 00 00 00 00 00 00 00 00 00 45 00 ..............E. +0x00000040: 78 00 74 00 72 00 61 00 63 00 74 00 65 00 64 00 x.t.r.a.c.t.e.d. +0x00000050: 00 00 18 00 00 00 ...... + +2009-02-12 14:31:10 | 2009-02-12 14:31:10 | 2009-02-12 14:31:06 | |Desktop\My Computer\D:\Local download\Extracted + +0x00000000: 66 00 31 00 00 00 00 00 4c 3a e5 73 10 00 57 49 f.1.....L:.s..WI +0x00000010: 4e 42 41 54 7e 31 00 00 4e 00 07 00 04 00 ef be NBAT~1..N....... +0x00000020: 4c 3a e3 73 4c 3a e5 73 26 00 00 00 30 41 00 00 L:.sL:.s&...0A.. +0x00000030: 00 00 03 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 6e 00 62 00 61 00 74 00 63 00 68 00 5f 00 i.n.b.a.t.c.h._. +0x00000050: 45 00 78 00 74 00 72 00 61 00 63 00 74 00 65 00 E.x.t.r.a.c.t.e. +0x00000060: 64 00 00 00 18 00 00 00 d....... 
+ +2009-02-12 14:31:10 | 2009-02-12 14:31:10 | 2009-02-12 14:31:06 | |Desktop\My Computer\D:\Local download\Winbatch_Extracted + +0x00000000: 64 00 31 00 00 00 00 00 4c 3a ee 73 10 00 57 49 d.1.....L:.s..WI +0x00000010: 4e 42 41 54 7e 31 00 00 4c 00 07 00 04 00 ef be NBAT~1..L....... +0x00000020: 4c 3a e5 73 4c 3a ee 73 26 00 00 00 34 41 00 00 L:.sL:.s&...4A.. +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 6e 00 62 00 61 00 74 00 63 00 68 00 5f 00 i.n.b.a.t.c.h._. +0x00000050: 63 00 6f 00 6d 00 70 00 69 00 6c 00 65 00 72 00 c.o.m.p.i.l.e.r. +0x00000060: 00 00 18 00 00 00 ...... + +2009-02-12 14:31:28 | 2009-02-12 14:31:28 | 2009-02-12 14:31:10 | |Desktop\My Computer\D:\Local download\Winbatch_Extracted\Winbatch_compiler + +0x00000000: 54 00 31 00 00 00 00 00 91 37 6c b2 10 00 49 4c T.1......7l...IL +0x00000010: 4f 4d 45 44 7e 31 00 00 3c 00 07 00 04 00 ef be OMED~1..<....... +0x00000020: 91 37 80 ae 91 37 6c b2 26 00 00 00 2f 00 00 00 .7...7l.&.../... +0x00000030: 00 00 02 00 00 00 00 00 00 00 00 00 00 00 69 00 ..............i. +0x00000040: 4c 00 4f 00 20 00 4d 00 65 00 64 00 69 00 61 00 L.O. .M.e.d.i.a. +0x00000050: 00 00 18 00 00 00 ...... + +2007-12-17 22:19:24 | 2007-12-17 22:19:24 | 2007-12-17 21:52:00 | |Desktop\My Computer\D:\Local download\iLO Media + +0x00000000: 94 00 31 00 00 00 00 00 65 39 67 95 10 00 54 52 ..1.....e9g...TR +0x00000010: 41 49 4e 53 7e 31 00 00 7c 00 07 00 04 00 ef be AINS~1..|....... +0x00000020: 65 39 66 95 65 39 67 95 26 00 00 00 3f 00 00 00 e9f.e9g.&...?... +0x00000030: 00 00 09 00 00 00 00 00 00 00 00 00 00 00 54 00 ..............T. +0x00000040: 72 00 61 00 69 00 6e 00 53 00 69 00 67 00 6e 00 r.a.i.n.S.i.g.n. +0x00000050: 61 00 6c 00 20 00 56 00 4d 00 57 00 61 00 72 00 a.l. .V.M.W.a.r. +0x00000060: 65 00 20 00 53 00 65 00 72 00 76 00 65 00 72 00 e. .S.e.r.v.e.r. +0x00000070: 20 00 61 00 6e 00 64 00 20 00 57 00 6f 00 72 00 .a.n.d. .W.o.r. 
+0x00000080: 6b 00 73 00 74 00 61 00 74 00 69 00 6f 00 6e 00 k.s.t.a.t.i.o.n. +0x00000090: 00 00 18 00 00 00 ...... + +2008-11-05 18:43:14 | 2008-11-05 18:43:14 | 2008-11-05 18:43:12 | |Desktop\My Computer\D:\Local download\TrainSignal VMWare Server and Workstation + +0x00000000: aa 00 31 00 00 00 00 00 7a 3a 09 90 10 00 54 52 ..1.....z:....TR +0x00000010: 41 49 4e 5f 7e 31 00 00 92 00 07 00 04 00 ef be AIN_~1.......... +0x00000020: 7a 3a 09 90 7a 3a 09 90 26 00 00 00 f1 41 00 00 z:..z:..&....A.. +0x00000030: 00 00 05 00 00 00 00 00 00 00 00 00 00 00 54 00 ..............T. +0x00000040: 72 00 61 00 69 00 6e 00 5f 00 53 00 69 00 67 00 r.a.i.n._.S.i.g. +0x00000050: 6e 00 61 00 6c 00 5f 00 4c 00 61 00 62 00 5f 00 n.a.l._.L.a.b._. +0x00000060: 32 00 37 00 5f 00 44 00 69 00 73 00 63 00 5f 00 2.7._.D.i.s.c._. +0x00000070: 31 00 5f 00 4d 00 69 00 63 00 72 00 6f 00 73 00 1._.M.i.c.r.o.s. +0x00000080: 6f 00 66 00 74 00 5f 00 56 00 69 00 72 00 74 00 o.f.t._.V.i.r.t. +0x00000090: 75 00 61 00 6c 00 5f 00 53 00 65 00 72 00 76 00 u.a.l._.S.e.r.v. +0x000000a0: 65 00 72 00 73 00 00 00 18 00 00 00 e.r.s....... + +2009-03-26 18:00:18 | 2009-03-26 18:00:18 | 2009-03-26 18:00:18 | |Desktop\My Computer\D:\Local download\Train_Signal_Lab_27_Disc_1_Microsoft_Virtual_Servers + +0x00000000: 42 00 31 00 00 00 00 00 8a 3a 2c 86 10 00 56 53 B.1......:,...VS +0x00000010: 53 00 30 00 07 00 04 00 ef be 8a 3a 2c 86 8a 3a S.0........:,..: +0x00000020: 2c 86 26 00 00 00 fb 41 00 00 00 00 01 00 00 00 ,.&....A........ +0x00000030: 00 00 00 00 00 00 00 00 56 00 53 00 53 00 00 00 ........V.S.S... +0x00000040: 12 00 00 00 .... + +2009-04-10 16:49:24 | 2009-04-10 16:49:24 | 2009-04-10 16:49:24 | |Desktop\My Computer\D:\Local download\VSS + +0x00000000: 54 00 31 00 00 00 00 00 00 00 00 00 10 00 56 69 T.1...........Vi +0x00000010: 73 69 6f 32 30 30 37 00 3c 00 07 00 04 00 ef be sio2007.<....... +0x00000020: 00 00 00 00 00 00 00 00 26 00 00 00 00 00 00 00 ........&....... 
+0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 00 ..............V. +0x00000040: 69 00 73 00 69 00 6f 00 32 00 30 00 30 00 37 00 i.s.i.o.2.0.0.7. +0x00000050: 00 00 18 00 00 00 ...... + + | | | |Desktop\My Computer\D:\Local download\Visio2007 + +0x00000000: 66 00 31 00 00 00 00 00 ef 3a 1c 82 10 00 56 49 f.1......:....VI +0x00000010: 53 49 4f 5f 7e 31 00 00 4e 00 07 00 04 00 ef be SIO_~1..N....... +0x00000020: ef 3a 0e 82 ef 3a 1c 82 26 00 00 00 28 42 00 00 .:...:..&...(B.. +0x00000030: 00 00 06 00 00 00 00 00 00 00 00 00 00 00 56 00 ..............V. +0x00000040: 69 00 73 00 69 00 6f 00 5f 00 70 00 72 00 6f 00 i.s.i.o._.p.r.o. +0x00000050: 20 00 32 00 30 00 30 00 37 00 20 00 77 00 33 00 .2.0.0.7. .w.3. +0x00000060: 32 00 00 00 18 00 00 00 2....... + +2009-07-15 16:16:56 | 2009-07-15 16:16:56 | 2009-07-15 16:16:28 | |Desktop\My Computer\D:\Local download\Visio2007\Visio_pro 2007 w32 + +0x00000000: 52 00 31 00 00 00 00 00 de 3e 60 8b 10 00 61 70 R.1......>`...ap +0x00000010: 70 63 6d 64 55 49 00 00 3a 00 07 00 04 00 ef be pcmdUI..:....... +0x00000020: de 3e 60 8b de 3e 60 8b 26 00 00 00 c5 07 00 00 .>`..>`.&....... +0x00000030: 00 00 54 00 00 00 00 00 00 00 00 00 00 00 61 00 ..T...........a. +0x00000040: 70 00 70 00 63 00 6d 00 64 00 55 00 49 00 00 00 p.p.c.m.d.U.I... +0x00000050: 18 00 00 00 .... + +2011-06-30 17:27:00 | 2011-06-30 17:27:00 | 2011-06-30 17:27:00 | |Desktop\My Computer\D:\Local download\appcmdUI + +0x00000000: 5c 00 31 00 00 00 00 00 89 39 91 84 10 00 57 4f \.1......9....WO +0x00000010: 52 4b 44 4f 7e 31 00 00 44 00 07 00 04 00 ef be RKDO~1..D....... +0x00000020: 5d 39 ef 98 89 39 91 84 26 00 00 00 5f 06 00 00 ]9...9..&..._... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 77 00 ..............w. +0x00000040: 6f 00 72 00 6b 00 20 00 44 00 6f 00 77 00 6e 00 o.r.k. .D.o.w.n. +0x00000050: 6c 00 6f 00 61 00 64 00 00 00 18 00 00 00 l.o.a.d....... 
+ +2008-12-09 16:36:34 | 2008-12-09 16:36:34 | 2008-10-29 19:07:30 | |Desktop\My Computer\D:\work Download + +0x00000000: 4e 00 31 00 00 00 00 00 5d 39 46 9b 10 00 4e 6f N.1.....]9F...No +0x00000010: 74 65 73 30 33 00 38 00 07 00 04 00 ef be 5d 39 tes03.8.......]9 +0x00000020: 46 9b 5d 39 46 9b 26 00 00 00 01 0e 00 00 00 00 F.]9F.&......... +0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 4e 00 6f 00 ............N.o. +0x00000040: 74 00 65 00 73 00 30 00 33 00 00 00 16 00 00 00 t.e.s.0.3....... + +2008-10-29 19:26:12 | 2008-10-29 19:26:12 | 2008-10-29 19:26:12 | |Desktop\My Computer\D:\work Download\Notes03 + +0x00000000: 48 00 31 00 00 00 00 00 78 39 b3 a0 10 00 57 69 H.1.....x9....Wi +0x00000010: 6e 32 32 00 34 00 07 00 04 00 ef be 5d 39 03 9d n22.4.......]9.. +0x00000020: 78 39 b3 a0 26 00 00 00 0d 40 00 00 00 00 01 00 x9..&....@...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 32 00 32 00 00 00 14 00 00 00 2.2....... + +2008-11-24 20:05:38 | 2008-11-24 20:05:38 | 2008-10-29 19:40:06 | |Desktop\My Computer\D:\work Download\Win22 + +0x00000000: 74 00 32 00 0c c5 05 00 37 35 80 09 20 00 47 41 t.2.....75.. .GA +0x00000010: 54 45 57 41 7e 31 2e 5a 49 50 00 00 58 00 07 00 TEWA~1.ZIP..X... +0x00000020: 04 00 ef be 5d 39 05 9d 5d 39 05 9d 26 00 00 00 ....]9..]9..&... +0x00000030: 13 40 00 00 00 00 01 00 00 00 00 00 00 00 00 00 .@.............. +0x00000040: 00 00 47 00 61 00 74 00 65 00 77 00 61 00 79 00 ..G.a.t.e.w.a.y. +0x00000050: 20 00 53 00 63 00 72 00 65 00 65 00 6e 00 73 00 .S.c.r.e.e.n.s. +0x00000060: 68 00 6f 00 74 00 73 00 2e 00 7a 00 69 00 70 00 h.o.t.s...z.i.p. +0x00000070: 00 00 1c 00 00 00 ...... + +2006-09-23 01:12:00 | 2008-10-29 19:40:10 | 2008-10-29 19:40:10 | |Desktop\My Computer\D:\work Download\Win22\Gateway Screenshots.zip [378124] + +0x00000000: 5e 00 32 00 2a 04 00 00 86 35 b3 a1 20 00 41 4d ^.2.*....5.. .AM +0x00000010: 45 52 55 57 30 33 2e 7a 69 70 00 00 42 00 07 00 ERUW03.zip..B... 
+0x00000020: 04 00 ef be 5d 39 03 9d 5d 39 03 9d 26 00 00 00 ....]9..]9..&... +0x00000030: 11 40 00 00 00 00 01 00 00 00 00 00 00 00 00 00 .@.............. +0x00000040: 00 00 41 00 4d 00 45 00 52 00 55 00 57 00 30 00 ..A.M.E.R.U.W.0. +0x00000050: 33 00 2e 00 7a 00 69 00 70 00 00 00 1c 00 00 00 3...z.i.p....... + +2006-12-06 20:13:38 | 2008-10-29 19:40:06 | 2008-10-29 19:40:06 | |Desktop\My Computer\D:\work Download\Win22\AMERUW03.zip [1066] + +0x00000000: 56 00 31 00 00 00 00 00 92 39 ca b1 10 00 4e 45 V.1......9....NE +0x00000010: 57 46 4f 4c 7e 31 00 00 3e 00 07 00 04 00 ef be WFOL~1..>....... +0x00000020: 92 39 ca b1 92 39 ca b1 26 00 00 00 89 00 00 00 .9...9..&....... +0x00000030: 00 00 03 00 00 00 00 00 00 00 00 00 00 00 4e 00 ..............N. +0x00000040: 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 e.w. .F.o.l.d.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... + +2008-12-18 22:14:20 | 2008-12-18 22:14:20 | 2008-12-18 22:14:20 | |Desktop\My Computer\D:\work Download\Win22\New Folder + +0x00000000: 48 00 31 00 00 00 00 00 92 39 ca b1 10 00 45 72 H.1......9....Er +0x00000010: 72 6f 72 00 34 00 07 00 04 00 ef be 92 39 ca b1 ror.4........9.. +0x00000020: 92 39 ca b1 26 00 00 00 89 00 00 00 00 00 03 00 .9..&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 45 00 72 00 72 00 ..........E.r.r. +0x00000040: 6f 00 72 00 00 00 14 00 00 00 o.r....... + +2008-12-18 22:14:20 | 2008-12-18 22:14:20 | 2008-12-18 22:14:20 | |Desktop\My Computer\D:\work Download\Win22\Error + +0x00000000: 56 00 31 00 00 00 00 00 92 39 d4 b1 10 00 4e 45 V.1......9....NE +0x00000010: 57 46 4f 4c 7e 31 00 00 3e 00 07 00 04 00 ef be WFOL~1..>....... +0x00000020: 92 39 d4 b1 92 39 d4 b1 26 00 00 00 8a 00 00 00 .9...9..&....... +0x00000030: 00 00 03 00 00 00 00 00 00 00 00 00 00 00 4e 00 ..............N. +0x00000040: 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 e.w. .F.o.l.d.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... 
+ +2008-12-18 22:14:40 | 2008-12-18 22:14:40 | 2008-12-18 22:14:40 | |Desktop\My Computer\D:\work Download\Win22\Error\New Folder + +0x00000000: 5c 00 31 00 00 00 00 00 92 39 d4 b1 10 00 47 41 \.1......9....GA +0x00000010: 54 45 57 41 7e 31 00 00 44 00 07 00 04 00 ef be TEWA~1..D....... +0x00000020: 92 39 d4 b1 92 39 d4 b1 26 00 00 00 8a 00 00 00 .9...9..&....... +0x00000030: 00 00 03 00 00 00 00 00 00 00 00 00 00 00 47 00 ..............G. +0x00000040: 61 00 74 00 65 00 77 00 61 00 79 00 20 00 45 00 a.t.e.w.a.y. .E. +0x00000050: 72 00 72 00 6f 00 72 00 00 00 18 00 00 00 r.r.o.r....... + +2008-12-18 22:14:40 | 2008-12-18 22:14:40 | 2008-12-18 22:14:40 | |Desktop\My Computer\D:\work Download\Win22\Error\Gateway Error + +0x00000000: 58 00 31 00 00 00 00 00 78 39 15 a3 10 00 50 48 X.1.....x9....PH +0x00000010: 41 52 4f 53 7e 31 2e 30 00 00 3e 00 07 00 04 00 AROS~1.0..>..... +0x00000020: ef be 78 39 b0 a0 78 39 15 a3 26 00 00 00 6f 00 ..x9..x9..&...o. +0x00000030: 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 50 00 68 00 61 00 72 00 6f 00 73 00 20 00 38 00 P.h.a.r.o.s. .8. +0x00000050: 2e 00 30 00 00 00 1a 00 00 00 ..0....... + +2008-11-24 20:24:42 | 2008-11-24 20:24:42 | 2008-11-24 20:05:32 | |Desktop\My Computer\D:\work Download\Win22\Pharos 8.0 + +0x00000000: 70 00 32 00 82 4b 73 0d 78 39 1c a3 20 00 55 50 p.2..Ks.x9.. .UP +0x00000010: 38 2d 30 42 7e 32 2e 5a 49 50 00 00 54 00 07 00 8-0B~2.ZIP..T... +0x00000020: 04 00 ef be 78 39 15 a3 78 39 15 a3 26 00 00 00 ....x9..x9..&... +0x00000030: 71 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 q............... +0x00000040: 00 00 55 00 50 00 20 00 38 00 2d 00 30 00 20 00 ..U.P. .8.-.0. . +0x00000050: 62 00 75 00 69 00 6c 00 64 00 20 00 34 00 37 00 b.u.i.l.d. .4.7. +0x00000060: 38 00 36 00 2e 00 7a 00 69 00 70 00 00 00 1c 00 8.6...z.i.p..... +0x00000070: 00 00 .. 
+ +2008-11-24 20:24:56 | 2008-11-24 20:24:42 | 2008-11-24 20:24:42 | |Desktop\My Computer\D:\work Download\Win22\Pharos 8.0\UP 8-0 build 4786.zip [225659778] + +0x00000000: 48 00 31 00 00 00 00 00 a7 3a f8 74 10 00 50 4f H.1......:.t..PO +0x00000010: 50 55 50 00 34 00 07 00 04 00 ef be a7 3a ea 74 PUP.4........:.t +0x00000020: a7 3a f8 74 26 00 00 00 02 42 00 00 00 00 08 00 .:.t&....B...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 50 00 4f 00 50 00 ..........P.O.P. +0x00000040: 55 00 50 00 00 00 14 00 00 00 U.P....... + +2009-05-07 14:39:48 | 2009-05-07 14:39:48 | 2009-05-07 14:39:20 | |Desktop\My Computer\D:\work Download\Win22\POPUP + +0x00000000: 78 00 32 00 00 00 00 00 00 00 00 00 20 00 55 50 x.2......... .UP +0x00000010: 20 38 2d 31 20 62 75 69 6c 64 20 35 32 39 33 2e 8-1 build 5293. +0x00000020: 7a 69 70 00 54 00 07 00 04 00 ef be 00 00 00 00 zip.T........... +0x00000030: 00 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 ....&........... +0x00000040: 00 00 00 00 00 00 00 00 00 00 55 00 50 00 20 00 ..........U.P. . +0x00000050: 38 00 2d 00 31 00 20 00 62 00 75 00 69 00 6c 00 8.-.1. .b.u.i.l. +0x00000060: 64 00 20 00 35 00 32 00 39 00 33 00 2e 00 7a 00 d. .5.2.9.3...z. +0x00000070: 69 00 70 00 00 00 24 00 00 00 i.p...$... + + | | | |Desktop\My Computer\D:\work Download\Win22\UP 8-1 build 5293.zip + | | | |Desktop\My Computer\D:\work Download\Win22\UP 8-1 build 5293.zip\Uniprint Suite 8-1 build 5293 + +0x00000000: 7c 00 31 00 00 00 00 00 34 3c 44 a5 10 00 55 4e |.1.....4..... +0x00000020: ef be 6c 3d 3b a9 6c 3d 3b a9 26 00 00 00 27 4d ..l=;.l=;.&...'M +0x00000030: 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 50 00 68 00 61 00 72 00 6f 00 73 00 20 00 38 00 P.h.a.r.o.s. .8. +0x00000050: 2e 00 31 00 00 00 1a 00 00 00 ..1....... 
+ +2010-11-12 21:09:54 | 2010-11-12 21:09:54 | 2010-11-12 21:09:54 | |Desktop\My Computer\D:\work Download\Win22\Pharos 8.1 + +0x00000000: 54 00 31 00 00 00 00 00 6c 3d 43 a9 10 00 48 4f T.1.....l=C...HO +0x00000010: 54 46 49 58 7e 31 00 00 3c 00 07 00 04 00 ef be TFIX~1..<....... +0x00000020: 6c 3d 43 a9 6c 3d 43 a9 26 00 00 00 28 4d 00 00 l=C.l=C.&...(M.. +0x00000030: 00 00 06 00 00 00 00 00 00 00 00 00 00 00 48 00 ..............H. +0x00000040: 6f 00 74 00 20 00 46 00 69 00 78 00 65 00 73 00 o.t. .F.i.x.e.s. +0x00000050: 00 00 18 00 00 00 ...... + +2010-11-12 21:10:06 | 2010-11-12 21:10:06 | 2010-11-12 21:10:06 | |Desktop\My Computer\D:\work Download\Win22\Pharos 8.1\Hot Fixes + +0x00000000: 5a 00 32 00 54 bd 13 00 6c 3d 56 a9 20 00 50 53 Z.2.T...l=V. .PS +0x00000010: 65 72 76 65 72 2e 7a 69 70 00 40 00 07 00 04 00 erver.zip.@..... +0x00000020: ef be 6c 3d 53 a9 6c 3d 55 a9 26 00 00 00 29 4d ..l=S.l=U.&...)M +0x00000030: 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 50 00 53 00 65 00 72 00 76 00 65 00 72 00 2e 00 P.S.e.r.v.e.r... +0x00000050: 7a 00 69 00 70 00 00 00 1a 00 00 00 z.i.p....... + +2010-11-12 21:10:44 | 2010-11-12 21:10:42 | 2010-11-12 21:10:38 | |Desktop\My Computer\D:\work Download\Win22\Pharos 8.1\Hot Fixes\PServer.zip [1293652] + +0x00000000: 5e 00 32 00 58 87 09 00 7d 3d 2f a3 20 00 70 63 ^.2.X...}=/. .pc +0x00000010: 6f 75 6e 74 65 72 2e 7a 69 70 00 00 42 00 07 00 ounter.zip..B... +0x00000020: 04 00 ef be 7d 3d 29 a3 7d 3d 2d a3 26 00 00 00 ....}=).}=-.&... +0x00000030: 2d 4d 00 00 00 00 09 00 00 00 00 00 00 00 00 00 -M.............. +0x00000040: 00 00 70 00 63 00 6f 00 75 00 6e 00 74 00 65 00 ..p.c.o.u.n.t.e. +0x00000050: 72 00 2e 00 7a 00 69 00 70 00 00 00 1c 00 00 00 r...z.i.p....... 
+ +2010-11-29 20:25:30 | 2010-11-29 20:25:26 | 2010-11-29 20:25:18 | |Desktop\My Computer\D:\work Download\Win22\Pharos 8.1\Hot Fixes\pcounter.zip [624472] + | | | |Desktop\My Computer\D:\work Download\Win22\Pharos 8.1\Hot Fixes\pcounter.zip\Page_Counter + +0x00000000: 48 00 31 00 00 00 00 00 5d 39 02 9d 10 00 77 69 H.1.....]9....wi +0x00000010: 6e 32 30 00 34 00 07 00 04 00 ef be 5d 39 02 9d n20.4.......]9.. +0x00000020: 5d 39 02 9d 26 00 00 00 04 40 00 00 00 00 01 00 ]9..&....@...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 77 00 69 00 6e 00 ..........w.i.n. +0x00000040: 32 00 30 00 00 00 14 00 00 00 2.0....... + +2008-10-29 19:40:04 | 2008-10-29 19:40:04 | 2008-10-29 19:40:04 | |Desktop\My Computer\D:\work Download\win20 + +0x00000000: 48 00 31 00 00 00 00 00 5d 39 fd 9c 10 00 57 69 H.1.....]9....Wi +0x00000010: 6e 31 30 00 34 00 07 00 04 00 ef be 5d 39 fc 9c n10.4.......]9.. +0x00000020: 5d 39 fd 9c 26 00 00 00 cf 3f 00 00 00 00 01 00 ]9..&....?...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 31 00 30 00 00 00 14 00 00 00 1.0....... + +2008-10-29 19:39:58 | 2008-10-29 19:39:58 | 2008-10-29 19:39:56 | |Desktop\My Computer\D:\work Download\Win10 + +0x00000000: 5c 00 31 00 00 00 00 00 8c 39 03 83 10 00 57 49 \.1......9....WI +0x00000010: 4e 44 4f 57 7e 32 00 00 44 00 07 00 04 00 ef be NDOW~2..D....... +0x00000020: 5d 39 25 99 8c 39 03 83 26 00 00 00 33 07 00 00 ]9%..9..&...3... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 54 00 i.n.d.o.w.s. .T. +0x00000050: 6f 00 6f 00 6c 00 73 00 00 00 18 00 00 00 o.o.l.s....... + +2008-12-12 16:24:06 | 2008-12-12 16:24:06 | 2008-10-29 19:09:10 | |Desktop\My Computer\D:\work Download\Windows Tools + +0x00000000: 5e 00 32 00 d4 24 00 00 5b 31 46 05 20 00 61 64 ^.2..$..[1F. .ad +0x00000010: 64 75 73 65 72 73 2e 7a 69 70 00 00 42 00 07 00 dusers.zip..B... 
+0x00000020: 04 00 ef be 5d 39 25 99 5d 39 25 99 26 00 00 00 ....]9%.]9%.&... +0x00000030: 34 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 4............... +0x00000040: 00 00 61 00 64 00 64 00 75 00 73 00 65 00 72 00 ..a.d.d.u.s.e.r. +0x00000050: 73 00 2e 00 7a 00 69 00 70 00 00 00 1c 00 00 00 s...z.i.p....... + +2004-10-27 00:42:12 | 2008-10-29 19:09:10 | 2008-10-29 19:09:10 | |Desktop\My Computer\D:\work Download\Windows Tools\addusers.zip [9428] + +0x00000000: 4c 00 31 00 00 00 00 00 5d 39 31 99 10 00 53 53 L.1.....]91...SS +0x00000010: 4d 53 45 45 00 00 36 00 07 00 04 00 ef be 5d 39 MSEE..6.......]9 +0x00000020: 31 99 5d 39 31 99 26 00 00 00 3f 07 00 00 00 00 1.]91.&...?..... +0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 53 00 53 00 ............S.S. +0x00000040: 4d 00 53 00 45 00 45 00 00 00 16 00 00 00 M.S.E.E....... + +2008-10-29 19:09:34 | 2008-10-29 19:09:34 | 2008-10-29 19:09:34 | |Desktop\My Computer\D:\work Download\Windows Tools\SSMSEE + +0x00000000: 72 00 32 00 ae e3 14 0f ef 3a a0 80 80 00 56 49 r.2......:....VI +0x00000010: 53 49 4f 5f 7e 31 2e 5a 49 50 00 00 56 00 07 00 SIO_~1.ZIP..V... +0x00000020: 04 00 ef be ef 3a a0 80 ef 3a a0 80 26 00 00 00 .....:...:..&... +0x00000030: 24 42 00 00 00 00 13 00 00 00 00 00 00 00 00 00 $B.............. +0x00000040: 00 00 56 00 69 00 73 00 69 00 6f 00 5f 00 70 00 ..V.i.s.i.o._.p. +0x00000050: 72 00 6f 00 20 00 32 00 30 00 30 00 37 00 20 00 r.o. .2.0.0.7. . +0x00000060: 77 00 33 00 32 00 2e 00 7a 00 69 00 70 00 00 00 w.3.2...z.i.p... +0x00000070: 1c 00 00 00 .... + +2009-07-15 16:05:00 | 2009-07-15 16:05:00 | 2009-07-15 16:05:00 | |Desktop\My Computer\D:\work Download\Windows Tools\Visio_pro 2007 w32.zip [253027246] + | | | |Desktop\My Computer\D:\work Download\Windows Tools\Visio_pro 2007 w32.zip\Visio_pro 2007 w32 + +0x00000000: 5e 00 31 00 00 00 00 00 39 3b 41 8d 10 00 56 49 ^.1.....9;A...VI +0x00000010: 52 54 55 41 7e 31 00 00 46 00 07 00 04 00 ef be RTUA~1..F....... 
+0x00000020: 39 3b 10 8d 39 3b 41 8d 26 00 00 00 23 43 00 00 9;..9;A.&...#C.. +0x00000030: 00 00 1b 00 00 00 00 00 00 00 00 00 00 00 56 00 ..............V. +0x00000040: 69 00 72 00 74 00 75 00 61 00 6c 00 69 00 7a 00 i.r.t.u.a.l.i.z. +0x00000050: 61 00 74 00 69 00 6f 00 6e 00 00 00 18 00 00 00 a.t.i.o.n....... + +2009-09-25 17:42:02 | 2009-09-25 17:42:02 | 2009-09-25 17:40:32 | |Desktop\My Computer\D:\work Download\Windows Tools\Virtualization + +0x00000000: 6a 00 32 00 99 f7 13 00 49 3b 02 9b 20 00 50 52 j.2.....I;.. .PR +0x00000010: 4f 43 45 53 7e 31 2e 5a 49 50 00 00 4e 00 07 00 OCES~1.ZIP..N... +0x00000020: 04 00 ef be 49 3b f9 9a 49 3b f9 9a 26 00 00 00 ....I;..I;..&... +0x00000030: 7c 43 00 00 00 00 06 00 00 00 00 00 00 00 00 00 |C.............. +0x00000040: 00 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 ..P.r.o.c.e.s.s. +0x00000050: 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 2e 00 M.o.n.i.t.o.r... +0x00000060: 7a 00 69 00 70 00 00 00 1c 00 00 00 z.i.p....... + +2009-10-09 19:24:04 | 2009-10-09 19:23:50 | 2009-10-09 19:23:50 | |Desktop\My Computer\D:\work Download\Windows Tools\ProcessMonitor.zip [1308569] + +0x00000000: 52 00 31 00 00 00 00 00 87 3b 5b 89 10 00 43 61 R.1......;[...Ca +0x00000010: 6d 74 61 73 69 61 00 00 3a 00 07 00 04 00 ef be mtasia..:....... +0x00000020: 87 3b 56 89 87 3b 5b 89 26 00 00 00 dd 43 00 00 .;V..;[.&....C.. +0x00000030: 00 00 06 00 00 00 00 00 00 00 00 00 00 00 43 00 ..............C. +0x00000040: 61 00 6d 00 74 00 61 00 73 00 69 00 61 00 00 00 a.m.t.a.s.i.a... +0x00000050: 18 00 00 00 .... + +2009-12-07 17:10:54 | 2009-12-07 17:10:54 | 2009-12-07 17:10:44 | |Desktop\My Computer\D:\work Download\Windows Tools\Camtasia + +0x00000000: 80 00 31 00 00 00 00 00 5d 39 38 99 10 00 57 49 ..1.....]98...WI +0x00000010: 4e 44 4f 57 7e 32 00 00 68 00 07 00 04 00 ef be NDOW~2..h....... +0x00000020: 5d 39 38 99 5d 39 38 99 26 00 00 00 98 07 00 00 ]98.]98.&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. 
+0x00000040: 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 52 00 i.n.d.o.w.s. .R. +0x00000050: 6f 00 61 00 6d 00 69 00 6e 00 67 00 20 00 70 00 o.a.m.i.n.g. .p. +0x00000060: 72 00 6f 00 66 00 69 00 6c 00 65 00 20 00 43 00 r.o.f.i.l.e. .C. +0x00000070: 6c 00 65 00 61 00 6e 00 75 00 70 00 00 00 18 00 l.e.a.n.u.p..... +0x00000080: 00 00 .. + +2008-10-29 19:09:48 | 2008-10-29 19:09:48 | 2008-10-29 19:09:48 | |Desktop\My Computer\D:\work Download\Windows Tools\Windows Roaming profile Cleanup + +0x00000000: 58 00 31 00 00 00 00 00 9d 3c 01 b3 10 00 43 41 X.1......<....CA +0x00000010: 4e 4f 4e 43 7e 31 00 00 40 00 07 00 04 00 ef be NONC~1..@....... +0x00000020: 9d 3c 01 b3 9d 3c 01 b3 26 00 00 00 81 48 00 00 .<...<..&....H.. +0x00000030: 00 00 07 00 00 00 00 00 00 00 00 00 00 00 43 00 ..............C. +0x00000040: 61 00 6e 00 6f 00 6e 00 20 00 63 00 35 00 30 00 a.n.o.n. .c.5.0. +0x00000050: 33 00 35 00 00 00 18 00 00 00 3.5....... + +2010-04-29 22:24:02 | 2010-04-29 22:24:02 | 2010-04-29 22:24:02 | |Desktop\My Computer\D:\work Download\Windows Tools\Canon c5035 + +0x00000000: 78 00 31 00 00 00 00 00 9d 3c 36 b3 10 00 50 53 x.1......<6...PS +0x00000010: 33 5f 56 32 7e 31 2e 32 30 5f 00 00 5c 00 07 00 3_V2~1.20_..\... +0x00000020: 04 00 ef be 9d 3c 36 b3 9d 3c 36 b3 26 00 00 00 .....<6..<6.&... +0x00000030: 83 48 00 00 00 00 03 00 00 00 00 00 00 00 00 00 .H.............. +0x00000040: 00 00 50 00 53 00 33 00 5f 00 76 00 32 00 30 00 ..P.S.3._.v.2.0. +0x00000050: 2e 00 32 00 30 00 5f 00 77 00 69 00 6e 00 32 00 ..2.0._.w.i.n.2. +0x00000060: 6b 00 2d 00 77 00 69 00 6e 00 37 00 5f 00 49 00 k.-.w.i.n.7._.I. +0x00000070: 4e 00 46 00 00 00 1c 00 00 00 N.F....... 
+ +2010-04-29 22:25:44 | 2010-04-29 22:25:44 | 2010-04-29 22:25:44 | |Desktop\My Computer\D:\work Download\Windows Tools\Canon c5035\PS3_v20.20_win2k-win7_INF + +0x00000000: 4c 00 31 00 00 00 00 00 9d 3c 36 b3 10 00 44 72 L.1......<6...Dr +0x00000010: 69 76 65 72 00 00 36 00 07 00 04 00 ef be 9d 3c iver..6........< +0x00000020: 36 b3 9d 3c 36 b3 26 00 00 00 84 48 00 00 00 00 6..<6.&....H.... +0x00000030: 03 00 00 00 00 00 00 00 00 00 00 00 44 00 72 00 ............D.r. +0x00000040: 69 00 76 00 65 00 72 00 00 00 16 00 00 00 i.v.e.r....... + +2010-04-29 22:25:44 | 2010-04-29 22:25:44 | 2010-04-29 22:25:44 | |Desktop\My Computer\D:\work Download\Windows Tools\Canon c5035\PS3_v20.20_win2k-win7_INF\Driver + +0x00000000: 42 00 31 00 00 00 00 00 9d 3c 61 b8 10 00 65 78 B.1..........SF +0x00000010: 54 50 46 4f 7e 31 00 00 54 00 07 00 04 00 ef be TPFO~1..T....... +0x00000020: 25 3e cd b0 25 3e cd b0 26 00 00 00 31 4d 00 00 %>..%>..&...1M.. +0x00000030: 00 00 13 00 00 00 00 00 00 00 00 00 00 00 53 00 ..............S. +0x00000040: 46 00 54 00 50 00 20 00 66 00 6f 00 72 00 20 00 F.T.P. .f.o.r. . +0x00000050: 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 W.i.n.d.o.w.s. . +0x00000060: 32 00 30 00 30 00 38 00 00 00 18 00 00 00 2.0.0.8....... + +2011-01-05 22:06:26 | 2011-01-05 22:06:26 | 2011-01-05 22:06:26 | |Desktop\My Computer\D:\work Download\Windows Tools\SFTP for Windows 2008 + +0x00000000: 52 00 31 00 00 00 00 00 4e 3e 74 85 10 00 48 6f R.1.....N>t...Ho +0x00000010: 74 66 69 78 65 73 00 00 3a 00 07 00 04 00 ef be tfixes..:....... +0x00000020: 4e 3e 74 85 4e 3e 74 85 26 00 00 00 47 4d 00 00 N>t.N>t.&...GM.. +0x00000030: 00 00 18 00 00 00 00 00 00 00 00 00 00 00 48 00 ..............H. +0x00000040: 6f 00 74 00 66 00 69 00 78 00 65 00 73 00 00 00 o.t.f.i.x.e.s... +0x00000050: 18 00 00 00 .... 
+ +2011-02-14 16:43:40 | 2011-02-14 16:43:40 | 2011-02-14 16:43:40 | |Desktop\My Computer\D:\work Download\Windows Tools\Hotfixes + +0x00000000: 5a 00 31 00 00 00 00 00 e1 3c 01 94 10 00 53 43 Z.1......<....SC +0x00000010: 52 49 50 54 7e 31 00 00 42 00 07 00 04 00 ef be RIPT~1..B....... +0x00000020: e1 3c d2 82 e1 3c 01 94 26 00 00 00 33 49 00 00 .<...<..&...3I.. +0x00000030: 00 00 16 00 00 00 00 00 00 00 00 00 00 00 73 00 ..............s. +0x00000040: 63 00 72 00 69 00 70 00 74 00 6f 00 6d 00 61 00 c.r.i.p.t.o.m.a. +0x00000050: 74 00 69 00 63 00 00 00 18 00 00 00 t.i.c....... + +2010-07-01 18:32:02 | 2010-07-01 18:32:02 | 2010-07-01 16:22:36 | |Desktop\My Computer\D:\work Download\Windows Tools\scriptomatic + +0x00000000: 72 00 32 00 00 00 00 00 00 00 00 00 20 00 41 70 r.2......... .Ap +0x00000010: 70 63 6d 64 55 49 49 6e 73 74 61 6c 6c 2e 7a 69 pcmdUIInstall.zi +0x00000020: 70 00 50 00 07 00 04 00 ef be 00 00 00 00 00 00 p.P............. +0x00000030: 00 00 26 00 00 00 00 00 00 00 00 00 00 00 00 00 ..&............. +0x00000040: 00 00 00 00 00 00 00 00 41 00 70 00 70 00 63 00 ........A.p.p.c. +0x00000050: 6d 00 64 00 55 00 49 00 49 00 6e 00 73 00 74 00 m.d.U.I.I.n.s.t. +0x00000060: 61 00 6c 00 6c 00 2e 00 7a 00 69 00 70 00 00 00 a.l.l...z.i.p... +0x00000070: 22 00 00 00 "... + + | | | |Desktop\My Computer\D:\work Download\Windows Tools\AppcmdUIInstall.zip + +0x00000000: 48 00 31 00 00 00 00 00 30 3a 47 80 10 00 57 69 H.1.....0:G...Wi +0x00000010: 6e 32 31 00 34 00 07 00 04 00 ef be 5d 39 02 9d n21.4.......]9.. +0x00000020: 30 3a 47 80 26 00 00 00 08 40 00 00 00 00 01 00 0:G.&....@...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 32 00 31 00 00 00 14 00 00 00 2.1....... 
+ +2009-01-16 16:02:14 | 2009-01-16 16:02:14 | 2008-10-29 19:40:04 | |Desktop\My Computer\D:\work Download\Win21 + +0x00000000: 4c 00 31 00 00 00 00 00 75 39 41 b2 10 00 57 69 L.1.....u9A...Wi +0x00000010: 6e 31 30 33 00 00 36 00 07 00 04 00 ef be 75 39 n103..6.......u9 +0x00000020: d0 ad 75 39 41 b2 26 00 00 00 6d 00 00 00 00 00 ..u9A.&...m..... +0x00000030: 0a 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 ............W.i. +0x00000040: 6e 00 31 00 30 00 33 00 00 00 16 00 00 00 n.1.0.3....... + +2008-11-21 22:18:02 | 2008-11-21 22:18:02 | 2008-11-21 21:46:32 | |Desktop\My Computer\D:\work Download\Win103 + +0x00000000: 58 00 31 00 00 00 00 00 5d 39 2a 9b 10 00 4c 4f X.1.....]9*...LO +0x00000010: 43 41 4c 42 7e 31 00 00 40 00 07 00 04 00 ef be CALB~1..@....... +0x00000020: 5d 39 29 9b 5d 39 2a 9b 26 00 00 00 48 08 00 00 ]9).]9*.&...H... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 6c 00 ..............l. +0x00000040: 6f 00 63 00 61 00 6c 00 62 00 61 00 63 00 6b 00 o.c.a.l.b.a.c.k. +0x00000050: 75 00 70 00 00 00 18 00 00 00 u.p....... + +2008-10-29 19:25:20 | 2008-10-29 19:25:20 | 2008-10-29 19:25:18 | |Desktop\My Computer\D:\work Download\localbackup + +0x00000000: 54 00 31 00 00 00 00 00 49 3a 1c 7d 10 00 57 49 T.1.....I:.}..WI +0x00000010: 4e 32 31 54 7e 31 00 00 3c 00 07 00 04 00 ef be N21T~1..<....... +0x00000020: 49 3a 1c 7d 49 3a 1c 7d 26 00 00 00 8e 00 00 00 I:.}I:.}&....... +0x00000030: 00 00 12 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 6e 00 32 00 31 00 74 00 65 00 73 00 74 00 i.n.2.1.t.e.s.t. +0x00000050: 00 00 18 00 00 00 ...... + +2009-02-09 15:40:56 | 2009-02-09 15:40:56 | 2009-02-09 15:40:56 | |Desktop\My Computer\D:\work Download\Win21test + +0x00000000: 4c 00 31 00 00 00 00 00 49 3a 70 94 10 00 44 72 L.1.....I:p...Dr +0x00000010: 69 76 65 72 00 00 36 00 07 00 04 00 ef be 49 3a iver..6.......I: +0x00000020: 63 94 49 3a 70 94 26 00 00 00 92 00 00 00 00 00 c.I:p.&......... 
+0x00000030: 0b 00 00 00 00 00 00 00 00 00 00 00 44 00 72 00 ............D.r. +0x00000040: 69 00 76 00 65 00 72 00 00 00 16 00 00 00 i.v.e.r....... + +2009-02-09 18:35:32 | 2009-02-09 18:35:32 | 2009-02-09 18:35:06 | |Desktop\My Computer\D:\work Download\Win21test\Driver + +0x00000000: 4e 00 31 00 00 00 00 00 49 3a 6e 94 10 00 44 72 N.1.....I:n...Dr +0x00000010: 69 76 65 72 73 00 38 00 07 00 04 00 ef be 49 3a ivers.8.......I: +0x00000020: 66 94 49 3a 6e 94 26 00 00 00 9f 00 00 00 00 00 f.I:n.&......... +0x00000030: 03 00 00 00 00 00 00 00 00 00 00 00 44 00 72 00 ............D.r. +0x00000040: 69 00 76 00 65 00 72 00 73 00 00 00 16 00 00 00 i.v.e.r.s....... + +2009-02-09 18:35:28 | 2009-02-09 18:35:28 | 2009-02-09 18:35:12 | |Desktop\My Computer\D:\work Download\Win21test\Driver\Drivers + +0x00000000: 40 00 31 00 00 00 00 00 49 3a 6f 94 10 00 50 53 @.1.....I:o...PS +0x00000010: 00 00 2e 00 07 00 04 00 ef be 49 3a 6e 94 49 3a ..........I:n.I: +0x00000020: 6f 94 26 00 00 00 a3 02 00 00 00 00 02 00 00 00 o.&............. +0x00000030: 00 00 00 00 00 00 00 00 50 00 53 00 00 00 12 00 ........P.S..... +0x00000040: 00 00 .. + +2009-02-09 18:35:30 | 2009-02-09 18:35:30 | 2009-02-09 18:35:28 | |Desktop\My Computer\D:\work Download\Win21test\Driver\Drivers\PS + +0x00000000: 4e 00 31 00 00 00 00 00 49 3a 70 94 10 00 57 69 N.1.....I:p...Wi +0x00000010: 6e 5f 78 38 36 00 38 00 07 00 04 00 ef be 49 3a n_x86.8.......I: +0x00000020: 6f 94 49 3a 70 94 26 00 00 00 e8 40 00 00 00 00 o.I:p.&....@.... +0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 ............W.i. +0x00000040: 6e 00 5f 00 78 00 38 00 36 00 00 00 16 00 00 00 n._.x.8.6....... + +2009-02-09 18:35:32 | 2009-02-09 18:35:32 | 2009-02-09 18:35:30 | |Desktop\My Computer\D:\work Download\Win21test\Driver\Drivers\PS\Win_x86 + +0x00000000: 8a 00 32 00 55 79 15 02 49 3a 6e 7b 20 00 43 36 ..2.Uy..I:n{ .C6 +0x00000010: 35 30 5f 53 7e 31 2e 5a 49 50 00 00 6e 00 07 00 50_S~1.ZIP..n... 
+0x00000020: 04 00 ef be 49 3a 6c 7b 49 3a 6e 7b 26 00 00 00 ....I:l{I:n{&... +0x00000030: 8f 00 00 00 00 00 17 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 00 00 43 00 36 00 35 00 30 00 5f 00 53 00 65 00 ..C.6.5.0._.S.e. +0x00000050: 72 00 69 00 65 00 73 00 5f 00 50 00 53 00 5f 00 r.i.e.s._.P.S._. +0x00000060: 50 00 43 00 4c 00 5f 00 46 00 61 00 78 00 5f 00 P.C.L._.F.a.x._. +0x00000070: 36 00 2e 00 33 00 2e 00 31 00 2e 00 30 00 2e 00 6...3...1...0... +0x00000080: 7a 00 69 00 70 00 00 00 1c 00 00 00 z.i.p....... + +2009-02-09 15:27:28 | 2009-02-09 15:27:28 | 2009-02-09 15:27:24 | |Desktop\My Computer\D:\work Download\Win21test\C650_Series_PS_PCL_Fax_6.3.1.0.zip [34961749] + +0x00000000: 52 00 31 00 00 00 00 00 5d 39 25 99 10 00 57 69 R.1.....]9%...Wi +0x00000010: 6e 62 61 74 63 68 00 00 3a 00 07 00 04 00 ef be nbatch..:....... +0x00000020: 5d 39 23 99 5d 39 25 99 26 00 00 00 94 06 00 00 ]9#.]9%.&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 6e 00 62 00 61 00 74 00 63 00 68 00 00 00 i.n.b.a.t.c.h... +0x00000050: 18 00 00 00 .... + +2008-10-29 19:09:10 | 2008-10-29 19:09:10 | 2008-10-29 19:09:06 | |Desktop\My Computer\D:\work Download\Winbatch + +0x00000000: 72 00 31 00 00 00 00 00 5d 39 24 99 10 00 45 4e r.1.....]9$...EN +0x00000010: 56 49 53 49 7e 31 00 00 5a 00 07 00 04 00 ef be VISI~1..Z....... +0x00000020: 5d 39 23 99 5d 39 24 99 26 00 00 00 a4 06 00 00 ]9#.]9$.&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 45 00 ..............E. +0x00000040: 6e 00 76 00 69 00 73 00 69 00 6f 00 6e 00 20 00 n.v.i.s.i.o.n. . +0x00000050: 44 00 69 00 6e 00 69 00 6e 00 67 00 20 00 53 00 D.i.n.i.n.g. .S. +0x00000060: 72 00 76 00 20 00 48 00 6f 00 73 00 74 00 00 00 r.v. .H.o.s.t... +0x00000070: 18 00 00 00 .... 
+ +2008-10-29 19:09:08 | 2008-10-29 19:09:08 | 2008-10-29 19:09:06 | |Desktop\My Computer\D:\work Download\Winbatch\Envision Dining Srv Host + +0x00000000: 46 00 31 00 00 00 00 00 5d 39 25 99 10 00 74 65 F.1.....]9%...te +0x00000010: 73 74 00 00 32 00 07 00 04 00 ef be 5d 39 25 99 st..2.......]9%. +0x00000020: 5d 39 25 99 26 00 00 00 23 07 00 00 00 00 01 00 ]9%.&...#....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 74 00 65 00 73 00 ..........t.e.s. +0x00000040: 74 00 00 00 14 00 00 00 t....... + +2008-10-29 19:09:10 | 2008-10-29 19:09:10 | 2008-10-29 19:09:10 | |Desktop\My Computer\D:\work Download\Winbatch\test + +0x00000000: 52 00 31 00 00 00 00 00 b6 3a 34 99 10 00 49 6e R.1......:4...In +0x00000010: 66 6f 72 6d 65 72 00 00 3a 00 07 00 04 00 ef be former..:....... +0x00000020: b6 3a 34 99 b6 3a 34 99 26 00 00 00 09 42 00 00 .:4..:4.&....B.. +0x00000030: 00 00 05 00 00 00 00 00 00 00 00 00 00 00 49 00 ..............I. +0x00000040: 6e 00 66 00 6f 00 72 00 6d 00 65 00 72 00 00 00 n.f.o.r.m.e.r... +0x00000050: 18 00 00 00 .... + +2009-05-22 19:09:40 | 2009-05-22 19:09:40 | 2009-05-22 19:09:40 | |Desktop\My Computer\D:\work Download\Winbatch\Informer + +0x00000000: 42 00 31 00 00 00 00 00 74 3b 38 84 10 00 49 44 B.1.....t;8...ID +0x00000010: 4d 00 30 00 07 00 04 00 ef be 74 3b 38 84 74 3b M.0.......t;8.t; +0x00000020: 38 84 26 00 00 00 c1 43 00 00 00 00 12 00 00 00 8.&....C........ +0x00000030: 00 00 00 00 00 00 00 00 49 00 44 00 4d 00 00 00 ........I.D.M... +0x00000040: 12 00 00 00 .... + +2009-11-20 16:33:48 | 2009-11-20 16:33:48 | 2009-11-20 16:33:48 | |Desktop\My Computer\D:\work Download\Winbatch\IDM + +0x00000000: 5e 00 31 00 00 00 00 00 6c 3c ee a4 10 00 50 41 ^.1.....l<....PA +0x00000010: 53 53 57 4f 7e 31 00 00 46 00 07 00 04 00 ef be SSWO~1..F....... +0x00000020: 6c 3c ee a4 6c 3c ee a4 26 00 00 00 6e 48 00 00 l<..l<..&...nH.. +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 50 00 ..............P. 
+0x00000040: 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 20 00 a.s.s.w.o.r.d. . +0x00000050: 52 00 65 00 73 00 65 00 74 00 00 00 18 00 00 00 R.e.s.e.t....... + +2010-03-12 20:39:28 | 2010-03-12 20:39:28 | 2010-03-12 20:39:28 | |Desktop\My Computer\D:\work Download\Winbatch\Password Reset + +0x00000000: 56 00 31 00 00 00 00 00 5d 39 85 9b 10 00 4f 50 V.1.....]9....OP +0x00000010: 45 4e 4f 46 7e 31 00 00 3e 00 07 00 04 00 ef be ENOF~1..>....... +0x00000020: 5d 39 7c 9b 5d 39 85 9b 26 00 00 00 26 13 00 00 ]9|.]9..&...&... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4f 00 ..............O. +0x00000040: 70 00 65 00 6e 00 4f 00 66 00 66 00 69 00 63 00 p.e.n.O.f.f.i.c. +0x00000050: 65 00 00 00 18 00 00 00 e....... + +2008-10-29 19:28:10 | 2008-10-29 19:28:10 | 2008-10-29 19:27:56 | |Desktop\My Computer\D:\work Download\OpenOffice + +0x00000000: 48 00 31 00 00 00 00 00 63 39 8a 99 10 00 57 69 H.1.....c9....Wi +0x00000010: 6e 33 30 00 34 00 07 00 04 00 ef be 5d 39 15 99 n30.4.......]9.. +0x00000020: 63 39 8a 99 26 00 00 00 6b 06 00 00 00 00 01 00 c9..&...k....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 33 00 30 00 00 00 14 00 00 00 3.0....... + +2008-11-03 19:12:20 | 2008-11-03 19:12:20 | 2008-10-29 19:08:42 | |Desktop\My Computer\D:\work Download\Win30 + +0x00000000: 5a 00 31 00 00 00 00 00 27 3c af a4 10 00 57 45 Z.1.....'<....WE +0x00000010: 42 43 4f 4d 7e 31 00 00 42 00 07 00 04 00 ef be BCOM~1..B....... +0x00000020: 27 3c ab a4 27 3c af a4 26 00 00 00 eb 43 00 00 '<..'<..&....C.. +0x00000030: 00 00 1a 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 65 00 62 00 43 00 6f 00 6d 00 70 00 6f 00 6e 00 e.b.C.o.m.p.o.n. +0x00000050: 65 00 6e 00 74 00 00 00 18 00 00 00 e.n.t....... 
+ +2010-01-07 20:37:30 | 2010-01-07 20:37:30 | 2010-01-07 20:37:22 | |Desktop\My Computer\D:\work Download\Win30\WebComponent + +0x00000000: 54 00 31 00 00 00 00 00 5d 39 44 99 10 00 49 4c T.1.....]9D...IL +0x00000010: 4f 4d 45 44 7e 31 00 00 3c 00 07 00 04 00 ef be OMED~1..<....... +0x00000020: 5d 39 43 99 5d 39 44 99 26 00 00 00 25 08 00 00 ]9C.]9D.&...%... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 69 00 ..............i. +0x00000040: 4c 00 4f 00 20 00 4d 00 65 00 64 00 69 00 61 00 L.O. .M.e.d.i.a. +0x00000050: 00 00 18 00 00 00 ...... + +2008-10-29 19:10:08 | 2008-10-29 19:10:08 | 2008-10-29 19:10:06 | |Desktop\My Computer\D:\work Download\iLO Media + +0x00000000: 56 00 31 00 00 00 00 00 57 3a 8f 9a 10 00 44 41 V.1.....W:....DA +0x00000010: 54 41 54 45 7e 31 00 00 3e 00 07 00 04 00 ef be TATE~1..>....... +0x00000020: 57 3a 8f 9a 57 3a 8f 9a 26 00 00 00 30 00 00 00 W:..W:..&...0... +0x00000030: 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 44 00 ..............D. +0x00000040: 61 00 74 00 61 00 74 00 65 00 6c 00 77 00 65 00 a.t.a.t.e.l.w.e. +0x00000050: 62 00 00 00 18 00 00 00 b....... + +2009-02-23 19:20:30 | 2009-02-23 19:20:30 | 2009-02-23 19:20:30 | |Desktop\My Computer\D:\work Download\Datatelweb + +0x00000000: 46 00 31 00 00 00 00 00 75 39 41 b2 10 00 49 4e F.1.....u9A...IN +0x00000010: 41 53 00 00 32 00 07 00 04 00 ef be 5d 39 28 9b AS..2.......]9(. +0x00000020: 75 39 41 b2 26 00 00 00 28 08 00 00 00 00 01 00 u9A.&...(....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 49 00 4e 00 41 00 ..........I.N.A. +0x00000040: 53 00 00 00 14 00 00 00 S....... + +2008-11-21 22:18:02 | 2008-11-21 22:18:02 | 2008-10-29 19:25:16 | |Desktop\My Computer\D:\work Download\INAS + +0x00000000: 42 00 31 00 00 00 00 00 85 39 ce 8e 10 00 43 4d B.1......9....CM +0x00000010: 53 00 30 00 07 00 04 00 ef be 85 39 ca 8e 85 39 S.0........9...9 +0x00000020: ce 8e 26 00 00 00 73 00 00 00 00 00 0a 00 00 00 ..&...s......... 
+0x00000030: 00 00 00 00 00 00 00 00 43 00 4d 00 53 00 00 00 ........C.M.S... +0x00000040: 12 00 00 00 .... + +2008-12-05 17:54:28 | 2008-12-05 17:54:28 | 2008-12-05 17:54:20 | |Desktop\My Computer\D:\work Download\CMS + +0x00000000: 5c 00 31 00 00 00 00 00 dd 3e 73 87 10 00 46 55 \.1......>s...FU +0x00000010: 53 49 4f 4e 7e 31 00 00 44 00 07 00 04 00 ef be SION~1..D....... +0x00000020: dd 3e 73 87 dd 3e 73 87 26 00 00 00 c4 07 00 00 .>s..>s.&....... +0x00000030: 00 00 55 00 00 00 00 00 00 00 00 00 00 00 46 00 ..U...........F. +0x00000040: 75 00 73 00 69 00 6f 00 6e 00 52 00 65 00 61 00 u.s.i.o.n.R.e.a. +0x00000050: 63 00 74 00 6f 00 72 00 00 00 18 00 00 00 c.t.o.r....... + +2011-06-29 16:59:38 | 2011-06-29 16:59:38 | 2011-06-29 16:59:38 | |Desktop\My Computer\D:\work Download\CMS\FusionReactor + +0x00000000: 58 00 31 00 00 00 00 00 04 3f a1 a8 10 00 43 46 X.1......?....CF +0x00000010: 48 4f 54 46 7e 31 00 00 40 00 07 00 04 00 ef be HOTF~1..@....... +0x00000020: 04 3f a1 a8 04 3f a1 a8 26 00 00 00 cc 07 00 00 .?...?..&....... +0x00000030: 00 00 e1 00 00 00 00 00 00 00 00 00 00 00 43 00 ..............C. +0x00000040: 46 00 20 00 48 00 6f 00 74 00 66 00 69 00 78 00 F. .H.o.t.f.i.x. +0x00000050: 65 00 73 00 00 00 18 00 00 00 e.s....... + +2011-08-04 21:05:02 | 2011-08-04 21:05:02 | 2011-08-04 21:05:02 | |Desktop\My Computer\D:\work Download\CMS\CF Hotfixes + +0x00000000: 5e 00 31 00 00 00 00 00 5d 39 43 99 10 00 47 4f ^.1.....]9C...GO +0x00000010: 4f 47 4c 45 7e 31 00 00 46 00 07 00 04 00 ef be OGLE~1..F....... +0x00000020: 5d 39 43 99 5d 39 43 99 26 00 00 00 1f 08 00 00 ]9C.]9C.&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 47 00 ..............G. +0x00000040: 6f 00 6f 00 67 00 6c 00 65 00 20 00 4c 00 69 00 o.o.g.l.e. .L.i. +0x00000050: 63 00 65 00 6e 00 73 00 65 00 00 00 18 00 00 00 c.e.n.s.e....... 
+ +2008-10-29 19:10:06 | 2008-10-29 19:10:06 | 2008-10-29 19:10:06 | |Desktop\My Computer\D:\work Download\Google License + +0x00000000: 5c 00 31 00 00 00 00 00 5d 39 29 9b 10 00 49 4e \.1.....]9)...IN +0x00000010: 53 49 47 48 7e 31 00 00 44 00 07 00 04 00 ef be SIGH~1..D....... +0x00000020: 5d 39 29 9b 5d 39 29 9b 26 00 00 00 2c 08 00 00 ]9).]9).&...,... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 69 00 ..............i. +0x00000040: 6e 00 73 00 69 00 67 00 68 00 74 00 73 00 65 00 n.s.i.g.h.t.s.e. +0x00000050: 72 00 76 00 65 00 72 00 00 00 18 00 00 00 r.v.e.r....... + +2008-10-29 19:25:18 | 2008-10-29 19:25:18 | 2008-10-29 19:25:18 | |Desktop\My Computer\D:\work Download\insightserver + +0x00000000: 48 00 31 00 00 00 00 00 67 39 45 a6 10 00 45 4d H.1.....g9E...EM +0x00000010: 53 44 43 00 34 00 07 00 04 00 ef be 5d 39 3c 99 SDC.4.......]9<. +0x00000020: 67 39 45 a6 26 00 00 00 03 08 00 00 00 00 01 00 g9E.&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 45 00 4d 00 53 00 ..........E.M.S. +0x00000040: 44 00 43 00 00 00 14 00 00 00 D.C....... + +2008-11-07 20:50:10 | 2008-11-07 20:50:10 | 2008-10-29 19:09:56 | |Desktop\My Computer\D:\work Download\EMSDC + +0x00000000: 48 00 31 00 00 00 00 00 5d 39 3c 99 10 00 43 65 H.1.....]9<...Ce +0x00000010: 72 74 73 00 34 00 07 00 04 00 ef be 5d 39 3b 99 rts.4.......]9;. +0x00000020: 5d 39 3c 99 26 00 00 00 dd 07 00 00 00 00 01 00 ]9<.&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 43 00 65 00 72 00 ..........C.e.r. +0x00000040: 74 00 73 00 00 00 14 00 00 00 t.s....... + +2008-10-29 19:09:56 | 2008-10-29 19:09:56 | 2008-10-29 19:09:54 | |Desktop\My Computer\D:\work Download\Certs + +0x00000000: 66 00 31 00 00 00 00 00 65 3a 00 aa 10 00 4e 45 f.1.....e:....NE +0x00000010: 57 41 4d 45 7e 31 2e 45 44 55 00 00 4a 00 07 00 WAME~1.EDU..J... +0x00000020: 04 00 ef be 65 3a 00 aa 65 3a 00 aa 26 00 00 00 ....e:..e:..&... +0x00000030: e7 41 00 00 00 00 04 00 00 00 00 00 00 00 00 00 .A.............. 
+0x00000040: 00 00 6e 00 65 00 77 00 2e 00 61 00 6d 00 65 00 ..n.e.w...a.m.e. +0x00000050: 72 00 69 00 63 00 61 00 6e 00 2e 00 65 00 64 00 r.i.c.a.n...e.d. +0x00000060: 75 00 00 00 1c 00 00 00 u....... + +2009-03-05 21:16:00 | 2009-03-05 21:16:00 | 2009-03-05 21:16:00 | |Desktop\My Computer\D:\work Download\Certs\new.american.edu + +0x00000000: 76 00 32 00 00 00 00 00 00 00 00 00 20 00 6e 65 v.2......... .ne +0x00000010: 77 5f 61 6d 65 72 69 63 61 6e 5f 65 64 75 2e 7a w_american_edu.z +0x00000020: 69 70 00 00 52 00 07 00 04 00 ef be 00 00 00 00 ip..R........... +0x00000030: 00 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 ....&........... +0x00000040: 00 00 00 00 00 00 00 00 00 00 6e 00 65 00 77 00 ..........n.e.w. +0x00000050: 5f 00 61 00 6d 00 65 00 72 00 69 00 63 00 61 00 _.a.m.e.r.i.c.a. +0x00000060: 6e 00 5f 00 65 00 64 00 75 00 2e 00 7a 00 69 00 n._.e.d.u...z.i. +0x00000070: 70 00 00 00 24 00 00 00 p...$... + + | | | |Desktop\My Computer\D:\work Download\Certs\new.american.edu\new_american_edu.zip + +0x00000000: 48 00 31 00 00 00 00 00 6c 3b 98 a1 10 00 57 69 H.1.....l;....Wi +0x00000010: 6e 31 31 00 34 00 07 00 04 00 ef be 6c 3b 98 a1 n11.4.......l;.. +0x00000020: 6c 3b 98 a1 26 00 00 00 bf 43 00 00 00 00 16 00 l;..&....C...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 31 00 31 00 00 00 14 00 00 00 1.1....... + +2009-11-12 20:12:48 | 2009-11-12 20:12:48 | 2009-11-12 20:12:48 | |Desktop\My Computer\D:\work Download\Certs\Win11 + +0x00000000: 42 00 31 00 00 00 00 00 82 3b f8 ab 10 00 41 43 B.1......;....AC +0x00000010: 50 00 30 00 07 00 04 00 ef be 82 3b f8 ab 82 3b P.0........;...; +0x00000020: f8 ab 26 00 00 00 da 43 00 00 00 00 09 00 00 00 ..&....C........ +0x00000030: 00 00 00 00 00 00 00 00 41 00 43 00 50 00 00 00 ........A.C.P... +0x00000040: 12 00 00 00 .... 
+ +2009-12-02 21:31:48 | 2009-12-02 21:31:48 | 2009-12-02 21:31:48 | |Desktop\My Computer\D:\work Download\Certs\ACP + +0x00000000: 4c 00 31 00 00 00 00 00 5d 39 f9 9c 10 00 56 4d L.1.....]9....VM +0x00000010: 57 61 72 65 00 00 36 00 07 00 04 00 ef be 5d 39 Ware..6.......]9 +0x00000020: e3 9c 5d 39 f9 9c 26 00 00 00 8d 3f 00 00 00 00 ..]9..&....?.... +0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 56 00 4d 00 ............V.M. +0x00000040: 57 00 61 00 72 00 65 00 00 00 16 00 00 00 W.a.r.e....... + +2008-10-29 19:39:50 | 2008-10-29 19:39:50 | 2008-10-29 19:39:06 | |Desktop\My Computer\D:\work Download\VMWare + +0x00000000: 56 00 31 00 00 00 00 00 7a 3a d6 7e 10 00 4e 45 V.1.....z:.~..NE +0x00000010: 57 46 4f 4c 7e 31 00 00 3e 00 07 00 04 00 ef be WFOL~1..>....... +0x00000020: 7a 3a d6 7e 7a 3a d6 7e 26 00 00 00 ec 41 00 00 z:.~z:.~&....A.. +0x00000030: 00 00 09 00 00 00 00 00 00 00 00 00 00 00 4e 00 ..............N. +0x00000040: 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 e.w. .F.o.l.d.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... + +2009-03-26 15:54:44 | 2009-03-26 15:54:44 | 2009-03-26 15:54:44 | |Desktop\My Computer\D:\work Download\VMWare\New Folder + +0x00000000: 52 00 31 00 00 00 00 00 7a 3a d6 7e 10 00 46 69 R.1.....z:.~..Fi +0x00000010: 72 6d 77 61 72 65 00 00 3a 00 07 00 04 00 ef be rmware..:....... +0x00000020: 7a 3a d6 7e 7a 3a d6 7e 26 00 00 00 ec 41 00 00 z:.~z:.~&....A.. +0x00000030: 00 00 09 00 00 00 00 00 00 00 00 00 00 00 46 00 ..............F. +0x00000040: 69 00 72 00 6d 00 77 00 61 00 72 00 65 00 00 00 i.r.m.w.a.r.e... +0x00000050: 18 00 00 00 .... + +2009-03-26 15:54:44 | 2009-03-26 15:54:44 | 2009-03-26 15:54:44 | |Desktop\My Computer\D:\work Download\VMWare\Firmware + +0x00000000: 52 00 31 00 00 00 00 00 2d 3e 36 82 10 00 54 65 R.1.....->6...Te +0x00000010: 6d 70 6c 61 74 65 00 00 3a 00 07 00 04 00 ef be mplate..:....... +0x00000020: 2d 3e 2e 82 2d 3e 36 82 26 00 00 00 34 4d 00 00 ->..->6.&...4M.. 
+0x00000030: 00 00 15 00 00 00 00 00 00 00 00 00 00 00 54 00 ..............T. +0x00000040: 65 00 6d 00 70 00 6c 00 61 00 74 00 65 00 00 00 e.m.p.l.a.t.e... +0x00000050: 18 00 00 00 .... + +2011-01-13 16:17:44 | 2011-01-13 16:17:44 | 2011-01-13 16:17:28 | |Desktop\My Computer\D:\work Download\VMWare\Template + +0x00000000: 72 00 31 00 00 00 00 00 2d 3e 70 8a 10 00 57 32 r.1.....->p...W2 +0x00000010: 4b 38 52 32 7e 31 00 00 5a 00 07 00 04 00 ef be K8R2~1..Z....... +0x00000020: 2d 3e 36 82 2d 3e 70 8a 26 00 00 00 35 4d 00 00 ->6.->p.&...5M.. +0x00000030: 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 77 00 ..............w. +0x00000040: 32 00 6b 00 38 00 52 00 32 00 65 00 6e 00 74 00 2.k.8.R.2.e.n.t. +0x00000050: 2d 00 36 00 34 00 62 00 69 00 74 00 2d 00 74 00 -.6.4.b.i.t.-.t. +0x00000060: 65 00 6d 00 70 00 6c 00 61 00 74 00 65 00 00 00 e.m.p.l.a.t.e... +0x00000070: 18 00 00 00 .... + +2011-01-13 17:19:32 | 2011-01-13 17:19:32 | 2011-01-13 16:17:44 | |Desktop\My Computer\D:\work Download\VMWare\Template\w2k8R2ent-64bit-template + +0x00000000: 4e 00 31 00 00 00 00 00 ad 3a 7a 85 10 00 4d 65 N.1......:z...Me +0x00000010: 64 69 61 30 31 00 38 00 07 00 04 00 ef be ad 3a dia01.8........: +0x00000020: 7a 85 ad 3a 7a 85 26 00 00 00 03 42 00 00 00 00 z..:z.&....B.... +0x00000030: 0d 00 00 00 00 00 00 00 00 00 00 00 4d 00 65 00 ............M.e. +0x00000040: 64 00 69 00 61 00 30 00 31 00 00 00 16 00 00 00 d.i.a.0.1....... + +2009-05-13 16:43:52 | 2009-05-13 16:43:52 | 2009-05-13 16:43:52 | |Desktop\My Computer\D:\work Download\Media01 + +0x00000000: 54 00 31 00 00 00 00 00 b6 3a 1b 73 10 00 45 4e T.1......:.s..EN +0x00000010: 43 4f 44 45 7e 31 00 00 3c 00 07 00 04 00 ef be CODE~1..<....... +0x00000020: b6 3a 1b 73 b6 3a 1b 73 26 00 00 00 f4 41 00 00 .:.s.:.s&....A.. +0x00000030: 00 00 11 00 00 00 00 00 00 00 00 00 00 00 45 00 ..............E. +0x00000040: 6e 00 63 00 6f 00 64 00 65 00 72 00 30 00 31 00 n.c.o.d.e.r.0.1. +0x00000050: 00 00 18 00 00 00 ...... 
+ +2009-05-22 14:24:54 | 2009-05-22 14:24:54 | 2009-05-22 14:24:54 | |Desktop\My Computer\D:\work Download\Encoder01 + +0x00000000: 60 00 31 00 00 00 00 00 5d 39 fa 9c 10 00 57 42 `.1.....]9....WB +0x00000010: 41 54 43 48 7e 31 00 00 48 00 07 00 04 00 ef be ATCH~1..H....... +0x00000020: 5d 39 f9 9c 5d 39 fa 9c 26 00 00 00 96 3f 00 00 ]9..]9..&....?.. +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 62 00 61 00 74 00 63 00 68 00 20 00 45 00 78 00 b.a.t.c.h. .E.x. +0x00000050: 74 00 65 00 6e 00 64 00 65 00 72 00 00 00 18 00 t.e.n.d.e.r..... +0x00000060: 00 00 .. + +2008-10-29 19:39:52 | 2008-10-29 19:39:52 | 2008-10-29 19:39:50 | |Desktop\My Computer\D:\work Download\Wbatch Extender + +0x00000000: 6a 00 32 00 3d a4 6f 00 07 35 6f 98 20 00 45 58 j.2.=.o..5o. .EX +0x00000010: 54 45 4e 44 7e 31 2e 5a 49 50 00 00 4e 00 07 00 TEND~1.ZIP..N... +0x00000020: 04 00 ef be 5d 39 f9 9c 5d 39 f9 9c 26 00 00 00 ....]9..]9..&... +0x00000030: 97 3f 00 00 00 00 01 00 00 00 00 00 00 00 00 00 .?.............. +0x00000040: 00 00 65 00 78 00 74 00 65 00 6e 00 64 00 65 00 ..e.x.t.e.n.d.e. +0x00000050: 72 00 73 00 32 00 30 00 30 00 34 00 61 00 2e 00 r.s.2.0.0.4.a... +0x00000060: 7a 00 69 00 70 00 00 00 1c 00 00 00 z.i.p....... + +2006-08-07 19:03:30 | 2008-10-29 19:39:50 | 2008-10-29 19:39:50 | |Desktop\My Computer\D:\work Download\Wbatch Extender\extenders2004a.zip [7316541] + | | | |Desktop\My Computer\D:\work Download\Wbatch Extender\extenders2004a.zip\ADSI + +0x00000000: 48 00 31 00 00 00 00 00 bc 3a d5 8a 10 00 57 69 H.1......:....Wi +0x00000010: 6e 35 37 00 34 00 07 00 04 00 ef be bc 3a d5 8a n57.4........:.. +0x00000020: bc 3a d5 8a 26 00 00 00 10 42 00 00 00 00 02 00 .:..&....B...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 35 00 37 00 00 00 14 00 00 00 5.7....... 
+ +2009-05-28 17:22:42 | 2009-05-28 17:22:42 | 2009-05-28 17:22:42 | |Desktop\My Computer\D:\work Download\Win57 + +0x00000000: 56 00 31 00 00 00 00 00 5d 39 3c 99 10 00 43 4f V.1.....]9<...CO +0x00000010: 4c 44 46 55 7e 31 00 00 3e 00 07 00 04 00 ef be LDFU~1..>....... +0x00000020: 5d 39 3c 99 5d 39 3c 99 26 00 00 00 fe 07 00 00 ]9<.]9<.&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 43 00 ..............C. +0x00000040: 6f 00 6c 00 64 00 46 00 75 00 73 00 69 00 6f 00 o.l.d.F.u.s.i.o. +0x00000050: 6e 00 00 00 18 00 00 00 n....... + +2008-10-29 19:09:56 | 2008-10-29 19:09:56 | 2008-10-29 19:09:56 | |Desktop\My Computer\D:\work Download\ColdFusion + +0x00000000: 54 00 31 00 00 00 00 00 63 39 dd a5 10 00 49 53 T.1.....c9....IS +0x00000010: 4f 44 52 49 7e 31 00 00 3c 00 07 00 04 00 ef be ODRI~1..<....... +0x00000020: 63 39 d2 a5 63 39 dd a5 26 00 00 00 36 00 00 00 c9..c9..&...6... +0x00000030: 00 00 10 00 00 00 00 00 00 00 00 00 00 00 69 00 ..............i. +0x00000040: 73 00 6f 00 20 00 64 00 72 00 69 00 76 00 65 00 s.o. .d.r.i.v.e. +0x00000050: 00 00 18 00 00 00 ...... + +2008-11-03 20:46:58 | 2008-11-03 20:46:58 | 2008-11-03 20:46:36 | |Desktop\My Computer\D:\work Download\iso drive + +0x00000000: 48 00 31 00 00 00 00 00 63 39 db a5 10 00 69 73 H.1.....c9....is +0x00000010: 6f 36 34 00 34 00 07 00 04 00 ef be 63 39 da a5 o64.4.......c9.. +0x00000020: 63 39 db a5 26 00 00 00 39 00 00 00 00 00 08 00 c9..&...9....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 69 00 73 00 6f 00 ..........i.s.o. +0x00000040: 36 00 34 00 00 00 14 00 00 00 6.4....... + +2008-11-03 20:46:54 | 2008-11-03 20:46:54 | 2008-11-03 20:46:52 | |Desktop\My Computer\D:\work Download\iso drive\iso64 + +0x00000000: 4e 00 31 00 00 00 00 00 5d 39 cf 9c 10 00 73 79 N.1.....]9....sy +0x00000010: 73 69 6e 66 6f 00 38 00 07 00 04 00 ef be 5d 39 sinfo.8.......]9 +0x00000020: cd 9c 5d 39 cf 9c 26 00 00 00 ec 3e 00 00 00 00 ..]9..&....>.... 
+0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 73 00 79 00 ............s.y. +0x00000040: 73 00 69 00 6e 00 66 00 6f 00 00 00 16 00 00 00 s.i.n.f.o....... + +2008-10-29 19:38:30 | 2008-10-29 19:38:30 | 2008-10-29 19:38:26 | |Desktop\My Computer\D:\work Download\sysinfo + +0x00000000: 5a 00 31 00 00 00 00 00 5d 39 cd 9c 10 00 53 54 Z.1.....]9....ST +0x00000010: 52 4f 48 4c 7e 31 2e 30 00 00 40 00 07 00 04 00 ROHL~1.0..@..... +0x00000020: ef be 5d 39 cd 9c 5d 39 cd 9c 26 00 00 00 e8 3e ..]9..]9..&....> +0x00000030: 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 53 00 74 00 72 00 6f 00 68 00 6c 00 20 00 31 00 S.t.r.o.h.l. .1. +0x00000050: 30 00 2e 00 30 00 00 00 1a 00 00 00 0...0....... + +2008-10-29 19:38:26 | 2008-10-29 19:38:26 | 2008-10-29 19:38:26 | |Desktop\My Computer\D:\work Download\Strohl 10.0 + +0x00000000: 5e 00 31 00 00 00 00 00 39 3b 41 8d 10 00 56 49 ^.1.....9;A...VI +0x00000010: 52 54 55 41 7e 31 00 00 46 00 07 00 04 00 ef be RTUA~1..F....... +0x00000020: 39 3b 10 8d 39 3b 41 8d 26 00 00 00 23 43 00 00 9;..9;A.&...#C.. +0x00000030: 00 00 1b 00 00 00 00 00 00 00 00 00 00 00 56 00 ..............V. +0x00000040: 69 00 72 00 74 00 75 00 61 00 6c 00 69 00 7a 00 i.r.t.u.a.l.i.z. +0x00000050: 61 00 74 00 69 00 6f 00 6e 00 00 00 18 00 00 00 a.t.i.o.n....... + +2009-09-25 17:42:02 | 2009-09-25 17:42:02 | 2009-09-25 17:40:32 | |Desktop\My Computer\D:\work Download\Virtualization + +0x00000000: 42 00 31 00 00 00 00 00 42 3b 56 9f 10 00 49 44 B.1.....B;V...ID +0x00000010: 4d 00 30 00 07 00 04 00 ef be 42 3b 4f 9f 42 3b M.0.......B;O.B; +0x00000020: 56 9f 26 00 00 00 2f 43 00 00 00 00 0c 00 00 00 V.&.../C........ +0x00000030: 00 00 00 00 00 00 00 00 49 00 44 00 4d 00 00 00 ........I.D.M... +0x00000040: 12 00 00 00 .... + +2009-10-02 19:58:44 | 2009-10-02 19:58:44 | 2009-10-02 19:58:30 | |Desktop\My Computer\D:\work Download\IDM + +0x00000000: 6a 00 32 00 ff 5b 00 00 49 3b 84 89 20 00 49 44 j.2..[..I;.. 
.ID +0x00000010: 4d 54 45 53 7e 31 2e 5a 49 50 00 00 4e 00 07 00 MTES~1.ZIP..N... +0x00000020: 04 00 ef be 49 3b 56 8a 49 3b 56 8a 26 00 00 00 ....I;V.I;V.&... +0x00000030: 7a 43 00 00 00 00 04 00 00 00 00 00 00 00 00 00 zC.............. +0x00000040: 00 00 49 00 44 00 4d 00 20 00 54 00 65 00 73 00 ..I.D.M. .T.e.s. +0x00000050: 74 00 20 00 43 00 61 00 73 00 65 00 73 00 2e 00 t. .C.a.s.e.s... +0x00000060: 7a 00 69 00 70 00 00 00 1c 00 00 00 z.i.p....... + +2009-10-09 17:12:08 | 2009-10-09 17:18:44 | 2009-10-09 17:18:44 | |Desktop\My Computer\D:\work Download\IDM\IDM Test Cases.zip [23551] + +0x00000000: 5a 00 31 00 00 00 00 00 97 3c 69 7c 10 00 49 44 Z.1........... +0x00000020: ef be 50 3c 31 87 50 3c 67 87 26 00 00 00 76 47 ..P<1.P........ +0x00000030: 00 00 00 00 00 00 00 00 53 00 53 00 4c 00 00 00 ........S.S.L... +0x00000040: 12 00 00 00 .... + +2008-10-29 19:36:16 | 2008-10-29 19:36:16 | 2008-10-29 19:36:16 | |Desktop\My Computer\D:\work Download\SSL + +0x00000000: 4c 00 31 00 00 00 00 00 5d 39 43 99 10 00 47 6f L.1.....]9C...Go +0x00000010: 6f 67 6c 65 00 00 36 00 07 00 04 00 ef be 5d 39 ogle..6.......]9 +0x00000020: 43 99 5d 39 43 99 26 00 00 00 1c 08 00 00 00 00 C.]9C.&......... +0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 47 00 6f 00 ............G.o. +0x00000040: 6f 00 67 00 6c 00 65 00 00 00 16 00 00 00 o.g.l.e....... + +2008-10-29 19:10:06 | 2008-10-29 19:10:06 | 2008-10-29 19:10:06 | |Desktop\My Computer\D:\work Download\Google + +0x00000000: 6c 00 31 00 00 00 00 00 16 3f eb 9d 10 00 56 45 l.1......?....VE +0x00000010: 52 53 49 4f 7e 31 2e 33 32 2d 00 00 50 00 07 00 RSIO~1.32-..P... +0x00000020: 04 00 ef be 16 3f eb 9d 16 3f eb 9d 26 00 00 00 .....?...?..&... +0x00000030: 05 42 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 .B.............. +0x00000040: 00 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 ..V.e.r.s.i.o.n. +0x00000050: 20 00 36 00 2e 00 30 00 2e 00 30 00 2e 00 33 00 .6...0...0...3. 
+0x00000060: 32 00 2d 00 50 00 36 00 00 00 1c 00 00 00 2.-.P.6....... + +2011-08-22 19:47:22 | 2011-08-22 19:47:22 | 2011-08-22 19:47:22 | |Desktop\My Computer\D:\work Download\Google\Version 6.0.0.32-P6 + +0x00000000: 56 00 31 00 00 00 00 00 51 3c 44 96 10 00 4e 45 V.1.....Q....... +0x00000020: 51 3c 44 96 51 3c 44 96 26 00 00 00 78 47 00 00 Q........ +0x00000030: 00 00 00 00 00 00 00 00 53 00 41 00 56 00 00 00 ........S.A.V... +0x00000040: 12 00 00 00 .... + +2008-10-29 19:36:08 | 2008-10-29 19:36:08 | 2008-10-29 19:34:16 | |Desktop\My Computer\D:\work Download\SAV + +0x00000000: 56 00 31 00 00 00 00 00 b3 3c c0 79 10 00 53 54 V.1......<.y..ST +0x00000010: 41 54 43 52 7e 31 00 00 3e 00 07 00 04 00 ef be ATCR~1..>....... +0x00000020: 5d 39 88 9c b3 3c c0 79 26 00 00 00 d0 3e 00 00 ]9...<.y&....>.. +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 53 00 ..............S. +0x00000040: 74 00 61 00 74 00 63 00 72 00 75 00 6e 00 63 00 t.a.t.c.r.u.n.c. +0x00000050: 68 00 00 00 18 00 00 00 h....... + +2010-05-19 15:14:00 | 2010-05-19 15:14:00 | 2008-10-29 19:36:16 | |Desktop\My Computer\D:\work Download\Statcrunch + +0x00000000: 52 00 31 00 00 00 00 00 12 3d c0 7b 10 00 74 69 R.1......=.{..ti +0x00000010: 74 61 6e 69 75 6d 00 00 3a 00 07 00 04 00 ef be tanium..:....... +0x00000020: 12 3d c0 7b 12 3d c0 7b 26 00 00 00 3c 49 00 00 .=.{.=.{&...[...IN +0x00000010: 53 50 49 52 7e 31 00 00 44 00 07 00 04 00 ef be SPIR~1..D....... +0x00000020: d6 3e 5b 96 d6 3e 5b 96 26 00 00 00 b5 07 00 00 .>[..>[.&....... +0x00000030: 00 00 77 00 00 00 00 00 00 00 00 00 00 00 49 00 ..w...........I. +0x00000040: 6e 00 73 00 70 00 69 00 72 00 6f 00 6e 00 20 00 n.s.p.i.r.o.n. . +0x00000050: 31 00 37 00 32 00 30 00 00 00 18 00 00 00 1.7.2.0....... 
+ +2011-06-22 18:50:54 | 2011-06-22 18:50:54 | 2011-06-22 18:50:54 | |Desktop\My Computer\D:\work Download\Drivers\Inspiron 1720 + +0x00000000: 48 00 31 00 00 00 00 00 5d 39 29 9b 10 00 6b 6f H.1.....]9)...ko +0x00000010: 67 6f 64 00 34 00 07 00 04 00 ef be 5d 39 29 9b god.4.......]9). +0x00000020: 5d 39 29 9b 26 00 00 00 31 08 00 00 00 00 01 00 ]9).&...1....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 6b 00 6f 00 67 00 ..........k.o.g. +0x00000040: 6f 00 64 00 00 00 14 00 00 00 o.d....... + +2008-10-29 19:25:18 | 2008-10-29 19:25:18 | 2008-10-29 19:25:18 | |Desktop\My Computer\D:\work Download\kogod + +0x00000000: 52 00 31 00 00 00 00 00 61 3d 24 7a 10 00 52 65 R.1.....a=$z..Re +0x00000010: 64 69 72 65 63 74 00 00 3a 00 07 00 04 00 ef be direct..:....... +0x00000020: 61 3d 24 7a 61 3d 24 7a 26 00 00 00 ed 4c 00 00 a=$za=$z&....L.. +0x00000030: 00 00 08 00 00 00 00 00 00 00 00 00 00 00 52 00 ..............R. +0x00000040: 65 00 64 00 69 00 72 00 65 00 63 00 74 00 00 00 e.d.i.r.e.c.t... +0x00000050: 18 00 00 00 .... + +2010-11-01 15:17:08 | 2010-11-01 15:17:08 | 2010-11-01 15:17:08 | |Desktop\My Computer\D:\work Download\kogod\Redirect + +0x00000000: 56 00 31 00 00 00 00 00 61 3d 21 7b 10 00 4e 45 V.1.....a=!{..NE +0x00000010: 57 46 4f 4c 7e 31 00 00 3e 00 07 00 04 00 ef be WFOL~1..>....... +0x00000020: 61 3d 21 7b 61 3d 21 7b 26 00 00 00 f9 4c 00 00 a=!{a=!{&....L.. +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4e 00 ..............N. +0x00000040: 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 e.w. .F.o.l.d.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... + +2010-11-01 15:25:02 | 2010-11-01 15:25:02 | 2010-11-01 15:25:02 | |Desktop\My Computer\D:\work Download\kogod\Redirect\New Folder + +0x00000000: 4c 00 31 00 00 00 00 00 61 3d 21 7b 10 00 42 61 L.1.....a=!{..Ba +0x00000010: 63 6b 75 70 00 00 36 00 07 00 04 00 ef be 61 3d ckup..6.......a= +0x00000020: 21 7b 61 3d 21 7b 26 00 00 00 f9 4c 00 00 00 00 !{a=!{&....L.... 
+0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 42 00 61 00 ............B.a. +0x00000040: 63 00 6b 00 75 00 70 00 00 00 16 00 00 00 c.k.u.p....... + +2010-11-01 15:25:02 | 2010-11-01 15:25:02 | 2010-11-01 15:25:02 | |Desktop\My Computer\D:\work Download\kogod\Redirect\Backup + +0x00000000: 42 00 31 00 00 00 00 00 5d 39 86 9b 10 00 52 32 B.1.....]9....R2 +0x00000010: 35 00 30 00 07 00 04 00 ef be 5d 39 85 9b 5d 39 5.0.......]9..]9 +0x00000020: 86 9b 26 00 00 00 40 13 00 00 00 00 01 00 00 00 ..&...@......... +0x00000030: 00 00 00 00 00 00 00 00 52 00 32 00 35 00 00 00 ........R.2.5... +0x00000040: 12 00 00 00 .... + +2008-10-29 19:28:12 | 2008-10-29 19:28:12 | 2008-10-29 19:28:10 | |Desktop\My Computer\D:\work Download\R25 + +0x00000000: 4c 00 31 00 00 00 00 00 6c 3d fd 89 10 00 45 6d L.1.....l=....Em +0x00000010: 62 61 72 6b 00 00 36 00 07 00 04 00 ef be 6c 3d bark..6.......l= +0x00000020: fd 89 6c 3d fd 89 26 00 00 00 22 4d 00 00 00 00 ..l=..&..."M.... +0x00000030: 13 00 00 00 00 00 00 00 00 00 00 00 45 00 6d 00 ............E.m. +0x00000040: 62 00 61 00 72 00 6b 00 00 00 16 00 00 00 b.a.r.k....... + +2010-11-12 17:15:58 | 2010-11-12 17:15:58 | 2010-11-12 17:15:58 | |Desktop\My Computer\D:\work Download\Embark + +0x00000000: 54 00 31 00 00 00 00 00 94 3d 47 83 10 00 54 49 T.1......=G...TI +0x00000010: 4d 45 43 4c 7e 31 00 00 3c 00 07 00 04 00 ef be MECL~1..<....... +0x00000020: 94 3d 42 83 94 3d 47 83 26 00 00 00 2e 4d 00 00 .=B..=G.&....M.. +0x00000030: 00 00 1b 00 00 00 00 00 00 00 00 00 00 00 54 00 ..............T. +0x00000040: 69 00 6d 00 65 00 43 00 6c 00 6f 00 63 00 6b 00 i.m.e.C.l.o.c.k. +0x00000050: 00 00 18 00 00 00 ...... + +2010-12-20 16:26:14 | 2010-12-20 16:26:14 | 2010-12-20 16:26:04 | |Desktop\My Computer\D:\work Download\TimeClock + +0x00000000: 52 00 31 00 00 00 00 00 2d 3e 35 af 10 00 46 61 R.1.....->5...Fa +0x00000010: 63 4d 61 69 6e 74 00 00 3a 00 07 00 04 00 ef be cMaint..:....... 
+0x00000020: 2d 3e 35 af 2d 3e 35 af 26 00 00 00 44 4d 00 00 ->5.->5.&...DM.. +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 46 00 ..............F. +0x00000040: 61 00 63 00 4d 00 61 00 69 00 6e 00 74 00 00 00 a.c.M.a.i.n.t... +0x00000050: 18 00 00 00 .... + +2011-01-13 21:57:42 | 2011-01-13 21:57:42 | 2011-01-13 21:57:42 | |Desktop\My Computer\D:\work Download\FacMaint + +0x00000000: 46 00 31 00 00 00 00 00 5d 39 3a 99 10 00 61 6e F.1.....]9:...an +0x00000010: 6e 61 00 00 32 00 07 00 04 00 ef be 5d 39 39 99 na..2.......]99. +0x00000020: 5d 39 3a 99 26 00 00 00 9f 07 00 00 00 00 01 00 ]9:.&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 61 00 6e 00 6e 00 ..........a.n.n. +0x00000040: 61 00 00 00 14 00 00 00 a....... + +2008-10-29 19:09:52 | 2008-10-29 19:09:52 | 2008-10-29 19:09:50 | |Desktop\My Computer\D:\work Download\anna + +0x00000000: 42 00 31 00 00 00 00 00 5d 39 3a 99 10 00 61 73 B.1.....]9:...as +0x00000010: 70 00 30 00 07 00 04 00 ef be 5d 39 3a 99 5d 39 p.0.......]9:.]9 +0x00000020: 3a 99 26 00 00 00 ad 07 00 00 00 00 01 00 00 00 :.&............. +0x00000030: 00 00 00 00 00 00 00 00 61 00 73 00 70 00 00 00 ........a.s.p... +0x00000040: 12 00 00 00 .... + +2008-10-29 19:09:52 | 2008-10-29 19:09:52 | 2008-10-29 19:09:52 | |Desktop\My Computer\D:\work Download\asp + +0x00000000: 5a 00 31 00 00 00 00 00 5d 39 3a 99 10 00 41 55 Z.1.....]9:...AU +0x00000010: 57 45 42 53 7e 31 00 00 42 00 07 00 04 00 ef be WEBS~1..B....... +0x00000020: 5d 39 3a 99 5d 39 3a 99 26 00 00 00 be 07 00 00 ]9:.]9:.&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 41 00 ..............A. +0x00000040: 55 00 20 00 57 00 65 00 62 00 20 00 53 00 69 00 U. .W.e.b. .S.i. +0x00000050: 74 00 65 00 73 00 00 00 18 00 00 00 t.e.s....... 
+ +2008-10-29 19:09:52 | 2008-10-29 19:09:52 | 2008-10-29 19:09:52 | |Desktop\My Computer\D:\work Download\AU Web Sites + +0x00000000: 4e 00 31 00 00 00 00 00 5d 39 3a 99 10 00 61 75 N.1.....]9:...au +0x00000010: 6d 61 69 6c 37 00 38 00 07 00 04 00 ef be 5d 39 mail7.8.......]9 +0x00000020: 3a 99 5d 39 3a 99 26 00 00 00 ce 07 00 00 00 00 :.]9:.&......... +0x00000030: 01 00 00 00 00 00 00 00 00 00 00 00 61 00 75 00 ............a.u. +0x00000040: 6d 00 61 00 69 00 6c 00 37 00 00 00 16 00 00 00 m.a.i.l.7....... + +2008-10-29 19:09:52 | 2008-10-29 19:09:52 | 2008-10-29 19:09:52 | |Desktop\My Computer\D:\work Download\aumail7 + +0x00000000: 48 00 31 00 00 00 00 00 4b 3d a9 7a 10 00 41 55 H.1.....K=.z..AU +0x00000010: 4d 41 53 00 34 00 07 00 04 00 ef be 4b 3d 97 7a MAS.4.......K=.z +0x00000020: 4b 3d a9 7a 26 00 00 00 44 49 00 00 00 00 21 00 K=.z&...DI....!. +0x00000030: 00 00 00 00 00 00 00 00 00 00 41 00 55 00 4d 00 ..........A.U.M. +0x00000040: 41 00 53 00 00 00 14 00 00 00 A.S....... + +2010-10-11 15:21:18 | 2010-10-11 15:21:18 | 2010-10-11 15:20:46 | |Desktop\My Computer\D:\work Download\AUMAS + +0x00000000: 58 00 31 00 00 00 00 00 ed 3e b8 80 10 00 4e 45 X.1......>....NE +0x00000010: 58 55 53 4d 7e 31 00 00 40 00 07 00 04 00 ef be XUSM~1..@....... +0x00000020: ed 3e b8 80 ed 3e b8 80 26 00 00 00 c7 07 00 00 .>...>..&....... +0x00000030: 00 00 73 00 00 00 00 00 00 00 00 00 00 00 4e 00 ..s...........N. +0x00000040: 65 00 78 00 75 00 73 00 20 00 4d 00 65 00 74 00 e.x.u.s. .M.e.t. +0x00000050: 65 00 72 00 00 00 18 00 00 00 e.r....... + +2011-07-13 16:05:48 | 2011-07-13 16:05:48 | 2011-07-13 16:05:48 | |Desktop\My Computer\D:\work Download\Nexus Meter + +0x00000000: 62 00 32 00 b0 34 05 00 ed 3e 99 80 20 00 49 4e b.2..4...>.. .IN +0x00000010: 50 32 30 30 7e 31 2e 5a 49 50 00 00 46 00 07 00 P200~1.ZIP..F... +0x00000020: 04 00 ef be ed 3e 99 80 ed 3e 99 80 26 00 00 00 .....>...>..&... +0x00000030: ca 07 00 00 00 00 8c 00 00 00 00 00 00 00 00 00 ................ 
+0x00000040: 00 00 49 00 4e 00 50 00 32 00 30 00 30 00 20 00 ..I.N.P.2.0.0. . +0x00000050: 33 00 2e 00 58 00 2e 00 7a 00 69 00 70 00 00 00 3...X...z.i.p... +0x00000060: 1c 00 00 00 .... + +2011-07-13 16:04:50 | 2011-07-13 16:04:50 | 2011-07-13 16:04:50 | |Desktop\My Computer\D:\work Download\Nexus Meter\INP200 3.X.zip [341168] + +0x00000000: 4c 00 31 00 00 00 00 00 19 3f e1 a4 10 00 4f 72 L.1......?....Or +0x00000010: 61 63 6c 65 00 00 36 00 07 00 04 00 ef be 19 3f acle..6........? +0x00000020: e1 a4 19 3f e1 a4 26 00 00 00 ec 47 00 00 00 00 ...?..&....G.... +0x00000030: c6 00 00 00 00 00 00 00 00 00 00 00 4f 00 72 00 ............O.r. +0x00000040: 61 00 63 00 6c 00 65 00 00 00 16 00 00 00 a.c.l.e....... + +2011-08-25 20:39:02 | 2011-08-25 20:39:02 | 2011-08-25 20:39:02 | |Desktop\My Computer\D:\work Download\Oracle + +0x00000000: 84 00 32 00 b8 5d 0d 78 19 3f 2c a6 20 00 57 49 ..2..].x.?,. .WI +0x00000010: 4e 36 34 5f 7e 31 2e 5a 49 50 00 00 68 00 07 00 N64_~1.ZIP..h... +0x00000020: 04 00 ef be 19 3f eb a5 19 3f eb a5 26 00 00 00 .....?...?..&... +0x00000030: ed 47 00 00 00 00 c7 00 00 00 00 00 00 00 00 00 .G.............. +0x00000040: 00 00 77 00 69 00 6e 00 36 00 34 00 5f 00 31 00 ..w.i.n.6.4._.1. +0x00000050: 31 00 67 00 52 00 31 00 5f 00 64 00 61 00 74 00 1.g.R.1._.d.a.t. +0x00000060: 61 00 62 00 61 00 73 00 65 00 5f 00 31 00 31 00 a.b.a.s.e._.1.1. +0x00000070: 31 00 30 00 37 00 30 00 2e 00 7a 00 69 00 70 00 1.0.7.0...z.i.p. +0x00000080: 00 00 1c 00 00 00 ...... + +2011-08-25 20:49:24 | 2011-08-25 20:47:22 | 2011-08-25 20:47:22 | |Desktop\My Computer\D:\work Download\Oracle\win64_11gR1_database_111070.zip [2014141880] + +0x00000000: 8e 00 32 00 fa 70 30 1f 1f 3f c0 a0 20 00 31 31 ..2..p0..?.. .11 +0x00000010: 31 30 37 5f 7e 31 2e 5a 49 50 00 00 72 00 07 00 107_~1.ZIP..r... +0x00000020: 04 00 ef be 1f 3f ae a0 1f 3f ae a0 26 00 00 00 .....?...?..&... +0x00000030: f1 47 00 00 00 00 bf 00 00 00 00 00 00 00 00 00 .G.............. 
+0x00000040: 00 00 31 00 31 00 31 00 30 00 37 00 5f 00 77 00 ..1.1.1.0.7._.w. +0x00000050: 32 00 6b 00 38 00 5f 00 78 00 36 00 34 00 5f 00 2.k.8._.x.6.4._. +0x00000060: 70 00 72 00 6f 00 64 00 75 00 63 00 74 00 69 00 p.r.o.d.u.c.t.i. +0x00000070: 6f 00 6e 00 5f 00 63 00 6c 00 69 00 65 00 6e 00 o.n._.c.l.i.e.n. +0x00000080: 74 00 2e 00 7a 00 69 00 70 00 00 00 1c 00 00 00 t...z.i.p....... + +2011-08-31 20:06:00 | 2011-08-31 20:05:28 | 2011-08-31 20:05:28 | |Desktop\My Computer\D:\work Download\Oracle\11107_w2k8_x64_production_client.zip [523268346] + | | | 03/10/2009 04:12:16 |Desktop\My Computer\D:\work Download\Oracle\11107_w2k8_x64_production_client.zip\client + | | | 03/01/2009 14:35:42 |Desktop\My Computer\D:\work Download\Oracle\11107_w2k8_x64_production_client.zip\client\stage\client + +0x00000000: 54 00 31 00 00 00 00 00 3a 3f fa 8d 10 00 43 4f T.1.....:?....CO +0x00000010: 4d 4d 56 41 7e 31 00 00 3c 00 07 00 04 00 ef be MMVA~1..<....... +0x00000020: 3a 3f fa 8d 3a 3f fa 8d 26 00 00 00 12 48 00 00 :?..:?..&....H.. +0x00000030: 00 00 b6 00 00 00 00 00 00 00 00 00 00 00 43 00 ..............C. +0x00000040: 6f 00 6d 00 6d 00 56 00 61 00 75 00 6c 00 74 00 o.m.m.V.a.u.l.t. +0x00000050: 00 00 18 00 00 00 ...... + +2011-09-26 17:47:52 | 2011-09-26 17:47:52 | 2011-09-26 17:47:52 | |Desktop\My Computer\D:\work Download\CommVault + +0x00000000: 4e 00 31 00 00 00 00 00 3c 3f e9 96 10 00 6d 79 N.1............ +0x00000020: 54 3c 3c 2b 6c 3c 47 a3 26 00 00 00 ed 47 00 00 T<<+l....... +0x00000020: 4c 3a 61 7a 4c 3a 00 28 26 00 00 00 20 ce 03 00 L:azL:.(&... ... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 00 ..............N. +0x00000040: 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 e.w. .F.o.l.d.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... 
+ +2009-02-12 15:19:02 | 2009-02-12 05:00:00 | 2009-02-12 15:19:02 | |Desktop\My Computer\G:\New Folder + +0x00000000: 56 00 31 00 00 00 00 00 4c 3a 61 7a 10 00 4f 50 V.1.....L:az..OP +0x00000010: 45 4e 4f 46 7e 31 00 00 3e 00 07 00 04 00 ef be ENOF~1..>....... +0x00000020: 4c 3a 61 7a 4c 3a 00 28 26 00 00 00 20 ce 03 00 L:azL:.(&... ... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4f 00 ..............O. +0x00000040: 70 00 65 00 6e 00 4f 00 66 00 66 00 69 00 63 00 p.e.n.O.f.f.i.c. +0x00000050: 65 00 00 00 18 00 00 00 e....... + +2009-02-12 15:19:02 | 2009-02-12 05:00:00 | 2009-02-12 15:19:02 | |Desktop\My Computer\G:\OpenOffice + +0x00000000: 4e 00 31 00 00 00 00 00 45 3b 84 6e 10 00 57 42 N.1.....E;.n..WB +0x00000010: 48 4f 55 53 45 00 38 00 07 00 04 00 ef be 45 3b HOUSE.8.......E; +0x00000020: 84 6e 45 3b 00 20 26 00 00 00 00 a3 78 00 00 00 .nE;. &.....x... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 57 00 42 00 ............W.B. +0x00000040: 68 00 6f 00 75 00 73 00 65 00 00 00 16 00 00 00 h.o.u.s.e....... + +2009-10-05 13:52:08 | 2009-10-05 04:00:00 | 2009-10-05 13:52:08 | |Desktop\My Computer\G:\WBhouse + +0x00000000: 4e 00 31 00 00 00 00 00 45 3b 8c 6e 10 00 4b 49 N.1.....E;.n..KI +0x00000010: 54 43 48 45 4e 00 38 00 07 00 04 00 ef be 45 3b TCHEN.8.......E; +0x00000020: 8c 6e 45 3b 00 20 26 00 00 00 c0 99 78 30 00 00 .nE;. &.....x0.. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 4b 00 69 00 ............K.i. +0x00000040: 74 00 63 00 68 00 65 00 6e 00 00 00 16 00 00 00 t.c.h.e.n....... + +2009-10-05 13:52:24 | 2009-10-05 04:00:00 | 2009-10-05 13:52:24 | |Desktop\My Computer\G:\WBhouse\Kitchen + +0x00000000: 62 00 31 00 00 00 00 00 51 3b 64 a0 10 00 57 49 b.1.....Q;d...WI +0x00000010: 4e 44 4f 57 7e 31 00 00 4a 00 07 00 04 00 ef be NDOW~1..J....... +0x00000020: 51 3b 64 a0 51 3b 00 20 26 00 00 00 00 a9 78 00 Q;d.Q;. &.....x. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. 
+0x00000040: 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 50 00 i.n.d.o.w.s. .P. +0x00000050: 43 00 20 00 54 00 6f 00 6f 00 6c 00 73 00 00 00 C. .T.o.o.l.s... +0x00000060: 18 00 00 00 .... + +2009-10-17 20:03:08 | 2009-10-17 04:00:00 | 2009-10-17 20:03:08 | |Desktop\My Computer\G:\Windows PC Tools + +0x00000000: 52 00 31 00 00 00 00 00 74 3b 8b a3 10 00 44 4f R.1.....t;....DO +0x00000010: 57 4e 4c 4f 41 44 00 00 3a 00 07 00 04 00 ef be WNLOAD..:....... +0x00000020: 74 3b 8b a3 74 3b 00 28 26 00 00 00 80 ab 78 00 t;..t;.(&.....x. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 00 ..............D. +0x00000040: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 00 00 o.w.n.l.o.a.d... +0x00000050: 18 00 00 00 .... + +2009-11-20 20:28:22 | 2009-11-20 05:00:00 | 2009-11-20 20:28:22 | |Desktop\My Computer\G:\Download + +0x00000000: 56 00 31 00 00 00 00 00 74 3b 92 a3 10 00 4e 45 V.1.....t;....NE +0x00000010: 57 46 4f 4c 7e 31 00 00 3e 00 07 00 04 00 ef be WFOL~1..>....... +0x00000020: 74 3b 92 a3 74 3b 00 28 26 00 00 00 60 60 c6 d7 t;..t;.(&...``.. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 00 ..............N. +0x00000040: 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 e.w. .F.o.l.d.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... + +2009-11-20 20:28:36 | 2009-11-20 05:00:00 | 2009-11-20 20:28:36 | |Desktop\My Computer\G:\Download\New Folder + +0x00000000: 4e 00 31 00 00 00 00 00 74 3b 92 a3 10 00 44 52 N.1.....t;....DR +0x00000010: 49 56 45 52 53 00 38 00 07 00 04 00 ef be 74 3b IVERS.8.......t; +0x00000020: 92 a3 74 3b 00 28 26 00 00 00 60 60 c6 d7 00 00 ..t;.(&...``.... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 44 00 72 00 ............D.r. +0x00000040: 69 00 76 00 65 00 72 00 73 00 00 00 16 00 00 00 i.v.e.r.s....... 
+ +2009-11-20 20:28:36 | 2009-11-20 05:00:00 | 2009-11-20 20:28:36 | |Desktop\My Computer\G:\Download\Drivers + +0x00000000: 56 00 31 00 00 00 00 00 74 3b 95 a3 10 00 4e 45 V.1.....t;....NE +0x00000010: 57 46 4f 4c 7e 31 00 00 3e 00 07 00 04 00 ef be WFOL~1..>....... +0x00000020: 74 3b 95 a3 74 3b 00 28 26 00 00 00 60 70 c6 d7 t;..t;.(&...`p.. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 00 ..............N. +0x00000040: 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 e.w. .F.o.l.d.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... + +2009-11-20 20:28:42 | 2009-11-20 05:00:00 | 2009-11-20 20:28:42 | |Desktop\My Computer\G:\Download\Drivers\New Folder + +0x00000000: 48 00 31 00 00 00 00 00 74 3b 95 a3 10 00 47 58 H.1.....t;....GX +0x00000010: 36 32 30 00 34 00 07 00 04 00 ef be 74 3b 95 a3 620.4.......t;.. +0x00000020: 74 3b 00 28 26 00 00 00 80 70 c6 d7 00 00 00 00 t;.(&....p...... +0x00000030: 00 00 00 00 00 00 00 00 00 00 47 00 58 00 36 00 ..........G.X.6. +0x00000040: 32 00 30 00 00 00 14 00 00 00 2.0....... + +2009-11-20 20:28:42 | 2009-11-20 05:00:00 | 2009-11-20 20:28:42 | |Desktop\My Computer\G:\Download\Drivers\GX620 + +0x00000000: 56 00 31 00 00 00 00 00 74 3b 9b a3 10 00 4e 45 V.1.....t;....NE +0x00000010: 57 46 4f 4c 7e 31 00 00 3e 00 07 00 04 00 ef be WFOL~1..>....... +0x00000020: 74 3b 9b a3 74 3b 00 28 26 00 00 00 60 80 c6 d7 t;..t;.(&...`... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 00 ..............N. +0x00000040: 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 e.w. .F.o.l.d.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... + +2009-11-20 20:28:54 | 2009-11-20 05:00:00 | 2009-11-20 20:28:54 | |Desktop\My Computer\G:\Download\Drivers\GX620\New Folder + +0x00000000: 42 00 31 00 00 00 00 00 74 3b 9b a3 10 00 4e 49 B.1.....t;....NI +0x00000010: 43 00 30 00 07 00 04 00 ef be 74 3b 9b a3 74 3b C.0.......t;..t; +0x00000020: 00 28 26 00 00 00 80 80 c6 d7 00 00 00 00 00 00 .(&............. 
+0x00000030: 00 00 00 00 00 00 00 00 4e 00 49 00 43 00 00 00 ........N.I.C... +0x00000040: 12 00 00 00 .... + +2009-11-20 20:28:54 | 2009-11-20 05:00:00 | 2009-11-20 20:28:54 | |Desktop\My Computer\G:\Download\Drivers\GX620\NIC + +0x00000000: 48 00 31 00 00 00 00 00 74 3b a0 a3 10 00 41 55 H.1.....t;....AU +0x00000010: 44 49 4f 00 34 00 07 00 04 00 ef be 74 3b a0 a3 DIO.4.......t;.. +0x00000020: 74 3b 00 28 26 00 00 00 c0 80 c6 d7 00 00 00 00 t;.(&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 41 00 75 00 64 00 ..........A.u.d. +0x00000040: 69 00 6f 00 00 00 14 00 00 00 i.o....... + +2009-11-20 20:29:00 | 2009-11-20 05:00:00 | 2009-11-20 20:29:00 | |Desktop\My Computer\G:\Download\Drivers\GX620\Audio + +0x00000000: 48 00 31 00 00 00 00 00 74 3b a5 a3 10 00 56 49 H.1.....t;....VI +0x00000010: 44 45 4f 00 34 00 07 00 04 00 ef be 74 3b a5 a3 DEO.4.......t;.. +0x00000020: 74 3b 00 28 26 00 00 00 00 81 c6 d7 00 00 00 00 t;.(&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 56 00 69 00 64 00 ..........V.i.d. +0x00000040: 65 00 6f 00 00 00 14 00 00 00 e.o....... + +2009-11-20 20:29:10 | 2009-11-20 05:00:00 | 2009-11-20 20:29:10 | |Desktop\My Computer\G:\Download\Drivers\GX620\Video + +0x00000000: 56 00 31 00 00 00 00 00 54 3c 3c 2b 10 00 42 41 V.1.....T<<+..BA +0x00000010: 43 4b 55 50 7e 31 00 00 3e 00 07 00 04 00 ef be CKUP~1..>....... +0x00000020: 54 3c 3c 2b 68 3c 00 28 26 00 00 00 40 80 77 00 T<<+h<.(&...@.w. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 00 ..............B. +0x00000040: 41 00 43 00 4b 00 55 00 50 00 20 00 52 00 45 00 A.C.K.U.P. .R.E. +0x00000050: 58 00 00 00 18 00 00 00 X....... + +2010-02-20 05:25:56 | 2010-03-08 05:00:00 | 2010-02-20 05:25:56 | |Desktop\My Computer\G:\BACKUP REX + +0x00000000: 7c 00 31 00 00 00 00 00 54 3c c3 ab 11 00 46 41 |.1.....T<....FA +0x00000010: 56 4f 52 49 7e 31 00 00 64 00 07 00 04 00 ef be VORI~1..d....... +0x00000020: 54 3c c3 ab 54 3c 00 28 26 00 00 00 e0 80 77 00 T<..T<.(&.....w. 
+0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 3a 00 46 00 ............:.F. +0x00000040: 61 00 76 00 6f 00 72 00 69 00 74 00 65 00 73 00 a.v.o.r.i.t.e.s. +0x00000050: 00 00 40 00 73 00 68 00 65 00 6c 00 6c 00 33 00 ..@.s.h.e.l.l.3. +0x00000060: 32 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 31 00 2...d.l.l.,.-.1. +0x00000070: 32 00 36 00 39 00 33 00 00 00 18 00 00 00 2.6.9.3....... + +2010-02-20 21:30:06 | 2010-02-20 05:00:00 | 2010-02-20 21:30:06 | |Desktop\My Computer\G:\Favorites + +0x00000000: 5a 00 31 00 00 00 00 00 97 3c 35 25 10 00 49 44 Z.1......<5%..ID +0x00000010: 4d 54 52 41 7e 31 00 00 42 00 07 00 04 00 ef be MTRA~1..B....... +0x00000020: 97 3c 35 25 97 3c 00 20 26 00 00 00 e0 84 77 00 .<5%.<. &.....w. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 49 00 ..............I. +0x00000040: 44 00 4d 00 20 00 54 00 72 00 61 00 69 00 6e 00 D.M. .T.r.a.i.n. +0x00000050: 69 00 6e 00 67 00 00 00 18 00 00 00 i.n.g....... + +2010-04-23 04:41:42 | 2010-04-23 04:00:00 | 2010-04-23 04:41:42 | |Desktop\My Computer\G:\IDM Training + +0x00000000: 56 00 31 00 00 00 00 00 9e 3c 8c 74 10 00 4e 45 V.1......<.t..NE +0x00000010: 57 46 4f 4c 7e 31 00 00 3e 00 07 00 04 00 ef be WFOL~1..>....... +0x00000020: 9e 3c 8c 74 9e 3c 00 20 26 00 00 00 00 82 77 80 .<.t.<. &.....w. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 00 ..............N. +0x00000040: 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 e.w. .F.o.l.d.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... + +2010-04-30 14:36:24 | 2010-04-30 04:00:00 | 2010-04-30 14:36:24 | |Desktop\My Computer\G:\IDM Training\New Folder + +0x00000000: 42 00 31 00 00 00 00 00 9e 3c 8c 74 10 00 61 76 B.1......<.t..av +0x00000010: 69 00 30 00 07 00 04 00 ef be 9e 3c 8c 74 9e 3c i.0........<.t.< +0x00000020: 00 20 26 00 00 00 20 82 77 80 00 00 00 00 00 00 . &... .w....... +0x00000030: 00 00 00 00 00 00 00 00 61 00 76 00 69 00 00 00 ........a.v.i... +0x00000040: 12 00 00 00 .... 
+ +2010-04-30 14:36:24 | 2010-04-30 04:00:00 | 2010-04-30 14:36:24 | |Desktop\My Computer\G:\IDM Training\avi + +0x00000000: 4c 00 31 00 00 00 00 00 9e 3c 80 74 10 00 54 48 L.1......<.t..TH +0x00000010: 4f 4d 41 53 00 00 36 00 07 00 04 00 ef be 9e 3c OMAS..6........< +0x00000020: 80 74 9e 3c 00 20 26 00 00 00 60 85 77 00 00 00 .t.<. &...`.w... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 54 00 68 00 ............T.h. +0x00000040: 6f 00 6d 00 61 00 73 00 00 00 16 00 00 00 o.m.a.s....... + +2010-04-30 14:36:00 | 2010-04-30 04:00:00 | 2010-04-30 14:36:00 | |Desktop\My Computer\G:\Thomas + +0x00000000: 5e 00 31 00 00 00 00 00 93 3c 35 7a 10 00 42 41 ^.1......<5z..BA +0x00000010: 43 4b 52 45 7e 31 00 00 46 00 07 00 04 00 ef be CKRE~1..F....... +0x00000020: 93 3c 35 7a 93 3c 00 20 26 00 00 00 40 81 77 00 .<5z.<. &...@.w. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 00 ..............B. +0x00000040: 61 00 63 00 6b 00 52 00 65 00 78 00 20 00 45 00 a.c.k.R.e.x. .E. +0x00000050: 78 00 70 00 65 00 72 00 74 00 00 00 18 00 00 00 x.p.e.r.t....... + +2010-04-19 15:17:42 | 2010-04-19 04:00:00 | 2010-04-19 15:17:42 | |Desktop\My Computer\G:\BackRex Expert + +0x00000000: 4c 00 31 00 00 00 00 00 27 3e 14 9e 10 00 41 50 L.1.....'>....AP +0x00000010: 4f 47 45 45 00 00 36 00 07 00 04 00 ef be 27 3e OGEE..6.......'> +0x00000020: 14 9e 27 3e 00 28 26 00 00 00 e0 d8 78 00 00 00 ..'>.(&.....x... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 41 00 50 00 ............A.P. +0x00000040: 4f 00 47 00 45 00 45 00 00 00 16 00 00 00 O.G.E.E....... + +2011-01-07 19:48:40 | 2011-01-07 05:00:00 | 2011-01-07 19:48:40 | |Desktop\My Computer\G:\APOGEE + +0x00000000: 52 00 31 00 00 00 00 00 45 3e 48 15 10 00 56 4d R.1.....E>H...VM +0x00000010: 57 30 34 53 53 4c 00 00 3a 00 07 00 04 00 ef be W04SSL..:....... +0x00000020: 45 3e 48 15 44 3e 00 28 26 00 00 00 a0 db 78 00 E>H.D>.(&.....x. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 00 ..............V. 
+0x00000040: 4d 00 57 00 30 00 34 00 53 00 53 00 4c 00 00 00 M.W.0.4.S.S.L... +0x00000050: 18 00 00 00 .... + +2011-02-05 02:42:16 | 2011-02-04 05:00:00 | 2011-02-05 02:42:16 | |Desktop\My Computer\G:\VMW04SSL + +0x00000000: 5c 00 31 00 00 00 00 00 63 3e 8b a1 10 00 41 56 \.1.....c>....AV +0x00000010: 41 59 41 50 7e 31 00 00 44 00 07 00 04 00 ef be AYAP~1..D....... +0x00000020: 63 3e 8b a1 63 3e 00 28 26 00 00 00 e0 dc 78 00 c>..c>.(&.....x. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 ..............A. +0x00000040: 76 00 61 00 79 00 61 00 20 00 50 00 61 00 74 00 v.a.y.a. .P.a.t. +0x00000050: 63 00 68 00 65 00 73 00 00 00 18 00 00 00 c.h.e.s....... + +2011-03-03 20:12:22 | 2011-03-03 05:00:00 | 2011-03-03 20:12:22 | |Desktop\My Computer\G:\Avaya Patches + +0x00000000: 48 00 31 00 00 00 00 00 67 3e 7c a6 10 00 34 32 H.1.....g>|...42 +0x00000010: 30 50 43 00 34 00 07 00 04 00 ef be 67 3e 7c a6 0PC.4.......g>|. +0x00000020: 67 3e 00 28 26 00 00 00 60 dd 78 00 00 00 00 00 g>.(&...`.x..... +0x00000030: 00 00 00 00 00 00 00 00 00 00 34 00 32 00 30 00 ..........4.2.0. +0x00000040: 50 00 43 00 00 00 14 00 00 00 P.C....... + +2011-03-07 20:51:56 | 2011-03-07 05:00:00 | 2011-03-07 20:51:56 | |Desktop\My Computer\G:\420PC + +0x00000000: 7c 00 31 00 00 00 00 00 67 3e 68 a6 11 00 44 4f |.1.....g>h...DO +0x00000010: 43 55 4d 45 7e 31 00 00 64 00 07 00 04 00 ef be CUME~1..d....... +0x00000020: 67 3e 81 a6 67 3e 00 28 26 00 00 00 60 d0 78 e0 g>..g>.(&...`.x. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 3a 00 44 00 ............:.D. +0x00000040: 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 73 00 o.c.u.m.e.n.t.s. +0x00000050: 00 00 40 00 73 00 68 00 65 00 6c 00 6c 00 33 00 ..@.s.h.e.l.l.3. +0x00000060: 32 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 2...d.l.l.,.-.2. +0x00000070: 31 00 37 00 37 00 30 00 00 00 18 00 00 00 1.7.7.0....... 
+ +2011-03-07 20:51:16 | 2011-03-07 05:00:00 | 2011-03-07 20:52:02 | |Desktop\My Computer\G:\420PC\Documents + +0x00000000: 42 00 31 00 00 00 00 00 db 3e f9 aa 30 00 43 4d B.1......>..0.CM +0x00000010: 53 00 30 00 07 00 04 00 ef be db 3e f9 aa db 3e S.0........>...> +0x00000020: f9 aa 26 00 00 00 00 00 00 00 00 00 00 00 00 00 ..&............. +0x00000030: 00 00 00 00 00 00 00 00 43 00 4d 00 53 00 00 00 ........C.M.S... +0x00000040: 12 00 00 00 .... + +2011-06-27 21:23:50 | 2011-06-27 21:23:50 | 2011-06-27 21:23:50 | |Desktop\My Computer\G:\CMS + +0x00000000: 5a 00 31 00 00 00 00 00 ed 3e f1 80 10 00 4e 65 Z.1......>....Ne +0x00000010: 78 75 73 20 4d 65 74 65 72 00 40 00 07 00 04 00 xus Meter.@..... +0x00000020: ef be ed 3e f1 80 ed 3e f1 80 26 00 00 00 00 00 ...>...>..&..... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 4e 00 65 00 78 00 75 00 73 00 20 00 4d 00 65 00 N.e.x.u.s. .M.e. +0x00000050: 74 00 65 00 72 00 00 00 1a 00 00 00 t.e.r....... + +2011-07-13 16:07:34 | 2011-07-13 16:07:34 | 2011-07-13 16:07:34 | |Desktop\My Computer\G:\Nexus Meter + +0x00000000: 64 00 32 00 b0 34 05 00 ed 3e 99 80 20 00 49 4e d.2..4...>.. .IN +0x00000010: 50 32 30 30 20 33 2e 58 2e 7a 69 70 00 00 46 00 P200 3.X.zip..F. +0x00000020: 07 00 04 00 ef be ed 3e f1 80 ed 3e f1 80 26 00 .......>...>..&. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 00 00 00 00 49 00 4e 00 50 00 32 00 30 00 30 00 ....I.N.P.2.0.0. +0x00000050: 20 00 33 00 2e 00 58 00 2e 00 7a 00 69 00 70 00 .3...X...z.i.p. +0x00000060: 00 00 1e 00 00 00 ...... + +2011-07-13 16:04:50 | 2011-07-13 16:07:34 | 2011-07-13 16:07:34 | |Desktop\My Computer\G:\Nexus Meter\INP200 3.X.zip [341168] + +0x00000000: 5a 00 31 00 00 00 00 00 be 38 f1 91 11 00 4d 79 Z.1......8....My +0x00000010: 20 50 69 63 74 75 72 65 73 00 40 00 07 00 04 00 Pictures.@..... +0x00000020: ef be be 38 f0 91 ed 3e f4 80 26 00 00 00 00 00 ...8...>..&..... 
+0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 4d 00 79 00 20 00 50 00 69 00 63 00 74 00 75 00 M.y. .P.i.c.t.u. +0x00000050: 72 00 65 00 73 00 00 00 1a 00 00 00 r.e.s....... + +2008-05-30 18:15:34 | 2011-07-13 16:07:40 | 2008-05-30 18:15:32 | |Desktop\My Computer\G:\My Pictures + +0x00000000: 6c 00 31 00 00 00 00 00 7a 3b 71 b9 10 00 4d 79 l.1.....z;q...My +0x00000010: 20 52 65 63 65 69 76 65 64 20 46 69 6c 65 73 00 Received Files. +0x00000020: 4c 00 07 00 04 00 ef be 7a 3b 71 b9 ed 3e f4 80 L.......z;q..>.. +0x00000030: 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 &............... +0x00000040: 00 00 00 00 00 00 4d 00 79 00 20 00 52 00 65 00 ......M.y. .R.e. +0x00000050: 63 00 65 00 69 00 76 00 65 00 64 00 20 00 46 00 c.e.i.v.e.d. .F. +0x00000060: 69 00 6c 00 65 00 73 00 00 00 20 00 00 00 i.l.e.s... ... + +2009-11-26 23:11:34 | 2011-07-13 16:07:40 | 2009-11-26 23:11:34 | |Desktop\My Computer\G:\My Received Files + +0x00000000: 4e 00 31 00 00 00 00 00 c8 3e b2 88 10 00 57 49 N.1......>....WI +0x00000010: 4e 44 4f 57 53 00 38 00 07 00 04 00 ef be 92 3e NDOWS.8........> +0x00000020: 8c 95 e8 3e 50 80 26 00 00 00 00 00 00 00 00 00 ...>P.&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 57 00 49 00 ............W.I. +0x00000040: 4e 00 44 00 4f 00 57 00 53 00 00 00 16 00 00 00 N.D.O.W.S....... + +2011-06-08 17:05:36 | 2011-07-08 16:02:32 | 2011-04-18 18:44:24 | |Desktop\My Computer\G:\WINDOWS + +0x00000000: 4c 00 31 00 00 00 00 00 92 3e 8c 95 10 00 73 79 L.1......>....sy +0x00000010: 73 74 65 6d 00 00 36 00 07 00 04 00 ef be 92 3e stem..6........> +0x00000020: 8c 95 e8 3e 4f 80 26 00 00 00 00 00 00 00 00 00 ...>O.&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 73 00 79 00 ............s.y. +0x00000040: 73 00 74 00 65 00 6d 00 00 00 16 00 00 00 s.t.e.m....... 
+ +2011-04-18 18:44:24 | 2011-07-08 16:02:30 | 2011-04-18 18:44:24 | |Desktop\My Computer\G:\WINDOWS\system + +0x00000000: 54 00 31 00 00 00 00 00 db 32 0d 5d 10 00 57 69 T.1......2.]..Wi +0x00000010: 6e 53 65 72 76 48 57 00 3c 00 07 00 04 00 ef be nServHW.<....... +0x00000020: db 32 0c 5d ed 3e 0f 81 26 00 00 00 00 00 00 00 .2.].>..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 6e 00 53 00 65 00 72 00 76 00 48 00 57 00 i.n.S.e.r.v.H.W. +0x00000050: 00 00 18 00 00 00 ...... + +2005-06-27 11:40:26 | 2011-07-13 16:08:30 | 2005-06-27 11:40:24 | |Desktop\My Computer\G:\WinServHW + +0x00000000: 48 00 31 00 00 00 00 00 db 32 0d 5d 10 00 57 69 H.1......2.]..Wi +0x00000010: 6e 48 57 00 34 00 07 00 04 00 ef be db 32 0c 5d nHW.4........2.] +0x00000020: ed 3e 19 81 26 00 00 00 00 00 00 00 00 00 00 00 .>..&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6e 00 ..........W.i.n. +0x00000040: 48 00 57 00 00 00 14 00 00 00 H.W....... + +2005-06-27 11:40:26 | 2011-07-13 16:08:50 | 2005-06-27 11:40:24 | |Desktop\My Computer\G:\WinServHW\WinHW + +0x00000000: 64 00 31 00 00 00 00 00 db 32 0c 5d 10 00 53 65 d.1......2.]..Se +0x00000010: 72 76 65 72 20 55 70 67 72 61 64 65 00 00 46 00 rver Upgrade..F. +0x00000020: 07 00 04 00 ef be db 32 0c 5d ed 3e 0f 81 26 00 .......2.].>..&. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 00 00 00 00 53 00 65 00 72 00 76 00 65 00 72 00 ....S.e.r.v.e.r. +0x00000050: 20 00 55 00 70 00 67 00 72 00 61 00 64 00 65 00 .U.p.g.r.a.d.e. +0x00000060: 00 00 1e 00 00 00 ...... + +2005-06-27 11:40:24 | 2011-07-13 16:08:30 | 2005-06-27 11:40:24 | |Desktop\My Computer\G:\Server Upgrade + +0x00000000: 4e 00 31 00 00 00 00 00 01 3f 70 ae 30 00 4d 79 N.1......?p.0.My +0x00000010: 53 51 4c 30 31 00 38 00 07 00 04 00 ef be 01 3f SQL01.8........? +0x00000020: 70 ae 01 3f 70 ae 26 00 00 00 00 00 00 00 00 00 p..?p.&......... 
+0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 4d 00 79 00 ............M.y. +0x00000040: 53 00 51 00 4c 00 30 00 31 00 00 00 16 00 00 00 S.Q.L.0.1....... + +2011-08-01 21:51:32 | 2011-08-01 21:51:32 | 2011-08-01 21:51:32 | |Desktop\My Computer\G:\MySQL01 + | | | |Desktop\My Computer\ + +0x00000000: 52 00 31 00 00 00 00 00 95 3a c2 76 10 00 64 6f R.1......:.v..do +0x00000010: 77 6e 6c 6f 61 64 00 00 3a 00 07 00 04 00 ef be wnload..:....... +0x00000020: ed 36 c9 84 96 3a 38 ab 26 00 00 00 00 00 00 00 .6...:8.&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 00 ..............d. +0x00000040: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 00 00 o.w.n.l.o.a.d... +0x00000050: 18 00 00 00 .... + +2009-04-21 14:54:04 | 2009-04-22 21:25:48 | 2007-07-13 16:38:18 | |Desktop\My Computer\download + +0x00000000: 56 00 31 00 00 00 00 00 96 3a 03 a3 10 00 44 41 V.1......:....DA +0x00000010: 54 41 54 45 7e 31 00 00 3e 00 07 00 04 00 ef be TATE~1..>....... +0x00000020: 57 3a b1 9a 96 3a 3a ab 26 00 00 00 00 00 00 00 W:...::.&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 00 ..............D. +0x00000040: 61 00 74 00 61 00 74 00 65 00 6c 00 77 00 65 00 a.t.a.t.e.l.w.e. +0x00000050: 62 00 00 00 18 00 00 00 b....... 
+ +2009-04-22 20:24:06 | 2009-04-22 21:25:52 | 2009-02-23 19:21:34 | |Desktop\My Computer\download\Datatelweb + | | | |Desktop\My Computer\Apple iPhone + | | | |Desktop\My Computer\Apple iPhone\Internal Storage + | | | |Desktop\My Computer\Apple iPhone\Internal Storage\DCIM + | | | |Desktop\My Computer\Apple iPhone\Internal Storage\DCIM\100APPLE + | | | |Desktop\My Computer\Apple iPhone\Internal Storage + | | | |Desktop\My Computer\Apple iPhone\Internal Storage\DCIM + | | | |Desktop\My Computer\Apple iPhone\Internal Storage\DCIM\100APPLE + | | | |Desktop\My Computer\Apple iPhone\Internal Storage + | | | |Desktop\My Computer\Apple iPhone\Internal Storage\DCIM + | | | |Desktop\My Computer\Apple iPhone\Internal Storage\DCIM\100APPLE + | | | |Desktop\My Computer\E:\ + +0x00000000: a2 00 31 00 00 00 00 00 fd 36 c4 05 10 00 41 43 ..1......6....AC +0x00000010: 52 4f 4e 49 7e 35 2e 33 37 31 00 00 86 00 07 00 RONI~5.371...... +0x00000020: 04 00 ef be fd 36 c4 05 00 00 00 00 26 00 00 00 .....6......&... +0x00000030: aa 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 00 00 41 00 63 00 72 00 6f 00 6e 00 69 00 73 00 ..A.c.r.o.n.i.s. +0x00000050: 5f 00 54 00 72 00 75 00 65 00 5f 00 49 00 6d 00 _.T.r.u.e._.I.m. +0x00000060: 61 00 67 00 65 00 5f 00 45 00 6e 00 74 00 65 00 a.g.e._.E.n.t.e. +0x00000070: 72 00 70 00 72 00 69 00 73 00 65 00 5f 00 53 00 r.p.r.i.s.e._.S. +0x00000080: 65 00 72 00 76 00 65 00 72 00 5f 00 76 00 39 00 e.r.v.e.r._.v.9. +0x00000090: 2e 00 31 00 2e 00 33 00 37 00 31 00 38 00 00 00 ..1...3.7.1.8... +0x000000a0: 1c 00 00 00 .... + +2007-07-29 00:46:08 | | 2007-07-29 00:46:08 | |Desktop\My Computer\E:\Acronis_True_Image_Enterprise_Server_v9.1.3718 + +0x00000000: 8a 00 31 00 00 00 00 00 fd 36 91 5a 10 00 41 43 ..1......6.Z..AC +0x00000010: 52 4f 4e 49 7e 32 2e 33 39 32 00 00 6e 00 07 00 RONI~2.392..n... +0x00000020: 04 00 ef be fd 36 91 5a 00 00 00 00 26 00 00 00 .....6.Z....&... 
+0x00000030: 44 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 D............... +0x00000040: 00 00 41 00 63 00 72 00 6f 00 6e 00 69 00 73 00 ..A.c.r.o.n.i.s. +0x00000050: 20 00 54 00 72 00 75 00 65 00 20 00 49 00 6d 00 .T.r.u.e. .I.m. +0x00000060: 61 00 67 00 65 00 20 00 53 00 65 00 72 00 76 00 a.g.e. .S.e.r.v. +0x00000070: 65 00 72 00 20 00 39 00 2e 00 31 00 2e 00 33 00 e.r. .9...1...3. +0x00000080: 39 00 32 00 30 00 00 00 1c 00 00 00 9.2.0....... + +2007-07-29 11:20:34 | | 2007-07-29 11:20:34 | |Desktop\My Computer\E:\Acronis True Image Server 9.1.3920 + +0x00000000: 46 00 31 00 00 00 00 00 82 3b 45 8f 10 00 44 6f F.1......;E...Do +0x00000010: 63 73 00 00 32 00 07 00 04 00 ef be 82 3b 45 8f cs..2........;E. +0x00000020: 00 00 00 00 26 00 00 00 bc 00 00 80 00 00 00 00 ....&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 44 00 6f 00 63 00 ..........D.o.c. +0x00000040: 73 00 00 00 14 00 00 00 s....... + +2009-12-02 17:58:10 | | 2009-12-02 17:58:10 | |Desktop\My Computer\E:\Docs + | | | |Desktop\My Computer\ + +0x00000000: 6e 00 31 00 00 00 00 00 5b 3b 22 75 10 00 44 4f n.1.....[;"u..DO +0x00000010: 43 55 4d 45 7e 31 00 00 56 00 07 00 04 00 ef be CUME~1..V....... +0x00000020: c1 3a 01 75 43 3c a9 be 26 00 00 00 00 00 00 00 .:.uC<..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 00 ..............D. +0x00000040: 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 73 00 o.c.u.m.e.n.t.s. +0x00000050: 20 00 61 00 6e 00 64 00 20 00 53 00 65 00 74 00 .a.n.d. .S.e.t. +0x00000060: 74 00 69 00 6e 00 67 00 73 00 00 00 18 00 00 00 t.i.n.g.s....... + +2009-10-27 14:41:04 | 2010-02-03 23:53:18 | 2009-06-01 14:40:02 | |Desktop\My Computer\Documents and Settings + +0x00000000: 5c 00 31 00 00 00 00 00 3b 3c 30 a1 10 00 41 44 \.1.....;<0...AD +0x00000010: 4d 49 4e 49 7e 31 00 00 44 00 07 00 04 00 ef be MINI~1..D....... +0x00000020: 5b 3b 22 75 43 3c 90 b9 26 00 00 00 00 00 00 00 [;"uC<..&....... 
+0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 ..............a. +0x00000040: 64 00 6d 00 69 00 6e 00 69 00 73 00 74 00 72 00 d.m.i.n.i.s.t.r. +0x00000050: 61 00 74 00 6f 00 72 00 00 00 18 00 00 00 a.t.o.r....... + +2010-01-27 20:09:32 | 2010-02-03 23:12:32 | 2009-10-27 14:41:04 | |Desktop\My Computer\Documents and Settings\administrator + +0x00000000: 4e 00 31 00 00 00 00 00 43 3c 56 a6 10 00 44 65 N.1.....C....IN +0x00000010: 53 50 49 52 7e 31 00 00 44 00 07 00 04 00 ef be SPIR~1..D....... +0x00000020: d6 3e 14 97 d6 3e 00 20 26 00 00 00 a0 de 78 00 .>...>. &.....x. +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 49 00 ..............I. +0x00000040: 6e 00 73 00 70 00 69 00 72 00 6f 00 6e 00 20 00 n.s.p.i.r.o.n. . +0x00000050: 31 00 37 00 32 00 30 00 00 00 18 00 00 00 1.7.2.0....... + +2011-06-22 18:54:46 | 2011-06-22 04:00:00 | 2011-06-22 18:56:40 | |Desktop\My Computer\I:\Inspiron 1720 + +0x00000000: 78 00 31 00 00 00 00 00 e6 3e 49 94 30 00 73 6f x.1......>I.0.so +0x00000010: 66 74 77 61 72 65 20 64 69 73 74 72 69 62 75 74 ftware distribut +0x00000020: 69 6f 6e 00 54 00 07 00 04 00 ef be 32 37 f2 76 ion.T.......27.v +0x00000030: e7 3e 9d a1 26 00 00 00 00 00 00 00 00 00 00 00 .>..&........... +0x00000040: 00 00 00 00 00 00 00 00 00 00 73 00 6f 00 66 00 ..........s.o.f. +0x00000050: 74 00 77 00 61 00 72 00 65 00 20 00 64 00 69 00 t.w.a.r.e. .d.i. +0x00000060: 73 00 74 00 72 00 69 00 62 00 75 00 74 00 69 00 s.t.r.i.b.u.t.i. +0x00000070: 6f 00 6e 00 00 00 24 00 00 00 o.n...$... + +2011-07-06 18:34:18 | 2011-07-07 20:12:58 | 2007-09-18 14:55:36 | |Desktop\My Computer\I:\software distribution + +0x00000000: 54 00 31 00 00 00 00 00 e8 3e 67 81 30 00 43 6f T.1......>g.0.Co +0x00000010: 6d 6d 56 61 75 6c 74 00 3c 00 07 00 04 00 ef be mmVault.<....... +0x00000020: e8 3e 67 81 e8 3e 67 81 26 00 00 00 00 00 00 00 .>g..>g.&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 00 ..............C. 
+0x00000040: 6f 00 6d 00 6d 00 56 00 61 00 75 00 6c 00 74 00 o.m.m.V.a.u.l.t. +0x00000050: 00 00 18 00 00 00 ...... + +2011-07-08 16:11:14 | 2011-07-08 16:11:14 | 2011-07-08 16:11:14 | |Desktop\My Computer\I:\software distribution\CommVault + +0x00000000: 4e 00 31 00 00 00 00 00 ed 3e fb 94 30 00 4c 41 N.1......>..0.LA +0x00000010: 4e 44 65 73 6b 00 38 00 07 00 04 00 ef be 12 39 NDesk.8........9 +0x00000020: b6 6d 01 3f d9 71 26 00 00 00 00 00 00 00 00 00 .m.?.q&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 4c 00 41 00 ............L.A. +0x00000040: 4e 00 44 00 65 00 73 00 6b 00 00 00 16 00 00 00 N.D.e.s.k....... + +2011-07-13 18:39:54 | 2011-08-01 14:14:50 | 2008-08-18 13:45:44 | |Desktop\My Computer\I:\LANDesk + +0x00000000: 6c 00 31 00 00 00 00 00 82 3d 89 86 10 00 4f 72 l.1......=....Or +0x00000010: 61 63 6c 65 20 43 6c 69 65 6e 74 20 31 31 67 00 acle Client 11g. +0x00000020: 4c 00 07 00 04 00 ef be 70 3c 75 98 19 3f af 99 L.......p....PR +0x00000010: 4f 47 52 41 7e 31 00 00 44 00 07 00 04 00 ef be OGRA~1..D....... +0x00000020: ad 3c 22 82 c7 3e e8 68 26 00 00 00 00 00 00 00 .<"..>.h&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 ..............P. +0x00000040: 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 46 00 r.o.g.r.a.m. .F. +0x00000050: 69 00 6c 00 65 00 73 00 00 00 18 00 00 00 i.l.e.s....... + +2011-06-06 02:21:54 | 2011-06-07 13:07:16 | 2010-05-13 16:17:04 | |Desktop\My Computer\Program Files + +0x00000000: 48 00 31 00 00 00 00 00 d2 3c 83 18 10 00 4c 6f H.1......<....Lo +0x00000010: 74 75 73 00 34 00 07 00 04 00 ef be d2 3c 83 18 tus.4........<.. +0x00000020: c7 3e 33 69 26 00 00 00 00 00 00 00 00 00 00 00 .>3i&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 4c 00 6f 00 74 00 ..........L.o.t. +0x00000040: 75 00 73 00 00 00 14 00 00 00 u.s....... 
+ +2010-06-18 03:04:06 | 2011-06-07 13:09:38 | 2010-06-18 03:04:06 | |Desktop\My Computer\Program Files\Lotus + +0x00000000: 48 00 31 00 00 00 00 00 34 3d d1 95 10 00 4e 6f H.1.....4=....No +0x00000010: 74 65 73 00 34 00 07 00 04 00 ef be d2 3c 83 18 tes.4........<.. +0x00000020: c7 3e 33 69 26 00 00 00 00 00 00 00 00 00 00 00 .>3i&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 4e 00 6f 00 74 00 ..........N.o.t. +0x00000040: 65 00 73 00 00 00 14 00 00 00 e.s....... + +2010-09-20 18:46:34 | 2011-06-07 13:09:38 | 2010-06-18 03:04:06 | |Desktop\My Computer\Program Files\Lotus\Notes + +0x00000000: 46 00 31 00 00 00 00 00 c7 3e 08 6c 10 00 44 61 F.1......>.l..Da +0x00000010: 74 61 00 00 32 00 07 00 04 00 ef be d2 3c 83 18 ta..2........<.. +0x00000020: c7 3e 08 6c 26 00 00 00 00 00 00 00 00 00 00 00 .>.l&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 44 00 61 00 74 00 ..........D.a.t. +0x00000040: 61 00 00 00 14 00 00 00 a....... + +2011-06-07 13:32:16 | 2011-06-07 13:32:16 | 2010-06-18 03:04:06 | |Desktop\My Computer\Program Files\Lotus\Notes\Data + | | | |Desktop\My Computer\Y:\ + +0x00000000: 4c 00 31 00 00 00 00 00 19 3f 00 a8 10 00 56 4d L.1......?....VM +0x00000010: 57 61 72 65 00 00 36 00 07 00 04 00 ef be 19 3f Ware..6........? +0x00000020: 72 a7 4d 3f c3 99 26 00 00 00 00 00 00 00 00 00 r.M?..&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 56 00 4d 00 ............V.M. +0x00000040: 57 00 61 00 72 00 65 00 00 00 16 00 00 00 W.a.r.e....... + +2011-08-25 21:00:00 | 2011-10-13 19:14:06 | 2011-08-25 20:59:36 | |Desktop\My Computer\Y:\VMWare + +0x00000000: 54 00 31 00 00 00 00 00 44 3f a8 15 10 00 44 41 T.1.....D?....DA +0x00000010: 54 41 53 54 7e 31 00 00 3c 00 07 00 04 00 ef be TAST~1..<....... +0x00000020: 3e 3f 91 2b 4d 3f c3 99 26 00 00 00 00 00 00 00 >?.+M?..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 00 ..............D. +0x00000040: 61 00 74 00 61 00 53 00 74 00 61 00 67 00 65 00 a.t.a.S.t.a.g.e. 
+0x00000050: 00 00 18 00 00 00 ...... + +2011-10-04 02:45:16 | 2011-10-13 19:14:06 | 2011-09-30 05:28:34 | |Desktop\My Computer\Y:\DataStage + +0x00000000: 72 00 31 00 00 00 00 00 55 3f a3 a4 10 00 43 41 r.1.....U?....CA +0x00000010: 50 49 54 41 7e 31 00 00 5a 00 07 00 04 00 ef be PITA~1..Z....... +0x00000020: 55 3f a3 a4 55 3f a3 a4 26 00 00 00 9d 4e 00 00 U?..U?..&....N.. +0x00000030: 00 00 6d 00 00 00 00 00 00 00 00 00 00 00 43 00 ..m...........C. +0x00000040: 61 00 70 00 69 00 74 00 61 00 6c 00 20 00 50 00 a.p.i.t.a.l. .P. +0x00000050: 6c 00 61 00 6e 00 6e 00 69 00 6e 00 67 00 20 00 l.a.n.n.i.n.g. . +0x00000060: 50 00 72 00 6f 00 6a 00 65 00 63 00 74 00 00 00 P.r.o.j.e.c.t... +0x00000070: 18 00 00 00 .... + +2011-10-21 20:37:06 | 2011-10-21 20:37:06 | 2011-10-21 20:37:06 | |Desktop\My Computer\Y:\Capital Planning Project + | | | |Desktop\Explorer + | | | |Desktop\Explorer\URI + | | | |Desktop\Explorer\URI + | | | |Desktop\My Network Places + | | | |Desktop\My Network Places\147.9.85.24 + | | | |Desktop\My Network Places\147.9.85.24\\\147.9.85.24\download + +0x00000000: 54 00 31 00 00 00 00 00 1a 39 f0 a2 10 00 49 4c T.1......9....IL +0x00000010: 4f 4d 45 44 7e 31 00 00 3c 00 07 00 04 00 ef be OMED~1..<....... +0x00000020: d6 36 93 8c 1a 39 f0 a2 26 00 00 00 00 00 00 00 .6...9..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 69 00 ..............i. +0x00000040: 4c 00 4f 00 20 00 4d 00 65 00 64 00 69 00 61 00 L.O. .M.e.d.i.a. +0x00000050: 00 00 18 00 00 00 ...... 
+ +2008-08-26 20:23:32 | 2008-08-26 20:23:32 | 2007-06-22 17:36:38 | |Desktop\My Network Places\147.9.85.24\\\147.9.85.24\download\iLO Media + | | | |Desktop\My Network Places\147.9.85.24\\\147.9.85.24\vmware + | | | |Desktop\My Network Places\147.9.85.24\\\147.9.85.24\c$ + | | | |Desktop\My Network Places\eoptnguyen + | | | |Desktop\My Network Places\eoptnguyen\\\eoptnguyen\c$ + | | | |Desktop\My Network Places\147.9.85.68 + | | | |Desktop\My Network Places\147.9.85.68\\\147.9.85.68\c$ + | | | |Desktop\My Network Places\147.9.85.68\\\147.9.85.68\nguyen + +0x00000000: 5a 00 31 00 00 00 00 00 5d 39 2b 78 11 00 4d 59 Z.1.....]9+x..MY +0x00000010: 44 4f 43 55 7e 31 00 00 42 00 07 00 04 00 ef be DOCU~1..B....... +0x00000020: 17 31 64 7c 5d 39 10 98 26 00 00 00 00 00 00 00 .1d|]9..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 79 00 20 00 44 00 6f 00 63 00 75 00 6d 00 65 00 y. .D.o.c.u.m.e. +0x00000050: 6e 00 74 00 73 00 00 00 18 00 00 00 n.t.s....... + +2008-10-29 15:01:22 | 2008-10-29 19:00:32 | 2004-08-23 15:35:08 | |Desktop\My Network Places\147.9.85.68\\\147.9.85.68\nguyen\My Documents + | | | |Desktop\My Network Places\147.9.85.68\\\147.9.85.68\AUwork + | | | |Desktop\My Network Places\147.9.85.68\\\147.9.85.68\SharedDocs + +0x00000000: 54 00 31 00 00 00 00 00 71 38 08 8a 10 00 41 44 T.1.....q8....AD +0x00000010: 4f 42 45 50 7e 31 00 00 3c 00 07 00 04 00 ef be OBEP~1..<....... +0x00000020: 8d 32 92 86 59 39 22 04 26 00 00 00 00 00 00 00 .2..Y9".&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 ..............A. +0x00000040: 64 00 6f 00 62 00 65 00 20 00 50 00 44 00 46 00 d.o.b.e. .P.D.F. +0x00000050: 00 00 18 00 00 00 ...... 
+ +2008-03-17 17:16:16 | 2008-10-25 00:33:04 | 2005-04-13 16:52:36 | |Desktop\My Network Places\147.9.85.68\\\147.9.85.68\SharedDocs\Adobe PDF + +0x00000000: 4c 00 31 00 00 00 00 00 d1 34 25 79 10 00 45 78 L.1......4%y..Ex +0x00000010: 74 72 61 73 00 00 36 00 07 00 04 00 ef be 8d 32 tras..6........2 +0x00000020: 93 86 5d 39 92 9d 26 00 00 00 00 00 00 00 00 00 ..]9..&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 45 00 78 00 ............E.x. +0x00000040: 74 00 72 00 61 00 73 00 00 00 16 00 00 00 t.r.a.s....... + +2006-06-17 15:09:10 | 2008-10-29 19:44:36 | 2005-04-13 16:52:38 | |Desktop\My Network Places\147.9.85.68\\\147.9.85.68\SharedDocs\Adobe PDF\Extras + +0x00000000: 52 00 31 00 00 00 00 00 d1 34 d2 79 10 00 53 65 R.1......4.y..Se +0x00000010: 74 74 69 6e 67 73 00 00 3a 00 07 00 04 00 ef be ttings..:....... +0x00000020: 8d 32 93 86 5d 39 92 9d 26 00 00 00 00 00 00 00 .2..]9..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 00 ..............S. +0x00000040: 65 00 74 00 74 00 69 00 6e 00 67 00 73 00 00 00 e.t.t.i.n.g.s... +0x00000050: 18 00 00 00 .... + +2006-06-17 15:14:36 | 2008-10-29 19:44:36 | 2005-04-13 16:52:38 | |Desktop\My Network Places\147.9.85.68\\\147.9.85.68\SharedDocs\Adobe PDF\Settings + +0x00000000: 7a 00 31 00 00 00 00 00 46 33 14 85 11 00 4d 59 z.1.....F3....MY +0x00000010: 4d 55 53 49 7e 31 00 00 62 00 07 00 04 00 ef be MUSI~1..b....... +0x00000020: 17 31 6d 7b 5d 39 8f 9d 26 00 00 00 00 00 00 00 .1m{]9..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 38 00 4d 00 ............8.M. +0x00000040: 79 00 20 00 4d 00 75 00 73 00 69 00 63 00 00 00 y. .M.u.s.i.c... +0x00000050: 40 00 73 00 68 00 65 00 6c 00 6c 00 33 00 32 00 @.s.h.e.l.l.3.2. +0x00000060: 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 38 00 ..d.l.l.,.-.2.8. +0x00000070: 39 00 39 00 35 00 00 00 18 00 00 00 9.9.5....... 
+ +2005-10-06 16:40:40 | 2008-10-29 19:44:30 | 2004-08-23 15:27:26 | |Desktop\My Network Places\147.9.85.68\\\147.9.85.68\SharedDocs\My Music + +0x00000000: 80 00 31 00 00 00 00 00 17 31 84 7b 11 00 4d 59 ..1......1.{..MY +0x00000010: 50 49 43 54 7e 31 00 00 68 00 07 00 04 00 ef be PICT~1..h....... +0x00000020: 17 31 6d 7b 5d 39 8f 9d 26 00 00 00 00 00 00 00 .1m{]9..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 3e 00 4d 00 ............>.M. +0x00000040: 79 00 20 00 50 00 69 00 63 00 74 00 75 00 72 00 y. .P.i.c.t.u.r. +0x00000050: 65 00 73 00 00 00 40 00 73 00 68 00 65 00 6c 00 e.s...@.s.h.e.l. +0x00000060: 6c 00 33 00 32 00 2e 00 64 00 6c 00 6c 00 2c 00 l.3.2...d.l.l.,. +0x00000070: 2d 00 32 00 38 00 39 00 39 00 37 00 00 00 18 00 -.2.8.9.9.7..... +0x00000080: 00 00 .. + +2004-08-23 15:28:08 | 2008-10-29 19:44:30 | 2004-08-23 15:27:26 | |Desktop\My Network Places\147.9.85.68\\\147.9.85.68\SharedDocs\My Pictures + +0x00000000: 60 00 31 00 00 00 00 00 3b 31 19 9d 11 00 53 41 `.1.....;1....SA +0x00000010: 4d 50 4c 45 7e 31 00 00 48 00 07 00 04 00 ef be MPLE~1..H....... +0x00000020: 17 31 84 7b 5d 39 99 9d 26 00 00 00 00 00 00 00 .1.{]9..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 00 ..............S. +0x00000040: 61 00 6d 00 70 00 6c 00 65 00 20 00 50 00 69 00 a.m.p.l.e. .P.i. +0x00000050: 63 00 74 00 75 00 72 00 65 00 73 00 00 00 18 00 c.t.u.r.e.s..... +0x00000060: 00 00 .. + +2004-09-27 19:40:50 | 2008-10-29 19:44:50 | 2004-08-23 15:28:08 | |Desktop\My Network Places\147.9.85.68\\\147.9.85.68\SharedDocs\My Pictures\Sample Pictures + +0x00000000: 7c 00 31 00 00 00 00 00 17 31 32 7b 11 00 4d 59 |.1......12{..MY +0x00000010: 56 49 44 45 7e 31 00 00 64 00 07 00 04 00 ef be VIDE~1..d....... +0x00000020: 17 31 32 7b 5d 39 8f 9d 26 00 00 00 00 00 00 00 .12{]9..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 3a 00 4d 00 ............:.M. +0x00000040: 79 00 20 00 56 00 69 00 64 00 65 00 6f 00 73 00 y. .V.i.d.e.o.s. 
+0x00000050: 00 00 40 00 73 00 68 00 65 00 6c 00 6c 00 33 00 ..@.s.h.e.l.l.3. +0x00000060: 32 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 2...d.l.l.,.-.2. +0x00000070: 38 00 39 00 39 00 36 00 00 00 18 00 00 00 8.9.9.6....... + +2004-08-23 15:25:36 | 2008-10-29 19:44:30 | 2004-08-23 15:25:36 | |Desktop\My Network Places\147.9.85.68\\\147.9.85.68\SharedDocs\My Videos + | | | |Desktop\My Network Places\147.9.1.33 + | | | |Desktop\My Network Places\TJNPC + | | | |Desktop\My Network Places\TJNPC\\\tjnpc\nguyen + +0x00000000: 4c 00 31 00 00 00 00 00 72 3b 4d 9b 10 00 6e 67 L.1.....r;M...ng +0x00000010: 75 79 65 6e 00 00 36 00 07 00 04 00 ef be 2c 39 uyen..6.......,9 +0x00000020: 26 8c 72 3b 4d 9b 26 00 00 00 00 00 00 00 00 00 &.r;M.&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 6e 00 67 00 ............n.g. +0x00000040: 75 00 79 00 65 00 6e 00 00 00 16 00 00 00 u.y.e.n....... + +2009-11-18 19:26:26 | 2009-11-18 19:26:26 | 2008-09-12 17:33:12 | |Desktop\My Network Places\TJNPC\\\tjnpc\nguyen\nguyen + | | | |Desktop\My Network Places\as10gtest + | | | |Desktop\My Network Places\as10gtest\\\as10gtest\as10gtest-logs + | | | |Desktop\My Network Places\147.9.1.83 + | | | |Desktop\My Network Places\win35 + | | | |Desktop\My Network Places\win35\\\win35\d$ + | | | |Desktop\My Network Places\mgmt01.american.edu + | | | |Desktop\My Network Places\mgmt01.american.edu\\\mgmt01.american.edu\logs + | | | |Desktop\My Network Places\mgmt01.american.edu\\\mgmt01.american.edu\c$ + +0x00000000: 4e 00 31 00 00 00 00 00 2c 3b e5 0c 10 00 57 69 N.1.....,;....Wi +0x00000010: 6e 64 6f 77 73 00 38 00 07 00 04 00 ef be 33 38 ndows.8.......38 +0x00000020: 6b 51 2c 3b e5 0c 26 00 00 00 00 00 00 00 00 00 kQ,;..&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 ............W.i. +0x00000040: 6e 00 64 00 6f 00 77 00 73 00 00 00 16 00 00 00 n.d.o.w.s....... 
+ +2009-09-12 01:39:10 | 2009-09-12 01:39:10 | 2008-01-19 10:11:22 | |Desktop\My Network Places\mgmt01.american.edu\\\mgmt01.american.edu\c$\Windows + +0x00000000: 90 00 31 00 00 00 00 00 ff 3a 6d a7 11 00 50 52 ..1......:m...PR +0x00000010: 4f 47 52 41 7e 32 00 00 78 00 07 00 04 00 ef be OGRA~2..x....... +0x00000020: 33 38 6b 51 ff 3a 6c a7 26 00 00 00 00 00 00 00 38kQ.:l.&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 4e 00 50 00 ............N.P. +0x00000040: 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 46 00 r.o.g.r.a.m. .F. +0x00000050: 69 00 6c 00 65 00 73 00 20 00 28 00 78 00 38 00 i.l.e.s. .(.x.8. +0x00000060: 36 00 29 00 00 00 40 00 73 00 68 00 65 00 6c 00 6.)...@.s.h.e.l. +0x00000070: 6c 00 33 00 32 00 2e 00 64 00 6c 00 6c 00 2c 00 l.3.2...d.l.l.,. +0x00000080: 2d 00 32 00 31 00 38 00 31 00 37 00 00 00 18 00 -.2.1.8.1.7..... +0x00000090: 00 00 .. + +2009-07-31 20:59:26 | 2009-07-31 20:59:24 | 2008-01-19 10:11:22 | |Desktop\My Network Places\mgmt01.american.edu\\\mgmt01.american.edu\c$\Program Files (x86) + +0x00000000: 6c 00 31 00 00 00 00 00 6e 3a f6 04 10 00 57 49 l.1.....n:....WI +0x00000010: 4e 44 4f 57 7e 33 00 00 54 00 07 00 04 00 ef be NDOW~3..T....... +0x00000020: 6e 3a f6 04 6e 3a f6 04 26 00 00 00 00 00 00 00 n:..n:..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 52 00 i.n.d.o.w.s. .R. +0x00000050: 65 00 73 00 6f 00 75 00 72 00 63 00 65 00 20 00 e.s.o.u.r.c.e. . +0x00000060: 4b 00 69 00 74 00 73 00 00 00 18 00 00 00 K.i.t.s....... + +2009-03-14 00:39:44 | 2009-03-14 00:39:44 | 2009-03-14 00:39:44 | |Desktop\My Network Places\mgmt01.american.edu\\\mgmt01.american.edu\c$\Program Files (x86)\Windows Resource Kits + +0x00000000: 48 00 31 00 00 00 00 00 6e 3a f7 04 10 00 54 6f H.1.....n:....To +0x00000010: 6f 6c 73 00 34 00 07 00 04 00 ef be 6e 3a f6 04 ols.4.......n:.. +0x00000020: 6e 3a f7 04 26 00 00 00 00 00 00 00 00 00 00 00 n:..&........... 
+0x00000030: 00 00 00 00 00 00 00 00 00 00 54 00 6f 00 6f 00 ..........T.o.o. +0x00000040: 6c 00 73 00 00 00 14 00 00 00 l.s....... + +2009-03-14 00:39:46 | 2009-03-14 00:39:46 | 2009-03-14 00:39:44 | |Desktop\My Network Places\mgmt01.american.edu\\\mgmt01.american.edu\c$\Program Files (x86)\Windows Resource Kits\Tools + | | | |Desktop\My Network Places\win104 + | | | |Desktop\My Network Places\win104\\\win104\c$ + +0x00000000: 4e 00 31 00 00 00 00 00 71 39 c8 7c 10 00 49 6e N.1.....q9.|..In +0x00000010: 65 74 70 75 62 00 38 00 07 00 04 00 ef be 71 39 etpub.8.......q9 +0x00000020: 70 7a 5a 3b 8e 98 26 00 00 00 5f 12 00 00 00 00 pzZ;..&..._..... +0x00000030: 0f 00 00 00 00 00 00 00 00 00 00 00 49 00 6e 00 ............I.n. +0x00000040: 65 00 74 00 70 00 75 00 62 00 00 00 16 00 00 00 e.t.p.u.b....... + +2008-11-17 15:38:16 | 2009-10-26 19:04:28 | 2008-11-17 15:19:32 | |Desktop\My Network Places\win104\\\win104\c$\Inetpub + +0x00000000: 4e 00 31 00 00 00 00 00 71 39 d5 7c 10 00 4e 6f N.1.....q9.|..No +0x00000010: 76 75 73 48 52 00 38 00 07 00 04 00 ef be 71 39 vusHR.8.......q9 +0x00000020: c6 7c 5a 3b f7 9a 26 00 00 00 46 40 00 00 00 00 .|Z;..&...F@.... +0x00000030: 0c 00 00 00 00 00 00 00 00 00 00 00 4e 00 6f 00 ............N.o. +0x00000040: 76 00 75 00 73 00 48 00 52 00 00 00 16 00 00 00 v.u.s.H.R....... + +2008-11-17 15:38:42 | 2009-10-26 19:23:46 | 2008-11-17 15:38:12 | |Desktop\My Network Places\win104\\\win104\c$\Inetpub\NovusHR + | | | |Desktop\My Network Places\Win107 + | | | |Desktop\My Network Places\Win107\\\Win107\c$ + +0x00000000: 52 00 31 00 00 00 00 00 41 3b d1 7a 10 00 64 6f R.1.....A;.z..do +0x00000010: 77 6e 6c 6f 61 64 00 00 3a 00 07 00 04 00 ef be wnload..:....... +0x00000020: 41 38 14 b9 58 3b 0f 08 26 00 00 00 00 00 00 00 A8..X;..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 00 ..............d. +0x00000040: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 00 00 o.w.n.l.o.a.d... +0x00000050: 18 00 00 00 .... 
+ +2009-10-01 15:22:34 | 2009-10-24 01:00:30 | 2008-02-01 23:08:40 | |Desktop\My Network Places\Win107\\\Win107\c$\download + +0x00000000: 46 00 31 00 00 00 00 00 73 3a 8b 19 10 00 53 46 F.1.....s:....SF +0x00000010: 54 50 00 00 32 00 07 00 04 00 ef be c8 38 86 a2 TP..2........8.. +0x00000020: 58 3b 47 08 26 00 00 00 00 00 00 00 00 00 00 00 X;G.&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 53 00 46 00 54 00 ..........S.F.T. +0x00000040: 50 00 00 00 14 00 00 00 P....... + +2009-03-19 03:12:22 | 2009-10-24 01:02:14 | 2008-06-08 20:20:12 | |Desktop\My Network Places\Win107\\\Win107\c$\download\SFTP + +0x00000000: 42 00 31 00 00 00 00 00 04 3f 96 9c 10 00 48 46 B.1......?....HF +0x00000010: 34 00 30 00 07 00 04 00 ef be 04 3f 96 9c 04 3f 4.0........?...? +0x00000020: 22 a7 26 00 00 00 00 00 00 00 00 00 00 00 00 00 ".&............. +0x00000030: 00 00 00 00 00 00 00 00 48 00 46 00 34 00 00 00 ........H.F.4... +0x00000040: 12 00 00 00 .... + +2011-08-04 19:36:44 | 2011-08-04 20:57:04 | 2011-08-04 19:36:44 | |Desktop\My Network Places\Win107\\\Win107\c$\download\HF4 + | | | |Desktop\My Network Places\prt01 + | | | |Desktop\My Network Places\win25 + | | | |Desktop\My Network Places\win25\\\win25\uploads + | | | |Desktop\My Network Places\win25\\\win25\c$ + +0x00000000: 6e 00 31 00 00 00 00 00 6c 3c 0b b1 10 00 44 4f n.1.....l<....DO +0x00000010: 43 55 4d 45 7e 31 00 00 56 00 07 00 04 00 ef be CUME~1..V....... +0x00000020: 33 34 e0 69 ee 3c ab 8e 26 00 00 00 74 00 00 00 34.i.<..&...t... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 44 00 ..............D. +0x00000040: 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 73 00 o.c.u.m.e.n.t.s. +0x00000050: 20 00 61 00 6e 00 64 00 20 00 53 00 65 00 74 00 .a.n.d. .S.e.t. +0x00000060: 74 00 69 00 6e 00 67 00 73 00 00 00 18 00 00 00 t.i.n.g.s....... 
+ +2010-03-12 22:08:22 | 2010-07-14 17:53:22 | 2006-01-19 13:15:00 | |Desktop\My Network Places\win25\\\win25\c$\Documents and Settings + +0x00000000: 4c 00 31 00 00 00 00 00 e7 3c 41 99 10 00 6e 67 L.1............. +0x00000020: 2b 3b 4c 8b 66 3b 41 b3 26 00 00 00 00 00 00 00 +;L.f;A.&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 00 ..............S. +0x00000040: 74 00 61 00 74 00 61 00 31 00 31 00 20 00 49 00 t.a.t.a.1.1. .I. +0x00000050: 43 00 00 00 18 00 00 00 C....... + +2010-09-16 17:05:52 | 2009-11-06 22:26:02 | 2009-09-11 17:26:24 | |Desktop\My Network Places\nw07\\\nw07\APPS\Stata11 IC + +0x00000000: 4c 00 31 00 00 00 00 00 f7 3a 16 94 30 00 4d 4f L.1......:..0.MO +0x00000010: 53 41 49 43 00 00 36 00 07 00 04 00 ef be bc 3a SAIC..6........: +0x00000020: 28 6e 66 3b 2b b1 26 00 00 00 00 00 00 00 00 00 (nf;+.&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 4d 00 6f 00 ............M.o. +0x00000040: 73 00 61 00 69 00 63 00 00 00 16 00 00 00 s.a.i.c....... + +2009-07-23 18:32:44 | 2009-11-06 22:09:22 | 2009-05-28 13:49:16 | |Desktop\My Network Places\nw07\\\nw07\APPS\Mosaic + +0x00000000: 4e 00 31 00 00 00 00 00 70 3d 33 a9 30 00 4c 49 N.1.....p=3.0.LI +0x00000010: 42 52 41 52 59 00 38 00 07 00 04 00 ef be 48 3d BRARY.8.......H= +0x00000020: 19 7d 48 3d 19 7d 26 00 00 00 00 00 00 00 00 00 .}H=.}&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 4c 00 69 00 ............L.i. +0x00000040: 62 00 72 00 61 00 72 00 79 00 00 00 16 00 00 00 b.r.a.r.y....... + +2010-11-16 21:09:38 | 2010-10-08 15:40:50 | 2010-10-08 15:40:50 | |Desktop\My Network Places\nw07\\\nw07\APPS\Library + +0x00000000: 58 00 31 00 00 00 00 00 6c 3d 18 9b 30 00 50 48 X.1.....l=..0.PH +0x00000010: 41 52 4f 53 7e 31 2e 31 00 00 3e 00 07 00 04 00 AROS~1.1..>..... +0x00000020: ef be 27 3c 32 8b 00 00 00 00 26 00 00 00 00 00 ..'<2.....&..... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+0x00000040: 50 00 68 00 61 00 72 00 6f 00 73 00 20 00 38 00 P.h.a.r.o.s. .8. +0x00000050: 2e 00 31 00 00 00 1a 00 00 00 ..1....... + +2010-11-12 19:24:48 | | 2010-01-07 17:25:36 | |Desktop\My Network Places\nw07\\\nw07\APPS\Library\Pharos 8.1 + | | | |Desktop\My Network Places\nw07\\\nw07\Library eResource + | | | |Desktop\My Network Places\nw07\\\nw07\WPC + | | | |Desktop\My Network Places\win22 + | | | |Desktop\My Network Places\win22\\\win22\c$ + +0x00000000: 5c 00 31 00 00 00 00 00 12 3d b9 a8 11 00 50 52 \.1......=....PR +0x00000010: 4f 47 52 41 7e 31 00 00 44 00 07 00 04 00 ef be OGRA~1..D....... +0x00000020: 96 37 ba 63 36 3d 84 9c 26 00 00 00 00 00 00 00 .7.c6=..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 ..............P. +0x00000040: 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 46 00 r.o.g.r.a.m. .F. +0x00000050: 69 00 6c 00 65 00 73 00 00 00 18 00 00 00 i.l.e.s....... + +2010-08-18 21:05:50 | 2010-09-22 19:36:08 | 2007-12-22 12:29:52 | |Desktop\My Network Places\win22\\\win22\c$\Program Files + +0x00000000: 4c 00 31 00 00 00 00 00 2e 3c 94 a0 10 00 50 68 L.1......<....Ph +0x00000010: 61 72 6f 73 00 00 36 00 07 00 04 00 ef be 97 37 aros..6........7 +0x00000020: ca a4 36 3d d2 9b 26 00 00 00 00 00 00 00 00 00 ..6=..&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 50 00 68 00 ............P.h. +0x00000040: 61 00 72 00 6f 00 73 00 00 00 16 00 00 00 a.r.o.s....... + +2010-01-14 20:04:40 | 2010-09-22 19:30:36 | 2007-12-23 20:38:20 | |Desktop\My Network Places\win22\\\win22\c$\Program Files\Pharos + +0x00000000: 52 00 31 00 00 00 00 00 36 3d c9 a2 10 00 70 61 R.1.....6=....pa +0x00000010: 63 6b 61 67 65 73 00 00 3a 00 07 00 04 00 ef be ckages..:....... +0x00000020: 9b 37 3a 80 36 3d c9 a2 26 00 00 00 00 00 00 00 .7:.6=..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 ..............p. +0x00000040: 61 00 63 00 6b 00 61 00 67 00 65 00 73 00 00 00 a.c.k.a.g.e.s... +0x00000050: 18 00 00 00 .... 
+ +2010-09-22 20:22:18 | 2010-09-22 20:22:18 | 2007-12-27 16:01:52 | |Desktop\My Network Places\win22\\\win22\c$\Program Files\Pharos\packages + | | | |Desktop\My Network Places\win22\\\win22\d$ + +0x00000000: 52 00 31 00 00 00 00 00 61 3d 52 7f 10 00 44 6f R.1.....a=R...Do +0x00000010: 77 6e 6c 6f 61 64 00 00 3a 00 07 00 04 00 ef be wnload..:....... +0x00000020: 8d 37 ad ba 6c 3d 52 56 26 00 00 00 2f 00 00 00 .7..l=RV&.../... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 44 00 ..............D. +0x00000040: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 00 00 o.w.n.l.o.a.d... +0x00000050: 18 00 00 00 .... + +2010-11-01 15:58:36 | 2010-11-12 10:50:36 | 2007-12-13 23:21:26 | |Desktop\My Network Places\win22\\\win22\d$\Download + +0x00000000: 58 00 31 00 00 00 00 00 28 3c ee 06 10 00 50 48 X.1.....(<....PH +0x00000010: 41 52 4f 53 7e 31 2e 31 00 00 3e 00 07 00 04 00 AROS~1.1..>..... +0x00000020: ef be 25 3c 38 99 6c 3d 78 56 26 00 00 00 00 00 ..%<8.l=xV&..... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 50 00 68 00 61 00 72 00 6f 00 73 00 20 00 38 00 P.h.a.r.o.s. .8. +0x00000050: 2e 00 31 00 00 00 1a 00 00 00 ..1....... + +2010-01-08 00:55:28 | 2010-11-12 10:51:48 | 2010-01-05 19:09:48 | |Desktop\My Network Places\win22\\\win22\d$\Download\Pharos 8.1 + +0x00000000: 7e 00 31 00 00 00 00 00 78 3d fa a2 10 00 50 48 ~.1.....x=....PH +0x00000010: 41 52 4f 53 7e 31 2e 31 50 41 50 00 62 00 07 00 AROS~1.1PAP.b... +0x00000020: 04 00 ef be 5f 3d 11 20 7d 3d 40 a3 26 00 00 00 ...._=. }=@.&... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 00 00 50 00 68 00 61 00 72 00 6f 00 73 00 20 00 ..P.h.a.r.o.s. . +0x00000050: 38 00 2e 00 31 00 20 00 50 00 61 00 74 00 63 00 8...1. .P.a.t.c. +0x00000060: 68 00 65 00 73 00 20 00 33 00 31 00 4f 00 63 00 h.e.s. .3.1.O.c. +0x00000070: 74 00 32 00 30 00 31 00 30 00 00 00 1c 00 00 00 t.2.0.1.0....... 
+ +2010-11-24 20:23:52 | 2010-11-29 20:26:00 | 2010-10-31 04:00:34 | |Desktop\My Network Places\win22\\\win22\d$\Download\Pharos 8.1\Pharos 8.1 Patches 31Oct2010 + +0x00000000: 5e 00 32 00 58 87 09 00 7d 3d 2f a3 20 00 70 63 ^.2.X...}=/. .pc +0x00000010: 6f 75 6e 74 65 72 2e 7a 69 70 00 00 42 00 07 00 ounter.zip..B... +0x00000020: 04 00 ef be 7d 3d 45 a3 7d 3d 45 a3 26 00 00 00 ....}=E.}=E.&... +0x00000030: 4c 21 00 00 00 00 16 00 00 00 00 00 00 00 00 00 L!.............. +0x00000040: 00 00 70 00 63 00 6f 00 75 00 6e 00 74 00 65 00 ..p.c.o.u.n.t.e. +0x00000050: 72 00 2e 00 7a 00 69 00 70 00 00 00 1c 00 00 00 r...z.i.p....... + +2010-11-29 20:25:30 | 2010-11-29 20:26:10 | 2010-11-29 20:26:10 | |Desktop\My Network Places\win22\\\win22\d$\Download\Pharos 8.1\Pharos 8.1 Patches 31Oct2010\pcounter.zip [624472] + | | | |Desktop\My Network Places\win22\\\win22\d$\Download\Pharos 8.1\Pharos 8.1 Patches 31Oct2010\pcounter.zip\Page_Counter + +0x00000000: 5a 00 31 00 00 00 00 00 7d 3d 70 a3 10 00 50 41 Z.1.....}=p...PA +0x00000010: 47 45 5f 43 7e 31 00 00 42 00 07 00 04 00 ef be GE_C~1..B....... +0x00000020: 7d 3d 70 a3 7d 3d 70 a3 26 00 00 00 00 00 00 00 }=p.}=p.&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 ..............P. +0x00000040: 61 00 67 00 65 00 5f 00 43 00 6f 00 75 00 6e 00 a.g.e._.C.o.u.n. +0x00000050: 74 00 65 00 72 00 00 00 18 00 00 00 t.e.r....... + +2010-11-29 20:27:32 | 2010-11-29 20:27:32 | 2010-11-29 20:27:32 | |Desktop\My Network Places\win22\\\win22\d$\Download\Pharos 8.1\Pharos 8.1 Patches 31Oct2010\Page_Counter + | | | |Desktop\My Network Places\win100 + | | | |Desktop\My Network Places\win100\\\win100\c$ + +0x00000000: 52 00 31 00 00 00 00 00 5a 3d 0f 92 10 00 64 6f R.1.....Z=....do +0x00000010: 77 6e 6c 6f 61 64 00 00 3a 00 07 00 04 00 ef be wnload..:....... +0x00000020: ed 36 c9 84 5a 3d b9 9d 26 00 00 00 00 00 00 00 .6..Z=..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 00 ..............d. 
+0x00000040: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 00 00 o.w.n.l.o.a.d... +0x00000050: 18 00 00 00 .... + +2010-10-26 18:16:30 | 2010-10-26 19:45:50 | 2007-07-13 16:38:18 | |Desktop\My Network Places\win100\\\win100\c$\download + +0x00000000: 56 00 31 00 00 00 00 00 5a 3d dd 91 10 00 49 53 V.1.....Z=....IS +0x00000010: 4f 49 4d 41 7e 31 00 00 3e 00 07 00 04 00 ef be OIMA~1..>....... +0x00000020: 5a 3d 51 90 5a 3d ba 9d 26 00 00 00 00 00 00 00 Z=Q.Z=..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 49 00 ..............I. +0x00000040: 53 00 4f 00 20 00 49 00 6d 00 61 00 67 00 65 00 S.O. .I.m.a.g.e. +0x00000050: 73 00 00 00 18 00 00 00 s....... + +2010-10-26 18:14:58 | 2010-10-26 19:45:52 | 2010-10-26 18:02:34 | |Desktop\My Network Places\win100\\\win100\c$\download\ISO Images + +0x00000000: 5a 00 31 00 00 00 00 00 45 3f dc 1d 10 00 57 49 Z.1.....E?....WI +0x00000010: 4e 44 4f 57 7e 31 00 00 42 00 07 00 04 00 ef be NDOW~1..B....... +0x00000020: ee 36 04 bf 4c 3f 3c 7a 26 00 00 00 00 00 00 00 .6..L?....... +0x00000020: d6 3c 46 8c 54 3f b2 80 26 00 00 00 00 00 00 00 .?.+T?..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 00 ..............D. +0x00000040: 61 00 74 00 61 00 53 00 74 00 61 00 67 00 65 00 a.t.a.S.t.a.g.e. +0x00000050: 00 00 18 00 00 00 ...... + +2011-10-19 04:49:42 | 2011-10-20 16:05:36 | 2011-09-30 05:28:34 | |Desktop\My Network Places\win100\\\win100\c$\download\DataStage + +0x00000000: 4c 00 31 00 00 00 00 00 54 3f 93 95 10 00 56 4d L.1.....T?....VM +0x00000010: 57 61 72 65 00 00 36 00 07 00 04 00 ef be 19 3f Ware..6........? +0x00000020: 72 a7 54 3f dc 9d 26 00 00 00 00 00 00 00 00 00 r.T?..&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 56 00 4d 00 ............V.M. +0x00000040: 57 00 61 00 72 00 65 00 00 00 16 00 00 00 W.a.r.e....... 
+ +2011-10-20 18:44:38 | 2011-10-20 19:46:56 | 2011-08-25 20:59:36 | |Desktop\My Network Places\win100\\\win100\c$\download\VMWare + | | | |Desktop\My Network Places\win50 + | | | |Desktop\My Network Places\win50\\\win50\CMSdata + +0x00000000: 40 00 31 00 00 00 00 00 5a 3d 52 95 10 00 61 75 @.1.....Z=R...au +0x00000010: 00 00 2e 00 07 00 04 00 ef be f0 38 16 7d 61 3d ...........8.}a= +0x00000020: 77 75 26 00 00 00 1f 00 00 00 00 00 10 00 00 00 wu&............. +0x00000030: 00 00 00 00 00 00 00 00 61 00 75 00 00 00 12 00 ........a.u..... +0x00000040: 00 00 .. + +2010-10-26 18:42:36 | 2010-11-01 14:43:46 | 2008-07-16 15:40:44 | |Desktop\My Network Places\win50\\\win50\CMSdata\au + +0x00000000: 48 00 31 00 00 00 00 00 5b 3d 39 88 10 00 6b 6f H.1.....[=9...ko +0x00000010: 67 6f 64 00 34 00 07 00 04 00 ef be 55 39 f9 6e god.4.......U9.n +0x00000020: 61 3d 1d 76 26 00 00 00 d0 02 00 00 00 00 01 00 a=.v&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 6b 00 6f 00 67 00 ..........k.o.g. +0x00000040: 6f 00 64 00 00 00 14 00 00 00 o.d....... + +2010-10-27 17:01:50 | 2010-11-01 14:48:58 | 2008-10-21 13:55:50 | |Desktop\My Network Places\win50\\\win50\CMSdata\au\kogod + +0x00000000: 52 00 31 00 00 00 00 00 2d 3d 0d 6f 10 00 70 72 R.1.....-=.o..pr +0x00000010: 6f 67 72 61 6d 73 00 00 3a 00 07 00 04 00 ef be ograms..:....... +0x00000020: 55 39 61 9e 61 3d 7a 6a 26 00 00 00 00 00 00 00 U9a.a=zj&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 ..............p. +0x00000040: 72 00 6f 00 67 00 72 00 61 00 6d 00 73 00 00 00 r.o.g.r.a.m.s... +0x00000050: 18 00 00 00 .... + +2010-09-13 13:56:26 | 2010-11-01 13:19:52 | 2008-10-21 19:51:02 | |Desktop\My Network Places\win50\\\win50\CMSdata\au\kogod\programs + +0x00000000: 60 00 31 00 00 00 00 00 4c 3d d8 86 10 00 4d 42 `.1.....L=....MB +0x00000010: 41 43 41 52 7e 31 00 00 48 00 07 00 04 00 ef be ACAR~1..H....... +0x00000020: 5b 3a f8 71 61 3d ee 7a 26 00 00 00 00 00 00 00 [:.qa=.z&....... 
+0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6d 00 ..............m. +0x00000040: 62 00 61 00 63 00 61 00 72 00 65 00 65 00 72 00 b.a.c.a.r.e.e.r. +0x00000050: 74 00 72 00 61 00 63 00 6b 00 73 00 00 00 18 00 t.r.a.c.k.s..... +0x00000060: 00 00 .. + +2010-10-12 16:54:48 | 2010-11-01 15:23:28 | 2009-02-27 14:15:48 | |Desktop\My Network Places\win50\\\win50\CMSdata\au\kogod\programs\mbacareertracks + | | | |Desktop\My Network Places\win17 + | | | |Desktop\My Network Places\win17\\\win17\c$ + +0x00000000: 5c 00 31 00 00 00 00 00 41 3d 62 10 11 00 50 52 \.1.....A=b...PR +0x00000010: 4f 47 52 41 7e 31 00 00 44 00 07 00 04 00 ef be OGRA~1..D....... +0x00000020: 0a 31 86 79 61 3d ba 85 26 00 00 00 c6 0e 00 00 .1.ya=..&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 50 00 ..............P. +0x00000040: 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 46 00 r.o.g.r.a.m. .F. +0x00000050: 69 00 6c 00 65 00 73 00 00 00 18 00 00 00 i.l.e.s....... + +2010-10-01 02:03:04 | 2010-11-01 16:45:52 | 2004-08-10 15:12:12 | |Desktop\My Network Places\win17\\\win17\c$\Program Files + +0x00000000: 4e 00 31 00 00 00 00 00 3e 3b bd 84 10 00 77 76 N.1.....>;....wv +0x00000010: 33 74 6f 73 61 00 38 00 07 00 04 00 ef be 0c 3b 3tosa.8........; +0x00000020: 4f a7 61 3d a5 84 26 00 00 00 ac 9a 00 00 00 00 O.a=..&......... +0x00000030: 23 a3 00 00 00 00 00 00 00 00 00 00 77 00 76 00 #...........w.v. +0x00000040: 33 00 74 00 6f 00 73 00 61 00 00 00 16 00 00 00 3.t.o.s.a....... + +2009-09-30 16:37:58 | 2010-11-01 16:37:10 | 2009-08-12 20:58:30 | |Desktop\My Network Places\win17\\\win17\c$\Program Files\wv3tosa + +0x00000000: 48 00 31 00 00 00 00 00 61 3d e5 85 10 00 75 73 H.1.....a=....us +0x00000010: 65 72 73 00 34 00 07 00 04 00 ef be 0c 3b 23 a8 ers.4........;#. +0x00000020: 61 3d e5 85 26 00 00 00 95 ab 00 00 00 00 02 00 a=..&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 75 00 73 00 65 00 ..........u.s.e. +0x00000040: 72 00 73 00 00 00 14 00 00 00 r.s....... 
+ +2010-11-01 16:47:10 | 2010-11-01 16:47:10 | 2009-08-12 21:01:06 | |Desktop\My Network Places\win17\\\win17\c$\Program Files\wv3tosa\users + | | | |Desktop\My Network Places\prt03 + | | | |Desktop\My Network Places\timeclock + | | | |Desktop\My Network Places\timeclock\\\timeclock\c$ + +0x00000000: 52 00 31 00 00 00 00 00 91 3d 0a 9a 10 00 44 6f R.1......=....Do +0x00000010: 77 6e 6c 6f 61 64 00 00 3a 00 07 00 04 00 ef be wnload..:....... +0x00000020: 91 3d f8 99 91 3d 0a 9a 26 00 00 00 00 00 00 00 .=...=..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 00 ..............D. +0x00000040: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 00 00 o.w.n.l.o.a.d... +0x00000050: 18 00 00 00 .... + +2010-12-17 19:16:20 | 2010-12-17 19:16:20 | 2010-12-17 19:15:48 | |Desktop\My Network Places\timeclock\\\timeclock\c$\Download + +0x00000000: 56 00 31 00 00 00 00 00 91 3d 3b 9a 10 00 54 49 V.1......=;...TI +0x00000010: 4d 45 43 4c 7e 31 00 00 3e 00 07 00 04 00 ef be MECL~1..>....... +0x00000020: 91 3d 06 9a 91 3d 3b 9a 26 00 00 00 00 00 00 00 .=...=;.&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 00 ..............T. +0x00000040: 69 00 6d 00 65 00 43 00 6c 00 6f 00 63 00 6b 00 i.m.e.C.l.o.c.k. +0x00000050: 36 00 00 00 18 00 00 00 6....... + +2010-12-17 19:17:54 | 2010-12-17 19:17:54 | 2010-12-17 19:16:12 | |Desktop\My Network Places\timeclock\\\timeclock\c$\Download\TimeClock6 + +0x00000000: 5e 00 31 00 00 00 00 00 94 3d 84 84 10 00 53 51 ^.1......=....SQ +0x00000010: 4c 32 30 30 7e 31 00 00 46 00 07 00 04 00 ef be L200~1..F....... +0x00000020: 94 3d 84 84 94 3d 84 84 26 00 00 00 bf fa 00 00 .=...=..&....... +0x00000030: 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 53 00 ..............S. +0x00000040: 51 00 4c 00 32 00 30 00 30 00 38 00 20 00 36 00 Q.L.2.0.0.8. .6. +0x00000050: 34 00 2d 00 62 00 69 00 74 00 00 00 18 00 00 00 4.-.b.i.t....... 
+ +2010-12-20 16:36:08 | 2010-12-20 16:36:08 | 2010-12-20 16:36:08 | |Desktop\My Network Places\timeclock\\\timeclock\c$\Download\SQL2008 64-bit + | | | |Desktop\My Network Places\Nw08 + | | | |Desktop\My Network Places\Nw08\\\Nw08\CAS_DEAN + +0x00000000: 4c 00 31 00 00 00 00 00 92 3d cf 98 30 00 53 48 L.1......=..0.SH +0x00000010: 41 52 45 44 00 00 36 00 07 00 04 00 ef be 2c 2d ARED..6.......,- +0x00000020: e6 2c 25 3e 35 7f 26 00 00 00 00 00 00 00 00 00 .,%>5.&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 53 00 48 00 ............S.H. +0x00000040: 41 00 52 00 45 00 44 00 00 00 16 00 00 00 A.R.E.D....... + +2010-12-18 19:06:30 | 2011-01-05 15:57:42 | 2002-09-12 05:39:12 | |Desktop\My Network Places\Nw08\\\Nw08\CAS_DEAN\SHARED + +0x00000000: 46 00 31 00 00 00 00 00 86 3d b6 ac 30 00 54 45 F.1......=..0.TE +0x00000010: 43 48 00 00 32 00 07 00 04 00 ef be 2c 2d e7 2c CH..2.......,-., +0x00000020: 25 3e 35 7f 26 00 00 00 00 00 00 00 00 00 00 00 %>5.&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 54 00 65 00 63 00 ..........T.e.c. +0x00000040: 68 00 00 00 14 00 00 00 h....... + +2010-12-06 21:37:44 | 2011-01-05 15:57:42 | 2002-09-12 05:39:14 | |Desktop\My Network Places\Nw08\\\Nw08\CAS_DEAN\SHARED\Tech + +0x00000000: 52 00 31 00 00 00 00 00 3b 3d 62 49 10 00 53 4f R.1.....;=bI..SO +0x00000010: 46 54 57 41 52 45 00 00 3a 00 07 00 04 00 ef be FTWARE..:....... +0x00000020: 2c 2d 21 2d 25 3e 35 7f 26 00 00 00 00 00 00 00 ,-!-%>5.&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 73 00 ..............s. +0x00000040: 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 00 00 o.f.t.w.a.r.e... +0x00000050: 18 00 00 00 .... + +2010-09-27 09:11:04 | 2011-01-05 15:57:42 | 2002-09-12 05:41:02 | |Desktop\My Network Places\Nw08\\\Nw08\CAS_DEAN\SHARED\Tech\software + +0x00000000: 68 00 31 00 00 00 00 00 24 3e 85 a3 10 00 4d 41 h.1.....$>....MA +0x00000010: 54 48 45 4d 7e 31 00 00 50 00 07 00 04 00 ef be THEM~1..P....... 
+0x00000020: 70 31 b6 6e 25 3e 36 7f 26 00 00 00 00 00 00 00 p1.n%>6.&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 61 00 74 00 68 00 65 00 6d 00 61 00 74 00 69 00 a.t.h.e.m.a.t.i. +0x00000050: 63 00 61 00 20 00 49 00 6e 00 73 00 74 00 61 00 c.a. .I.n.s.t.a. +0x00000060: 6c 00 6c 00 00 00 18 00 00 00 l.l....... + +2011-01-04 20:28:10 | 2011-01-05 15:57:44 | 2004-11-16 13:53:44 | |Desktop\My Network Places\Nw08\\\Nw08\CAS_DEAN\SHARED\Tech\software\Mathematica Install + +0x00000000: 5c 00 31 00 00 00 00 00 25 3e 05 80 30 00 4d 41 \.1.....%>..0.MA +0x00000010: 54 48 4c 4d 7e 31 2e 30 00 00 42 00 07 00 04 00 THLM~1.0..B..... +0x00000020: ef be 25 3e 05 80 25 3e 13 80 26 00 00 00 00 00 ..%>..%>..&..... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 4d 00 61 00 74 00 68 00 4c 00 4d 00 5f 00 38 00 M.a.t.h.L.M._.8. +0x00000050: 2e 00 30 00 2e 00 30 00 00 00 1a 00 00 00 ..0...0....... + +2011-01-05 16:00:10 | 2011-01-05 16:00:38 | 2011-01-05 16:00:10 | |Desktop\My Network Places\Nw08\\\Nw08\CAS_DEAN\SHARED\Tech\software\Mathematica Install\MathLM_8.0.0 + +0x00000000: 58 00 31 00 00 00 00 00 25 3e 17 80 30 00 4d 41 X.1.....%>..0.MA +0x00000010: 54 48 45 4d 7e 31 00 00 40 00 07 00 04 00 ef be THEM~1..@....... +0x00000020: 25 3e 17 80 25 3e 25 80 26 00 00 00 00 00 00 00 %>..%>%.&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 61 00 74 00 68 00 65 00 6d 00 61 00 74 00 69 00 a.t.h.e.m.a.t.i. +0x00000050: 63 00 61 00 00 00 18 00 00 00 c.a....... 
+ +2011-01-05 16:00:46 | 2011-01-05 16:01:10 | 2011-01-05 16:00:46 | |Desktop\My Network Places\Nw08\\\Nw08\CAS_DEAN\SHARED\Tech\software\Mathematica Install\Mathematica + +0x00000000: 4e 00 31 00 00 00 00 00 25 3e e6 81 10 00 57 49 N.1.....%>....WI +0x00000010: 4e 44 4f 57 53 00 38 00 07 00 04 00 ef be 25 3e NDOWS.8.......%> +0x00000020: 53 80 00 00 00 00 26 00 00 00 00 00 00 00 00 00 S.....&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 ............W.i. +0x00000040: 6e 00 64 00 6f 00 77 00 73 00 00 00 16 00 00 00 n.d.o.w.s....... + +2011-01-05 16:15:12 | | 2011-01-05 16:02:38 | |Desktop\My Network Places\Nw08\\\Nw08\CAS_DEAN\SHARED\Tech\software\Mathematica Install\Mathematica\Windows + +0x00000000: 5c 00 31 00 00 00 00 00 24 3e 22 b2 30 00 4f 4c \.1.....$>".0.OL +0x00000010: 44 56 45 52 7e 31 00 00 44 00 07 00 04 00 ef be DVER~1..D....... +0x00000020: 24 3e 29 a2 25 3e 8a 85 26 00 00 00 00 00 00 00 $>).%>..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4f 00 ..............O. +0x00000040: 4c 00 44 00 20 00 56 00 65 00 72 00 73 00 69 00 L.D. .V.e.r.s.i. +0x00000050: 6f 00 6e 00 20 00 37 00 00 00 18 00 00 00 o.n. .7....... + +2011-01-04 22:17:04 | 2011-01-05 16:44:20 | 2011-01-04 20:17:18 | |Desktop\My Network Places\Nw08\\\Nw08\CAS_DEAN\SHARED\Tech\software\Mathematica Install\OLD Version 7 + | | | |Desktop\My Network Places\win18 + | | | |Desktop\My Network Places\win18\\\win18\d$ + +0x00000000: 52 00 31 00 00 00 00 00 77 3c 95 8c 10 00 64 6f R.1.....w<....do +0x00000010: 77 6e 6c 6f 61 64 00 00 3a 00 07 00 04 00 ef be wnload..:....... +0x00000020: ea 34 00 ac 24 3e 11 85 26 00 00 00 93 9a 00 00 .4..$>..&....... +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 64 00 ..............d. +0x00000040: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 00 00 o.w.n.l.o.a.d... +0x00000050: 18 00 00 00 .... 
+ +2010-03-23 17:36:42 | 2011-01-04 16:40:34 | 2006-07-10 21:32:00 | |Desktop\My Network Places\win18\\\win18\d$\download + +0x00000000: 66 00 31 00 00 00 00 00 25 3e 06 85 10 00 4d 41 f.1.....%>....MA +0x00000010: 54 48 45 4d 7e 31 2e 30 00 00 4c 00 07 00 04 00 THEM~1.0..L..... +0x00000020: ef be 25 3e 06 85 25 3e 06 85 26 00 00 00 ce 3e ..%>..%>..&....> +0x00000030: 01 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 4d 00 61 00 74 00 68 00 65 00 6d 00 61 00 74 00 M.a.t.h.e.m.a.t. +0x00000050: 69 00 63 00 61 00 20 00 38 00 2e 00 30 00 2e 00 i.c.a. .8...0... +0x00000060: 30 00 00 00 1a 00 00 00 0....... + +2011-01-05 16:40:12 | 2011-01-05 16:40:12 | 2011-01-05 16:40:12 | |Desktop\My Network Places\win18\\\win18\d$\download\Mathematica 8.0.0 + | | | |Desktop\My Network Places\au-dc03 + | | | |Desktop\My Network Places\au-dc03\\\au-dc03\NETLOGON + +0x00000000: 5a 00 31 00 00 00 00 00 a7 3c 23 7c 10 00 4c 4f Z.1......<#|..LO +0x00000010: 47 49 4e 53 7e 31 00 00 42 00 07 00 04 00 ef be GINS~1..B....... +0x00000020: a5 3c dc 8c a7 3c 23 7c 26 00 00 00 00 00 00 00 .<...<#|&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c 00 ..............L. +0x00000040: 6f 00 67 00 69 00 6e 00 53 00 63 00 72 00 69 00 o.g.i.n.S.c.r.i. +0x00000050: 70 00 74 00 73 00 00 00 18 00 00 00 p.t.s....... + +2010-05-07 15:33:06 | 2010-05-07 15:33:06 | 2010-05-05 17:38:56 | |Desktop\My Network Places\au-dc03\\\au-dc03\NETLOGON\LoginScripts + +0x00000000: 42 00 31 00 00 00 00 00 a7 3c 24 7c 10 00 4f 49 B.1......<$|..OI +0x00000010: 54 00 30 00 07 00 04 00 ef be a7 3c 21 7c a7 3c T.0............So +0x00000010: 66 74 77 61 72 65 00 00 3a 00 07 00 04 00 ef be ftware..:....... +0x00000020: c9 3e ac a0 ce 3e da 8d 26 00 00 00 44 5a 01 00 .>...>..&...DZ.. +0x00000030: 00 00 03 00 00 00 00 00 00 00 00 00 00 00 53 00 ..............S. +0x00000040: 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 00 00 o.f.t.w.a.r.e... +0x00000050: 18 00 00 00 .... 
+ +2011-06-14 17:46:52 | 2011-06-14 17:46:52 | 2011-06-09 20:05:24 | |Desktop\My Network Places\www03\\\www03\c$\Software + +0x00000000: 5c 00 31 00 00 00 00 00 d1 3e cb 1b 10 00 46 55 \.1......>....FU +0x00000010: 53 49 4f 4e 7e 31 00 00 44 00 07 00 04 00 ef be SION~1..D....... +0x00000020: d1 3e a7 1b d1 3e cb 1b 26 00 00 00 00 00 00 00 .>...>..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 00 ..............F. +0x00000040: 75 00 73 00 69 00 6f 00 6e 00 52 00 65 00 61 00 u.s.i.o.n.R.e.a. +0x00000050: 63 00 74 00 6f 00 72 00 00 00 18 00 00 00 c.t.o.r....... + +2011-06-17 03:30:22 | 2011-06-17 03:30:22 | 2011-06-17 03:29:14 | |Desktop\My Network Places\www03\\\www03\c$\Software\FusionReactor + +0x00000000: 70 00 31 00 00 00 00 00 cf 3e 3b ad 11 00 55 73 p.1......>;...Us +0x00000010: 65 72 73 00 5c 00 07 00 04 00 ef be ee 3a 85 1a ers.\........:.. +0x00000020: cf 3e 3b ad 26 00 00 00 f1 00 00 00 00 00 01 00 .>;.&........... +0x00000030: 00 00 00 00 00 00 00 00 32 00 55 00 73 00 65 00 ........2.U.s.e. +0x00000040: 72 00 73 00 00 00 40 00 73 00 68 00 65 00 6c 00 r.s...@.s.h.e.l. +0x00000050: 6c 00 33 00 32 00 2e 00 64 00 6c 00 6c 00 2c 00 l.3.2...d.l.l.,. +0x00000060: 2d 00 32 00 31 00 38 00 31 00 33 00 00 00 14 00 -.2.1.8.1.3..... +0x00000070: 00 00 .. + +2011-06-15 21:41:54 | 2011-06-15 21:41:54 | 2009-07-14 03:20:10 | |Desktop\My Network Places\www03\\\www03\c$\Users + +0x00000000: 4c 00 31 00 00 00 00 00 c9 3e 6e 9a 10 00 6e 67 L.1......>n...ng +0x00000010: 75 79 65 6e 00 00 36 00 07 00 04 00 ef be c9 3e uyen..6........> +0x00000020: 32 89 c9 3e 6e 9a 26 00 00 00 00 00 00 00 00 00 2..>n.&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 6e 00 67 00 ............n.g. +0x00000040: 75 00 79 00 65 00 6e 00 00 00 16 00 00 00 u.y.e.n....... 
+ +2011-06-09 19:19:28 | 2011-06-09 19:19:28 | 2011-06-09 17:09:36 | |Desktop\My Network Places\www03\\\www03\c$\Users\nguyen + +0x00000000: 76 00 31 00 00 10 00 00 c9 3e f1 91 11 00 44 65 v.1......>....De +0x00000010: 73 6b 74 6f 70 00 60 00 07 00 04 00 ef be c9 3e sktop.`........> +0x00000020: 33 89 c9 3e f1 91 26 00 00 00 00 00 00 00 00 00 3..>..&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 36 00 44 00 65 00 ..........6.D.e. +0x00000040: 73 00 6b 00 74 00 6f 00 70 00 00 00 40 00 73 00 s.k.t.o.p...@.s. +0x00000050: 68 00 65 00 6c 00 6c 00 33 00 32 00 2e 00 64 00 h.e.l.l.3.2...d. +0x00000060: 6c 00 6c 00 2c 00 2d 00 32 00 31 00 37 00 36 00 l.l.,.-.2.1.7.6. +0x00000070: 39 00 00 00 16 00 00 00 9....... + +2011-06-09 18:15:34 | 2011-06-09 18:15:34 | 2011-06-09 17:09:38 | |Desktop\My Network Places\www03\\\www03\c$\Users\nguyen\Desktop + +0x00000000: 46 00 31 00 00 00 00 00 c9 3e 13 93 10 00 6a 61 F.1......>....ja +0x00000010: 76 61 00 00 32 00 07 00 04 00 ef be c9 3e 4c 92 va..2........>L. +0x00000020: c9 3e 13 93 26 00 00 00 37 e3 00 00 00 00 08 00 .>..&...7....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 6a 00 61 00 76 00 ..........j.a.v. +0x00000040: 61 00 00 00 14 00 00 00 a....... + +2011-06-09 18:24:38 | 2011-06-09 18:24:38 | 2011-06-09 18:18:24 | |Desktop\My Network Places\www03\\\www03\c$\java + +0x00000000: 42 00 31 00 00 00 00 00 c9 3e 00 93 10 00 6a 72 B.1......>....jr +0x00000010: 65 00 30 00 07 00 04 00 ef be c9 3e fb 92 c9 3e e.0........>...> +0x00000020: 00 93 26 00 00 00 65 e3 00 00 00 00 1d 00 00 00 ..&...e......... +0x00000030: 00 00 00 00 00 00 00 00 6a 00 72 00 65 00 00 00 ........j.r.e... +0x00000040: 12 00 00 00 .... 
+ +2011-06-09 18:24:00 | 2011-06-09 18:24:00 | 2011-06-09 18:23:54 | |Desktop\My Network Places\www03\\\www03\c$\java\jre + +0x00000000: 42 00 31 00 00 00 00 00 c9 3e 04 93 10 00 6c 69 B.1......>....li +0x00000010: 62 00 30 00 07 00 04 00 ef be c9 3e fc 92 c9 3e b.0........>...> +0x00000020: 04 93 26 00 00 00 89 ff 00 00 00 00 06 00 00 00 ..&............. +0x00000030: 00 00 00 00 00 00 00 00 6c 00 69 00 62 00 00 00 ........l.i.b... +0x00000040: 12 00 00 00 .... + +2011-06-09 18:24:08 | 2011-06-09 18:24:08 | 2011-06-09 18:23:56 | |Desktop\My Network Places\www03\\\www03\c$\java\jre\lib + +0x00000000: 52 00 31 00 00 00 00 00 c9 3e fd 92 10 00 73 65 R.1......>....se +0x00000010: 63 75 72 69 74 79 00 00 3a 00 07 00 04 00 ef be curity..:....... +0x00000020: c9 3e fd 92 c9 3e fd 92 26 00 00 00 de ff 00 00 .>...>..&....... +0x00000030: 00 00 06 00 00 00 00 00 00 00 00 00 00 00 73 00 ..............s. +0x00000040: 65 00 63 00 75 00 72 00 69 00 74 00 79 00 00 00 e.c.u.r.i.t.y... +0x00000050: 18 00 00 00 .... + +2011-06-09 18:23:58 | 2011-06-09 18:23:58 | 2011-06-09 18:23:58 | |Desktop\My Network Places\www03\\\www03\c$\java\jre\lib\security + | | | |Desktop\My Network Places\auems + | | | |Desktop\My Network Places\auems\\\auems\d$ + +0x00000000: 52 00 31 00 00 00 00 00 59 3e b0 94 10 00 44 6f R.1.....Y>....Do +0x00000010: 77 6e 6c 6f 61 64 00 00 3a 00 07 00 04 00 ef be wnload..:....... +0x00000020: 64 3d b4 a9 59 3e b0 94 26 00 00 00 bc 21 00 00 d=..Y>..&....!.. +0x00000030: 00 00 01 00 00 00 00 00 00 00 00 00 00 00 44 00 ..............D. +0x00000040: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 00 00 o.w.n.l.o.a.d... +0x00000050: 18 00 00 00 .... 
+ +2011-02-25 18:37:32 | 2011-02-25 18:37:32 | 2010-11-04 21:13:40 | |Desktop\My Network Places\auems\\\auems\d$\Download + +0x00000000: 46 00 31 00 00 00 00 00 c2 3e 42 7b 10 00 43 52 F.1......>B{..CR +0x00000010: 44 4d 00 00 32 00 07 00 04 00 ef be c2 3e 32 7b DM..2........>2{ +0x00000020: c2 3e 42 7b 26 00 00 00 00 00 00 00 00 00 00 00 .>B{&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 43 00 52 00 44 00 ..........C.R.D. +0x00000040: 4d 00 00 00 14 00 00 00 M....... + +2011-06-02 15:26:04 | 2011-06-02 15:26:04 | 2011-06-02 15:25:36 | |Desktop\My Network Places\auems\\\auems\d$\CRDM + | | | |Desktop\My Network Places\auems\\\auems\CV + | | | |Desktop\My Network Places\www02 + | | | |Desktop\My Network Places\www02\\\www02\c$ + +0x00000000: 52 00 31 00 00 00 00 00 db 3e 6c 83 10 00 53 6f R.1......>l...So +0x00000010: 66 74 77 61 72 65 00 00 3a 00 07 00 04 00 ef be ftware..:....... +0x00000020: db 3e 5d 83 db 3e 6c 83 26 00 00 00 00 00 00 00 .>]..>l.&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 00 ..............S. +0x00000040: 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 00 00 o.f.t.w.a.r.e... +0x00000050: 18 00 00 00 .... + +2011-06-27 16:27:24 | 2011-06-27 16:27:24 | 2011-06-27 16:26:58 | |Desktop\My Network Places\www02\\\www02\c$\Software + +0x00000000: 5c 00 31 00 00 00 00 00 db 3e 6c 83 10 00 46 55 \.1......>l...FU +0x00000010: 53 49 4f 4e 7e 31 00 00 44 00 07 00 04 00 ef be SION~1..D....... +0x00000020: db 3e 6b 83 db 3e 6c 83 26 00 00 00 00 00 00 00 .>k..>l.&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 00 ..............F. +0x00000040: 75 00 73 00 69 00 6f 00 6e 00 52 00 65 00 61 00 u.s.i.o.n.R.e.a. +0x00000050: 63 00 74 00 6f 00 72 00 00 00 18 00 00 00 c.t.o.r....... 
+ +2011-06-27 16:27:24 | 2011-06-27 16:27:24 | 2011-06-27 16:27:22 | |Desktop\My Network Places\www02\\\www02\c$\Software\FusionReactor + | | | |Desktop\My Network Places\fmmeter01 + | | | |Desktop\My Network Places\fmmeter01\\\fmmeter01\EMS_Docs + | | | |Desktop\My Network Places\win25.american.edu + | | | |Desktop\My Network Places\win25.american.edu\\\win25.american.edu\c$ + +0x00000000: 52 00 31 00 00 00 00 00 18 3f ae 99 10 00 64 6f R.1......?....do +0x00000010: 77 6e 6c 6f 61 64 00 00 3a 00 07 00 04 00 ef be wnload..:....... +0x00000020: 33 34 e4 a1 19 3f fb 95 26 00 00 00 00 00 00 00 34...?..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 00 ..............d. +0x00000040: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 00 00 o.w.n.l.o.a.d... +0x00000050: 18 00 00 00 .... + +2011-08-24 19:13:28 | 2011-08-25 18:47:54 | 2006-01-19 20:15:08 | |Desktop\My Network Places\win25.american.edu\\\win25.american.edu\c$\download + | | | |Desktop\My Network Places\datastage-prod8 + | | | |Desktop\My Network Places\datastage-prod8\\\datastage-prod8\c$ + +0x00000000: 52 00 31 00 00 00 00 00 19 3f e9 99 10 00 44 6f R.1......?....Do +0x00000010: 77 6e 6c 6f 61 64 00 00 3a 00 07 00 04 00 ef be wnload..:....... +0x00000020: 19 3f cf 98 19 3f e9 99 26 00 00 00 00 00 00 00 .?...?..&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 00 ..............D. +0x00000040: 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 00 00 o.w.n.l.o.a.d... +0x00000050: 18 00 00 00 .... + +2011-08-25 19:15:18 | 2011-08-25 19:15:18 | 2011-08-25 19:06:30 | |Desktop\My Network Places\datastage-prod8\\\datastage-prod8\c$\Download + | | | |Desktop\My Network Places\win101 + | | | |Desktop\My Network Places\win101\\\win101\c$ + +0x00000000: 56 00 31 00 00 00 00 00 44 40 b8 a0 10 00 64 6f V.1.....D@....do +0x00000010: 77 6e 6c 6f 61 64 00 00 3e 00 08 00 04 00 ef be wnload..>....... +0x00000020: 3e 40 75 8b 44 40 b8 a0 2a 00 00 00 35 4f 00 00 >@u.D@..*...5O.. 
+0x00000030: 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 ..t............. +0x00000040: 00 00 64 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 ..d.o.w.n.l.o.a. +0x00000050: 64 00 00 00 18 00 00 00 d....... + +2012-02-04 20:05:48 | 2012-02-04 20:05:48 | 2012-01-30 17:27:42 | |Desktop\My Network Places\win101\\\win101\c$\download + +0x00000000: 5e 00 31 00 00 00 00 00 45 40 f9 80 10 00 57 49 ^.1.....E@....WI +0x00000010: 4e 44 4f 57 7e 31 00 00 46 00 08 00 04 00 ef be NDOW~1..F....... +0x00000020: 3e 40 cc 8d 45 40 f9 80 2a 00 00 00 d3 3b 01 00 >@..E@..*....;.. +0x00000030: 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 00 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 ..W.i.n.d.o.w.s. +0x00000050: 54 00 6f 00 6f 00 6c 00 73 00 00 00 18 00 00 00 T.o.o.l.s....... + +2012-02-05 16:07:50 | 2012-02-05 16:07:50 | 2012-01-30 17:46:24 | |Desktop\My Network Places\win101\\\win101\c$\download\WindowsTools + +0x00000000: 52 00 31 00 00 00 00 00 4c 40 08 bd 10 00 41 63 R.1.....L@....Ac +0x00000010: 72 6f 6e 69 73 00 3c 00 08 00 04 00 ef be 4c 40 ronis.<.......L@ +0x00000020: 49 bb 4c 40 08 bd 2a 00 00 00 24 37 00 00 00 00 I.L@..*...$7.... +0x00000030: 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 )............... +0x00000040: 41 00 63 00 72 00 6f 00 6e 00 69 00 73 00 00 00 A.c.r.o.n.i.s... +0x00000050: 16 00 00 00 .... + +2012-02-12 23:40:16 | 2012-02-12 23:40:16 | 2012-02-12 23:26:18 | |Desktop\My Network Places\win101\\\win101\c$\download\Acronis + | | | |Desktop\Users + | | | |Desktop\Users\Documents + +0x00000000: 60 00 31 00 00 00 00 00 87 3b 0d 8a 10 00 43 41 `.1......;....CA +0x00000010: 4d 54 41 53 7e 31 00 00 48 00 07 00 04 00 ef be MTAS~1..H....... +0x00000020: 87 3b 0d 8a 87 3b 0d 8a 26 00 00 00 05 9b 01 00 .;...;..&....... +0x00000030: 00 00 90 00 00 00 00 00 00 00 00 00 00 00 43 00 ..............C. +0x00000040: 61 00 6d 00 74 00 61 00 73 00 69 00 61 00 20 00 a.m.t.a.s.i.a. . 
+0x00000050: 53 00 74 00 75 00 64 00 69 00 6f 00 00 00 18 00 S.t.u.d.i.o..... +0x00000060: 00 00 .. + +2009-12-07 17:16:26 | 2009-12-07 17:16:26 | 2009-12-07 17:16:26 | |Desktop\Users\Documents\Camtasia Studio + +0x00000000: 7e 00 31 00 00 00 00 00 87 3b 0d 8a 10 00 43 55 ~.1......;....CU +0x00000010: 53 54 4f 4d 7e 31 2e 30 00 00 64 00 07 00 04 00 STOM~1.0..d..... +0x00000020: ef be 87 3b 0d 8a 87 3b 0d 8a 26 00 00 00 6e 9c ...;...;..&...n. +0x00000030: 01 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 ....$........... +0x00000040: 43 00 75 00 73 00 74 00 6f 00 6d 00 20 00 50 00 C.u.s.t.o.m. .P. +0x00000050: 72 00 6f 00 64 00 75 00 63 00 74 00 69 00 6f 00 r.o.d.u.c.t.i.o. +0x00000060: 6e 00 20 00 50 00 72 00 65 00 73 00 65 00 74 00 n. .P.r.e.s.e.t. +0x00000070: 73 00 20 00 36 00 2e 00 30 00 00 00 1a 00 00 00 s. .6...0....... + +2009-12-07 17:16:26 | 2009-12-07 17:16:26 | 2009-12-07 17:16:26 | |Desktop\Users\Documents\Camtasia Studio\Custom Production Presets 6.0 + +0x00000000: 68 00 31 00 00 00 00 00 5d 39 66 94 10 00 4d 59 h.1.....]9f...MY +0x00000010: 56 49 52 54 7e 31 00 00 50 00 07 00 04 00 ef be VIRT~1..P....... +0x00000020: 5d 39 66 94 5d 39 66 94 26 00 00 00 2f d1 00 00 ]9f.]9f.&.../... +0x00000030: 00 00 06 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 79 00 20 00 56 00 69 00 72 00 74 00 75 00 61 00 y. .V.i.r.t.u.a. +0x00000050: 6c 00 20 00 4d 00 61 00 63 00 68 00 69 00 6e 00 l. .M.a.c.h.i.n. +0x00000060: 65 00 73 00 00 00 18 00 00 00 e.s....... + +2008-10-29 18:35:12 | 2008-10-29 18:35:12 | 2008-10-29 18:35:12 | |Desktop\Users\Documents\My Virtual Machines + +0x00000000: 54 00 31 00 00 00 00 00 f0 3a 69 7b 14 00 4d 59 T.1......:i{..MY +0x00000010: 53 48 41 50 7e 31 00 00 3c 00 07 00 04 00 ef be SHAP~1..<....... +0x00000020: f0 3a 65 7b f0 3a 69 7b 26 00 00 00 07 fb 00 00 .:e{.:i{&....... +0x00000030: 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 79 00 20 00 53 00 68 00 61 00 70 00 65 00 73 00 y. 
.S.h.a.p.e.s. +0x00000050: 00 00 18 00 00 00 ...... + +2009-07-16 15:27:18 | 2009-07-16 15:27:18 | 2009-07-16 15:27:10 | |Desktop\Users\Documents\My Shapes + | | | |Desktop\Users\Downloads + | | | |Desktop\Users\Desktop + | | | |Desktop\Users\{1777f761-68ad-4d8a-87bd-30b759fa33dd} + +0x00000000: 4c 00 31 00 00 00 00 00 73 3b ee 86 10 00 50 68 L.1.....s;....Ph +0x00000010: 61 72 6f 73 00 00 36 00 07 00 04 00 ef be 73 3b aros..6.......s; +0x00000020: 8e 86 73 3b ee 86 26 00 00 00 bb 3c 01 00 00 00 ..s;..&....<.... +0x00000030: 1c 00 00 00 00 00 00 00 00 00 00 00 50 00 68 00 ............P.h. +0x00000040: 61 00 72 00 6f 00 73 00 00 00 16 00 00 00 a.r.o.s....... + +2009-11-19 16:55:28 | 2009-11-19 16:55:28 | 2009-11-19 16:52:28 | |Desktop\Users\{1777f761-68ad-4d8a-87bd-30b759fa33dd}\Pharos + +0x00000000: 66 00 31 00 00 00 00 00 73 3b ee 86 10 00 44 41 f.1.....s;....DA +0x00000010: 54 41 42 41 7e 31 00 00 4e 00 07 00 04 00 ef be TABA~1..N....... +0x00000020: 73 3b c0 86 73 3b ee 86 26 00 00 00 8f 62 00 00 s;..s;..&....b.. +0x00000030: 00 00 35 00 00 00 00 00 00 00 00 00 00 00 44 00 ..5...........D. +0x00000040: 61 00 74 00 61 00 62 00 61 00 73 00 65 00 20 00 a.t.a.b.a.s.e. . +0x00000050: 4d 00 69 00 67 00 72 00 61 00 74 00 69 00 6f 00 M.i.g.r.a.t.i.o. +0x00000060: 6e 00 00 00 18 00 00 00 n....... + +2009-11-19 16:55:28 | 2009-11-19 16:55:28 | 2009-11-19 16:54:00 | |Desktop\Users\{1777f761-68ad-4d8a-87bd-30b759fa33dd}\Pharos\Database Migration + +0x00000000: 5a 00 31 00 00 00 00 00 2c 39 35 8c 10 00 4d 53 Z.1.....,95...MS +0x00000010: 4e 57 45 42 7e 31 00 00 42 00 07 00 04 00 ef be NWEB~1..B....... +0x00000020: 2c 39 35 8c 2c 39 35 8c 26 00 00 00 17 73 00 00 ,95.,95.&....s.. +0x00000030: 00 00 06 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 53 00 4e 00 20 00 57 00 65 00 62 00 73 00 69 00 S.N. .W.e.b.s.i. +0x00000050: 74 00 65 00 73 00 00 00 18 00 00 00 t.e.s....... 
+ +2008-09-12 17:33:42 | 2008-09-12 17:33:42 | 2008-09-12 17:33:42 | |Desktop\Users\{1777f761-68ad-4d8a-87bd-30b759fa33dd}\MSN Websites + +0x00000000: 5a 00 31 00 00 00 00 00 2c 39 35 8c 10 00 57 49 Z.1.....,95...WI +0x00000010: 4e 44 4f 57 7e 31 00 00 42 00 07 00 04 00 ef be NDOW~1..B....... +0x00000020: 2c 39 35 8c 2c 39 35 8c 26 00 00 00 64 73 00 00 ,95.,95.&...ds.. +0x00000030: 00 00 03 00 00 00 00 00 00 00 00 00 00 00 57 00 ..............W. +0x00000040: 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 4c 00 i.n.d.o.w.s. .L. +0x00000050: 69 00 76 00 65 00 00 00 18 00 00 00 i.v.e....... + +2008-09-12 17:33:42 | 2008-09-12 17:33:42 | 2008-09-12 17:33:42 | |Desktop\Users\{1777f761-68ad-4d8a-87bd-30b759fa33dd}\Windows Live + +0x00000000: 74 00 74 00 1a 00 43 46 53 46 14 00 31 00 00 00 t.t...CFSF..1... +0x00000010: 00 00 65 39 d5 88 10 00 57 65 62 45 78 00 00 00 ..e9....WebEx... +0x00000020: 74 1a 59 5e 96 df d3 48 8d 67 17 33 bc ee 28 ba t.Y^...H.g.3..(. +0x00000030: c5 cd fa df 9f 67 56 41 89 47 c5 c7 6b c0 b6 7f .....gVA.G..k... +0x00000040: 34 00 07 00 04 00 ef be 65 39 d5 88 65 39 d5 88 4.......e9..e9.. +0x00000050: 26 00 00 00 44 04 01 00 00 00 03 00 00 00 00 00 &...D........... +0x00000060: 00 00 00 00 00 00 57 00 65 00 62 00 45 00 78 00 ......W.e.b.E.x. +0x00000070: 00 00 40 00 00 00 ..@... + +2008-11-05 17:06:42 | 2008-11-05 17:06:42 | 2008-11-05 17:06:42 | |Desktop\Users\e9Ո& + +0x00000000: 7a 00 74 00 1c 00 43 46 53 46 16 00 31 00 00 00 z.t...CFSF..1... +0x00000010: 00 00 00 00 00 00 10 00 41 70 70 44 61 74 61 00 ........AppData. +0x00000020: 00 00 74 1a 59 5e 96 df d3 48 8d 67 17 33 bc ee ..t.Y^...H.g.3.. +0x00000030: 28 ba c5 cd fa df 9f 67 56 41 89 47 c5 c7 6b c0 (......gVA.G..k. +0x00000040: b6 7f 38 00 07 00 04 00 ef be 00 00 00 00 00 00 ..8............. +0x00000050: 00 00 26 00 00 00 00 00 00 00 00 00 00 00 00 00 ..&............. +0x00000060: 00 00 00 00 00 00 00 00 41 00 70 00 70 00 44 00 ........A.p.p.D. 
+0x00000070: 61 00 74 00 61 00 00 00 42 00 00 00 a.t.a...B... + + | | | |Desktop\Users\AppData + +0x00000000: 4e 00 31 00 00 00 00 00 00 00 00 00 10 00 52 6f N.1...........Ro +0x00000010: 61 6d 69 6e 67 00 38 00 07 00 04 00 ef be 00 00 aming.8......... +0x00000020: 00 00 00 00 00 00 26 00 00 00 00 00 00 00 00 00 ......&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 52 00 6f 00 ............R.o. +0x00000040: 61 00 6d 00 69 00 6e 00 67 00 00 00 16 00 00 00 a.m.i.n.g....... + + | | | |Desktop\Users\AppData\Roaming + +0x00000000: 54 00 31 00 00 00 00 00 00 00 00 00 10 00 4d 69 T.1...........Mi +0x00000010: 63 72 6f 73 6f 66 74 00 3c 00 07 00 04 00 ef be crosoft.<....... +0x00000020: 00 00 00 00 00 00 00 00 26 00 00 00 00 00 00 00 ........&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4d 00 ..............M. +0x00000040: 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 i.c.r.o.s.o.f.t. +0x00000050: 00 00 18 00 00 00 ...... + + | | | |Desktop\Users\AppData\Roaming\Microsoft + +0x00000000: 4e 00 31 00 00 00 00 00 00 00 00 00 10 00 57 69 N.1...........Wi +0x00000010: 6e 64 6f 77 73 00 38 00 07 00 04 00 ef be 00 00 ndows.8......... +0x00000020: 00 00 00 00 00 00 26 00 00 00 00 00 00 00 00 00 ......&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 ............W.i. +0x00000040: 6e 00 64 00 6f 00 77 00 73 00 00 00 16 00 00 00 n.d.o.w.s....... + + | | | |Desktop\Users\AppData\Roaming\Microsoft\Windows + +0x00000000: 58 00 31 00 00 00 00 00 00 00 00 00 10 00 53 74 X.1...........St +0x00000010: 61 72 74 20 4d 65 6e 75 00 00 3e 00 07 00 04 00 art Menu..>..... +0x00000020: ef be 00 00 00 00 00 00 00 00 26 00 00 00 00 00 ..........&..... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 53 00 74 00 61 00 72 00 74 00 20 00 4d 00 65 00 S.t.a.r.t. .M.e. +0x00000050: 6e 00 75 00 00 00 1a 00 00 00 n.u....... 
+ + | | | |Desktop\Users\AppData\Roaming\Microsoft\Windows\Start Menu + +0x00000000: 52 00 31 00 00 00 00 00 00 00 00 00 10 00 50 72 R.1...........Pr +0x00000010: 6f 67 72 61 6d 73 00 00 3a 00 07 00 04 00 ef be ograms..:....... +0x00000020: 00 00 00 00 00 00 00 00 26 00 00 00 00 00 00 00 ........&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 ..............P. +0x00000040: 72 00 6f 00 67 00 72 00 61 00 6d 00 73 00 00 00 r.o.g.r.a.m.s... +0x00000050: 18 00 00 00 .... + + | | | |Desktop\Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs + +0x00000000: 92 00 31 00 00 00 00 00 2c 39 34 8c 11 00 41 44 ..1.....,94...AD +0x00000010: 4d 49 4e 49 7e 31 00 00 7a 00 07 00 04 00 ef be MINI~1..z....... +0x00000020: 2c 39 34 8c 2c 39 34 8c 26 00 00 00 69 3d 00 00 ,94.,94.&...i=.. +0x00000030: 00 00 04 00 00 00 00 00 00 00 00 00 50 00 41 00 ............P.A. +0x00000040: 64 00 6d 00 69 00 6e 00 69 00 73 00 74 00 72 00 d.m.i.n.i.s.t.r. +0x00000050: 61 00 74 00 69 00 76 00 65 00 20 00 54 00 6f 00 a.t.i.v.e. .T.o. +0x00000060: 6f 00 6c 00 73 00 00 00 40 00 73 00 68 00 65 00 o.l.s...@.s.h.e. +0x00000070: 6c 00 6c 00 33 00 32 00 2e 00 64 00 6c 00 6c 00 l.l.3.2...d.l.l. +0x00000080: 2c 00 2d 00 32 00 31 00 37 00 36 00 32 00 00 00 ,.-.2.1.7.6.2... +0x00000090: 18 00 00 00 .... + +2008-09-12 17:33:40 | 2008-09-12 17:33:40 | 2008-09-12 17:33:40 | |Desktop\Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools + +0x00000000: 4c 00 31 00 00 00 00 00 00 00 00 00 10 00 57 69 L.1...........Wi +0x00000010: 6e 52 41 52 00 00 36 00 07 00 04 00 ef be 00 00 nRAR..6......... +0x00000020: 00 00 00 00 00 00 26 00 00 00 00 00 00 00 00 00 ......&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 ............W.i. +0x00000040: 6e 00 52 00 41 00 52 00 00 00 16 00 00 00 n.R.A.R....... 
+ + | | | |Desktop\Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR + +0x00000000: 48 00 31 00 00 00 00 00 00 00 00 00 10 00 4c 6f H.1...........Lo +0x00000010: 63 61 6c 00 34 00 07 00 04 00 ef be 00 00 00 00 cal.4........... +0x00000020: 00 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 ....&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 4c 00 6f 00 63 00 ..........L.o.c. +0x00000040: 61 00 6c 00 00 00 14 00 00 00 a.l....... + + | | | |Desktop\Users\AppData\Local + +0x00000000: 46 00 31 00 00 00 00 00 00 00 00 00 10 00 54 65 F.1...........Te +0x00000010: 6d 70 00 00 32 00 07 00 04 00 ef be 00 00 00 00 mp..2........... +0x00000020: 00 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 ....&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 54 00 65 00 6d 00 ..........T.e.m. +0x00000040: 70 00 00 00 14 00 00 00 p....... + + | | | |Desktop\Users\AppData\Local\Temp + +0x00000000: 5a 00 31 00 00 00 00 00 00 00 00 00 10 00 6e 6f Z.1...........no +0x00000010: 74 65 73 36 30 33 30 43 38 00 40 00 07 00 04 00 tes6030C8.@..... +0x00000020: ef be 00 00 00 00 00 00 00 00 26 00 00 00 00 00 ..........&..... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 6e 00 6f 00 74 00 65 00 73 00 36 00 30 00 33 00 n.o.t.e.s.6.0.3. +0x00000050: 30 00 43 00 38 00 00 00 1a 00 00 00 0.C.8....... + + | | | |Desktop\Users\AppData\Local\Temp\notes6030C8 + +0x00000000: 5a 00 32 00 00 00 00 00 00 00 00 00 20 20 49 6e Z.2......... In +0x00000010: 66 6f 55 43 4d 2e 7a 69 70 00 40 00 07 00 04 00 foUCM.zip.@..... +0x00000020: ef be 00 00 00 00 00 00 00 00 26 00 00 00 00 00 ..........&..... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 49 00 6e 00 66 00 6f 00 55 00 43 00 4d 00 2e 00 I.n.f.o.U.C.M... +0x00000050: 7a 00 69 00 70 00 00 00 1a 00 00 00 z.i.p....... 
+ + | | | |Desktop\Users\AppData\Local\Temp\notes6030C8\InfoUCM.zip + | | | |Desktop\Users\AppData\Local\Temp\notes6030C8\InfoUCM.zip\InfoUCM + +0x00000000: 5a 00 32 00 00 00 00 00 00 00 00 00 20 20 69 64 Z.2......... id +0x00000010: 6d 75 6e 69 74 2e 7a 69 70 00 40 00 07 00 04 00 munit.zip.@..... +0x00000020: ef be 00 00 00 00 00 00 00 00 26 00 00 00 00 00 ..........&..... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000040: 69 00 64 00 6d 00 75 00 6e 00 69 00 74 00 2e 00 i.d.m.u.n.i.t... +0x00000050: 7a 00 69 00 70 00 00 00 1a 00 00 00 z.i.p....... + + | | | |Desktop\Users\AppData\Local\Temp\notes6030C8\idmunit.zip + | | | |Desktop\Users\AppData\Local\Temp\notes6030C8\idmunit.zip\idmunit + | | | |Desktop\Users\Pictures + +0x00000000: 94 00 74 00 1e 00 43 46 53 46 18 00 31 00 00 00 ..t...CFSF..1... +0x00000010: 00 00 72 3b 4d 9b 10 00 53 41 4d 45 54 49 7e 31 ..r;M...SAMETI~1 +0x00000020: 00 00 00 00 74 1a 59 5e 96 df d3 48 8d 67 17 33 ....t.Y^...H.g.3 +0x00000030: bc ee 28 ba c5 cd fa df 9f 67 56 41 89 47 c5 c7 ..(......gVA.G.. +0x00000040: 6b c0 b6 7f 50 00 07 00 04 00 ef be 72 3b 4d 9b k...P.......r;M. +0x00000050: 72 3b 4d 9b 26 00 00 00 67 72 00 00 00 00 4e 00 r;M.&...gr....N. +0x00000060: 00 00 00 00 00 00 00 00 00 00 53 00 61 00 6d 00 ..........S.a.m. +0x00000070: 65 00 74 00 69 00 6d 00 65 00 54 00 72 00 61 00 e.t.i.m.e.T.r.a. +0x00000080: 6e 00 73 00 63 00 72 00 69 00 70 00 74 00 73 00 n.s.c.r.i.p.t.s. +0x00000090: 00 00 44 00 00 00 ..D... + +2009-11-18 19:26:26 | 2009-11-18 19:26:26 | 2009-11-18 19:26:26 | |Desktop\Users\r;M›& + +0x00000000: 76 00 74 00 1c 00 43 46 53 46 16 00 31 00 00 00 v.t...CFSF..1... +0x00000010: 00 00 64 3b 08 aa 10 00 53 50 53 53 7e 31 00 00 ..d;....SPSS~1.. +0x00000020: 00 00 74 1a 59 5e 96 df d3 48 8d 67 17 33 bc ee ..t.Y^...H.g.3.. +0x00000030: 28 ba c5 cd fa df 9f 67 56 41 89 47 c5 c7 6b c0 (......gVA.G..k. 
+0x00000040: b6 7f 34 00 07 00 04 00 ef be 64 3b 08 aa 64 3b ..4.......d;..d; +0x00000050: 08 aa 26 00 00 00 ed 9b 01 00 00 00 87 00 00 00 ..&............. +0x00000060: 00 00 00 00 00 00 00 00 2e 00 73 00 70 00 73 00 ..........s.p.s. +0x00000070: 73 00 00 00 42 00 00 00 s...B... + +2009-11-04 21:16:16 | 2009-11-04 21:16:16 | 2009-11-04 21:16:16 | |Desktop\Users\d;ª& + | | | |Desktop\Users\Music + +0x00000000: 4c 00 31 00 00 00 00 00 ee 3c 69 7d 10 00 69 54 L.1.............y<.. +0x00000050: 79 3c da 98 26 00 00 00 c2 01 02 00 00 00 34 00 y<..&.........4. +0x00000060: 00 00 00 00 00 00 00 00 00 00 53 00 61 00 76 00 ..........S.a.v. +0x00000070: 65 00 64 00 43 00 68 00 61 00 74 00 73 00 00 00 e.d.C.h.a.t.s... +0x00000080: 44 00 00 00 D... + +2010-03-25 19:06:52 | 2010-03-25 19:06:52 | 2010-03-25 19:06:52 | |Desktop\Users\y<ژ& + +0x00000000: 5e 00 32 00 44 6a 00 00 67 39 40 9a 80 00 54 65 ^.2.Dj..g9@...Te +0x00000010: 72 6d 53 65 72 76 2e 7a 69 70 00 00 42 00 07 00 rmServ.zip..B... +0x00000020: 04 00 ef be 67 39 40 9a 67 39 40 9a 26 00 00 00 ....g9@.g9@.&... +0x00000030: 23 02 01 00 00 00 0e 00 00 00 00 00 00 00 00 00 #............... +0x00000040: 00 00 54 00 65 00 72 00 6d 00 53 00 65 00 72 00 ..T.e.r.m.S.e.r. +0x00000050: 76 00 2e 00 7a 00 69 00 70 00 00 00 1c 00 00 00 v...z.i.p....... + +2008-11-07 19:18:00 | 2008-11-07 19:18:00 | 2008-11-07 19:18:00 | |Desktop\TermServ.zip [27204] + +0x00000000: 52 00 31 00 00 00 00 00 67 39 94 9a 10 00 54 65 R.1.....g9....Te +0x00000010: 72 6d 53 65 72 76 00 00 3a 00 07 00 04 00 ef be rmServ..:....... +0x00000020: 67 39 94 9a 67 39 94 9a 26 00 00 00 05 05 01 00 g9..g9..&....... +0x00000030: 00 00 1a 00 00 00 00 00 00 00 00 00 00 00 54 00 ..............T. +0x00000040: 65 00 72 00 6d 00 53 00 65 00 72 00 76 00 00 00 e.r.m.S.e.r.v... +0x00000050: 18 00 00 00 .... 
+ +2008-11-07 19:20:40 | 2008-11-07 19:20:40 | 2008-11-07 19:20:40 | |Desktop\TermServ + | | | |Desktop\Control Panel + | | | |Desktop\Control Panel\Ease of Access Center + | | | |Desktop\Control Panel\Printers + | | | |Desktop\Control Panel\Getting Started + | | | |Desktop\Control Panel\Programs and Features + | | | |Desktop\Control Panel\{7007acc7-3202-11d1-aad2-00805fc1270e} + | | | |Desktop\Control Panel\Network and Sharing Center + | | | |Desktop\Control Panel\System + | | | |Desktop\Control Panel\Windows Update + | | | |Desktop\Control Panel\Windows Update\View available updates + | | | |Desktop\Control Panel\Windows Update\View update history + | | | |Desktop\Control Panel\Windows Update\Change settings + | | | |Desktop\Control Panel\User Accounts + | | | |Desktop\Control Panel\User Accounts\Turn User Account Control On or Off + | | | |Desktop\Control Panel\Windows Anytime Upgrade + | | | |Desktop\Control Panel\Performance Information and Tools + | | | |Desktop\Control Panel\Administrative Tools + | | | |Desktop\Control Panel\Personalization + | | | |Desktop\Control Panel\Personalization\Desktop Background + | | | |Desktop\My Games + | | | |Desktop\Explorer + +0x00000000: 5a 00 32 00 2f c5 5d 00 64 3a 4e a3 20 00 49 6e Z.2./.].d:N. .In +0x00000010: 66 6f 55 43 4d 2e 7a 69 70 00 40 00 07 00 04 00 foUCM.zip.@..... +0x00000020: ef be 64 3a 4e a3 64 3a 37 a5 26 00 00 00 1d 93 ..d:N.d:7.&..... +0x00000030: 00 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 ....6........... +0x00000040: 49 00 6e 00 66 00 6f 00 55 00 43 00 4d 00 2e 00 I.n.f.o.U.C.M... +0x00000050: 7a 00 69 00 70 00 00 00 1a 00 00 00 z.i.p....... + +2009-03-04 20:26:28 | 2009-03-04 20:41:46 | 2009-03-04 20:26:28 | |Desktop\InfoUCM.zip [6145327] + | | | |Desktop\InfoUCM.zip\InfoUCM + | | | |Desktop\Recycle Bin + +0x00000000: 54 00 32 00 00 00 00 00 00 00 00 00 20 00 75 67 T.2......... .ug +0x00000010: 5f 65 6e 2e 7a 69 70 00 3c 00 07 00 04 00 ef be _en.zip.<....... 
+0x00000020: 00 00 00 00 00 00 00 00 26 00 00 00 00 00 00 00 ........&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 75 00 ..............u. +0x00000040: 67 00 5f 00 65 00 6e 00 2e 00 7a 00 69 00 70 00 g._.e.n...z.i.p. +0x00000050: 00 00 18 00 00 00 ...... + + | | | |Desktop\ug_en.zip + +0x00000000: 48 00 31 00 00 00 00 00 00 00 00 00 10 00 75 67 H.1...........ug +0x00000010: 5f 65 6e 00 34 00 07 00 04 00 ef be 00 00 00 00 _en.4........... +0x00000020: 00 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 ....&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 75 00 67 00 5f 00 ..........u.g._. +0x00000040: 65 00 6e 00 00 00 14 00 00 00 e.n....... + + | | | |Desktop\ug_en + | | | |Desktop\My Network Places + | | | |Desktop\My Network Places\\\sharepoint.american.edu\DavWWWRoot + +0x00000000: 48 00 31 00 00 00 00 00 48 2d cb 03 10 00 73 69 H.1.....H-....si +0x00000010: 74 65 73 00 34 00 07 00 04 00 ef be 48 2d bb 03 tes.4.......H-.. +0x00000020: 48 2d cb 03 26 00 00 00 00 00 00 00 00 00 00 00 H-..&........... +0x00000030: 00 00 00 00 00 00 00 00 00 00 73 00 69 00 74 00 ..........s.i.t. +0x00000040: 65 00 73 00 00 00 14 00 00 00 e.s....... + +2002-10-08 00:30:22 | 2002-10-08 00:30:22 | 2002-10-08 00:29:54 | |Desktop\My Network Places\\\sharepoint.american.edu\DavWWWRoot\sites + +0x00000000: 42 00 31 00 00 00 00 00 e1 3a e0 a8 10 00 73 65 B.1......:....se +0x00000010: 73 00 30 00 07 00 04 00 ef be c8 3a 02 9a e1 3a s.0........:...: +0x00000020: e0 a8 26 00 00 00 00 00 00 00 00 00 00 00 00 00 ..&............. +0x00000030: 00 00 00 00 00 00 00 00 73 00 65 00 73 00 00 00 ........s.e.s... +0x00000040: 12 00 00 00 .... + +2009-07-01 21:07:00 | 2009-07-01 21:07:00 | 2009-06-08 19:16:04 | |Desktop\My Network Places\\\sharepoint.american.edu\DavWWWRoot\sites\ses + +0x00000000: 6a 00 31 00 00 00 00 00 f0 3a 9d 7c 10 00 54 72 j.1......:.|..Tr +0x00000010: 61 69 6e 69 6e 67 20 4d 61 74 65 72 61 6c 00 00 aining Materal.. 
+0x00000020: 4a 00 07 00 04 00 ef be d7 3a 7c 65 f0 3a 9d 7c J........:|e.:.| +0x00000030: 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 &............... +0x00000040: 00 00 00 00 00 00 54 00 72 00 61 00 69 00 6e 00 ......T.r.a.i.n. +0x00000050: 69 00 6e 00 67 00 20 00 4d 00 61 00 74 00 65 00 i.n.g. .M.a.t.e. +0x00000060: 72 00 61 00 6c 00 00 00 20 00 00 00 r.a.l... ... + +2009-07-16 15:36:58 | 2009-07-16 15:36:58 | 2009-06-23 12:43:56 | |Desktop\My Network Places\\\sharepoint.american.edu\DavWWWRoot\sites\ses\Training Materal + | | | |Desktop\My Network Places\\\mysite.american.edu\DavWWWRoot + +0x00000000: 52 00 31 00 00 00 00 00 00 00 00 00 10 00 70 65 R.1...........pe +0x00000010: 72 73 6f 6e 61 6c 00 00 3a 00 07 00 04 00 ef be rsonal..:....... +0x00000020: 00 00 00 00 00 00 00 00 26 00 00 00 00 00 00 00 ........&....... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 ..............p. +0x00000040: 65 00 72 00 73 00 6f 00 6e 00 61 00 6c 00 00 00 e.r.s.o.n.a.l... +0x00000050: 18 00 00 00 .... + + | | | |Desktop\My Network Places\\\mysite.american.edu\DavWWWRoot\personal + +0x00000000: 4c 00 31 00 00 00 00 00 00 00 00 00 10 00 6e 67 L.1...........ng +0x00000010: 75 79 65 6e 00 00 36 00 07 00 04 00 ef be 00 00 uyen..6......... +0x00000020: 00 00 00 00 00 00 26 00 00 00 00 00 00 00 00 00 ......&......... +0x00000030: 00 00 00 00 00 00 00 00 00 00 00 00 6e 00 67 00 ............n.g. +0x00000040: 75 00 79 00 65 00 6e 00 00 00 16 00 00 00 u.y.e.n....... + + | | | |Desktop\My Network Places\\\mysite.american.edu\DavWWWRoot\personal\nguyen + +0x00000000: 70 00 31 00 00 00 00 00 79 3b 76 a3 10 00 50 65 p.1.....y;v...Pe +0x00000010: 72 73 6f 6e 61 6c 20 44 6f 63 75 6d 65 6e 74 73 rsonal Documents +0x00000020: 00 00 4e 00 07 00 04 00 ef be 79 3b 76 a3 79 3b ..N.......y;v.y; +0x00000030: 76 a3 26 00 00 00 00 00 00 00 00 00 00 00 00 00 v.&............. +0x00000040: 00 00 00 00 00 00 00 00 50 00 65 00 72 00 73 00 ........P.e.r.s. 
+0x00000050: 6f 00 6e 00 61 00 6c 00 20 00 44 00 6f 00 63 00 o.n.a.l. .D.o.c. +0x00000060: 75 00 6d 00 65 00 6e 00 74 00 73 00 00 00 22 00 u.m.e.n.t.s...". +0x00000070: 00 00 .. + +2009-11-25 20:27:44 | 2009-11-25 20:27:44 | 2009-11-25 20:27:44 | |Desktop\My Network Places\\\mysite.american.edu\DavWWWRoot\personal\nguyen\Personal Documents + +0x00000000: 56 00 31 00 00 00 00 00 3e 3b 02 9d 10 00 4e 45 V.1.....>;....NE +0x00000010: 57 46 4f 4c 7e 31 00 00 3e 00 07 00 04 00 ef be WFOL~1..>....... +0x00000020: 3e 3b 02 9d 3e 3b 02 9d 26 00 00 00 84 8a 01 00 >;..>;..&....... +0x00000030: 00 00 22 00 00 00 00 00 00 00 00 00 00 00 4e 00 .."...........N. +0x00000040: 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 e.w. .F.o.l.d.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... + +2009-09-30 19:40:04 | 2009-09-30 19:40:04 | 2009-09-30 19:40:04 | |Desktop\New Folder + +0x00000000: 42 00 31 00 00 00 00 00 3e 3b 02 9d 10 00 49 44 B.1.....>;....ID +0x00000010: 4d 00 30 00 07 00 04 00 ef be 3e 3b 02 9d 3e 3b M.0.......>;..>; +0x00000020: 02 9d 26 00 00 00 84 8a 01 00 00 00 22 00 00 00 ..&........."... +0x00000030: 00 00 00 00 00 00 00 00 49 00 44 00 4d 00 00 00 ........I.D.M... +0x00000040: 12 00 00 00 .... + +2009-09-30 19:40:04 | 2009-09-30 19:40:04 | 2009-09-30 19:40:04 | |Desktop\IDM + | | | |Desktop\Explorer + | | | |Desktop\My Games + +0x00000000: a0 00 32 00 00 00 00 00 00 00 00 00 20 00 42 75 ..2......... .Bu +0x00000010: 69 6c 64 69 6e 67 20 50 72 69 6e 74 65 72 20 4c ilding Printer L +0x00000020: 69 73 74 20 54 45 4d 50 4c 41 54 45 2e 7a 69 70 ist TEMPLATE.zip +0x00000030: 00 00 6e 00 07 00 04 00 ef be 00 00 00 00 00 00 ..n............. +0x00000040: 00 00 26 00 00 00 00 00 00 00 00 00 00 00 00 00 ..&............. +0x00000050: 00 00 00 00 00 00 00 00 42 00 75 00 69 00 6c 00 ........B.u.i.l. +0x00000060: 64 00 69 00 6e 00 67 00 20 00 50 00 72 00 69 00 d.i.n.g. .P.r.i. +0x00000070: 6e 00 74 00 65 00 72 00 20 00 4c 00 69 00 73 00 n.t.e.r. .L.i.s. 
+0x00000080: 74 00 20 00 54 00 45 00 4d 00 50 00 4c 00 41 00 t. .T.E.M.P.L.A. +0x00000090: 54 00 45 00 2e 00 7a 00 69 00 70 00 00 00 32 00 T.E...z.i.p...2. +0x000000a0: 00 00 .. + + | | | |Desktop\Building Printer List TEMPLATE.zip + | | | |Desktop\Building Printer List TEMPLATE.zip\xl + | | | |Desktop\Building Printer List TEMPLATE.zip\xl\printerSettings\xl + +0x00000000: 96 00 32 00 00 00 00 00 00 00 00 00 20 00 48 75 ..2......... .Hu +0x00000010: 72 73 74 20 76 65 72 69 66 69 65 64 20 70 72 69 rst verified pri +0x00000020: 6e 74 65 72 20 6c 69 73 74 2e 7a 69 70 00 68 00 nter list.zip.h. +0x00000030: 07 00 04 00 ef be 00 00 00 00 00 00 00 00 26 00 ..............&. +0x00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000050: 00 00 00 00 48 00 75 00 72 00 73 00 74 00 20 00 ....H.u.r.s.t. . +0x00000060: 76 00 65 00 72 00 69 00 66 00 69 00 65 00 64 00 v.e.r.i.f.i.e.d. +0x00000070: 20 00 70 00 72 00 69 00 6e 00 74 00 65 00 72 00 .p.r.i.n.t.e.r. +0x00000080: 20 00 6c 00 69 00 73 00 74 00 2e 00 7a 00 69 00 .l.i.s.t...z.i. +0x00000090: 70 00 00 00 2e 00 00 00 p....... + + | | | |Desktop\Hurst verified printer list.zip + | | | |Desktop\Hurst verified printer list.zip\docProps + | | | |Desktop\Hurst verified printer list.zip\xl + | | | |Desktop\Hurst verified printer list.zip\xl\worksheets\xl + | | | |Desktop\Explorer + | | | |Desktop\Explorer + | | | |Desktop\Explorer + | | | |Desktop\Explorer + +0x00000000: 46 00 31 00 00 00 00 00 5a 3b 00 a3 10 00 53 46 F.1.....Z;....SF +0x00000010: 54 50 00 00 32 00 07 00 04 00 ef be 5a 3b 00 a3 TP..2.......Z;.. +0x00000020: 5a 3b 00 a3 26 00 00 00 6b 81 01 00 00 00 35 00 Z;..&...k.....5. +0x00000030: 00 00 00 00 00 00 00 00 00 00 53 00 46 00 54 00 ..........S.F.T. +0x00000040: 50 00 00 00 14 00 00 00 P....... 
+ +2009-10-26 20:24:00 | 2009-10-26 20:24:00 | 2009-10-26 20:24:00 | |Desktop\SFTP + | | | |Desktop\Explorer + | | | |Desktop\Explorer + +0x00000000: 8e 00 32 00 00 00 00 00 00 00 00 00 20 00 57 65 ..2......... .We +0x00000010: 62 43 6f 6d 70 6f 6e 65 6e 74 55 70 64 61 74 65 bComponentUpdate +0x00000020: 30 39 31 31 30 37 2e 7a 69 70 00 00 62 00 07 00 091107.zip..b... +0x00000030: 04 00 ef be 00 00 00 00 00 00 00 00 26 00 00 00 ............&... +0x00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +0x00000050: 00 00 57 00 65 00 62 00 43 00 6f 00 6d 00 70 00 ..W.e.b.C.o.m.p. +0x00000060: 6f 00 6e 00 65 00 6e 00 74 00 55 00 70 00 64 00 o.n.e.n.t.U.p.d. +0x00000070: 61 00 74 00 65 00 30 00 39 00 31 00 31 00 30 00 a.t.e.0.9.1.1.0. +0x00000080: 37 00 2e 00 7a 00 69 00 70 00 00 00 2c 00 00 00 7...z.i.p...,... + + | | | |Desktop\WebComponentUpdate091107.zip + +0x00000000: 56 00 31 00 00 00 00 00 87 3b b2 90 10 00 54 45 V.1......;....TE +0x00000010: 43 48 56 49 7e 31 00 00 3e 00 07 00 04 00 ef be CHVI~1..>....... +0x00000020: 87 3b b2 90 87 3b b2 90 26 00 00 00 16 3d 01 00 .;...;..&....=.. +0x00000030: 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 54 00 ..:...........T. +0x00000040: 65 00 63 00 68 00 20 00 56 00 69 00 64 00 65 00 e.c.h. .V.i.d.e. +0x00000050: 6f 00 00 00 18 00 00 00 o....... + +2009-12-07 18:05:36 | 2009-12-07 18:05:36 | 2009-12-07 18:05:36 | |Desktop\Tech Video + +0x00000000: 5a 00 31 00 00 00 00 00 87 3b b6 90 10 00 47 52 Z.1......;....GR +0x00000010: 4f 55 50 50 7e 31 00 00 42 00 07 00 04 00 ef be OUPP~1..B....... +0x00000020: 87 3b b6 90 87 3b b6 90 26 00 00 00 12 c9 01 00 .;...;..&....... +0x00000030: 00 00 1f 00 00 00 00 00 00 00 00 00 00 00 47 00 ..............G. +0x00000040: 72 00 6f 00 75 00 70 00 20 00 50 00 6f 00 6c 00 r.o.u.p. .P.o.l. +0x00000050: 69 00 63 00 79 00 00 00 18 00 00 00 i.c.y....... 
+ +2009-12-07 18:05:44 | 2009-12-07 18:05:44 | 2009-12-07 18:05:44 | |Desktop\Tech Video\Group Policy + +0x00000000: 74 00 31 00 00 00 00 00 87 3b c1 90 10 00 43 48 t.1......;....CH +0x00000010: 41 4e 47 45 7e 31 00 00 5c 00 07 00 04 00 ef be ANGE~1..\....... +0x00000020: 87 3b c1 90 87 3b c1 90 26 00 00 00 7a ca 01 00 .;...;..&...z... +0x00000030: 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 43 00 ..............C. +0x00000040: 68 00 61 00 6e 00 67 00 65 00 20 00 44 00 65 00 h.a.n.g.e. .D.e. +0x00000050: 66 00 61 00 75 00 6c 00 74 00 20 00 50 00 57 00 f.a.u.l.t. .P.W. +0x00000060: 44 00 20 00 50 00 6f 00 6c 00 69 00 63 00 79 00 D. .P.o.l.i.c.y. +0x00000070: 00 00 18 00 00 00 ...... + +2009-12-07 18:06:02 | 2009-12-07 18:06:02 | 2009-12-07 18:06:02 | |Desktop\Tech Video\Group Policy\Change Default PWD Policy + +0x00000000: 42 00 31 00 00 00 00 00 87 3b e8 96 10 00 49 44 B.1......;....ID +0x00000010: 4d 00 30 00 07 00 04 00 ef be 3e 3b 02 9d 87 3b M.0.......>;...; +0x00000020: e8 96 26 00 00 00 84 8a 01 00 00 00 22 00 00 00 ..&........."... +0x00000030: 00 00 00 00 00 00 00 00 49 00 44 00 4d 00 00 00 ........I.D.M... +0x00000040: 12 00 00 00 .... + +2009-12-07 18:55:16 | 2009-12-07 18:55:16 | 2009-09-30 19:40:04 | |Desktop\Tech Video\IDM + +0x00000000: 56 00 31 00 00 00 00 00 02 3f 53 82 10 00 4e 45 V.1......?S...NE +0x00000010: 57 46 4f 4c 7e 31 00 00 3e 00 07 00 04 00 ef be WFOL~1..>....... +0x00000020: 02 3f 53 82 02 3f 53 82 26 00 00 00 da f2 02 00 .?S..?S.&....... +0x00000030: 00 00 2b 01 00 00 00 00 00 00 00 00 00 00 4e 00 ..+...........N. +0x00000040: 65 00 77 00 20 00 46 00 6f 00 6c 00 64 00 65 00 e.w. .F.o.l.d.e. +0x00000050: 72 00 00 00 18 00 00 00 r....... + +2011-08-02 16:18:38 | 2011-08-02 16:18:38 | 2011-08-02 16:18:38 | |Desktop\Tech Video\New Folder + +0x00000000: 48 00 31 00 00 00 00 00 02 3f 53 82 10 00 56 69 H.1......?S...Vi +0x00000010: 64 65 6f 00 34 00 07 00 04 00 ef be 02 3f 53 82 deo.4........?S. 
+0x00000020: 02 3f 53 82 26 00 00 00 da f2 02 00 00 00 2b 01 .?S.&.........+. +0x00000030: 00 00 00 00 00 00 00 00 00 00 56 00 69 00 64 00 ..........V.i.d. +0x00000040: 65 00 6f 00 00 00 14 00 00 00 e.o....... + +2011-08-02 16:18:38 | 2011-08-02 16:18:38 | 2011-08-02 16:18:38 | |Desktop\Tech Video\Video + +0x00000000: 54 00 31 00 00 00 00 00 02 3f c7 85 10 00 43 4f T.1......?....CO +0x00000010: 4d 4d 56 41 7e 31 00 00 3c 00 07 00 04 00 ef be MMVA~1..<....... +0x00000020: 02 3f 53 82 02 3f c7 85 26 00 00 00 da f2 02 00 .?S..?..&....... +0x00000030: 00 00 2b 01 00 00 00 00 00 00 00 00 00 00 43 00 ..+...........C. +0x00000040: 6f 00 6d 00 6d 00 76 00 61 00 75 00 6c 00 74 00 o.m.m.v.a.u.l.t. +0x00000050: 00 00 18 00 00 00 ...... + +2011-08-02 16:46:14 | 2011-08-02 16:46:14 | 2011-08-02 16:18:38 | |Desktop\Tech Video\Commvault + +0x00000000: 7a 00 31 00 00 00 00 00 02 3f c7 85 10 00 43 4f z.1......?....CO +0x00000010: 4d 56 41 55 7e 31 00 00 62 00 07 00 04 00 ef be MVAU~1..b....... +0x00000020: 02 3f 27 84 02 3f c7 85 26 00 00 00 29 92 02 00 .?'..?..&...)... +0x00000030: 00 00 c3 01 00 00 00 00 00 00 00 00 00 00 43 00 ..............C. +0x00000040: 6f 00 6d 00 76 00 61 00 75 00 6c 00 74 00 2d 00 o.m.v.a.u.l.t.-. +0x00000050: 50 00 68 00 79 00 73 00 69 00 63 00 61 00 6c 00 P.h.y.s.i.c.a.l. +0x00000060: 53 00 76 00 72 00 2d 00 49 00 6e 00 73 00 74 00 S.v.r.-.I.n.s.t. +0x00000070: 61 00 6c 00 6c 00 00 00 18 00 00 00 a.l.l....... + +2011-08-02 16:46:14 | 2011-08-02 16:46:14 | 2011-08-02 16:33:14 | |Desktop\Tech Video\Commvault\Comvault-PhysicalSvr-Install + +0x00000000: 84 00 31 00 00 00 00 00 02 3f bc 89 10 00 43 4f ..1......?....CO +0x00000010: 4d 56 41 55 7e 32 00 00 6c 00 07 00 04 00 ef be MVAU~2..l....... +0x00000020: 02 3f bc 89 02 3f bc 89 26 00 00 00 19 13 01 00 .?...?..&....... +0x00000030: 00 00 2a 00 00 00 00 00 00 00 00 00 00 00 43 00 ..*...........C. +0x00000040: 6f 00 6d 00 76 00 61 00 75 00 6c 00 74 00 2d 00 o.m.v.a.u.l.t.-. 
+0x00000050: 46 00 61 00 74 00 43 00 6c 00 69 00 65 00 6e 00 F.a.t.C.l.i.e.n. +0x00000060: 74 00 2d 00 43 00 6f 00 6e 00 66 00 69 00 67 00 t.-.C.o.n.f.i.g. +0x00000070: 2d 00 50 00 68 00 79 00 73 00 53 00 76 00 72 00 -.P.h.y.s.S.v.r. +0x00000080: 00 00 18 00 00 00 ...... + +2011-08-02 17:13:56 | 2011-08-02 17:13:56 | 2011-08-02 17:13:56 | |Desktop\Tech Video\Commvault\Comvault-FatClient-Config-PhysSvr + +0x00000000: 80 00 31 00 00 00 00 00 03 3f f9 9b 10 00 43 4f ..1......?....CO +0x00000010: 4d 56 41 55 7e 34 00 00 68 00 07 00 04 00 ef be MVAU~4..h....... +0x00000020: 03 3f 08 9b 03 3f f9 9b 26 00 00 00 b4 92 02 00 .?...?..&....... +0x00000030: 00 00 cf 00 00 00 00 00 00 00 00 00 00 00 43 00 ..............C. +0x00000040: 6f 00 6d 00 76 00 61 00 75 00 6c 00 74 00 2d 00 o.m.v.a.u.l.t.-. +0x00000050: 46 00 61 00 74 00 43 00 6c 00 69 00 65 00 6e 00 F.a.t.C.l.i.e.n. +0x00000060: 74 00 2d 00 53 00 65 00 74 00 75 00 70 00 50 00 t.-.S.e.t.u.p.P. +0x00000070: 68 00 79 00 73 00 53 00 76 00 72 00 00 00 18 00 h.y.s.S.v.r..... +0x00000080: 00 00 .. + +2011-08-03 19:31:50 | 2011-08-03 19:31:50 | 2011-08-03 19:24:16 | |Desktop\Tech Video\Commvault\Comvault-FatClient-SetupPhysSvr + +0x00000000: 76 00 31 00 00 00 00 00 02 3f 06 89 10 00 43 4f v.1......?....CO +0x00000010: 4d 56 41 55 7e 33 00 00 5e 00 07 00 04 00 ef be MVAU~3..^....... +0x00000020: 02 3f 4c 88 02 3f 06 89 26 00 00 00 0d 90 02 00 .?L..?..&....... +0x00000030: 00 00 20 02 00 00 00 00 00 00 00 00 00 00 43 00 .. ...........C. +0x00000040: 6f 00 6d 00 76 00 61 00 75 00 6c 00 74 00 2d 00 o.m.v.a.u.l.t.-. +0x00000050: 46 00 61 00 74 00 43 00 6c 00 69 00 65 00 6e 00 F.a.t.C.l.i.e.n. +0x00000060: 74 00 2d 00 49 00 6e 00 73 00 74 00 61 00 6c 00 t.-.I.n.s.t.a.l. +0x00000070: 6c 00 00 00 18 00 00 00 l....... 
+ +2011-08-02 17:08:12 | 2011-08-02 17:08:12 | 2011-08-02 17:02:24 | |Desktop\Tech Video\Commvault\Comvault-FatClient-Install + +0x00000000: 9a 00 31 00 00 00 00 00 02 3f 08 8b 10 00 43 4f ..1......?....CO +0x00000010: 4d 56 41 55 7e 32 00 00 82 00 07 00 04 00 ef be MVAU~2.......... +0x00000020: 02 3f bc 89 02 3f 08 8b 26 00 00 00 19 13 01 00 .?...?..&....... +0x00000030: 00 00 2a 00 00 00 00 00 00 00 00 00 00 00 43 00 ..*...........C. +0x00000040: 6f 00 6d 00 76 00 61 00 75 00 6c 00 74 00 2d 00 o.m.v.a.u.l.t.-. +0x00000050: 46 00 61 00 74 00 43 00 6c 00 69 00 65 00 6e 00 F.a.t.C.l.i.e.n. +0x00000060: 74 00 2d 00 43 00 6f 00 6e 00 66 00 69 00 67 00 t.-.C.o.n.f.i.g. +0x00000070: 2d 00 50 00 68 00 79 00 73 00 53 00 76 00 72 00 -.P.h.y.s.S.v.r. +0x00000080: 5f 00 4f 00 52 00 49 00 47 00 20 00 56 00 49 00 _.O.R.I.G. .V.I. +0x00000090: 44 00 45 00 4f 00 00 00 18 00 00 00 D.E.O....... + +2011-08-02 17:24:16 | 2011-08-02 17:24:16 | 2011-08-02 17:13:56 | |Desktop\Tech Video\Commvault\Comvault-FatClient-Config-PhysSvr_ORIG VIDEO + +0x00000000: 96 00 31 00 00 00 00 00 02 3f 08 8b 10 00 43 4f ..1......?....CO +0x00000010: 4d 56 41 55 7e 32 00 00 7e 00 07 00 04 00 ef be MVAU~2..~....... +0x00000020: 02 3f bc 89 02 3f 08 8b 26 00 00 00 19 13 01 00 .?...?..&....... +0x00000030: 00 00 2a 00 00 00 00 00 00 00 00 00 00 00 43 00 ..*...........C. +0x00000040: 6f 00 6d 00 76 00 61 00 75 00 6c 00 74 00 2d 00 o.m.v.a.u.l.t.-. +0x00000050: 46 00 61 00 74 00 43 00 6c 00 69 00 65 00 6e 00 F.a.t.C.l.i.e.n. +0x00000060: 74 00 2d 00 53 00 65 00 74 00 75 00 70 00 50 00 t.-.S.e.t.u.p.P. +0x00000070: 68 00 79 00 73 00 53 00 76 00 72 00 5f 00 4f 00 h.y.s.S.v.r._.O. +0x00000080: 52 00 49 00 47 00 20 00 56 00 49 00 44 00 45 00 R.I.G. .V.I.D.E. +0x00000090: 4f 00 00 00 18 00 00 00 O....... 
+ +2011-08-02 17:24:16 | 2011-08-02 17:24:16 | 2011-08-02 17:13:56 | |Desktop\Tech Video\Commvault\Comvault-FatClient-SetupPhysSvr_ORIG VIDEO + +0x00000000: 76 00 31 00 00 00 00 00 02 3f 06 89 10 00 43 4f v.1......?....CO +0x00000010: 4d 56 41 55 7e 31 00 00 5e 00 07 00 04 00 ef be MVAU~1..^....... +0x00000020: 02 3f 4c 88 02 3f 06 89 26 00 00 00 0d 90 02 00 .?L..?..&....... +0x00000030: 00 00 20 02 00 00 00 00 00 00 00 00 00 00 43 00 .. ...........C. +0x00000040: 6f 00 6d 00 76 00 61 00 75 00 6c 00 74 00 2d 00 o.m.v.a.u.l.t.-. +0x00000050: 46 00 61 00 74 00 43 00 6c 00 69 00 65 00 6e 00 F.a.t.C.l.i.e.n. +0x00000060: 74 00 2d 00 49 00 6e 00 73 00 74 00 61 00 6c 00 t.-.I.n.s.t.a.l. +0x00000070: 6c 00 00 00 18 00 00 00 l....... + +2011-08-02 17:08:12 | 2011-08-02 17:08:12 | 2011-08-02 17:02:24 | |Desktop\Tech Video\Comvault-FatClient-Install + +0x00000000: 68 00 31 00 00 00 00 00 90 3b f8 a1 10 00 49 44 h.1......;....ID +0x00000010: 4d 47 52 4f 7e 31 00 00 50 00 07 00 04 00 ef be MGRO~1..P....... +0x00000020: 90 3b f8 a1 90 3b f8 a1 26 00 00 00 24 f5 00 00 .;...;..&...$... +0x00000030: 00 00 a3 00 00 00 00 00 00 00 00 00 00 00 49 00 ..............I. +0x00000040: 44 00 4d 00 20 00 47 00 72 00 6f 00 75 00 70 00 D.M. .G.r.o.u.p. +0x00000050: 20 00 4d 00 69 00 67 00 72 00 61 00 74 00 69 00 .M.i.g.r.a.t.i. +0x00000060: 6f 00 6e 00 00 00 18 00 00 00 o.n....... + +2009-12-16 20:15:48 | 2009-12-16 20:15:48 | 2009-12-16 20:15:48 | |Desktop\IDM Group Migration + +0x00000000: 52 00 32 00 0e a1 0b 02 50 3c 3d 87 20 00 44 6f R.2.....P<=. .Do +0x00000010: 63 73 2e 7a 69 70 00 00 3a 00 07 00 04 00 ef be cs.zip..:....... +0x00000020: 50 3c 31 87 50 3c 3d 87 26 00 00 00 43 c9 01 00 P<1.P<=.&...C... +0x00000030: 00 00 5b 00 00 00 00 00 00 00 00 00 00 00 44 00 ..[...........D. +0x00000040: 6f 00 63 00 73 00 2e 00 7a 00 69 00 70 00 00 00 o.c.s...z.i.p... +0x00000050: 18 00 00 00 .... 
+ +2010-02-16 16:57:58 | 2010-02-16 16:57:58 | 2010-02-16 16:57:34 | |Desktop\Docs.zip [34316558] + +0x00000000: 4c 00 31 00 00 00 00 00 52 3c af ad 10 00 43 69 L.1.....R<....Ci +0x00000010: 73 70 72 6f 00 00 36 00 07 00 04 00 ef be 52 3c spro..6.......R< +0x00000020: ad ad 52 3c af ad 26 00 00 00 07 22 00 00 00 00 ..R<..&....".... +0x00000030: 93 00 00 00 00 00 00 00 00 00 00 00 43 00 69 00 ............C.i. +0x00000040: 73 00 70 00 72 00 6f 00 00 00 16 00 00 00 s.p.r.o....... + +2010-02-18 21:45:30 | 2010-02-18 21:45:30 | 2010-02-18 21:45:26 | |Desktop\Cispro + +0x00000000: 5e 00 31 00 00 00 00 00 5a 3c b3 8b 10 00 49 44 ^.1.....Z<....ID +0x00000010: 4d 45 4d 41 7e 31 00 00 46 00 07 00 04 00 ef be MEMA~1..F....... +0x00000020: 5a 3c b3 8b 5a 3c b3 8b 26 00 00 00 f8 ff 01 00 Z<..Z<..&....... +0x00000030: 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 49 00 ..l...........I. +0x00000040: 44 00 4d 00 20 00 45 00 6d 00 61 00 69 00 6c 00 D.M. .E.m.a.i.l. +0x00000050: 20 00 53 00 79 00 6e 00 63 00 00 00 18 00 00 00 .S.y.n.c....... + +2010-02-26 17:29:38 | 2010-02-26 17:29:38 | 2010-02-26 17:29:38 | |Desktop\IDM Email Sync + +0x00000000: 5e 00 31 00 00 00 00 00 68 3c 44 a6 10 00 49 44 ^.1.....h....... +0x00000020: 7f 3c e7 89 7f 3c e7 89 26 00 00 00 34 1b 02 00 .<...<..&...4... +0x00000030: 00 00 08 00 00 00 00 00 00 00 00 00 00 00 44 00 ..............D. +0x00000040: 65 00 6c 00 6c 00 20 00 51 00 75 00 6f 00 74 00 e.l.l. .Q.u.o.t. +0x00000050: 65 00 00 00 18 00 00 00 e....... + +2010-03-31 17:15:14 | 2010-03-31 17:15:14 | 2010-03-31 17:15:14 | |Desktop\Dell Quote + +0x00000000: 74 00 31 00 00 00 00 00 9e 3c 55 8b 10 00 41 44 t.1..........Fa +0x00000010: 63 4d 61 69 6e 74 00 00 3a 00 07 00 04 00 ef be cMaint..:....... +0x00000020: 2d 3e 05 85 2d 3e 05 85 26 00 00 00 9b 92 02 00 ->..->..&....... +0x00000030: 00 00 10 00 00 00 00 00 00 00 00 00 00 00 46 00 ..............F. +0x00000040: 61 00 63 00 4d 00 61 00 69 00 6e 00 74 00 00 00 a.c.M.a.i.n.t... +0x00000050: 18 00 00 00 .... 
+ +2011-01-13 16:40:10 | 2011-01-13 16:40:10 | 2011-01-13 16:40:10 | |Desktop\FacMaint + +0x00000000: 5c 00 31 00 00 00 00 00 39 3e 2e 99 10 00 49 44 \.1.....9>....ID +0x00000010: 4d 32 35 4a 7e 31 00 00 44 00 07 00 04 00 ef be M25J~1..D....... +0x00000020: 39 3e 2e 99 39 3e 2e 99 26 00 00 00 25 90 01 00 9>..9>..&...%... +0x00000030: 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 49 00 ..............I. +0x00000040: 44 00 4d 00 20 00 32 00 35 00 4a 00 61 00 6e 00 D.M. .2.5.J.a.n. +0x00000050: 32 00 30 00 31 00 31 00 00 00 18 00 00 00 2.0.1.1....... + +2011-01-25 19:09:28 | 2011-01-25 19:09:28 | 2011-01-25 19:09:28 | |Desktop\IDM 25Jan2011 + | | | |Desktop\Explorer + | | | |Desktop\Explorer + +0x00000000: 5c 00 31 00 00 00 00 00 ef 3e 3a 7d 10 00 43 48 \.1......>:}..CH +0x00000010: 41 54 53 41 7e 31 00 00 44 00 07 00 04 00 ef be ATSA~1..D....... +0x00000020: ef 3e 3a 7d ef 3e 3a 7d 26 00 00 00 fb eb 02 00 .>:}.>:}&....... +0x00000030: 00 00 0e 01 00 00 00 00 00 00 00 00 00 00 43 00 ..............C. +0x00000040: 68 00 61 00 74 00 20 00 53 00 61 00 6d 00 65 00 h.a.t. .S.a.m.e. +0x00000050: 74 00 69 00 6d 00 65 00 00 00 18 00 00 00 t.i.m.e....... + +2011-07-15 15:41:52 | 2011-07-15 15:41:52 | 2011-07-15 15:41:52 | |Desktop\Chat Sametime + +0x00000000: 7a 00 31 00 00 00 00 00 02 3f a4 84 10 00 43 4f z.1......?....CO +0x00000010: 4d 56 41 55 7e 31 00 00 62 00 07 00 04 00 ef be MVAU~1..b....... +0x00000020: 02 3f 27 84 02 3f a4 84 26 00 00 00 29 92 02 00 .?'..?..&...)... +0x00000030: 00 00 c3 01 00 00 00 00 00 00 00 00 00 00 43 00 ..............C. +0x00000040: 6f 00 6d 00 76 00 61 00 75 00 6c 00 74 00 2d 00 o.m.v.a.u.l.t.-. +0x00000050: 50 00 68 00 79 00 73 00 69 00 63 00 61 00 6c 00 P.h.y.s.i.c.a.l. +0x00000060: 53 00 76 00 72 00 2d 00 49 00 6e 00 73 00 74 00 S.v.r.-.I.n.s.t. +0x00000070: 61 00 6c 00 6c 00 00 00 18 00 00 00 a.l.l....... 
+
+2011-08-02 16:37:08 | 2011-08-02 16:37:08 | 2011-08-02 16:33:14 | |Desktop\Comvault-PhysicalSvr-Install
+
+0x00000000: 76 00 31 00 00 00 00 00 02 3f 4c 88 10 00 43 4f v.1......?L...CO
+0x00000010: 4d 56 41 55 7e 32 00 00 5e 00 07 00 04 00 ef be MVAU~2..^.......
+0x00000020: 02 3f 4c 88 02 3f 4c 88 26 00 00 00 0d 90 02 00 .?L..?L.&.......
+0x00000030: 00 00 20 02 00 00 00 00 00 00 00 00 00 00 43 00 .. ...........C.
+0x00000040: 6f 00 6d 00 76 00 61 00 75 00 6c 00 74 00 2d 00 o.m.v.a.u.l.t.-.
+0x00000050: 46 00 61 00 74 00 43 00 6c 00 69 00 65 00 6e 00 F.a.t.C.l.i.e.n.
+0x00000060: 74 00 2d 00 49 00 6e 00 73 00 74 00 61 00 6c 00 t.-.I.n.s.t.a.l.
+0x00000070: 6c 00 00 00 18 00 00 00 l.......
+
+2011-08-02 17:02:24 | 2011-08-02 17:02:24 | 2011-08-02 17:02:24 | |Desktop\Comvault-FatClient-Install
+ | | | |Desktop\Explorer
+ | | | |Desktop\Explorer
+ | | | |Desktop\Explorer
+ | | | |Desktop\Libraries
diff --git a/thirdparty/rr-full/shellitems.pl b/thirdparty/rr-full/shellitems.pl
new file mode 100644
index 0000000000..ec39234690
--- /dev/null
+++ b/thirdparty/rr-full/shellitems.pl
@@ -0,0 +1,835 @@
+#-----------------------------------------------------------
+# shellitems.pl
+# Perl script to parse shell items; access via 'require' pragma
+#
+# History:
+# 20130923 - updated printData() code with (what I hope is) more stable
+# code
+# 20130522 - created
+#
+# References
+# Andrew's Python code for Registry Decoder
+# http://code.google.com/p/registrydecoder/source/browse/trunk/templates/template_files/ShellBagMRU.py
+# Joachim Metz's shell item format specification
+# http://download.polytechnic.edu.na/pub4/download.sourceforge.net/pub/
+# sourceforge/l/project/li/liblnk/Documentation/Windows%20Shell%20Item%20format/
+# Windows%20Shell%20Item%20format.pdf
+# Converting DOS Date format
+# http://msdn.microsoft.com/en-us/library/windows/desktop/ms724274(v=VS.85).aspx
+#
+# Thanks to Willi Ballenthin and Joachim Metz for the documentation they
+# provided, Andrew Case for posting the Registry Decoder code, and Kevin
+# Moore for writing the shell bag parser for Registry Decoder, as well as
+# assistance with some parsing.
+#
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+use Time::Local;
+
+my %guids = ("{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}" => "Action Center",
+ "{7a979262-40ce-46ff-aeee-7884ac3b6136}" => "Add Hardware",
+ "{d20ea4e1-3957-11d2-a40b-0c5020524153}" => "Administrative Tools",
+ "{c57a6066-66a3-4d91-9eb9-41532179f0a5}" => "AppSuggestedLocations",
+ "{9c60de1e-e5fc-40f4-a487-460851a8d915}" => "AutoPlay",
+ "{b98a2bea-7d42-4558-8bd1-832f41bac6fd}" => "Backup and Restore Center",
+ "{0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}" => "Biometric Devices",
+ "{d9ef8727-cac2-4e60-809e-86f80a666c91}" => "BitLocker Drive Encryption",
+ "{56784854-c6cb-462b-8169-88e350acb882}" => "Contacts",
+ "{26ee0668-a00a-44d7-9371-beb064c98683}" => "Control Panel (Cat. View)",
+ "{b2c761c6-29bc-4f19-9251-e6195265baf1}" => "Color Management",
+ "{1206f5f1-0569-412c-8fec-3204630dfb70}" => "Credential Manager",
+ "{e2e7934b-dce5-43c4-9576-7fe4f75e7480}" => "Date and Time",
+ "{00c6d95f-329c-409a-81d7-c46c66ea7f33}" => "Default Location",
+ "{17cd9488-1228-4b2f-88ce-4298e93e0966}" => "Default Programs",
+ "{37efd44d-ef8d-41b1-940d-96973a50e9e0}" => "Desktop Gadgets",
+ "{74246bfc-4c96-11d0-abef-0020af6b0b7a}" => "Device Manager",
+ "{a8a91a66-3a7d-4424-8d24-04e180695c7a}" => "Devices and Printers",
+ "{c555438b-3c23-4769-a71f-b6d3d9b6053a}" => "Display",
+ "{d555645e-d4f8-4c29-a827-d93c859c4f2a}" => "Ease of Access Center",
+ "{1777f761-68ad-4d8a-87bd-30b759fa33dd}" => "Favorites",
+ "{323ca680-c24d-4099-b94d-446dd2d7249e}" => "Favorites",
+ "{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}" => "Folder Options",
+ "{93412589-74d4-4e4e-ad0e-e0cb621440fd}" => "Fonts",
+ "{259ef4b1-e6c9-4176-b574-481532c9bce8}" => "Game Controllers",
+ "{15eae92e-f17a-4431-9f28-805e482dafd4}" => "Get Programs",
+ "{cb1b7f8c-c50a-4176-b604-9e24dee8d4d1}" => "Getting Started",
+ "{67ca7650-96e6-4fdd-bb43-a8e774f73a57}" => "HomeGroup",
+ "{b4fb3f98-c1ea-428d-a78a-d1f5659cba93}" => "HomeGroup",
+ "{87d66a43-7b11-4a28-9811-c86ee395acf7}" => "Indexing Options",
+ "{a0275511-0e86-4eca-97c2-ecd8f1221d08}" => "Infrared",
+ "{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}" => "Internet Options",
+ "{a304259d-52b8-4526-8b1a-a1d6cecc8243}" => "iSCSI Initiator",
+ "{725be8f7-668e-4c7b-8f90-46bdb0936430}" => "Keyboard",
+ "{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}" => "Links",
+ "{e9950154-c418-419e-a90a-20c5287ae24b}" => "Location and Other Sensors",
+ "{1fa9085f-25a2-489b-85d4-86326eedcd87}" => "Manage Wireless Networks",
+ "{6c8eec18-8d75-41b2-a177-8831d59d2d50}" => "Mouse",
+ "{2112ab0a-c86a-4ffe-a368-0de96e47012e}" => "Music Library",
+ "{7007acc7-3202-11d1-aad2-00805fc1270e}" => "Network Connections",
+ "{8e908fc9-becc-40f6-915b-f4ca0e70d03d}" => "Network and Sharing Center",
+ "{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}" => "Notification Area Icons",
+ "{d24f75aa-4f2b-4d07-a3c4-469b3d9030c4}" => "Offline Files",
+ "{96ae8d84-a250-4520-95a5-a47a7e3c548b}" => "Parental Controls",
+ "{f82df8f7-8b9f-442e-a48c-818ea735ff9b}" => "Pen and Input Devices",
+ "{5224f545-a443-4859-ba23-7b5a95bdc8ef}" => "People Near Me",
+ "{78f3955e-3b90-4184-bd14-5397c15f1efc}" => "Performance Information and Tools",
+ "{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}" => "Personalization",
+ "{40419485-c444-4567-851a-2dd7bfa1684d}" => "Phone and Modem",
+ "{f0d63f85-37ec-4097-b30d-61b4a8917118}" => "Photo Stream",
+ "{025a5937-a6be-4686-a844-36fe4bec8b6d}" => "Power Options",
+ "{2227a280-3aea-1069-a2de-08002b30309d}" => "Printers",
+ "{fcfeecae-ee1b-4849-ae50-685dcf7717ec}" => "Problem Reports and Solutions",
+ "{7b81be6a-ce2b-4676-a29e-eb907a5126c5}" => "Programs and Features",
+ "{22877a6d-37a1-461a-91b0-dbda5aaebc99}" => "Recent Places",
+ "{9fe63afd-59cf-4419-9775-abcc3849f861}" => "Recovery",
+ "{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}" => "Regional and Language Options",
+ "{241d7c96-f8bf-4f85-b01f-e2b043341a4b}" => "RemoteApp and Desktop Connections",
+ "{4c5c32ff-bb9d-43b0-b5b4-2d72e54eaaa4}" => "Saved Games",
+ "{7d1d3a04-debb-4115-95cf-2f29da2920da}" => "Saved Searches",
+ "{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3}" => "Scanners and Cameras",
+ "{e211b736-43fd-11d1-9efb-0000f8757fcd}" => "Scanners and Cameras",
+ "{d6277990-4c6a-11cf-8d87-00aa0060f5bf}" => "Scheduled Tasks",
+ "{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}" => "Sound",
+ "{58e3c745-d971-4081-9034-86e34b30836a}" => "Speech Recognition Options",
+ "{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}" => "Sync Center",
+ "{e413d040-6788-4c22-957e-175d1c513a34}" => "Sync Center Conflict Delegate Folder",
+ "{bc48b32f-5910-47f5-8570-5074a8a5636a}" => "Sync Results Delegate Folder",
+ "{f1390a9a-a3f4-4e5d-9c5f-98f3bd8d935c}" => "Sync Setup Delegate Folder",
+ "{bb06c0e4-d293-4f75-8a90-cb05b6477eee}" => "System",
+ "{80f3f1d5-feca-45f3-bc32-752c152e456e}" => "Tablet PC Settings",
+ "{0df44eaa-ff21-4412-828e-260a8728e7f1}" => "Taskbar and Start Menu",
+ "{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}" => "Text to Speech",
+ "{c58c4893-3be0-4b45-abb5-a63e4b8c8651}" => "Troubleshooting",
+ "{60632754-c523-4b62-b45c-4172da012619}" => "User Accounts",
+ "{be122a0e-4503-11da-8bde-f66bad1e3f3a}" => "Windows Anytime Upgrade",
+ "{78cb147a-98ea-4aa6-b0df-c8681f69341c}" => "Windows CardSpace",
+ "{d8559eb9-20c0-410e-beda-7ed416aecc2a}" => "Windows Defender",
+ "{4026492f-2f69-46b8-b9bf-5654fc07e423}" => "Windows Firewall",
+ "{3e7efb4c-faf1-453d-89eb-56026875ef90}" => "Windows Marketplace",
+ "{5ea4f148-308c-46d7-98a9-49041b1dd468}" => "Windows Mobility Center",
+ "{087da31b-0dd3-4537-8e23-64a18591f88b}" => "Windows Security Center",
+ "{e95a4861-d57a-4be1-ad0f-35267e261739}" => "Windows SideShow",
+ "{36eef7db-88ad-4e81-ad49-0e313f0c35f8}" => "Windows Update",
+ "{724ef170-a42d-4fef-9f26-b60e846fba4f}" => "Administrative Tools",
+ "{d0384e7d-bac3-4797-8f14-cba229b392b5}" => "Common Administrative Tools",
+ "{de974d24-d9c6-4d3e-bf91-f4455120b917}" => "Common Files",
+ "{c1bae2d0-10df-4334-bedd-7aa20b227a9d}" => "Common OEM Links",
+ "{5399e694-6ce5-4d6c-8fce-1d8870fdcba0}" => "Control Panel",
+ "{21ec2020-3aea-1069-a2dd-08002b30309d}" => "Control Panel",
+ "{1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}" => "CSIDL_SYSTEM",
+ "{b4bfcc3a-db2c-424c-b029-7fe99a87c641}" => "Desktop",
+ "{7b0db17d-9cd2-4a93-9733-46cc89022e7c}" => "Documents Library",
+ "{fdd39ad0-238f-46af-adb4-6c85480369c7}" => "Documents",
+ "{374de290-123f-4565-9164-39c4925e467b}" => "Downloads",
+ "{de61d971-5ebc-4f02-a3a9-6c82895e5c04}" => "Get Programs",
+ "{a305ce99-f527-492b-8b1a-7e76fa98d6e4}" => "Installed Updates",
+ "{871c5380-42a0-1069-a2ea-08002b30309d}" => "Internet Explorer (Homepage)",
+ "{031e4825-7b94-4dc3-b131-e946b44c8dd5}" => "Libraries",
+ "{49bf5420-fa7f-11cf-8011-00a0c90a8f78}" => "Mobile Device", #MS KB836152
+ "{4bd8d571-6d19-48d3-be97-422220080e43}" => "Music",
+ "{20d04fe0-3aea-1069-a2d8-08002b30309d}" => "My Computer",
+ "{450d8fba-ad25-11d0-98a8-0800361b1103}" => "My Documents",
+ "{fc9fb64a-1eb2-4ccf-af5e-1a497a9b5c2d}" => "My Shared Folders",
+# "{5e591a74-df96-48d3-8d67-1733bcee28ba}" => "My Documents",
+ "{ed228fdf-9ea8-4870-83b1-96b02cfe0d52}" => "My Games",
+ "{208d2c60-3aea-1069-a2d7-08002b30309d}" => "My Network Places",
+ "{f02c1a0d-be21-4350-88b0-7367fc96ef3c}" => "Network",
+ "{33e28130-4e1e-4676-835a-98395c3bc3bb}" => "Pictures",
+ "{a990ae9f-a03b-4e80-94bc-9912d7504104}" => "Pictures",
+ "{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}" => "Program Files (x86)",
+ "{905e63b6-c1bf-494e-b29c-65b732d3d21a}" => "Program Files",
+ "{df7266ac-9274-4867-8d55-3bd661de872d}" => "Programs and Features",
+ "{3214fab5-9757-4298-bb61-92a9deaa44ff}" => "Public Music",
+ "{b6ebfb86-6907-413c-9af7-4fc2abf07cc5}" => "Public Pictures",
+ "{2400183a-6185-49fb-a2d8-4a392a602ba3}" => "Public Videos",
+ "{4336a54d-38b-4685-ab02-99bb52d3fb8b}" => "Public",
+ "{491e922f-5643-4af4-a7eb-4e7a138d8174}" => "Public",
+ "{dfdf76a2-c82a-4d63-906a-5644ac457385}" => "Public",
+ "{645ff040-5081-101b-9f08-00aa002f954e}" => "Recycle Bin",
+ "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" => "Search Results",
+ "{d65231b0-b2f1-4857-a4ce-a8e7c6ea7d27}" => "System32 (x86)",
+ "{9e52ab10-f80d-49df-acb8-4330f5687855}" => "Temporary Burn Folder",
+ "{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}" => "Users Files",
+ "{59031a47-3f72-44a7-89c5-5595fe6b30ee}" => "User Files",
+ "{59031a47-3f72-44a7-89c5-5595fe6b30ee}" => "Users",
+ "{18989b1d-99b5-455b-841c-ab7c74e4ddfc}" => "Videos",
+ "{f38bf404-1d43-42f2-9305-67de0b28fc23}" => "Windows");
+
+#-----------------------------------------------------------
+# parseVariableEntry()
+# type = 0x00
+#-----------------------------------------------------------
+sub parseVariableEntry {
+ my $data = shift;
+ my %item = ();
+
+ $item{type} = unpack("C",substr($data,2,1));
+ my $tag = unpack("C",substr($data,0x0A,1));
+
+ if (unpack("v",substr($data,4,2)) == 0x1A) {
+ my $guid = parseGUID(substr($data,14,16));
+
+ if (exists $folder_types{$guid}) {
+ $item{name} = $folder_types{$guid};
+ }
+ else {
+ $item{name} = $guid;
+ }
+ }
+ elsif (grep(/1SPS/,$data)) {
+ my @seg = split(/1SPS/,$data);
+
+ my %segs = ();
+ foreach my $s (0..(scalar(@seg) - 1)) {
+ my $guid = parseGUID(substr($seg[$s],0,16));
+ $segs{$guid} = $seg[$s];
+ }
+
+ if (exists $segs{"{b725f130-47ef-101a-a5f1-02608c9eebac}"}) {
+# Ref: http://msdn.microsoft.com/en-us/library/aa965725(v=vs.85).aspx
+ my $stuff = $segs{"{b725f130-47ef-101a-a5f1-02608c9eebac}"};
+
+ my $tag = 1;
+ my $cnt = 0x10;
+ while($tag) {
+ my $sz = unpack("V",substr($stuff,$cnt,4));
+ my $id = unpack("V",substr($stuff,$cnt + 4,4));
+#--------------------------------------------------------------
+# sub-segment types
+# 0x0a - file name
+# 0x14 - short name
+# 0x0e, 0x0f, 0x10 - mod date, create date, access date(?)
+# 0x0c - size
+#--------------------------------------------------------------
+ if ($sz == 0x00) {
+ $tag = 0;
+ next;
+ }
+ elsif ($id == 0x0a) {
+
+ my $num = unpack("V",substr($stuff,$cnt + 13,4));
+ my $str = substr($stuff,$cnt + 13 + 4,($num * 2));
+ $str =~ s/\x00//g;
+ $item{name} = $str;
+ }
+ $cnt += $sz;
+ }
+ }
+
+# if (exists $segs{"{5cbf2787-48cf-4208-b90e-ee5e5d420294}"}) {
+# my $stuff = $segs{"{5cbf2787-48cf-4208-b90e-ee5e5d420294}"};
+# my $tag = 1;
+# my $cnt = 0x10;
+# while($tag) {
+# my $sz = unpack("V",substr($stuff,$cnt,4));
+# my $id = unpack("V",substr($stuff,$cnt + 4,4));
+#
+# if ($sz == 0x00) {
+# $tag = 0;
+# next;
+# }
+# elsif ($id == 0x19) {
+#
+# my $num = unpack("V",substr($stuff,$cnt + 13,4));
+# my $str = substr($stuff,$cnt + 13 + 4,($num * 2));
+# $str =~ s/\x00//g;
+# $item{name} = $str;
+# }
+# $cnt += $sz;
+# }
+# }
+ }
+ elsif (substr($data,4,4) eq "AugM") {
+
+ my @beef = split(/\xef\xbe/,$data);
+ if (scalar (@beef) < 3) {
+# %item = parseFolderEntry($data);
+ $item{name} = "Test";
+ }
+ else {
+ my $temp = substr($beef[2],22,length($beef[2]) - 22);
+ my $temp2 = substr($temp,12,length($temp) - 12);
+ $item{name} = (split(/\x00\x00/,$temp2))[0];
+ $item{name} =~ s/\x00//g;
+ }
+
+ }
+# Following two entries are for Device Property data
+ elsif ($tag == 0x7b || $tag == 0xbb || $tag == 0xfb) {
+ my ($sz1,$sz2,$sz3) = unpack("VVV",substr($data,0x3e,12));
+ $item{name} = substr($data,0x4a,$sz1 * 2);
+ $item{name} =~ s/\x00//g;
+ }
+ elsif ($tag == 0x02 || $tag == 0x03) {
+ my ($sz1,$sz2,$sz3,$sz4) = unpack("VVVV",substr($data,0x26,16));
+ $item{name} = substr($data,0x36,$sz1 * 2);
+ $item{name} =~ s/\x00//g;
+ }
+ else {
+ $item{name} = "Unknown Type";
+ }
+ return %item;
+}
+
+#-----------------------------------------------------------
+# parseNetworkEntry()
+#
+#-----------------------------------------------------------
+sub parseNetworkEntry {
+ my $data = shift;
+ my %item = ();
+ $item{type} = unpack("C",substr($data,2,1));
+
+ my @n = split(/\x00/,substr($data,5,length($data) - 5));
+ $item{name} = $n[0];
+ return %item;
+}
+
+#-----------------------------------------------------------
+# parseZipSubFolderItem()
+# parses what appears to be Zip file subfolders; this type
+# appears to contain the date and time of when the subfolder
+# was accessed/opened, in string format.
+#-----------------------------------------------------------
+sub parseZipSubFolderItem {
+ my $data = shift;
+ my %item = ();
+
+# Get the opened/accessed date/time
+ $item{datetime} = substr($data,0x24,6);
+ $item{datetime} =~ s/\x00//g;
+ if ($item{datetime} eq "N/A") {
+
+ }
+ else {
+ $item{datetime} = substr($data,0x24,40);
+ $item{datetime} =~ s/\x00//g;
+ my ($date,$time) = split(/\s+/,$item{datetime},2);
+ my ($mon,$day,$yr) = split(/\//,$date,3);
+ my ($hr,$min,$sec) = split(/:/,$time,3);
+
+ my $gmtime = timegm($sec,$min,$hr,$day,($mon - 1),$yr);
+ $item{datetime} = "$yr-$mon-$day $hr:$min:$sec";
+# ::rptMsg("[Access_Time]: ".gmtime($gmtime));
+ }
+
+ my $sz = unpack("V",substr($data,0x54,4));
+ my $sz2 = unpack("V",substr($data,0x58,4));
+
+ my $str1 = substr($data,0x5C,$sz *2) if ($sz > 0);
+ $str1 =~ s/\x00//g;
+
+ if ($sz2 > 0) {
+ my $str2 = substr($data,0x5C + ($sz * 2),$sz2 *2);
+ $str2 =~ s/\x00//g;
+ $item{name} = $str1."\\".$str2;
+ }
+ else {
+ $item{name} = $str1;
+ }
+ return %item;
+}
+
+#-----------------------------------------------------------
+# parse01ShellItem()
+# I honestly have no idea what to do with this data; there's really
+# no reference for or description of the format of this data. For
+# now, this is just a place holder
+#-----------------------------------------------------------
+sub parse01ShellItem {
+ my $data = shift;
+ my %item = ();
+ $item{type} = unpack("C",substr($data,2,1));;
+ $item{name} = "";
+# ($item{val0},$item{val1}) = unpack("VV",substr($data,2,length($data) - 2));
+ return %item;
+}
+
+#-----------------------------------------------------------
+# parseXPShellDeviceItem()
+#
+#-----------------------------------------------------------
+sub parseXPShellDeviceItem {
+ my $data = shift;
+ my %item = ();
+ my ($t0,$t1) = unpack("VV",substr($data,0x04,8));
+ if ($t0 == 0 && $t1 == 0) {
+ $item{timestamp} = 0;
+ }
+ else {
+ $item{timestamp} = ::getTime($t0,$t1);
+ }
+# starting at offset 0x18, read the null-term. string as the name value
+ my $str = substr($data,0x18,length($data) - 0x18);
+ $item{name} = (split(/\x00/,$str))[0];
+ return %item;
+}
+
+#-----------------------------------------------------------
+# parseType64Item()
+# Parses types 0x64, 0x65, 0x69
+#-----------------------------------------------------------
+sub parseType64Item {
+ my $data = shift;
+ my %item = ();
+
+ $item{name} = substr($data,4,length($data) - 4);
+ $item{name} =~ s/\x00//g;
+
+ return %item;
+}
+#-----------------------------------------------------------
+#
+#-----------------------------------------------------------
+sub parseURIEntry {
+ my $data = shift;
+ my %item = ();
+ $item{type} = unpack("C",substr($data,2,1));
+
+ my ($lo,$hi) = unpack("VV",substr($data,0x0e,8));
+ $item{uritime} = ::getTime($lo,$hi);
+
+ my $sz = unpack("V",substr($data,0x2a,4));
+ my $uri = substr($data,0x2e,$sz);
+ $uri =~ s/\x00//g;
+
+ my $proto = substr($data,length($data) - 6, 6);
+ $proto =~ s/\x00//g;
+
+ $item{name} = $proto."://".$uri." [".gmtime($item{uritime})."]";
+
+ return %item;
+}
+
+#-----------------------------------------------------------
+#
+#-----------------------------------------------------------
+sub parseSystemFolderEntry {
+ my $data = shift;
+ my %item = ();
+
+ my %vals = (0x00 => "Explorer",
+ 0x42 => "Libraries",
+ 0x44 => "Users",
+ 0x4c => "Public",
+ 0x48 => "My Documents",
+ 0x50 => "My Computer",
+ 0x58 => "My Network Places",
+ 0x60 => "Recycle Bin",
+ 0x68 => "Explorer",
+ 0x70 => "Control Panel",
+ 0x78 => "Recycle Bin",
+ 0x80 => "My Games");
+
+ $item{type} = unpack("C",substr($data,2,1));
+ $item{id} = unpack("C",substr($data,3,1));
+ if (exists $vals{$item{id}}) {
+ $item{name} = $vals{$item{id}};
+ }
+ else {
+ $item{name} = parseGUID(substr($data,4,16));
+ }
+ return %item;
+}
+
+#-----------------------------------------------------------
+# parseGUID()
+# Takes 16 bytes of binary data, returns a string formatted
+# as an MS GUID.
+#-----------------------------------------------------------
+sub parseGUID {
+ my $data = shift;
+ my $d1 = unpack("V",substr($data,0,4));
+ my $d2 = unpack("v",substr($data,4,2));
+ my $d3 = unpack("v",substr($data,6,2));
+ my $d4 = unpack("H*",substr($data,8,2));
+ my $d5 = unpack("H*",substr($data,10,6));
+ my $guid = sprintf "{%08x-%04x-%04x-$d4-$d5}",$d1,$d2,$d3;
+
+ if (exists $guids{$guid}) {
+ return "CLSID_".$guids{$guid};
+ }
+ else {
+ return $guid;
+ }
+}
+
+#-----------------------------------------------------------
+#
+#-----------------------------------------------------------
+sub parseDeviceEntry {
+ my $data = shift;
+ my %item = ();
+
+ my $ofs = unpack("v",substr($data,4,2));
+ my $tag = unpack("V",substr($data,6,4));
+
+ if ($tag == 0) {
+ my $guid1 = parseGUID(substr($data,$ofs + 6,16));
+ my $guid2 = parseGUID(substr($data,$ofs + 6 + 16,16));
+ $item{name} = $guid1."\\".$guid2
+ }
+ elsif ($tag == 2) {
+ $item{name} = substr($data,0x0a,($ofs + 6) - 0x0a);
+ $item{name} =~ s/\x00//g;
+ }
+ else {
+ my $ver
= unpack("C",substr($data,9,1)); + +# Version 3 = XP + if ($ver == 3) { + my $guid1 = parseGUID(substr($data,$ofs + 6,16)); + my $guid2 = parseGUID(substr($data,$ofs + 6 + 16,16)); + $item{name} = $guid1."\\".$guid2 + + } +# Version 8 = Win7 + elsif ($ver == 8) { + my $userlen = unpack("V",substr($data,30,4)); + my $devlen = unpack("V",substr($data,34,4)); + my $user = substr($data,0x28,$userlen * 2); + $user =~ s/\x00//g; + my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2); + $dev =~ s/\x00//g; + $item{name} = $user; + } + else { +# Version unknown + + } + } + return %item; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseDriveEntry { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1));; + $item{name} = substr($data,3,3); + return %item; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseControlPanelEntry { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1)); + my $guid = parseGUID(substr($data,14,16)); + if (exists $guids{$guid}) { + $item{name} = $guids{$guid}; + } + else { + $item{name} = $guid; + } + return %item; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseFolderEntry { + my $data = shift; + my %item = (); + + $item{type} = unpack("C",substr($data,2,1)); +# Type 0x74 folders have a slightly different format + + my $ofs_mdate; + my $ofs_shortname; + + if ($item{type} == 0x74) { + $ofs_mdate = 0x12; + } + elsif (substr($data,4,4) eq "AugM") { + $ofs_mdate = 0x1c; + } + else { + $ofs_mdate = 0x08; + } +# some type 0x32 items will include a file size + if ($item{type} == 0x32) { + my $size = unpack("V",substr($data,4,4)); + if ($size != 0) { + $item{filesize} = $size; + } + } + + my @m = 
unpack("vv",substr($data,$ofs_mdate,4)); + ($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]); + +# Need to read in short name; nul-term ASCII +# $item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0]; + $ofs_shortname = $ofs_mdate + 6; + my $tag = 1; + my $cnt = 0; + my $str = ""; + while($tag) { + my $s = substr($data,$ofs_shortname + $cnt,1); + if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) { + $tag = 0; + } + else { + $str .= $s; + $cnt++; + } + } +# $str =~ s/\x00//g; + my $shortname = $str; + my $ofs = $ofs_shortname + $cnt + 1; + +# Read progressively, 1 byte at a time, looking for 0xbeef + $tag = 1; + $cnt = 0; + while ($tag) { + if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) { + $tag = 0; + } + else { + $cnt++; + } + } + $item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2)); + $ofs = $ofs + $cnt + 2; + + @m = unpack("vv",substr($data,$ofs,4)); + ($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]); + $ofs += 4; + @m = unpack("vv",substr($data,$ofs,4)); + ($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]); + + my $jmp; + if ($item{extver} == 0x03) { + $jmp = 8; + } + elsif ($item{extver} == 0x07) { + $jmp = 26; + } + elsif ($item{extver} == 0x08) { + $jmp = 30; + } + else {} + + if ($item{extver} >= 0x07) { + my @n = unpack("Vvv",substr($data,$ofs + 8, 8)); + $item{mft_rec_num} = getNum48($n[0],$n[1]); + $item{mft_seq_num} = $n[2]; + } + + $ofs += $jmp; + + $str = substr($data,$ofs,length($data) - 30); + my $longname = (split(/\x00\x00/,$str,2))[0]; + $longname =~ s/\x00//g; + + if ($longname ne "") { + $item{name} = $longname; + } + else { + $item{name} = $shortname; + } + return %item; +} + +#----------------------------------------------------------- +# convertDOSDate() +# subroutine to convert 4 bytes of binary data into a human- +# readable format. Returns both a string and a Unix-epoch +# time. 
+#----------------------------------------------------------- +sub convertDOSDate { + my $date = shift; + my $time = shift; + + if ($date == 0x00 || $time == 0x00){ + return (0,0); + } + else { + my $sec = ($time & 0x1f) * 2; + $sec = "0".$sec if (length($sec) == 1); + if ($sec == 60) {$sec = 59}; + my $min = ($time & 0x7e0) >> 5; + $min = "0".$min if (length($min) == 1); + my $hr = ($time & 0xF800) >> 11; + $hr = "0".$hr if (length($hr) == 1); + my $day = ($date & 0x1f); + $day = "0".$day if (length($day) == 1); + my $mon = ($date & 0x1e0) >> 5; + $mon = "0".$mon if (length($mon) == 1); + my $yr = (($date & 0xfe00) >> 9) + 1980; + my $gmtime = timegm($sec,$min,$hr,$day,($mon - 1),$yr); + return ("$yr-$mon-$day $hr:$min:$sec",$gmtime); +# return gmtime(timegm($sec,$min,$hr,$day,($mon - 1),$yr)); + } +} + +#----------------------------------------------------------- +# parseFolderEntry2() +# +# Initial code for parsing type 0x35 +#----------------------------------------------------------- +sub parseFolderEntry2 { + my $data = shift; + my %item = (); + + my $ofs = 0; + my $tag = 1; + + while ($tag) { + if (unpack("v",substr($data,$ofs,2)) == 0xbeef) { + $tag = 0; + } + else { + $ofs++; + } + } + $item{extver} = unpack("v",substr($data,$ofs - 4,2)); +# Move offset over to end of where the ctime value would be + $ofs += 4; + + my $jmp; + if ($item{extver} == 0x03) { + $jmp = 8; + } + elsif ($item{extver} == 0x07) { + $jmp = 26; + } + elsif ($item{extver} == 0x08) { + $jmp = 30; + } + else {} + + $ofs += $jmp; + + my $str = substr($data,$ofs,length($data) - 30); + + $item{name} = (split(/\x00\x00/,$str,2))[0]; + $item{name} =~ s/\x13\x20/\x2D\x00/; + $item{name} =~ s/\x00//g; + + return %item; +} +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseFolderEntry3 { + my $data = shift; + my %item = (); + $item{name} = substr($data,4,length($data) - 4); + $item{name} =~ s/\x00//g; + return 
%item; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseDatePathItem { + my $data = shift; + my %item = (); + $item{datestr} = substr($data,0x18,30); + my ($file,$dir) = split(/\x00\x00/,substr($data,0x44,length($data) - 0x44)); + $file =~ s/\x00//g; + $dir =~ s/\x00//g; + $item{name} = $dir.$file; + return %item; +} + +#----------------------------------------------------------- +# parseTypex53() +#----------------------------------------------------------- +sub parseTypex53 { + my $data = shift; + my %item = (); + + my $item1 = parseGUID(substr($data,0x14,16)); + my $item2 = parseGUID(substr($data,0x24,16)); + + $item{name} = $item1."\\".$item2; + + return %item; +} + +#----------------------------------------------------------- +# probe() +# +# Code the uses printData() to insert a 'probe' into a specific +# location and display the data +# +# Input: binary data of arbitrary length +# Output: Nothing, no return value. Displays data to the console +#----------------------------------------------------------- +sub probe { + my $data = shift; + my @d = printData($data); + ::rptMsg(""); + foreach (0..(scalar(@d) - 1)) { + ::rptMsg($d[$_]); + } + ::rptMsg(""); +} + +#----------------------------------------------------------- +# printData() +# subroutine used primarily for debugging; takes an arbitrary +# length of binary data, prints it out in hex editor-style +# format for easy debugging +# +# Usage: see probe() +#----------------------------------------------------------- +sub printData { + my $data = shift; + my $len = length($data); + + my @display = (); + + my $loop = $len/16; + $loop++ if ($len%16); + + foreach my $cnt (0..($loop - 1)) { +# How much is left? + my $left = $len - ($cnt * 16); + + my $n; + ($left < 16) ? 
($n = $left) : ($n = 16); + + my $seg = substr($data,$cnt * 16,$n); + my $lhs = ""; + my $rhs = ""; + foreach my $i ($seg =~ m/./gs) { +# This loop is to process each character at a time. + $lhs .= sprintf(" %02X",ord($i)); + if ($i =~ m/[ -~]/) { + $rhs .= $i; + } + else { + $rhs .= "."; + } + } + $display[$cnt] = sprintf("0x%08X %-50s %s",$cnt,$lhs,$rhs); + } + return @display; +} + +#----------------------------------------------------------- +# getNum48() +# borrowed from David Cowen's code +#----------------------------------------------------------- +sub getNum48 { + my $n1 = shift; + my $n2 = shift; + if ($n2 == 0) { + return $n1; + } + else { + $n2 = ($n2 *16777216); + return $n1 + $n2; + } +} + +1; diff --git a/thirdparty/rr-full/time.pl b/thirdparty/rr-full/time.pl new file mode 100644 index 0000000000..c56ccc9fbd --- /dev/null +++ b/thirdparty/rr-full/time.pl 
@@ -0,0 +1,89 @@
+#-------------------------------------------------------------
+# time.pl
+# This file contains helper functions for translating time values
+# into something readable. This file is accessed by the main UI
+# code via the 'require' pragma.
+#
+# Note: The main UI code (GUI or CLI) must 'use' the Time::Local
+# module.
+#
+# Change history:
+# 20120925 - created
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-------------------------------------------------------------
+
+#-------------------------------------------------------------
+# getTime()
+# Translate FILETIME object (2 DWORDS) to Unix time, to be passed
+# to gmtime() or localtime()
+#
+# The code was borrowed from Andreas Schuster's excellent work
+#-------------------------------------------------------------
+sub getTime($$) {
+ my $lo = $_[0];
+ my $hi = $_[1];
+ my $t;
+
+ if ($lo == 0 && $hi == 0) {
+ $t = 0;
+ } else {
+ $lo -= 0xd53e8000;
+ $hi -= 0x019db1de;
+ $t = int($hi*429.4967296 + $lo/1e7);
+ };
+ $t = 0 if ($t < 0);
+ return $t;
+}
+
+#-----------------------------------------------------------
+# convertDOSDate()
+# subroutine to convert 4 bytes of binary data into a human-
+# readable format. Returns both a string and a Unix-epoch
+# time.
+#-----------------------------------------------------------
+sub convertDOSDate {
+ my $date = shift;
+ my $time = shift;
+
+ if ($date == 0x00 || $time == 0x00){
+ return (0,0);
+ }
+ else {
+ my $sec = ($time & 0x1f) * 2;
+ $sec = "0".$sec if (length($sec) == 1);
+ if ($sec == 60) {$sec = 59};
+ my $min = ($time & 0x7e0) >> 5;
+ $min = "0".$min if (length($min) == 1);
+ my $hr = ($time & 0xF800) >> 11;
+ $hr = "0".$hr if (length($hr) == 1);
+ my $day = ($date & 0x1f);
+ $day = "0".$day if (length($day) == 1);
+ my $mon = ($date & 0x1e0) >> 5;
+ $mon = "0".$mon if (length($mon) == 1);
+ my $yr = (($date & 0xfe00) >> 9) + 1980;
+ my $gmtime = timegm($sec,$min,$hr,$day,($mon - 1),$yr);
+ return ("$yr-$mon-$day $hr:$min:$sec",$gmtime);
+# return gmtime(timegm($sec,$min,$hr,$day,($mon - 1),$yr));
+ }
+}
+
+#-----------------------------------------------------------
+# convertSystemTime()
+# Converts 128-bit SYSTEMTIME object to readable format
+#-----------------------------------------------------------
+sub convertSystemTime {
+ my $date = $_[0];
+ my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul",
+ "Aug","Sep","Oct","Nov","Dec");
+ my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat");
+ my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date);
+ $hr = "0".$hr if ($hr < 10);
+ $min = "0".$min if ($min < 10);
+ $sec = "0".$sec if ($sec < 10);
+ my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr;
+ return $str;
+}
+
+1;
\ No newline at end of file
diff --git a/thirdparty/rr-full/updates.txt b/thirdparty/rr-full/updates.txt
new file mode 100644
index 0000000000..7bb1db2dc5
--- /dev/null
+++ b/thirdparty/rr-full/updates.txt
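Review bot: convertDOSDate hands the raw day and month fields straight to timegm(), and Time::Local croaks on values outside 1..31 / 0..11, so a single corrupt or zeroed-out DOS date field (day 0 is representable in the 16-bit value and is not caught by the `$date == 0x00` test) aborts the whole plugin run instead of producing one bad row; the copy of convertDOSDate in the preceding plugin hunk has the same exposure. Guarding the call keeps the output going: `my $gmtime = eval { timegm($sec,$min,$hr,$day,($mon - 1),$yr) };` and `return ("$yr-$mon-$day $hr:$min:$sec", defined $gmtime ? $gmtime : 0);`. convertSystemTime has a related problem: `$months[$mon - 1]` with `$mon == 0` silently yields "Dec" through Perl's negative indexing, `$days[$dow]` is undef for `$dow > 6`, and an input shorter than 16 bytes leaves the unpacked fields undef, so a length check and a range check on `$mon` and `$dow` before indexing would make malformed input visible rather than mis-rendered.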
@@ -0,0 +1,232 @@
+20141112
+ -created mixer.pl,mixer_tln.pl,audiodev.pl
+
+21041111
+ -updated usb.pl, usbstor.pl, wpdbusenum.pl
+
+20141103
+ -updated inprocserver.pl to include detection for PowerLiks
+
+20141015
+ -updated/modified usb.pl, usbstor.pl, wpdbusenum.pl
+
+20140821
+ -created at.pl, at_tln.pl
+
+20140808
+ -updated inprocserver.pl, removed inprocserver_u.pl
+
+20140807
+ -created del.pl, del_tln.pl
+
+20140730
+ -updated winzip.pl
+ -updated ares.pl (G. Nieves submission)
+ -updated lsa_packages.pl & shares.pl (S. Kelm submission)
+ -created secrets.pl, based on input from Jamie Levy
+
+20140724
+ -updated appcompatcache.pl w/ 64-bit Win8.1 support, based on
+ data provided by Shafik Punja
+
+20140723
+ -updated applets.pl
+ -updated ie_version.pl
+
+20140721
+ -update to mountdev2.pl submitted/incorporated
+
+------------------------------------------------------------
+20140512
+ -updated uninstall.pl, uninstall_tln.pl
+
+20140510
+ -added profiler.pl
+
+20140501 (These plugins were added to the available online archive)
+ -added processor_architecture.pl, wevtx.pl (C. Harrell)
+ -updated pagefile.pl (C. Harrell)
+
+20140416
+ -updated usbdevices.pl (updates by J. Chau)
+
+20140415
+ -added winevt.pl (C. Harrell)
+ -removed winlivemail.pl, winlivemsn.pl (errors)
+ -removed streammru.pl, streams.pl
+
+20140414
+ -added knowndev.pl, ddo.pl (J. Chau)
+ -RELEASED
+
+20140408
+ -updated lsasecrets.pl (improved error message)
+
+20140326
+ -created susclient.pl
+
+20142020
+ -updated recentdocs_tln.pl
+
+20140203
+ -added winscp.pl (not associated with winscp_sessions.pl)
+
+20140131
+ -added reading_locations.pl, from Jason Hale
+
+20140115
+ -updated user_run.pl to look for odd char in paths
+
+20131210
+ -updated crashcontrol.pl
+ -updated amcache.pl
+
+20131118
+ -created cdstaginginfo.pl
+
+20131108
+ -updated svc.pl to look for WOW64 value in service keys;
+ indicative of a 32-bit EXE running on a 64-bit OS
+
+20131025
+ -created startup.pl
+
+20131011
+ -created kankan.pl plugin
+
+20131010
+ -created vawtrak.pl
+ -updated svcll.pl with Derbusi detection
+ -updated svc.pl (Backdoor.Kopdel checks)
+
+20131009
+ -created ahaha.pl
+
+20131008
+ -created opencandy.pl plugin
+
+20131007
+ -created lazyshell.pl, comfoo.pl
+ -updated imagefile.pl with carnal0wnage link to sticky keys info
+
+20130930
+ -updated appcompatflags.pl to support Win8 Store key
+
+20130925
+ -retired compatassist.pl; functionality rolled into appcompatflags.pl
+
+20130911
+ -updated svc.pl/svc_tln.pl to alert on FailureAction value
+ -updated installedcomp.pl to look for StubPath values that point to
+ rundll32, but point to other than a .dll (i.e., some malware points to
+ .cpl files)
+
+20130910
+ -updated winlogon.pl/winlogon_tln.pl to check for GinaDLL value
+
+20130905
+ -removed winlivemsn.pl from ntuser profile - Module dependencies make it
+ throw errors (if I had test data, I'd rewrite it)
+ -updated installedcomp.pl to make the output more searchable
+ -created netsvcs.pl plugin
+
+20130904
+ -created rlo.pl plugin (all hives)
+ -updated backuprestore.pl (cleaned up code)
+
+20130830
+ -updated timezone.pl, based on findings from Mike W.
+
+20130801
+ -added initial Win8 support to appcompatcache.pl
+ -added cross-platform support to rip.pl (File::Spec)
+
+20130731
+ -updated ie_settings.pl
+
+20130711
+ -created pending.pl
+
+20130706
+ -updated appcompatflags.pl to retrieve values from Persisted key
+
+20130630
+ -updated usbstor.pl - added parsing of Properties values (Win7)
+ -updated devclass.pl - added additional device class check
+
+20130603
+ -updated alert code (new alert function & check for ADSs)
+ -appcompatcache.pl,inprocserver.pl,clsid.pl
+ -appcompatcache_tln.pl,soft_run.pl,user_run.pl,srun_tln.pl,urun_tln.pl
+ -svc.pl,svcdll.pl,svc_tln.pl
+
+20130530
+ -updated mountdev.pl to address endian issues in display of disk signatures
+
+20130522
+ -minor changes to attachmgr.pl, attachmgr_tln.pl
+
+20130514
+ -updated itempos.pl to parse ItemPos* value data beneath ShellNoRoam\Bags subkeys
+
+20130513
+ -updated userinfo.pl to include UserName value beneath "Common" subkey
+
+20130509
+ -added alert and warnings to appcompatcache.pl, appcompatcache_tln.pl
+ -updated svc.pl, retired svc2.pl
+ -created svc_tln.pl, based on svc.pl
+
+20130504
+ -added alert to Run key plugins to check for %AppData% paths (malware)
+
+20130429
+ -created winlogon_tln.pl, applets_tln.pl
+
+ -added alertMsg() func. to:
+ -brisv.pl, inprocserver.pl, inprocserver_u.pl, iejava.pl,
+ spp_clients.pl
+
+ -retired scanwithav.pl (func. included in attachmgr.pl)
+ -retired taskman.pl (func. included in winlogon.pl)
+ -retired vista_wireless.pl (func. in networklist.pl)
+
+20130425
+ -RegRipper and rip updated to v2.8; added alertMsg() capability
+ -retired userinit.pl (functionality included in winlogon.pl)
+ -created new plugins
+ -srun_tln.pl, urun_tln.pl,cmdproc_tln.pl
+ -cmd_shell_tln.pl,muicache_tln.pl
+
+ -added alertMsg() functionality to rip.pl, rr.pl, and plugins
+ -appcompatcache.pl, appcompatcache_tln.pl
+ -appinitdlls.pl
+ -soft_run.pl, user_run.pl
+ -imagefile.pl
+ -winlogon.pl, winlogon_u.pl
+ -muicache.pl (look for values with "[Tt]emp" paths)
+ -attachmgr.pl (look for values per KB 883260)
+ -virut.pl
+ -cmdproc.pl, cmd_shell.pl
+
+20130411
+ -retired specaccts.pl & notify.pl; incorporated functionality into
+ winlogon.pl
+
+20130410
+ -retired taskman.pl; merged into winlogon.pl
+ -updated winlogon.pl (Wow6432Node support, etc.)
+ -updated winlogon_u.pl (Wow6432Node support)
+ -updated shellexec.pl, imagefile.pl, installedcomp.pl (Wow6432Node support)
+
+20130409
+ -added drivers32.pl (C. Harrell) to the archive
+
+20130408
+ -updated bho.pl to support Wow6432Node
+
+20130405
+ -updated cmd_shell.pl to include Clients subkey in the Software hive
+ -created cmd_shell_u.pl
+ -fixed issue with rip.exe syntax info containing 'rr'
+ -fixed banner in findexes.pl
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/autopsyuninstall.pl b/thirdparty/rr/plugins/autopsyuninstall.pl
index 470b9c47f5..c82316c45e 100644
--- a/thirdparty/rr/plugins/autopsyuninstall.pl
+++ b/thirdparty/rr/plugins/autopsyuninstall.pl
@@ -9,6 +9,8 @@
 # http://msdn.microsoft.com/en-us/library/ms954376.aspx
 #
 # Change History:
+# 20140512 - updated to include NTUSER.DAT (recommended by
+# Bartosz Inglot, bartosz.inglot@uk.pwc.com)
 # 20120523 - updated to include 64-bit systems
 # 20100116 - Minor updates
 # 20090413 - Extract DisplayVersion info
@@ -19,7 +21,7 @@
 package autopsyuninstall;
 use strict;
-my %config = (hive => "Software",
+my %config = (hive => "Software, NTUSER\.DAT",
 osmask => 22,
 hasShortDescr => 1,
 hasDescr => 0,
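Review bot: The new hive string on the `+my %config` line uses `\.` inside a double-quoted string; Perl passes an unrecognized escape through unchanged, so the value is identical to `"Software, NTUSER.DAT"`, but it emits an "Unrecognized escape \. passed through" warning wherever warnings are enabled. The same spelling appears in other RegRipper plugins, so it may be a deliberate convention, but dropping the backslash removes the noise with no change in meaning: `my %config = (hive => "Software, NTUSER.DAT",`. The `%config` list continues past the end of the hunk; if it still carries a `version` value older than the 20140512 change-history entry added in the first hunk, it should be bumped to match.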