Hi,
I've observed that the muicache sample on slide NIST_Data_Leakage_01_Registry_Correction.pptx uses the wrong inode number. (Slide 52, last page).
Would it be correct like the following?
```
┌──(root㉿forensiclinux)-[/FORENSIC/lab_data_leaks_Win]
└─# fls -rF -o 206848 cfreds_2015_data_leakage_pc.dd|grep -i usrclass.dat$
r/r 63765-128-3: Users/admin11/AppData/Local/Microsoft/Windows/UsrClass.dat
r/r 13929-128-3: Users/informant/AppData/Local/Microsoft/Windows/UsrClass.dat
r/r 70107-128-3: Users/temporary/AppData/Local/Microsoft/Windows/UsrClass.dat

┌──(root㉿forensiclinux)-[/FORENSIC/lab_data_leaks_Win]
└─# icat -o 206848 cfreds_2015_data_leakage_pc.dd 13929 > usrclass_informant.dat

┌──(root㉿forensiclinux)-[/FORENSIC/lab_data_leaks_Win]
└─# rip.pl -r usrclass_informant.dat -p muicache
Launching muicache v.20200525
muicache v.20200525
(NTUSER.DAT,USRCLASS.DAT) Gets EXEs from user's MUICache key

Software\Microsoft\Windows\ShellNoRoam\MUICache not found.

Local Settings\Software\Microsoft\Windows\Shell\MUICache
LastWrite Time 2015-03-25 15:29:12Z
C:\Windows\system32\WFS.exe (Microsoft Windows Fax and Scan)
C:\Program Files\Internet Explorer\iexplore.exe (Internet Explorer)
C:\Users\informant\Desktop\Download\IE11-Windows6.1-x64-en-us.exe (Internet Explorer 11 Setup utility)
C:\Windows\System32\xpsrchvw.exe (XPS Viewer)
```
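
The inode selection discussed in this issue, as an added example that is not part of the original post or the project's slides: a shell helper that resolves a named user's UsrClass.dat entry from `fls -rF` output and hands it to `icat`, so the number is not copied by hand. The function names are hypothetical, and the deleted-entry (`*`) line in the sample is constructed.

```bash
# Added example: resolve one user's UsrClass.dat MFT entry from `fls -rF`
# output instead of copying the number by hand. Function names are hypothetical.

# usrclass_inode USER : reads fls output on stdin, prints the entry number.
usrclass_inode() {
    awk -v user="$1" '
        BEGIN { want = tolower("users/" user "/appdata/local/microsoft/windows/usrclass.dat") }
        {
            # Layout: "r/r [*] <entry>-<type>-<id>[(realloc)]:<sep><path>"
            if (!match($0, /:[ \t]/)) next
            meta = substr($0, 1, RSTART - 1)
            path = substr($0, RSTART + 2)
            sub(/[ \t\r]+$/, "", path)
            if (tolower(path) != want) next   # whole path, not a substring match
            if (meta ~ /\*/) next             # "*" marks a deleted entry: skip it
            n = split(meta, f, /[ \t]+/)
            split(f[n], a, "-")               # 13929-128-3 -> 13929
            hit = a[1]; found++
        }
        END { if (found == 1) { print hit; exit 0 } exit 1 }  # none or ambiguous
    '
}

# Sample input: the three allocated lines are from the issue above; the
# deleted (*) line is constructed to show why such entries are skipped.
sample_fls() {
    cat <<'EOF'
r/r 63765-128-3: Users/admin11/AppData/Local/Microsoft/Windows/UsrClass.dat
r/r * 99999-128-3(realloc): Users/informant/AppData/Local/Microsoft/Windows/UsrClass.dat
r/r 13929-128-3: Users/informant/AppData/Local/Microsoft/Windows/UsrClass.dat
r/r 70107-128-3: Users/temporary/AppData/Local/Microsoft/Windows/UsrClass.dat
EOF
}

# extract_usrclass IMAGE OFFSET USER OUTFILE : needs The Sleuth Kit (fls, icat).
extract_usrclass() {
    _entry=$(fls -rF -o "$2" "$1" | usrclass_inode "$3") || {
        echo "no unique allocated UsrClass.dat for user $3" >&2
        return 1
    }
    icat -o "$2" "$1" "$_entry" > "$4"
}

sample_fls | usrclass_inode informant   # prints 13929
```

Against the image from the issue, the call would be `extract_usrclass cfreds_2015_data_leakage_pc.dd 206848 informant usrclass_informant.dat`, after which `rip.pl -r usrclass_informant.dat -p muicache` runs as shown above.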