Friday, June 13, 2008

What does this tell you?

I have been doing some testing with Harlan Carvey's RegRipper, which is a pretty cool tool, and I ran across this entry after running it against my ntuser.dat file.

ComDlg32\OpenSaveMRU
**All values printed in MRUList order.
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
LastWrite Time Wed Jun 11 18:48:27 2008 (UTC)

..
..

Subkey: pdf
LastWrite Time Fri Jun 13 12:41:16 2008 (UTC)
MRUList = cdba
c -> C:\Mark\dc3_challenge\methodology_form_blank.pdf
d -> C:\Mark\dc3_challenge\report_blank.pdf
b ->
a ->

..
..

I cut out the stuff before and after the pdf subkey. Now, after looking at this, what do you think it is telling you? Is this some kind of anti-forensics tool that was run? Why are there entries missing? I will hold off on the answer until next week to see if someone wants to throw an answer out there.
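
As an added example (not part of the original post and not RegRipper code), this Python script parses the text layout shown above and lists each value in MRUList order, flagging letters that the list references but whose data is empty. The function names are hypothetical and the sample input is the pdf subkey output from this post.

```python
import re

# Plugin output copied from the post above (elided parts left out).
SAMPLE = """\
Subkey: pdf
LastWrite Time Fri Jun 13 12:41:16 2008 (UTC)
MRUList = cdba
c -> C:\\Mark\\dc3_challenge\\methodology_form_blank.pdf
d -> C:\\Mark\\dc3_challenge\\report_blank.pdf
b ->
a ->
"""

def parse_subkeys(text):
    """Return {subkey: {"lastwrite": str, "mrulist": str, "values": {letter: data}}}."""
    subkeys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Subkey:"):
            current = {"lastwrite": None, "mrulist": "", "values": {}}
            subkeys[line.split(":", 1)[1].strip()] = current
        elif current is None:
            continue  # ignore anything before the first subkey header
        elif line.startswith("LastWrite Time"):
            current["lastwrite"] = line[len("LastWrite Time"):].strip()
        elif line.startswith("MRUList"):
            current["mrulist"] = line.split("=", 1)[1].strip()
        else:
            m = re.match(r"^([a-z])\s*->\s*(.*)$", line)
            if m:
                current["values"][m.group(1)] = m.group(2).strip()
    return subkeys

def review(subkey):
    """List (position, letter, data, status) in MRUList order, most recent first."""
    rows = []
    for pos, letter in enumerate(subkey["mrulist"]):
        if letter not in subkey["values"]:
            status = "no value printed"
        elif subkey["values"][letter] == "":
            status = "empty data"
        else:
            status = "ok"
        rows.append((pos, letter, subkey["values"].get(letter, ""), status))
    return rows

if __name__ == "__main__":
    for name, sk in parse_subkeys(SAMPLE).items():
        print(name, sk["lastwrite"])
        for row in review(sk):
            print("  %d %s %-12s %s" % (row[0], row[1], row[3], row[2]))
```

The script only reports which MRUList positions have empty data; it does not say why they are empty.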

Questions/Comments/Thoughts?
