Difference between pages "File:Timestomp mace change proof.jpg" and "Files changed at boot:Windows XP"
From Forensics Wiki
Cobalt2020 (Talk | contribs) (Timestomp MACE value change proof) |
(Editing Files changed at boot Windows XP) |
||
| Line 1: | Line 1: | ||
| − | + | == Methodology and tools == | |
| + | |||
| + | To make some different off line tests and collect this information you can boot test system and power off it without software shutdown. On other hand it is possible to make virtual system and make an offline test online :) | ||
| + | |||
| + | Tools you need are: qemu, fls, mactime. | ||
| + | |||
| + | Steps to reproduce: | ||
| + | * qemu-img create -f raw windows_xp.img 4G ( it should be exactly raw format ) | ||
| + | * install windows or other OS on this image | ||
| + | * qemu windows_xp.img -localtime ( option -localtime will help see exact boot/start time, it is important for our investigation ) | ||
| + | * fls -o 63 windows_xp.img -r -m / > body | ||
| + | * mactime -b body 10/18/2007 > afterboot_report ( 10/18/2007 instead here should be the day you make this test ) | ||
| + | |||
| + | |||
| + | Not all file marked as changed really changed. | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | == Files changed on boot == | ||
| + | <pre> | ||
| + | Sat Oct 20 2007 17:07:47 2097152 m.c -/-rwxrwxrwx 0 0 2427-128-3 /WINDOWS/system32/config/system | ||
| + | 201326592 m.c -/-r-xr-xr-x 0 0 27-128-1 /pagefile.sys | ||
| + | Sat Oct 20 2007 17:07:48 133746688 m.c -/-r-xr-xr-x 0 0 3316-128-1 /hiberfil.sys | ||
| + | Sat Oct 20 2007 17:07:49 256 ..c d/dr-xr-xr-x 0 0 8166-144-1 /Documents and Settings/NetworkService/Local Settings/History | ||
| + | 256 ..c d/dr-xr-xr-x 0 0 8809-144-1 /Documents and Settings/NetworkService/Local Settings/Application Data | ||
| + | 0 m.c -/-rwxrwxrwx 0 0 3337-128-11 /WINDOWS/Debug/PASSWD.LOG | ||
| + | 62 m.c -/-r-xr-xr-x 0 0 8815-128-1 /Documents and Settings/NetworkService/Local Settings/desktop.ini | ||
| + | 20 ..c -/-r-xr-xr-x 0 0 8814-128-1 /Documents and Settings/NetworkService/ntuser.ini | ||
| + | 56 ..c d/dr-xr-xr-x 0 0 8112-144-6 /Documents and Settings/NetworkService/Local Settings | ||
| + | 256 ..c d/dr-xr-xr-x 0 0 8114-144-1 /Documents and Settings/NetworkService/Local Settings/Temporary Internet Files | ||
| + | 2048 m.c -/-rwxrwxrwx 0 0 2261-128-1 /WINDOWS/bootstat.dat | ||
| + | Sat Oct 20 2007 17:07:51 56 ..c d/dr-xr-xr-x 0 0 8823-144-6 /Documents and Settings/LocalService/Local Settings | ||
| + | 20 ..c -/-r-xr-xr-x 0 0 8855-128-1 /Documents and Settings/LocalService/ntuser.ini | ||
| + | 62 m.c -/-r-xr-xr-x 0 0 8856-128-1 /Documents and Settings/LocalService/Local Settings/desktop.ini | ||
| + | 256 ..c d/dr-xr-xr-x 0 0 8850-144-1 /Documents and Settings/LocalService/Local Settings/Application Data | ||
| + | Sat Oct 20 2007 17:07:52 472 ..c d/dr-xr-xr-x 0 0 8903-144-1 /Documents and Settings/qwert/Local Settings/Application Data | ||
| + | 56 ..c d/dr-xr-xr-x 0 0 8893-144-6 /Documents and Settings/qwert/Local Settings | ||
| + | 256 ..c d/dr-xr-xr-x 0 0 8894-144-1 /Documents and Settings/qwert/Local Settings/Temporary Internet Files | ||
| + | 62 m.c -/-r-xr-xr-x 0 0 8959-128-3 /Documents and Settings/qwert/Local Settings/desktop.ini | ||
| + | 180 ..c -/-r-xr-xr-x 0 0 8968-128-1 /Documents and Settings/qwert/ntuser.ini | ||
| + | 256 ..c d/dr-xr-xr-x 0 0 8901-144-1 /Documents and Settings/qwert/Local Settings/History | ||
| + | 1024 m.c -/-r-xr-xr-x 0 0 3331-128-3 /WINDOWS/system32/config/SAM.LOG | ||
| + | Sat Oct 20 2007 17:07:53 280 ..c d/drwxrwxrwx 0 0 8863-144-5 /WINDOWS/Prefetch | ||
| + | 6 m.c -/-r-xr-xr-x 0 0 5269-128-11 /WINDOWS/Tasks/SA.DAT | ||
| + | Sat Oct 20 2007 17:08:00 16384 m.c -/-rwxrwxrwx 0 0 8826-128-3 /Documents and Settings/LocalService/Cookies/index.dat | ||
| + | 32768 m.c -/-rwxrwxrwx 0 0 8876-128-3 /Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/index.dat | ||
| + | 0 ..c -/-rwxrwxrwx 0 0 8828-128-1 /WINDOWS/Debug/oakley.log.sav | ||
| + | 0 mac -/-rwxrwxrwx 0 0 8844-128-1 /WINDOWS/Debug/oakley.log | ||
| + | 256 ..c d/drwxrwxrwx 0 0 8830-144-1 /Documents and Settings/LocalService/Local Settings/History | ||
| + | 152 ..c d/drwxrwxrwx 0 0 8832-144-1 /Documents and Settings/LocalService/Cookies | ||
| + | 256 ..c d/drwxrwxrwx 0 0 8831-144-1 /Documents and Settings/LocalService/Local Settings/History/History.IE5 | ||
| + | 56 ..c d/drwxrwxrwx 0 0 8825-144-5 /Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5 | ||
| + | 12104 m.c -/-rwxrwxrwx 0 0 3400-128-3 /WINDOWS/Debug/UserMode/userenv.log | ||
| + | 256 ..c d/drwxrwxrwx 0 0 8824-144-1 /Documents and Settings/LocalService/Local Settings/Temporary Internet Files | ||
| + | 16384 m.c -/-rwxrwxrwx 0 0 8827-128-3 /Documents and Settings/LocalService/Local Settings/History/History.IE5/index.dat | ||
| + | 696 mac d/drwxrwxrwx 0 0 88-144-1 /WINDOWS/Debug | ||
| + | Sat Oct 20 2007 17:08:03 261 ..c -/-rwxrwxrwx 0 0 5196-128-1 /WINDOWS/system32/wbem/Logs/FrameWork.log | ||
| + | 2439 ..c -/-rwxrwxrwx 0 0 5138-128-3 /WINDOWS/system32/wbem/Logs/wmiprov.log | ||
| + | 108 ..c -/-rwxrwxrwx 0 0 4446-128-1 /WINDOWS/system32/wbem/Logs/WinMgmt.log | ||
| + | 0 m.c -/-rwxrwxrwx 0 0 8974-128-10 /WINDOWS/0.log | ||
| + | 14365 ..c -/-rwxrwxrwx 0 0 7088-128-3 /WINDOWS/system32/wbem/Logs/wbemess.log | ||
| + | 120 ..c -/-rwxrwxrwx 0 0 5202-128-1 /WINDOWS/system32/wbem/Logs/wbemcore.log | ||
| + | 4943 ..c -/-rwxrwxrwx 0 0 5199-128-3 /WINDOWS/system32/wbem/Logs/setup.log | ||
| + | 97 ..c -/-rwxrwxrwx 0 0 9019-128-1 /WINDOWS/system32/wbem/Logs/wmiadap.log | ||
| + | 16 ..c -/-rwxrwxrwx 0 0 5209-128-1 /WINDOWS/system32/wbem/Repository/$WinMgmt.CFG | ||
| + | 950272 ..c -/-rwxrwxrwx 0 0 5206-128-3 /WINDOWS/system32/wbem/Repository/FS/INDEX.BTR | ||
| + | 5005312 ..c -/-rwxrwxrwx 0 0 5205-128-4 /WINDOWS/system32/wbem/Repository/FS/OBJECTS.DATA | ||
| + | 10021 ..c -/-rwxrwxrwx 0 0 5201-128-3 /WINDOWS/system32/wbem/Logs/mofcomp.log | ||
| + | Sat Oct 20 2007 17:08:08 1024 m.c -/-r-xr-xr-x 0 0 8967-128-4 /Documents and Settings/qwert/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG | ||
| + | Sat Oct 20 2007 17:08:09 1024 m.c -/-r-xr-xr-x 0 0 3332-128-3 /WINDOWS/system32/config/SECURITY.LOG | ||
| + | 1024 m.c -/-r-xr-xr-x 0 0 8813-128-4 /Documents and Settings/NetworkService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG | ||
| + | 1024 m.c -/-r-xr-xr-x 0 0 8854-128-4 /Documents and Settings/LocalService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG | ||
| + | Sat Oct 20 2007 17:08:18 8192 m.c -/-r-xr-xr-x 0 0 3869-128-4 /Documents and Settings/qwert/NTUSER.DAT.LOG | ||
| + | 56 mac d/drwxrwxrwx 0 0 5203-144-5 /WINDOWS/system32/wbem/Repository/FS | ||
| + | 488 mac -/-rwxrwxrwx 0 0 9021-128-1 /WINDOWS/system32/wbem/Repository/FS/INDEX.MAP | ||
| + | 8192 m.c -/-r-xr-xr-x 0 0 8808-128-4 /Documents and Settings/NetworkService/ntuser.dat.LOG | ||
| + | 8192 m.c -/-r-xr-xr-x 0 0 3321-128-3 /WINDOWS/system32/config/default.LOG | ||
| + | 8192 m.c -/-r-xr-xr-x 0 0 3320-128-0 /WINDOWS/system32/config/software.LOG | ||
| + | 8192 m.c -/-r-xr-xr-x 0 0 8849-128-4 /Documents and Settings/LocalService/ntuser.dat.LOG | ||
| + | 2468 mac -/-rwxrwxrwx 0 0 8866-128-4 /WINDOWS/system32/wbem/Repository/FS/OBJECTS.MAP | ||
| + | Sat Oct 20 2007 17:08:24 20480 m.c -/-r-xr-xr-x 0 0 3319-128-0 /WINDOWS/system32/config/system.LOG | ||
| + | </pre> | ||
| + | |||
| + | |||
| + | == Files changed on power off == | ||
| + | <pre> | ||
| + | Sat Oct 20 2007 17:12:00 2634 m.c -/-rwxrwxrwx 0 0 5138-128-3 /WINDOWS/system32/wbem/Logs/wmiprov.log | ||
| + | 162 m.c -/-rwxrwxrwx 0 0 4446-128-1 /WINDOWS/system32/wbem/Logs/WinMgmt.log | ||
| + | Sat Oct 20 2007 17:12:34 1024 m.c -/-r-xr-xr-x 0 0 3869-128-4 /Documents and Settings/qwert/NTUSER.DAT.LOG | ||
| + | 524288 ma. -/-r-xr-xr-x 0 0 3344-128-4 /Documents and Settings/qwert/NTUSER.DAT | ||
| + | 262144 ma. -/-r-xr-xr-x 0 0 8966-128-3 /Documents and Settings/qwert/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat | ||
| + | 180 m.c -/-r-xr-xr-x 0 0 8968-128-1 /Documents and Settings/qwert/ntuser.ini | ||
| + | Sat Oct 20 2007 17:12:36 56 mac d/drwxrwxrwx 0 0 5203-144-5 /WINDOWS/system32/wbem/Repository/FS | ||
| + | 6 m.c -/-r-xr-xr-x 0 0 5269-128-11 /WINDOWS/Tasks/SA.DAT | ||
| + | 2468 mac -/-rwxrwxrwx 0 0 8866-128-4 /WINDOWS/system32/wbem/Repository/FS/OBJECTS.MAP | ||
| + | 17121 m.c -/-rwxrwxrwx 0 0 7088-128-3 /WINDOWS/system32/wbem/Logs/wbemess.log | ||
| + | 2288 m.c -/-rwxrwxrwx 0 0 8862-128-3 /WINDOWS/SchedLgU.Txt | ||
| + | 488 mac -/-rwxrwxrwx 0 0 9021-128-1 /WINDOWS/system32/wbem/Repository/FS/INDEX.MAP | ||
| + | 65536 m.c -/-rwxrwxrwx 0 0 3341-128-1 /WINDOWS/system32/config/SysEvent.Evt | ||
| + | Sat Oct 20 2007 17:12:37 1024 m.c -/-r-xr-xr-x 0 0 3320-128-0 /WINDOWS/system32/config/software.LOG | ||
| + | 2048 m.c -/-rwxrwxrwx 0 0 2261-128-1 /WINDOWS/bootstat.dat | ||
| + | Sat Oct 20 2007 17:12:38 8650752 ma. -/-rwxrwxrwx 0 0 3298-128-3 /WINDOWS/inf/wkstamig.inf (deleted-realloc) | ||
| + | 8650752 ma. -/-rwxrwxrwx 0 0 3298-128-3 /WINDOWS/system32/config/software | ||
| + | 262144 ma. -/-r-xr-xr-x 0 0 8812-128-3 /Documents and Settings/NetworkService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat | ||
| + | 1024 m.c -/-r-xr-xr-x 0 0 3319-128-0 /WINDOWS/system32/config/system.LOG | ||
| + | 262144 ma. -/-r-xr-xr-x 0 0 8853-128-3 /Documents and Settings/LocalService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat | ||
| + | 2097152 ma. -/-rwxrwxrwx 0 0 2427-128-3 /WINDOWS/system32/config/system | ||
| + | 262144 ma. -/-rwxrwxrwx 0 0 3329-128-3 /WINDOWS/system32/config/SECURITY | ||
| + | 229376 ma. -/-r-xr-xr-x 0 0 7133-128-4 /Documents and Settings/NetworkService/NTUSER.DAT | ||
| + | 229376 ma. -/-r-xr-xr-x 0 0 8822-128-4 /Documents and Settings/LocalService/NTUSER.DAT | ||
| + | 262144 ma. -/-rwxrwxrwx 0 0 3899-128-3 /WINDOWS/system32/config/default | ||
| + | 262144 ma. -/-rwxrwxrwx 0 0 3330-128-3 /WINDOWS/system32/config/SAM | ||
| + | </pre> | ||
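Review bot: the step "fls -o 63 windows_xp.img -r -m / > body" in the Methodology section hard-codes the partition offset as sector 63 without saying where the value comes from; add a line telling the reader to confirm the offset for their own image (for example with mmls) before running fls. The closing sentence "Not all file marked as changed really changed" also needs a reason or a pointer to specific entries in the two listings, since the timeline alone does not show which entries it refers to.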
Revision as of 02:06, 26 October 2007
Methodology and tools
To run offline tests and collect this information, you can boot a test system and power it off without a software shutdown. Alternatively, you can build a virtual system and run the offline test online :)
The tools you need are qemu, fls, and mactime.
Steps to reproduce:
- qemu-img create -f raw windows_xp.img 4G (the image must be in raw format)
- Install Windows or another OS on this image
- qemu windows_xp.img -localtime (the -localtime option helps you see the exact boot/start time, which is important for this investigation)
- fls -o 63 windows_xp.img -r -m / > body
- mactime -b body 10/18/2007 > afterboot_report (replace 10/18/2007 with the day you run the test)
Not every file marked as changed has really changed.
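One way to separate real changes from timestamp-only updates, as an added example that is not part of the original wiki page: take a second `fls -m` body file before booting and compare it with the after-boot one. It assumes the Sleuth Kit 3.x body layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime); the sample entries and epoch values are constructed, and `parse_body` and `diff_bodies` are hypothetical helper names.

```python
from typing import NamedTuple

# Constructed sample body files (assumed TSK 3.x layout):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BEFORE_BOOT = """\
0|/WINDOWS/bootstat.dat|2261-128-1|r/rrwxrwxrwx|0|0|2048|1192800000|1192800000|1192800000|1192700000
0|/WINDOWS/system32/wbem/Logs/wmiprov.log|5138-128-3|r/rrwxrwxrwx|0|0|2439|1192800000|1192800000|1192800000|1192700000
0|/WINDOWS/Prefetch|8863-144-5|d/drwxrwxrwx|0|0|280|1192800000|1192800000|1192800000|1192700000
0|/WINDOWS/explorer.exe|100-128-3|r/rrwxrwxrwx|0|0|1033728|1192800000|1192800000|1192800000|1192700000
"""
AFTER_BOOT = """\
0|/WINDOWS/bootstat.dat|2261-128-1|r/rrwxrwxrwx|0|0|2048|1192800000|1192900069|1192900069|1192700000
0|/WINDOWS/system32/wbem/Logs/wmiprov.log|5138-128-3|r/rrwxrwxrwx|0|0|2634|1192800000|1192900320|1192900320|1192700000
0|/WINDOWS/Prefetch|8863-144-5|d/drwxrwxrwx|0|0|280|1192800000|1192800000|1192900073|1192700000
0|/WINDOWS/explorer.exe|100-128-3|r/rrwxrwxrwx|0|0|1033728|1192800000|1192800000|1192800000|1192700000
0|/WINDOWS/0.log|8974-128-10|r/rrwxrwxrwx|0|0|0|1192900083|1192900083|1192900083|1192900083
"""

class Entry(NamedTuple):
    name: str
    size: int
    times: tuple  # (mtime, atime, ctime, crtime), epoch seconds, in "macb" order

def parse_body(text):
    """Parse body-file text into {(inode, name): Entry}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _md5, rest = line.split("|", 1)
        # Split from the right so a '|' inside a file name cannot shift fields.
        (name, inode, _mode, _uid, _gid,
         size, atime, mtime, ctime, crtime) = rest.rsplit("|", 9)
        times = (int(mtime), int(atime), int(ctime), int(crtime))
        entries[(inode, name)] = Entry(name, int(size), times)
    return entries

def diff_bodies(before, after):
    """Return [(name, macb_flags, verdict)] for entries that differ, by name."""
    report = []
    for key, new in sorted(after.items(), key=lambda kv: kv[1].name):
        old = before.get(key)
        if old is None:
            report.append((new.name, "macb", "new entry"))
            continue
        flags = "".join(c if o != n else "."
                        for c, o, n in zip("macb", old.times, new.times))
        if flags == "...." and old.size == new.size:
            continue  # nothing moved between the two snapshots
        if old.size != new.size:
            verdict = "size changed"
        elif flags[0] == "m":
            verdict = "same size, mtime moved: hash to confirm"
        else:
            verdict = "timestamps only"
        report.append((new.name, flags, verdict))
    return report

if __name__ == "__main__":
    for row in diff_bodies(parse_body(BEFORE_BOOT), parse_body(AFTER_BOOT)):
        print("%-45s %s  %s" % row)
```

Entries with an unchanged size still need a content hash of both snapshots before they can be called unchanged, because fls leaves the MD5 field at 0.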
Files changed on boot
Sat Oct 20 2007 17:07:47 2097152 m.c -/-rwxrwxrwx 0 0 2427-128-3 /WINDOWS/system32/config/system
201326592 m.c -/-r-xr-xr-x 0 0 27-128-1 /pagefile.sys
Sat Oct 20 2007 17:07:48 133746688 m.c -/-r-xr-xr-x 0 0 3316-128-1 /hiberfil.sys
Sat Oct 20 2007 17:07:49 256 ..c d/dr-xr-xr-x 0 0 8166-144-1 /Documents and Settings/NetworkService/Local Settings/History
256 ..c d/dr-xr-xr-x 0 0 8809-144-1 /Documents and Settings/NetworkService/Local Settings/Application Data
0 m.c -/-rwxrwxrwx 0 0 3337-128-11 /WINDOWS/Debug/PASSWD.LOG
62 m.c -/-r-xr-xr-x 0 0 8815-128-1 /Documents and Settings/NetworkService/Local Settings/desktop.ini
20 ..c -/-r-xr-xr-x 0 0 8814-128-1 /Documents and Settings/NetworkService/ntuser.ini
56 ..c d/dr-xr-xr-x 0 0 8112-144-6 /Documents and Settings/NetworkService/Local Settings
256 ..c d/dr-xr-xr-x 0 0 8114-144-1 /Documents and Settings/NetworkService/Local Settings/Temporary Internet Files
2048 m.c -/-rwxrwxrwx 0 0 2261-128-1 /WINDOWS/bootstat.dat
Sat Oct 20 2007 17:07:51 56 ..c d/dr-xr-xr-x 0 0 8823-144-6 /Documents and Settings/LocalService/Local Settings
20 ..c -/-r-xr-xr-x 0 0 8855-128-1 /Documents and Settings/LocalService/ntuser.ini
62 m.c -/-r-xr-xr-x 0 0 8856-128-1 /Documents and Settings/LocalService/Local Settings/desktop.ini
256 ..c d/dr-xr-xr-x 0 0 8850-144-1 /Documents and Settings/LocalService/Local Settings/Application Data
Sat Oct 20 2007 17:07:52 472 ..c d/dr-xr-xr-x 0 0 8903-144-1 /Documents and Settings/qwert/Local Settings/Application Data
56 ..c d/dr-xr-xr-x 0 0 8893-144-6 /Documents and Settings/qwert/Local Settings
256 ..c d/dr-xr-xr-x 0 0 8894-144-1 /Documents and Settings/qwert/Local Settings/Temporary Internet Files
62 m.c -/-r-xr-xr-x 0 0 8959-128-3 /Documents and Settings/qwert/Local Settings/desktop.ini
180 ..c -/-r-xr-xr-x 0 0 8968-128-1 /Documents and Settings/qwert/ntuser.ini
256 ..c d/dr-xr-xr-x 0 0 8901-144-1 /Documents and Settings/qwert/Local Settings/History
1024 m.c -/-r-xr-xr-x 0 0 3331-128-3 /WINDOWS/system32/config/SAM.LOG
Sat Oct 20 2007 17:07:53 280 ..c d/drwxrwxrwx 0 0 8863-144-5 /WINDOWS/Prefetch
6 m.c -/-r-xr-xr-x 0 0 5269-128-11 /WINDOWS/Tasks/SA.DAT
Sat Oct 20 2007 17:08:00 16384 m.c -/-rwxrwxrwx 0 0 8826-128-3 /Documents and Settings/LocalService/Cookies/index.dat
32768 m.c -/-rwxrwxrwx 0 0 8876-128-3 /Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/index.dat
0 ..c -/-rwxrwxrwx 0 0 8828-128-1 /WINDOWS/Debug/oakley.log.sav
0 mac -/-rwxrwxrwx 0 0 8844-128-1 /WINDOWS/Debug/oakley.log
256 ..c d/drwxrwxrwx 0 0 8830-144-1 /Documents and Settings/LocalService/Local Settings/History
152 ..c d/drwxrwxrwx 0 0 8832-144-1 /Documents and Settings/LocalService/Cookies
256 ..c d/drwxrwxrwx 0 0 8831-144-1 /Documents and Settings/LocalService/Local Settings/History/History.IE5
56 ..c d/drwxrwxrwx 0 0 8825-144-5 /Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5
12104 m.c -/-rwxrwxrwx 0 0 3400-128-3 /WINDOWS/Debug/UserMode/userenv.log
256 ..c d/drwxrwxrwx 0 0 8824-144-1 /Documents and Settings/LocalService/Local Settings/Temporary Internet Files
16384 m.c -/-rwxrwxrwx 0 0 8827-128-3 /Documents and Settings/LocalService/Local Settings/History/History.IE5/index.dat
696 mac d/drwxrwxrwx 0 0 88-144-1 /WINDOWS/Debug
Sat Oct 20 2007 17:08:03 261 ..c -/-rwxrwxrwx 0 0 5196-128-1 /WINDOWS/system32/wbem/Logs/FrameWork.log
2439 ..c -/-rwxrwxrwx 0 0 5138-128-3 /WINDOWS/system32/wbem/Logs/wmiprov.log
108 ..c -/-rwxrwxrwx 0 0 4446-128-1 /WINDOWS/system32/wbem/Logs/WinMgmt.log
0 m.c -/-rwxrwxrwx 0 0 8974-128-10 /WINDOWS/0.log
14365 ..c -/-rwxrwxrwx 0 0 7088-128-3 /WINDOWS/system32/wbem/Logs/wbemess.log
120 ..c -/-rwxrwxrwx 0 0 5202-128-1 /WINDOWS/system32/wbem/Logs/wbemcore.log
4943 ..c -/-rwxrwxrwx 0 0 5199-128-3 /WINDOWS/system32/wbem/Logs/setup.log
97 ..c -/-rwxrwxrwx 0 0 9019-128-1 /WINDOWS/system32/wbem/Logs/wmiadap.log
16 ..c -/-rwxrwxrwx 0 0 5209-128-1 /WINDOWS/system32/wbem/Repository/$WinMgmt.CFG
950272 ..c -/-rwxrwxrwx 0 0 5206-128-3 /WINDOWS/system32/wbem/Repository/FS/INDEX.BTR
5005312 ..c -/-rwxrwxrwx 0 0 5205-128-4 /WINDOWS/system32/wbem/Repository/FS/OBJECTS.DATA
10021 ..c -/-rwxrwxrwx 0 0 5201-128-3 /WINDOWS/system32/wbem/Logs/mofcomp.log
Sat Oct 20 2007 17:08:08 1024 m.c -/-r-xr-xr-x 0 0 8967-128-4 /Documents and Settings/qwert/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
Sat Oct 20 2007 17:08:09 1024 m.c -/-r-xr-xr-x 0 0 3332-128-3 /WINDOWS/system32/config/SECURITY.LOG
1024 m.c -/-r-xr-xr-x 0 0 8813-128-4 /Documents and Settings/NetworkService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
1024 m.c -/-r-xr-xr-x 0 0 8854-128-4 /Documents and Settings/LocalService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
Sat Oct 20 2007 17:08:18 8192 m.c -/-r-xr-xr-x 0 0 3869-128-4 /Documents and Settings/qwert/NTUSER.DAT.LOG
56 mac d/drwxrwxrwx 0 0 5203-144-5 /WINDOWS/system32/wbem/Repository/FS
488 mac -/-rwxrwxrwx 0 0 9021-128-1 /WINDOWS/system32/wbem/Repository/FS/INDEX.MAP
8192 m.c -/-r-xr-xr-x 0 0 8808-128-4 /Documents and Settings/NetworkService/ntuser.dat.LOG
8192 m.c -/-r-xr-xr-x 0 0 3321-128-3 /WINDOWS/system32/config/default.LOG
8192 m.c -/-r-xr-xr-x 0 0 3320-128-0 /WINDOWS/system32/config/software.LOG
8192 m.c -/-r-xr-xr-x 0 0 8849-128-4 /Documents and Settings/LocalService/ntuser.dat.LOG
2468 mac -/-rwxrwxrwx 0 0 8866-128-4 /WINDOWS/system32/wbem/Repository/FS/OBJECTS.MAP
Sat Oct 20 2007 17:08:24 20480 m.c -/-r-xr-xr-x 0 0 3319-128-0 /WINDOWS/system32/config/system.LOG
Files changed on power off
Sat Oct 20 2007 17:12:00 2634 m.c -/-rwxrwxrwx 0 0 5138-128-3 /WINDOWS/system32/wbem/Logs/wmiprov.log
162 m.c -/-rwxrwxrwx 0 0 4446-128-1 /WINDOWS/system32/wbem/Logs/WinMgmt.log
Sat Oct 20 2007 17:12:34 1024 m.c -/-r-xr-xr-x 0 0 3869-128-4 /Documents and Settings/qwert/NTUSER.DAT.LOG
524288 ma. -/-r-xr-xr-x 0 0 3344-128-4 /Documents and Settings/qwert/NTUSER.DAT
262144 ma. -/-r-xr-xr-x 0 0 8966-128-3 /Documents and Settings/qwert/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
180 m.c -/-r-xr-xr-x 0 0 8968-128-1 /Documents and Settings/qwert/ntuser.ini
Sat Oct 20 2007 17:12:36 56 mac d/drwxrwxrwx 0 0 5203-144-5 /WINDOWS/system32/wbem/Repository/FS
6 m.c -/-r-xr-xr-x 0 0 5269-128-11 /WINDOWS/Tasks/SA.DAT
2468 mac -/-rwxrwxrwx 0 0 8866-128-4 /WINDOWS/system32/wbem/Repository/FS/OBJECTS.MAP
17121 m.c -/-rwxrwxrwx 0 0 7088-128-3 /WINDOWS/system32/wbem/Logs/wbemess.log
2288 m.c -/-rwxrwxrwx 0 0 8862-128-3 /WINDOWS/SchedLgU.Txt
488 mac -/-rwxrwxrwx 0 0 9021-128-1 /WINDOWS/system32/wbem/Repository/FS/INDEX.MAP
65536 m.c -/-rwxrwxrwx 0 0 3341-128-1 /WINDOWS/system32/config/SysEvent.Evt
Sat Oct 20 2007 17:12:37 1024 m.c -/-r-xr-xr-x 0 0 3320-128-0 /WINDOWS/system32/config/software.LOG
2048 m.c -/-rwxrwxrwx 0 0 2261-128-1 /WINDOWS/bootstat.dat
Sat Oct 20 2007 17:12:38 8650752 ma. -/-rwxrwxrwx 0 0 3298-128-3 /WINDOWS/inf/wkstamig.inf (deleted-realloc)
8650752 ma. -/-rwxrwxrwx 0 0 3298-128-3 /WINDOWS/system32/config/software
262144 ma. -/-r-xr-xr-x 0 0 8812-128-3 /Documents and Settings/NetworkService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
1024 m.c -/-r-xr-xr-x 0 0 3319-128-0 /WINDOWS/system32/config/system.LOG
262144 ma. -/-r-xr-xr-x 0 0 8853-128-3 /Documents and Settings/LocalService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
2097152 ma. -/-rwxrwxrwx 0 0 2427-128-3 /WINDOWS/system32/config/system
262144 ma. -/-rwxrwxrwx 0 0 3329-128-3 /WINDOWS/system32/config/SECURITY
229376 ma. -/-r-xr-xr-x 0 0 7133-128-4 /Documents and Settings/NetworkService/NTUSER.DAT
229376 ma. -/-r-xr-xr-x 0 0 8822-128-4 /Documents and Settings/LocalService/NTUSER.DAT
262144 ma. -/-rwxrwxrwx 0 0 3899-128-3 /WINDOWS/system32/config/default
262144 ma. -/-rwxrwxrwx 0 0 3330-128-3 /WINDOWS/system32/config/SAM
File history
| | Date/Time | Dimensions | User | Comment |
|---|---|---|---|---|
| current | 22:43, 18 March 2013 | 317 × 311 (28 KB) | Maintenance script (Talk) | Importing image file |