Difference between pages "File:Timestomp mace.jpg" and "Files changed at boot:Windows XP"

From ForensicsWiki
(Difference between pages)
(Screenshot of TimeStomp application being used to display MACE attributes of a text.txt file.)
 
m
 
Line 1: Line 1:
Screenshot of TimeStomp application being used to display MACE attributes of a text.txt file.
+
== Methodology and tools ==
 +
 
 +
To make some different off line tests and collect this information you can boot test system and power off it without software shutdown. On other hand it is possible to make virtual system and make an offline test online :)
 +
 
 +
Tools you need are: qemu, fls, mactime.  
 +
 
 +
Steps to reproduce:
 +
* qemu-img create -f raw windows_xp.img 4G ( it should be exactly raw format )
 +
* install Windows or other OS on this image
 +
* qemu windows_xp.img -localtime          ( option -localtime will help see exact boot/start time, it is important for our investigation )
 +
* fls -o 63 windows_xp.img -r -m / > body
 +
* mactime -b body 10/18/2007 > afterboot_report  ( 10/18/2007 instead here should be the day you make this test )
 +
 
 +
 
 +
Not all file marked as changed really changed.
 +
It is better to disable last access time update if you working with NTFS:
 +
 +
To disable Last Access timestamps create the following registry key on your run-time image:
 +
 
 +
<pre>
 +
      Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
 +
      Name: NtfsDisableLastAccessUpdate
 +
      Type: REG_DWORD
 +
      Value: 1
 +
</pre>
 +
 
 +
 
 +
== Files changed on boot ==
 +
<pre>
 +
Sat Oct 20 2007 17:07:47  2097152 m.c -/-rwxrwxrwx 0        0        2427-128-3 /WINDOWS/system32/config/system
 +
                        201326592 m.c -/-r-xr-xr-x 0        0        27-128-1 /pagefile.sys
 +
Sat Oct 20 2007 17:07:48 133746688 m.c -/-r-xr-xr-x 0        0        3316-128-1 /hiberfil.sys
 +
Sat Oct 20 2007 17:07:49      256 ..c d/dr-xr-xr-x 0        0        8166-144-1 /Documents and Settings/NetworkService/Local Settings/History
 +
                              256 ..c d/dr-xr-xr-x 0        0        8809-144-1 /Documents and Settings/NetworkService/Local Settings/Application Data
 +
                                0 m.c -/-rwxrwxrwx 0        0        3337-128-11 /WINDOWS/Debug/PASSWD.LOG
 +
                              62 m.c -/-r-xr-xr-x 0        0        8815-128-1 /Documents and Settings/NetworkService/Local Settings/desktop.ini
 +
                              20 ..c -/-r-xr-xr-x 0        0        8814-128-1 /Documents and Settings/NetworkService/ntuser.ini
 +
                              56 ..c d/dr-xr-xr-x 0        0        8112-144-6 /Documents and Settings/NetworkService/Local Settings
 +
                              256 ..c d/dr-xr-xr-x 0        0        8114-144-1 /Documents and Settings/NetworkService/Local Settings/Temporary Internet Files
 +
                            2048 m.c -/-rwxrwxrwx 0        0        2261-128-1 /WINDOWS/bootstat.dat
 +
Sat Oct 20 2007 17:07:51      56 ..c d/dr-xr-xr-x 0        0        8823-144-6 /Documents and Settings/LocalService/Local Settings
 +
                              20 ..c -/-r-xr-xr-x 0        0        8855-128-1 /Documents and Settings/LocalService/ntuser.ini
 +
                              62 m.c -/-r-xr-xr-x 0        0        8856-128-1 /Documents and Settings/LocalService/Local Settings/desktop.ini
 +
                              256 ..c d/dr-xr-xr-x 0        0        8850-144-1 /Documents and Settings/LocalService/Local Settings/Application Data
 +
Sat Oct 20 2007 17:07:52      472 ..c d/dr-xr-xr-x 0        0        8903-144-1 /Documents and Settings/qwert/Local Settings/Application Data
 +
                              56 ..c d/dr-xr-xr-x 0        0        8893-144-6 /Documents and Settings/qwert/Local Settings
 +
                              256 ..c d/dr-xr-xr-x 0        0        8894-144-1 /Documents and Settings/qwert/Local Settings/Temporary Internet Files
 +
                              62 m.c -/-r-xr-xr-x 0        0        8959-128-3 /Documents and Settings/qwert/Local Settings/desktop.ini
 +
                              180 ..c -/-r-xr-xr-x 0        0        8968-128-1 /Documents and Settings/qwert/ntuser.ini
 +
                              256 ..c d/dr-xr-xr-x 0        0        8901-144-1 /Documents and Settings/qwert/Local Settings/History
 +
                            1024 m.c -/-r-xr-xr-x 0        0        3331-128-3 /WINDOWS/system32/config/SAM.LOG
 +
Sat Oct 20 2007 17:07:53      280 ..c d/drwxrwxrwx 0        0        8863-144-5 /WINDOWS/Prefetch
 +
                                6 m.c -/-r-xr-xr-x 0        0        5269-128-11 /WINDOWS/Tasks/SA.DAT
 +
Sat Oct 20 2007 17:08:00    16384 m.c -/-rwxrwxrwx 0        0        8826-128-3 /Documents and Settings/LocalService/Cookies/index.dat
 +
                            32768 m.c -/-rwxrwxrwx 0        0        8876-128-3 /Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/index.dat
 +
                                0 ..c -/-rwxrwxrwx 0        0        8828-128-1 /WINDOWS/Debug/oakley.log.sav
 +
                                0 mac -/-rwxrwxrwx 0        0        8844-128-1 /WINDOWS/Debug/oakley.log
 +
                              256 ..c d/drwxrwxrwx 0        0        8830-144-1 /Documents and Settings/LocalService/Local Settings/History
 +
                              152 ..c d/drwxrwxrwx 0        0        8832-144-1 /Documents and Settings/LocalService/Cookies
 +
                              256 ..c d/drwxrwxrwx 0        0        8831-144-1 /Documents and Settings/LocalService/Local Settings/History/History.IE5
 +
                              56 ..c d/drwxrwxrwx 0        0        8825-144-5 /Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5
 +
                            12104 m.c -/-rwxrwxrwx 0        0        3400-128-3 /WINDOWS/Debug/UserMode/userenv.log
 +
                              256 ..c d/drwxrwxrwx 0        0        8824-144-1 /Documents and Settings/LocalService/Local Settings/Temporary Internet Files
 +
                            16384 m.c -/-rwxrwxrwx 0        0        8827-128-3 /Documents and Settings/LocalService/Local Settings/History/History.IE5/index.dat
 +
                              696 mac d/drwxrwxrwx 0        0        88-144-1 /WINDOWS/Debug
 +
Sat Oct 20 2007 17:08:03      261 ..c -/-rwxrwxrwx 0        0        5196-128-1 /WINDOWS/system32/wbem/Logs/FrameWork.log
 +
                            2439 ..c -/-rwxrwxrwx 0        0        5138-128-3 /WINDOWS/system32/wbem/Logs/wmiprov.log
 +
                              108 ..c -/-rwxrwxrwx 0        0        4446-128-1 /WINDOWS/system32/wbem/Logs/WinMgmt.log
 +
                                0 m.c -/-rwxrwxrwx 0        0        8974-128-10 /WINDOWS/0.log
 +
                            14365 ..c -/-rwxrwxrwx 0        0        7088-128-3 /WINDOWS/system32/wbem/Logs/wbemess.log
 +
                              120 ..c -/-rwxrwxrwx 0        0        5202-128-1 /WINDOWS/system32/wbem/Logs/wbemcore.log
 +
                            4943 ..c -/-rwxrwxrwx 0        0        5199-128-3 /WINDOWS/system32/wbem/Logs/setup.log
 +
                              97 ..c -/-rwxrwxrwx 0        0        9019-128-1 /WINDOWS/system32/wbem/Logs/wmiadap.log
 +
                              16 ..c -/-rwxrwxrwx 0        0        5209-128-1 /WINDOWS/system32/wbem/Repository/$WinMgmt.CFG
 +
                          950272 ..c -/-rwxrwxrwx 0        0        5206-128-3 /WINDOWS/system32/wbem/Repository/FS/INDEX.BTR
 +
                          5005312 ..c -/-rwxrwxrwx 0        0        5205-128-4 /WINDOWS/system32/wbem/Repository/FS/OBJECTS.DATA
 +
                            10021 ..c -/-rwxrwxrwx 0        0        5201-128-3 /WINDOWS/system32/wbem/Logs/mofcomp.log
 +
Sat Oct 20 2007 17:08:08    1024 m.c -/-r-xr-xr-x 0        0        8967-128-4 /Documents and Settings/qwert/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
 +
Sat Oct 20 2007 17:08:09    1024 m.c -/-r-xr-xr-x 0        0        3332-128-3 /WINDOWS/system32/config/SECURITY.LOG
 +
                            1024 m.c -/-r-xr-xr-x 0        0        8813-128-4 /Documents and Settings/NetworkService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
 +
                            1024 m.c -/-r-xr-xr-x 0        0        8854-128-4 /Documents and Settings/LocalService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
 +
Sat Oct 20 2007 17:08:18    8192 m.c -/-r-xr-xr-x 0        0        3869-128-4 /Documents and Settings/qwert/NTUSER.DAT.LOG
 +
                              56 mac d/drwxrwxrwx 0        0        5203-144-5 /WINDOWS/system32/wbem/Repository/FS
 +
                              488 mac -/-rwxrwxrwx 0        0        9021-128-1 /WINDOWS/system32/wbem/Repository/FS/INDEX.MAP
 +
                            8192 m.c -/-r-xr-xr-x 0        0        8808-128-4 /Documents and Settings/NetworkService/ntuser.dat.LOG
 +
                            8192 m.c -/-r-xr-xr-x 0        0        3321-128-3 /WINDOWS/system32/config/default.LOG
 +
                            8192 m.c -/-r-xr-xr-x 0        0        3320-128-0 /WINDOWS/system32/config/software.LOG
 +
                            8192 m.c -/-r-xr-xr-x 0        0        8849-128-4 /Documents and Settings/LocalService/ntuser.dat.LOG
 +
                            2468 mac -/-rwxrwxrwx 0        0        8866-128-4 /WINDOWS/system32/wbem/Repository/FS/OBJECTS.MAP
 +
Sat Oct 20 2007 17:08:24    20480 m.c -/-r-xr-xr-x 0        0        3319-128-0 /WINDOWS/system32/config/system.LOG
 +
</pre>
 +
 
 +
 
 +
== Files changed on power off ==
 +
<pre>
 +
Sat Oct 20 2007 17:12:00    2634 m.c -/-rwxrwxrwx 0        0        5138-128-3 /WINDOWS/system32/wbem/Logs/wmiprov.log
 +
                              162 m.c -/-rwxrwxrwx 0        0        4446-128-1 /WINDOWS/system32/wbem/Logs/WinMgmt.log
 +
Sat Oct 20 2007 17:12:34    1024 m.c -/-r-xr-xr-x 0        0        3869-128-4 /Documents and Settings/qwert/NTUSER.DAT.LOG
 +
                          524288 ma. -/-r-xr-xr-x 0        0        3344-128-4 /Documents and Settings/qwert/NTUSER.DAT
 +
                          262144 ma. -/-r-xr-xr-x 0        0        8966-128-3 /Documents and Settings/qwert/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
 +
                              180 m.c -/-r-xr-xr-x 0        0        8968-128-1 /Documents and Settings/qwert/ntuser.ini
 +
Sat Oct 20 2007 17:12:36      56 mac d/drwxrwxrwx 0        0        5203-144-5 /WINDOWS/system32/wbem/Repository/FS
 +
                                6 m.c -/-r-xr-xr-x 0        0        5269-128-11 /WINDOWS/Tasks/SA.DAT
 +
                            2468 mac -/-rwxrwxrwx 0        0        8866-128-4 /WINDOWS/system32/wbem/Repository/FS/OBJECTS.MAP
 +
                            17121 m.c -/-rwxrwxrwx 0        0        7088-128-3 /WINDOWS/system32/wbem/Logs/wbemess.log
 +
                            2288 m.c -/-rwxrwxrwx 0        0        8862-128-3 /WINDOWS/SchedLgU.Txt
 +
                              488 mac -/-rwxrwxrwx 0        0        9021-128-1 /WINDOWS/system32/wbem/Repository/FS/INDEX.MAP
 +
                            65536 m.c -/-rwxrwxrwx 0        0        3341-128-1 /WINDOWS/system32/config/SysEvent.Evt
 +
Sat Oct 20 2007 17:12:37    1024 m.c -/-r-xr-xr-x 0        0        3320-128-0 /WINDOWS/system32/config/software.LOG
 +
                            2048 m.c -/-rwxrwxrwx 0        0        2261-128-1 /WINDOWS/bootstat.dat
 +
Sat Oct 20 2007 17:12:38  8650752 ma. -/-rwxrwxrwx 0        0        3298-128-3 /WINDOWS/inf/wkstamig.inf (deleted-realloc)
 +
                          8650752 ma. -/-rwxrwxrwx 0        0        3298-128-3 /WINDOWS/system32/config/software
 +
                          262144 ma. -/-r-xr-xr-x 0        0        8812-128-3 /Documents and Settings/NetworkService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
 +
                            1024 m.c -/-r-xr-xr-x 0        0        3319-128-0 /WINDOWS/system32/config/system.LOG
 +
                          262144 ma. -/-r-xr-xr-x 0        0        8853-128-3 /Documents and Settings/LocalService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
 +
                          2097152 ma. -/-rwxrwxrwx 0        0        2427-128-3 /WINDOWS/system32/config/system
 +
                          262144 ma. -/-rwxrwxrwx 0        0        3329-128-3 /WINDOWS/system32/config/SECURITY
 +
                          229376 ma. -/-r-xr-xr-x 0        0        7133-128-4 /Documents and Settings/NetworkService/NTUSER.DAT
 +
                          229376 ma. -/-r-xr-xr-x 0        0        8822-128-4 /Documents and Settings/LocalService/NTUSER.DAT
 +
                          262144 ma. -/-rwxrwxrwx 0        0        3899-128-3 /WINDOWS/system32/config/default
 +
                          262144 ma. -/-rwxrwxrwx 0        0        3330-128-3 /WINDOWS/system32/config/SAM
 +
</pre>
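
Review bot: In the "Steps to reproduce" list, the step "fls -o 63 windows_xp.img -r -m / > body" hardcodes the partition offset as sector 63 without saying where the number comes from. State that it is the start sector of the file system inside the image and should be read from the image's partition table (for example with mmls from The Sleuth Kit), so the step still works on an image with a different layout. The mactime step uses 10/18/2007 while both listings are dated Sat Oct 20 2007; using the date of the captured run would avoid confusion. In "Files changed on power off", "/WINDOWS/inf/wkstamig.inf (deleted-realloc)" and "/WINDOWS/system32/config/software" share entry 3298-128-3 with the same size and flags; one sentence saying that the first is a deleted name pointing at a reallocated MFT entry would support the statement that not all files marked as changed really changed.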

Latest revision as of 07:56, 17 July 2008

Methodology and tools

To run offline tests and collect this information, you can boot a test system and power it off without a software shutdown. Alternatively, you can build a virtual system and run the offline test online :)

Tools you need are: qemu, fls, mactime.

Steps to reproduce:

  • qemu-img create -f raw windows_xp.img 4G (the image must be in raw format)
  • install Windows or another OS on this image
  • qemu windows_xp.img -localtime (the -localtime option makes the exact boot/start time visible, which is important for this investigation)
  • fls -o 63 windows_xp.img -r -m / > body
  • mactime -b body 10/18/2007 > afterboot_report (replace 10/18/2007 with the date on which you run the test)


Not all files marked as changed have really changed. It is better to disable last access time updates if you are working with NTFS.

To disable Last Access timestamps, create the following registry value on your run-time image:

      Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
      Name: NtfsDisableLastAccessUpdate
      Type: REG_DWORD
      Value: 1


Files changed on boot

Sat Oct 20 2007 17:07:47  2097152 m.c -/-rwxrwxrwx 0        0        2427-128-3 /WINDOWS/system32/config/system
                         201326592 m.c -/-r-xr-xr-x 0        0        27-128-1 /pagefile.sys
Sat Oct 20 2007 17:07:48 133746688 m.c -/-r-xr-xr-x 0        0        3316-128-1 /hiberfil.sys
Sat Oct 20 2007 17:07:49      256 ..c d/dr-xr-xr-x 0        0        8166-144-1 /Documents and Settings/NetworkService/Local Settings/History
                              256 ..c d/dr-xr-xr-x 0        0        8809-144-1 /Documents and Settings/NetworkService/Local Settings/Application Data
                                0 m.c -/-rwxrwxrwx 0        0        3337-128-11 /WINDOWS/Debug/PASSWD.LOG
                               62 m.c -/-r-xr-xr-x 0        0        8815-128-1 /Documents and Settings/NetworkService/Local Settings/desktop.ini
                               20 ..c -/-r-xr-xr-x 0        0        8814-128-1 /Documents and Settings/NetworkService/ntuser.ini
                               56 ..c d/dr-xr-xr-x 0        0        8112-144-6 /Documents and Settings/NetworkService/Local Settings
                              256 ..c d/dr-xr-xr-x 0        0        8114-144-1 /Documents and Settings/NetworkService/Local Settings/Temporary Internet Files
                             2048 m.c -/-rwxrwxrwx 0        0        2261-128-1 /WINDOWS/bootstat.dat
Sat Oct 20 2007 17:07:51       56 ..c d/dr-xr-xr-x 0        0        8823-144-6 /Documents and Settings/LocalService/Local Settings
                               20 ..c -/-r-xr-xr-x 0        0        8855-128-1 /Documents and Settings/LocalService/ntuser.ini
                               62 m.c -/-r-xr-xr-x 0        0        8856-128-1 /Documents and Settings/LocalService/Local Settings/desktop.ini
                              256 ..c d/dr-xr-xr-x 0        0        8850-144-1 /Documents and Settings/LocalService/Local Settings/Application Data
Sat Oct 20 2007 17:07:52      472 ..c d/dr-xr-xr-x 0        0        8903-144-1 /Documents and Settings/qwert/Local Settings/Application Data
                               56 ..c d/dr-xr-xr-x 0        0        8893-144-6 /Documents and Settings/qwert/Local Settings
                              256 ..c d/dr-xr-xr-x 0        0        8894-144-1 /Documents and Settings/qwert/Local Settings/Temporary Internet Files
                               62 m.c -/-r-xr-xr-x 0        0        8959-128-3 /Documents and Settings/qwert/Local Settings/desktop.ini
                              180 ..c -/-r-xr-xr-x 0        0        8968-128-1 /Documents and Settings/qwert/ntuser.ini
                              256 ..c d/dr-xr-xr-x 0        0        8901-144-1 /Documents and Settings/qwert/Local Settings/History
                             1024 m.c -/-r-xr-xr-x 0        0        3331-128-3 /WINDOWS/system32/config/SAM.LOG
Sat Oct 20 2007 17:07:53      280 ..c d/drwxrwxrwx 0        0        8863-144-5 /WINDOWS/Prefetch
                                6 m.c -/-r-xr-xr-x 0        0        5269-128-11 /WINDOWS/Tasks/SA.DAT
Sat Oct 20 2007 17:08:00    16384 m.c -/-rwxrwxrwx 0        0        8826-128-3 /Documents and Settings/LocalService/Cookies/index.dat
                            32768 m.c -/-rwxrwxrwx 0        0        8876-128-3 /Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/index.dat
                                0 ..c -/-rwxrwxrwx 0        0        8828-128-1 /WINDOWS/Debug/oakley.log.sav
                                0 mac -/-rwxrwxrwx 0        0        8844-128-1 /WINDOWS/Debug/oakley.log
                              256 ..c d/drwxrwxrwx 0        0        8830-144-1 /Documents and Settings/LocalService/Local Settings/History
                              152 ..c d/drwxrwxrwx 0        0        8832-144-1 /Documents and Settings/LocalService/Cookies
                              256 ..c d/drwxrwxrwx 0        0        8831-144-1 /Documents and Settings/LocalService/Local Settings/History/History.IE5
                               56 ..c d/drwxrwxrwx 0        0        8825-144-5 /Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5
                            12104 m.c -/-rwxrwxrwx 0        0        3400-128-3 /WINDOWS/Debug/UserMode/userenv.log
                              256 ..c d/drwxrwxrwx 0        0        8824-144-1 /Documents and Settings/LocalService/Local Settings/Temporary Internet Files
                            16384 m.c -/-rwxrwxrwx 0        0        8827-128-3 /Documents and Settings/LocalService/Local Settings/History/History.IE5/index.dat
                              696 mac d/drwxrwxrwx 0        0        88-144-1 /WINDOWS/Debug
Sat Oct 20 2007 17:08:03      261 ..c -/-rwxrwxrwx 0        0        5196-128-1 /WINDOWS/system32/wbem/Logs/FrameWork.log
                             2439 ..c -/-rwxrwxrwx 0        0        5138-128-3 /WINDOWS/system32/wbem/Logs/wmiprov.log
                              108 ..c -/-rwxrwxrwx 0        0        4446-128-1 /WINDOWS/system32/wbem/Logs/WinMgmt.log
                                0 m.c -/-rwxrwxrwx 0        0        8974-128-10 /WINDOWS/0.log
                            14365 ..c -/-rwxrwxrwx 0        0        7088-128-3 /WINDOWS/system32/wbem/Logs/wbemess.log
                              120 ..c -/-rwxrwxrwx 0        0        5202-128-1 /WINDOWS/system32/wbem/Logs/wbemcore.log
                             4943 ..c -/-rwxrwxrwx 0        0        5199-128-3 /WINDOWS/system32/wbem/Logs/setup.log
                               97 ..c -/-rwxrwxrwx 0        0        9019-128-1 /WINDOWS/system32/wbem/Logs/wmiadap.log
                               16 ..c -/-rwxrwxrwx 0        0        5209-128-1 /WINDOWS/system32/wbem/Repository/$WinMgmt.CFG
                           950272 ..c -/-rwxrwxrwx 0        0        5206-128-3 /WINDOWS/system32/wbem/Repository/FS/INDEX.BTR
                          5005312 ..c -/-rwxrwxrwx 0        0        5205-128-4 /WINDOWS/system32/wbem/Repository/FS/OBJECTS.DATA
                            10021 ..c -/-rwxrwxrwx 0        0        5201-128-3 /WINDOWS/system32/wbem/Logs/mofcomp.log
Sat Oct 20 2007 17:08:08     1024 m.c -/-r-xr-xr-x 0        0        8967-128-4 /Documents and Settings/qwert/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
Sat Oct 20 2007 17:08:09     1024 m.c -/-r-xr-xr-x 0        0        3332-128-3 /WINDOWS/system32/config/SECURITY.LOG
                             1024 m.c -/-r-xr-xr-x 0        0        8813-128-4 /Documents and Settings/NetworkService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
                             1024 m.c -/-r-xr-xr-x 0        0        8854-128-4 /Documents and Settings/LocalService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
Sat Oct 20 2007 17:08:18     8192 m.c -/-r-xr-xr-x 0        0        3869-128-4 /Documents and Settings/qwert/NTUSER.DAT.LOG
                               56 mac d/drwxrwxrwx 0        0        5203-144-5 /WINDOWS/system32/wbem/Repository/FS
                              488 mac -/-rwxrwxrwx 0        0        9021-128-1 /WINDOWS/system32/wbem/Repository/FS/INDEX.MAP
                             8192 m.c -/-r-xr-xr-x 0        0        8808-128-4 /Documents and Settings/NetworkService/ntuser.dat.LOG
                             8192 m.c -/-r-xr-xr-x 0        0        3321-128-3 /WINDOWS/system32/config/default.LOG
                             8192 m.c -/-r-xr-xr-x 0        0        3320-128-0 /WINDOWS/system32/config/software.LOG
                             8192 m.c -/-r-xr-xr-x 0        0        8849-128-4 /Documents and Settings/LocalService/ntuser.dat.LOG
                             2468 mac -/-rwxrwxrwx 0        0        8866-128-4 /WINDOWS/system32/wbem/Repository/FS/OBJECTS.MAP
Sat Oct 20 2007 17:08:24    20480 m.c -/-r-xr-xr-x 0        0        3319-128-0 /WINDOWS/system32/config/system.LOG


Files changed on power off

Sat Oct 20 2007 17:12:00     2634 m.c -/-rwxrwxrwx 0        0        5138-128-3 /WINDOWS/system32/wbem/Logs/wmiprov.log
                              162 m.c -/-rwxrwxrwx 0        0        4446-128-1 /WINDOWS/system32/wbem/Logs/WinMgmt.log
Sat Oct 20 2007 17:12:34     1024 m.c -/-r-xr-xr-x 0        0        3869-128-4 /Documents and Settings/qwert/NTUSER.DAT.LOG
                           524288 ma. -/-r-xr-xr-x 0        0        3344-128-4 /Documents and Settings/qwert/NTUSER.DAT
                           262144 ma. -/-r-xr-xr-x 0        0        8966-128-3 /Documents and Settings/qwert/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
                              180 m.c -/-r-xr-xr-x 0        0        8968-128-1 /Documents and Settings/qwert/ntuser.ini
Sat Oct 20 2007 17:12:36       56 mac d/drwxrwxrwx 0        0        5203-144-5 /WINDOWS/system32/wbem/Repository/FS
                                6 m.c -/-r-xr-xr-x 0        0        5269-128-11 /WINDOWS/Tasks/SA.DAT
                             2468 mac -/-rwxrwxrwx 0        0        8866-128-4 /WINDOWS/system32/wbem/Repository/FS/OBJECTS.MAP
                            17121 m.c -/-rwxrwxrwx 0        0        7088-128-3 /WINDOWS/system32/wbem/Logs/wbemess.log
                             2288 m.c -/-rwxrwxrwx 0        0        8862-128-3 /WINDOWS/SchedLgU.Txt
                              488 mac -/-rwxrwxrwx 0        0        9021-128-1 /WINDOWS/system32/wbem/Repository/FS/INDEX.MAP
                            65536 m.c -/-rwxrwxrwx 0        0        3341-128-1 /WINDOWS/system32/config/SysEvent.Evt
Sat Oct 20 2007 17:12:37     1024 m.c -/-r-xr-xr-x 0        0        3320-128-0 /WINDOWS/system32/config/software.LOG
                             2048 m.c -/-rwxrwxrwx 0        0        2261-128-1 /WINDOWS/bootstat.dat
Sat Oct 20 2007 17:12:38  8650752 ma. -/-rwxrwxrwx 0        0        3298-128-3 /WINDOWS/inf/wkstamig.inf (deleted-realloc)
                          8650752 ma. -/-rwxrwxrwx 0        0        3298-128-3 /WINDOWS/system32/config/software
                           262144 ma. -/-r-xr-xr-x 0        0        8812-128-3 /Documents and Settings/NetworkService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
                             1024 m.c -/-r-xr-xr-x 0        0        3319-128-0 /WINDOWS/system32/config/system.LOG
                           262144 ma. -/-r-xr-xr-x 0        0        8853-128-3 /Documents and Settings/LocalService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
                          2097152 ma. -/-rwxrwxrwx 0        0        2427-128-3 /WINDOWS/system32/config/system
                           262144 ma. -/-rwxrwxrwx 0        0        3329-128-3 /WINDOWS/system32/config/SECURITY
                           229376 ma. -/-r-xr-xr-x 0        0        7133-128-4 /Documents and Settings/NetworkService/NTUSER.DAT
                           229376 ma. -/-r-xr-xr-x 0        0        8822-128-4 /Documents and Settings/LocalService/NTUSER.DAT
                           262144 ma. -/-rwxrwxrwx 0        0        3899-128-3 /WINDOWS/system32/config/default
                           262144 ma. -/-rwxrwxrwx 0        0        3330-128-3 /WINDOWS/system32/config/SAM
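
The following is an added example, not part of the original wiki page: a parser for mactime reports like the two listings above, used to separate entries whose content was modified from metadata-only entries and to spot deleted names that share an MFT entry with a live file. The sample rows are copied from the listings on this page; the function names are hypothetical, and the reading of "m" as content modification and "c" as MFT-entry change follows The Sleuth Kit's NTFS mapping.

```python
import re
from collections import defaultdict

# Rows copied from this page's two listings (a subset, to keep the block short).
BOOT_REPORT = """\
Sat Oct 20 2007 17:07:47  2097152 m.c -/-rwxrwxrwx 0        0        2427-128-3 /WINDOWS/system32/config/system
                         201326592 m.c -/-r-xr-xr-x 0        0        27-128-1 /pagefile.sys
Sat Oct 20 2007 17:07:49      256 ..c d/dr-xr-xr-x 0        0        8166-144-1 /Documents and Settings/NetworkService/Local Settings/History
                              2048 m.c -/-rwxrwxrwx 0        0        2261-128-1 /WINDOWS/bootstat.dat
Sat Oct 20 2007 17:08:03      261 ..c -/-rwxrwxrwx 0        0        5196-128-1 /WINDOWS/system32/wbem/Logs/FrameWork.log
"""
POWEROFF_REPORT = """\
Sat Oct 20 2007 17:12:37     1024 m.c -/-r-xr-xr-x 0        0        3320-128-0 /WINDOWS/system32/config/software.LOG
                              2048 m.c -/-rwxrwxrwx 0        0        2261-128-1 /WINDOWS/bootstat.dat
Sat Oct 20 2007 17:12:38  8650752 ma. -/-rwxrwxrwx 0        0        3298-128-3 /WINDOWS/inf/wkstamig.inf (deleted-realloc)
                           8650752 ma. -/-rwxrwxrwx 0        0        3298-128-3 /WINDOWS/system32/config/software
                           2097152 ma. -/-rwxrwxrwx 0        0        2427-128-3 /WINDOWS/system32/config/system
"""

# date (optional), size, MAC flags, mode, uid, gid, inode, path (may contain spaces)
LINE = re.compile(
    r"^\s*(?:(?P<time>\w{3} \w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+)?"
    r"(?P<size>\d+)\s+(?P<flags>[macb.]{3,4})\s+(?P<mode>\S+)\s+"
    r"(?P<uid>\d+)\s+(?P<gid>\d+)\s+(?P<inode>\S+)\s+(?P<path>.+?)\s*$"
)
SUFFIX = re.compile(r"\s+\((deleted(?:-realloc)?)\)$")


def parse_report(text):
    """Parse mactime output; rows without a date inherit the previous row's time."""
    entries, last_time = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank or unrelated line
        last_time = m["time"] or last_time
        path, state = m["path"], "allocated"
        tag = SUFFIX.search(path)
        if tag:  # strip "(deleted)" / "(deleted-realloc)" and remember it
            path, state = path[:tag.start()], tag[1]
        entries.append({"time": last_time, "size": int(m["size"]),
                        "flags": m["flags"], "is_dir": m["mode"].startswith("d"),
                        "inode": m["inode"], "path": path, "state": state})
    return entries


def content_modified(entries):
    """Allocated files whose 'm' flag is set, i.e. content was written."""
    return sorted({e["path"] for e in entries
                   if "m" in e["flags"] and not e["is_dir"]
                   and e["state"] == "allocated"})


def metadata_only(entries):
    """Entries listed without 'm': only access or MFT-entry times moved."""
    return sorted({e["path"] for e in entries if "m" not in e["flags"]})


def shared_inodes(entries):
    """Inodes reported under more than one name (e.g. a deleted-realloc name)."""
    names = defaultdict(list)
    for e in entries:
        if e["path"] not in names[e["inode"]]:
            names[e["inode"]].append(e["path"])
    return {inode: paths for inode, paths in names.items() if len(paths) > 1}


def touched_in_both(first, second):
    """Paths that appear in both reports (changed at boot and at power off)."""
    return sorted({e["path"] for e in first} & {e["path"] for e in second})


if __name__ == "__main__":
    boot, off = parse_report(BOOT_REPORT), parse_report(POWEROFF_REPORT)
    print("content modified at boot:", content_modified(boot))
    print("metadata only at boot:   ", metadata_only(boot))
    print("shared MFT entries:      ", shared_inodes(off))
    print("touched in both phases:  ", touched_in_both(boot, off))
```

To use it on a full report, pass the text of afterboot_report to parse_report() instead of the embedded samples.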
