I believe that user.dat is the registry in Windows 95 and 98. Your best bet is to look at it under a registry editor (or a tool that can parse the information). My initial thought is that it could be an MRU (or Most Recently Used) link within the registry. In this particular case it could be web browsing. A lot would depend on where this information resided within the registry.

The reason I mentioned this is b/c I encountered this very issue when a client was trying to perform key word searches (on his own) on a live PC. He got a hit in user.dat. He was using the Windows search feature to conduct the searching, first in Outlook and then overall. After we looked in the registry file, a colleague and I determined that what he had found was evidence of his Outlook search in the registry. I don't have to tell anyone on this list the lesson he learned here . . .

Anyway, just an idea. Hope it helps.

Regards,
Doug

-----Original Message-----
From: Burnette, Michael
To: forensicsat_private
Sent: 4/23/02 4:08 PM
Subject: Desktop files enumerated in windows user.dat?

Is anyone aware of what the file listing at the end of a Windows 98 User.dat is? When I open the file with a text editor I see the following (binary removed):

ptsscreenshot1small.gif PTSSCR~1.GIF 108 O :i +00 #C:\ 1 ( n Windows 1 ( p Temp 1 2 o * good wife's guide.jpg GOODWI~1.JPG 109 O :i +00 #C:\ 1 ( n Windows 1 ( p Temp ( 2 * ATT00003.htm ATT00003.HTM 110 O :i +00 #C:\ 1 ( n Windows 1 ( p Temp ) 2 t +i UW Outing.jpg UWOUTI~1.JPG 111 O :i +00 #C:\ 1 ( n Windows 1 ( p Temp ( 2 t +i ~0022115.jpg ~0022115.JPG 112 O :i +00 #C:\ 1 ( n Windows 1 ( p Temp 7 2 -+

I looked at my own to compare and found the filenames in mine match my Windows 2000 desktop. The binary in between the filenames looks a lot like file attributes, although I haven't yet been able to decode the raw file using a DOS or W32 file time interpreter (winhex). Notice also the incrementing decimal values.
There are also entries for folders on the desktop. I'd be interested in knowing if anyone has a way to read this as a directory listing.

Thanks,

Michael Burnette
Rogers & Hardin LLP
Atlanta, GA USA

This message and any attachments are intended for the use of the addressee(s) only and may be confidential and covered by the attorney/client and other privileges. If the reader is not the intended recipient, DO NOT READ, notify sender and delete this message. In addition, be aware that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
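
The listing quoted in the thread shows each long filename directly followed by its 8.3 short name. The following is an added example, not code from either poster: it pulls printable runs out of a raw hive and keeps only adjacent runs that form a plausible long-name/8.3 pair. The function names, the NUL-separated layout of the constructed sample, and the simplified numeric-tail alias rule are assumptions; it does not decode the binary fields between the names.

```python
import re

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")              # strings(1)-style runs
SHORT_83 = re.compile(r"^([^a-z .]{1,8})\.([^a-z .]{1,3})$")
TAIL = re.compile(r"^(.*)~(\d+)$")                       # numeric tail, e.g. ~1

def alias_ok(long_name, short_name):
    """True if short_name is a plausible 8.3 alias of long_name."""
    m = SHORT_83.match(short_name)
    if not m or "." not in long_name:
        return False
    base, ext = long_name.rsplit(".", 1)
    # Spaces and extra dots are dropped, a few characters become "_".
    clean = re.sub(r"[+,;=\[\]]", "_", re.sub(r"[ .]", "", base)).upper()
    if ext.replace(" ", "").upper()[:3] != m.group(2):
        return False
    if m.group(1) == clean:          # name already fit 8.3, only upper-cased
        return True
    t = TAIL.match(m.group(1))
    if not t:
        return False
    keep = 8 - 1 - len(t.group(2))   # 6 characters for ~1..~9, 5 for ~10..~99
    return t.group(1) == clean[:keep]

def find_pairs(blob):
    """Return (long, short) for adjacent printable runs that form an alias pair."""
    runs = [r.group().decode("ascii") for r in PRINTABLE.finditer(blob)]
    return [(a, b) for a, b in zip(runs, runs[1:]) if alias_ok(a, b)]

# Constructed sample: names taken from the quoted listing, separated by NULs
# and filler bytes invented for this example (assumed layout, not a real hive).
SAMPLE = (
    b"\x01\x00ptsscreenshot1small.gif\x00PTSSCR~1.GIF\x00\x6c\x00\x14\x00"
    b"C:\\\x00Windows\x00Temp\x00\x02\x00"
    b"good wife's guide.jpg\x00GOODWI~1.JPG\x00\x6d\x00\x14\x00"
    b"C:\\\x00Windows\x00Temp\x00\x02\x00"
    b"~0022115.jpg\x00~0022115.JPG\x00\x70\x00"
)

if __name__ == "__main__":
    for long_name, short_name in find_pairs(SAMPLE):
        print(f"{short_name:<14}{long_name}")
```

On a real user.dat, run this against a working copy of the file and treat the output as leads to confirm in a registry viewer, since it ignores the key path the entries live under.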
This archive was generated by hypermail 2b30 : Wed Apr 24 2002 - 20:22:31 PDT