From 8dd9271c45a480725c555c99e9a42b2686606002 Mon Sep 17 00:00:00 2001
From: unknown
Date: Tue, 27 Oct 2015 00:08:09 -0500
Subject: [PATCH] Added GcLinkParser output to indexing examples
---
 index_reports.bat | 4 +-
 report_examples/gc_jmp_report.json | 27453 +++++++++++++++++++++
 report_examples/gc_lnk_report.json | 35276 +++++++++++++++++++++++++++
 3 files changed, 62732 insertions(+), 1 deletion(-)
 create mode 100644 report_examples/gc_jmp_report.json
 create mode 100644 report_examples/gc_lnk_report.json
diff --git a/index_reports.bat b/index_reports.bat
index 3c9a1e0..d32c7e8 100644
--- a/index_reports.bat
+++ b/index_reports.bat
@@ -3,4 +3,6 @@ elastichandler.py --host 127.0.0.1 --index case_index --config etc\tz_lp_config.
 elastichandler.py --host 127.0.0.1 --index case_index --config etc\tz_jmp_config.json --report report_examples\tz_jmp.txt
 elastichandler.py --host 127.0.0.1 --index case_index --config etc\tz_usp_config.json --report report_examples\tz_usp.txt
 elastichandler.py --host 127.0.0.1 --index case_index --config etc\tz_sbag_usrclass_config.json --report report_examples\tz_sbag_usrclass.txt
-elastichandler.py --host 127.0.0.1 --index case_index --config etc\tz_sbag_ntuser_config.json --report report_examples\tz_sbag_ntuser.txt
\ No newline at end of file
+elastichandler.py --host 127.0.0.1 --index case_index --config etc\tz_sbag_ntuser_config.json --report report_examples\tz_sbag_ntuser.txt
+elastichandler.py --host 127.0.0.1 --index case_index --config etc\gc_link_config.json --report report_examples\gc_lnk_report.json
+elastichandler.py --host 127.0.0.1 --index case_index --config etc\gc_link_config.json --report report_examples\gc_jmp_report.json
\ No newline at end of file
diff --git a/report_examples/gc_jmp_report.json b/report_examples/gc_jmp_report.json
new file mode 100644
index 0000000..cd0656d
--- /dev/null
+++ b/report_examples/gc_jmp_report.json
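Review bot: The two added lines in index_reports.bat both pass `--config etc\gc_link_config.json`, but the diffstat lists only the batch file and the two report files, so that config is not part of this commit; unless it already exists in the repository, both invocations will fail. The script has no error handling, so a failed run would be easy to miss in the output of the earlier ones; a guard such as `if not exist etc\gc_link_config.json (echo missing etc\gc_link_config.json & exit /b 1)` before the new lines would make it visible. The jump-list report added here carries a `DestInfo` object with `DLE_*` fields, so it is worth confirming the shared config maps them (for example `DLE_LastModificationDatetime` as a date); otherwise they are presumably left to the index's default handling and will not sort correctly in a timeline. The batch file begins above this hunk, so earlier lines were not reviewed.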
@@ -0,0 +1,27453 @@ +{ + "gc_link_file": [ + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Asgard Venture Capital, Inc. Team Site - Home.website", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Asgard Venture Capital, Inc. Team Site - Home.website", + "ModificationDateTime": "10/07/2013 08:29:45.330865", + "CmdArgs": "-private", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\10371.Donald.d53aec6c82c7bb74.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/07/2013 08:29:44.803771", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "d53aec6c82c7bb74", + "LnkTrgData": { + "ParentLongName": "Start Menu", + "DistinctTypesHex": "0x0L;0x31L;0x32L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "AppData", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232350, + "FileReferenceInt": 844424930364318, + "AccessTime": "09/23/2013 19:18:00.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232350-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Roaming", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 19:47:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Roaming", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232353, + "FileReferenceInt": 844424930364321, 
+ "AccessTime": "09/23/2013 19:47:22.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232353-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:41:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232356, + "FileReferenceInt": 844424930364324, + "AccessTime": "09/23/2013 20:41:52.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232356-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 19:22:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232357, + "FileReferenceInt": 844424930364325, + "AccessTime": "09/23/2013 19:22:20.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232357-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "STARTM~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/07/2013 08:29:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Start Menu", + "ExtentionBlockSize": 110, + "LocalizedName": "@shell32.dll,-21786", + "SeqNum": 3, + "EntryNum": 232365, + "FileReferenceInt": 844424930364333, + "AccessTime": "10/07/2013 08:29:46.000000", + 
"CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232365-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ASGARD~1.WEB", + "Location": null, + "Comments": null, + "ModificationTime": "10/07/2013 08:29:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 581, + "ExtentionBlocks": [ + { + "LongName": "Asgard Venture Capital, Inc. Team Site - Home.website", + "ExtentionBlockSize": 156, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 9165, + "FileReferenceInt": 1407374883562445, + "AccessTime": "10/07/2013 08:29:46.000000", + "CreationTime": "10/07/2013 08:29:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "9165-5" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "ParentRefStr": "232365-3", + "ParentEntryNum": 232365, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\SYSTEM32\\IEFRAME.dll", + "AppIdName": null, + "FileExt": "website", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Asgard Venture Capital, Inc. 
Team Site - Home.website", + "FileSize": 581, + "CreationDateTime": "10/07/2013 08:29:44.803771", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Business_Plan_Mail_Order_Pharmacy2.docx", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\Business_Plan_Mail_Order_Pharmacy2.docx", + "ModificationDateTime": "10/21/2013 18:39:57.951604", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 18:39:57.832760", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + 
"Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 27, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 130, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "87fa8fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "0ffc2c5c3be9dba9", + "DLE_Path": "C:\\Users\\Donald\\Documents\\Business_Plan_Mail_Order_Pharmacy2.docx", + "DLE_BirthDroidFileId": "87fa8fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "10/22/2013 16:33:53.934438", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\Business_Plan_Mail_Order_Pharmacy2.docx", + "FileSize": 504872, + "CreationDateTime": "10/21/2013 18:39:52.221974", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "HighFiveBusinessPlanV20.docx", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\HighFiveBusinessPlanV20.docx", + "ModificationDateTime": "10/21/2013 18:40:34.772638", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 18:40:34.572502", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + 
"ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 29, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 108, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "98fa8fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "428aad9b15dd555c", + "DLE_Path": "C:\\Users\\Donald\\Documents\\HighFiveBusinessPlanV20.docx", + "DLE_BirthDroidFileId": "98fa8fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "10/22/2013 16:33:23.142080", + "DLE_Unknown3": 1082130432, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": 
"bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\HighFiveBusinessPlanV20.docx", + "FileSize": 82297, + "CreationDateTime": "10/21/2013 18:40:27.821180", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": "https://asgardventurecapital.sharepoint.com/Shared%20Documents/Business%20Plans/Cafe-Paradiso-business-plan.docx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/05/2013 20:35:38.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + 
"Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:42.000000", + 
"ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://asgardventurecapital.sharepoint.com/Shared Documents/Business Plans/Cafe-Paradiso-business-plan.docx", + "DestInfo": { + "DLE_EntryNum": 7, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "f9a0fab670144c5e", + "DLE_Path": "ea61dd429b2c0cc1", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 
20:19:24.329871", + "DLE_Unknown3": 1082130432, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\WINWORD.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + "EnvVarLoc": null + }, + { + "VolumeLabel": "USB", + "BaseName": "business_plan1.doc", + "WorkingDir": null, + "LocalPath": "F:\\Templates\\business_plan1.doc", + "ModificationDateTime": "10/21/2013 19:47:30.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/21/2013 04:00:00.000000", + "DriveSerialNumber": "39c7-1beb", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 0, + "ParentRefStr": "253312-0", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "TEMPLA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 20:04:18.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Templates", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 253312, + "FileReferenceInt": 253312, + "AccessTime": "10/21/2013 04:00:00.000000", + "CreationTime": "10/21/2013 20:16:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "253312-0" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "BUSINE~3.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 
19:47:30.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 153600, + "ExtentionBlocks": [ + { + "LongName": "business_plan1.doc", + "ExtentionBlockSize": 86, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 2494848, + "FileReferenceInt": 2494848, + "AccessTime": "10/21/2013 04:00:00.000000", + "CreationTime": "10/21/2013 20:16:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "2494848-0" + }, + { + "ExtentionBlockSize": 44, + "Signature": "0xbeef001aL" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "F:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Templates", + "ParentEntryNum": 253312, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef001aL", + "ItemCount": 5, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 47, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 62, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "b2e03074a8381705", + "DLE_Path": "F:\\Templates\\business_plan1.doc", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 20:16:36.395256", + 
"DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "doc", + "NetworkPath": null, + "FileSize": 153600, + "CreationDateTime": "10/21/2013 20:16:24.870000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": "https://d.docs.live.net/7f095149027848ed/Documents/Articles/Jordan%20Boone%20Article.docx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + 
"Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 
20:28:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://d.docs.live.net/7f095149027848ed/Documents/Articles/Jordan Boone Article.docx", + "DestInfo": { + "DLE_EntryNum": 46, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "7deac3e627ad67b7", + "DLE_Path": "8323b258b5070ce5", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 
20:05:35.340216", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\WINWORD.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "Jordan Boone Article.docx", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:46:54.813631", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 20:04:16.941634", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 44, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_PathSize": 150, + "DLE_DroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_DroidFileId": "f4973a5b8b39e311be82000af7048353", + "DLE_Unknown1Hash": "ebf0b844580fbdbf", + "DLE_Path": "\\\\192.168.1.48\\Users\\dblak_000\\Documents\\Articles\\Jordan Boone Article.docx", + "DLE_BirthDroidFileId": "f4973a5b8b39e311be82000af7048353", + "DLE_LastModificationDatetime": "10/21/2013 20:04:45.958870", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\192.168.1.48\\USERS\\dblak_000\\Documents\\Articles\\Jordan Boone Article.docx", + "FileSize": 76387, + 
"CreationDateTime": "10/21/2013 20:04:16.941634", + "EnvVarLoc": "\\\\192.168.1.48\\Users\\dblak_000\\Documents\\Articles\\Jordan Boone Article.docx" + }, + { + "VolumeLabel": null, + "BaseName": "A Hubris Theory of Entrepreneurship.docx", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:46:54.416672", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 20:04:16.940634", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 43, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_PathSize": 180, + "DLE_DroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_DroidFileId": "f2973a5b8b39e311be82000af7048353", + "DLE_Unknown1Hash": "bde9170acfa9daae", + "DLE_Path": "\\\\192.168.1.48\\Users\\dblak_000\\Documents\\Articles\\A Hubris Theory of Entrepreneurship.docx", + "DLE_BirthDroidFileId": "f2973a5b8b39e311be82000af7048353", + "DLE_LastModificationDatetime": "10/21/2013 20:04:38.035390", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\192.168.1.48\\USERS\\dblak_000\\Documents\\Articles\\A Hubris Theory of Entrepreneurship.docx", + "FileSize": 89935, + "CreationDateTime": "10/21/2013 20:04:16.940634", + "EnvVarLoc": "\\\\192.168.1.48\\Users\\dblak_000\\Documents\\Articles\\A Hubris Theory of Entrepreneurship.docx" + }, + { + "VolumeLabel": null, + "BaseName": "Jordan Boone Article.docx", + "WorkingDir": null, + "LocalPath": null, + 
"ModificationDateTime": "10/21/2013 19:46:54.813631", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:46:54.635125", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 42, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_PathSize": 136, + "DLE_DroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_DroidFileId": "89973a5b8b39e311be82000af7048353", + "DLE_Unknown1Hash": "84c07757cb467d7f", + "DLE_Path": "\\\\VALHALLA\\Users\\Public\\Documents\\Articles\\Jordan Boone Article.docx", + "DLE_BirthDroidFileId": "89973a5b8b39e311be82000af7048353", + "DLE_LastModificationDatetime": "10/21/2013 19:52:51.020530", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "valhalla\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Articles\\Jordan Boone Article.docx", + "FileSize": 76387, + "CreationDateTime": "10/21/2013 19:46:54.635125", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Articles\\Jordan Boone Article.docx" + }, + { + "VolumeLabel": null, + "BaseName": "DECISION MAKING CONTINGENCIES.doc", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:46:54.626965", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:46:54.425004", + "DriveSerialNumber": "0000-0000", + "AppIdCode": 
"fb3b0dbfee58fac8", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 41, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_PathSize": 152, + "DLE_DroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_DroidFileId": "88973a5b8b39e311be82000af7048353", + "DLE_Unknown1Hash": "44197831088251c4", + "DLE_Path": "\\\\VALHALLA\\Users\\Public\\Documents\\Articles\\DECISION MAKING CONTINGENCIES.doc", + "DLE_BirthDroidFileId": "88973a5b8b39e311be82000af7048353", + "DLE_LastModificationDatetime": "10/21/2013 19:52:44.470779", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "valhalla\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "doc", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Articles\\DECISION MAKING CONTINGENCIES.doc", + "FileSize": 154112, + "CreationDateTime": "10/21/2013 19:46:54.425004", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Articles\\DECISION MAKING CONTINGENCIES.doc" + }, + { + "VolumeLabel": null, + "BaseName": "A Hubris Theory of Entrepreneurship.docx", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:46:54.416672", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:46:54.200067", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 40, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_PathSize": 166, + "DLE_DroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_DroidFileId": "81973a5b8b39e311be82000af7048353", + "DLE_Unknown1Hash": 
"58eb1033efe71a25", + "DLE_Path": "\\\\VALHALLA\\Users\\Public\\Documents\\Articles\\A Hubris Theory of Entrepreneurship.docx", + "DLE_BirthDroidFileId": "81973a5b8b39e311be82000af7048353", + "DLE_LastModificationDatetime": "10/21/2013 19:52:36.462080", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "valhalla\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Articles\\A Hubris Theory of Entrepreneurship.docx", + "FileSize": 89935, + "CreationDateTime": "10/21/2013 19:46:54.200067", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Articles\\A Hubris Theory of Entrepreneurship.docx" + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Mini Patisserie Business Plan2.docx", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\Mini Patisserie Business Plan2.docx", + "ModificationDateTime": "10/21/2013 19:35:44.705541", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 19:35:42.595515", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, 
+ "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 39, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 122, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "45fd8fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "bcd7ab845b0c5921", + "DLE_Path": "C:\\Users\\Donald\\Documents\\Mini Patisserie Business Plan2.docx", + "DLE_BirthDroidFileId": "45fd8fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "10/21/2013 19:40:21.929466", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\Mini Patisserie Business Plan2.docx", + "FileSize": 2026868, + "CreationDateTime": "10/21/2013 19:35:39.813921", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Mini Patisserie Business Plan.docx", + "WorkingDir": 
null, + "LocalPath": "C:\\Users\\Donald\\Documents\\Mini Patisserie Business Plan.docx", + "ModificationDateTime": "10/21/2013 18:44:49.258750", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 18:44:47.933961", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] 
+ }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 38, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 120, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "3ffd8fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "abb1438f8fb8dfd1", + "DLE_Path": "C:\\Users\\Donald\\Documents\\Mini Patisserie Business Plan.docx", + "DLE_BirthDroidFileId": "3ffd8fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "10/21/2013 19:35:24.426085", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\Mini Patisserie Business Plan.docx", + "FileSize": 2026404, + "CreationDateTime": "10/21/2013 18:44:45.783504", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Blue Harvest Business Plan.docx", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Dropbox\\Shared Documents\\Confidential Analysis Data\\Blue Harvest Business Plan.docx", + "ModificationDateTime": "08/12/2013 03:39:23.540000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/08/2013 19:18:11.402623", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "ParentLongName": "Confidential Analysis Data", + "DistinctTypesHex": "0x0L;0x31L;0x32L;0x1fL", + "ParentSeqNum": 4, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + 
"ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "Dropbox", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 48220, + "FileReferenceInt": 1125899906890844, + "AccessTime": "08/08/2013 19:17:00.000000", + "CreationTime": "08/08/2013 19:17:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "48220-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SHARED~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/08/2013 19:18:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Shared Documents", + "ExtentionBlockSize": 82, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 48358, + "FileReferenceInt": 1125899906890982, + "AccessTime": "08/08/2013 19:18:12.000000", + "CreationTime": "08/08/2013 19:18:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "48358-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "CONFID~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/08/2013 19:18:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Confidential Analysis Data", + "ExtentionBlockSize": 102, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 48359, + "FileReferenceInt": 1125899906890983, + "AccessTime": "08/08/2013 19:18:12.000000", + "CreationTime": "08/08/2013 19:18:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "48359-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "BLUEHA~1.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 03:39:24.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 2, + "Description": null, + "FileSize": 366117, + "ExtentionBlocks": [ + { + "LongName": "Blue Harvest Business Plan.docx", + "ExtentionBlockSize": 112, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 48361, + "FileReferenceInt": 2533274790444265, + "AccessTime": "08/08/2013 19:18:12.000000", + "CreationTime": "08/08/2013 19:18:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "48361-9" + }, + { + "ExtentionBlockSize": 46, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef001aL", + "ItemCount": 6, + "ParentRefStr": "48359-4", + "ParentEntryNum": 48359, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 37, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 198, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "9dfc8fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "3c3bbd03faf108f1", + "DLE_Path": "C:\\Users\\Donald\\Dropbox\\Shared Documents\\Confidential Analysis Data\\Blue Harvest Business Plan.docx", + "DLE_BirthDroidFileId": "9dfc8fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "08/01/2013 19:21:18.540328", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Dropbox\\Shared 
Documents\\Confidential Analysis Data\\Blue Harvest Business Plan.docx", + "FileSize": 366117, + "CreationDateTime": "08/08/2013 19:18:11.402623", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": "https://d.docs.live.net/7f095149027848ed/Documents/TIVO%20Research.docx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/26/2013 17:54:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/26/2013 17:54:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + 
"ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + 
"EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://d.docs.live.net/7f095149027848ed/Documents/TIVO Research.docx", + "DestInfo": { + "DLE_EntryNum": 4, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "f9e2382d554906a2", + "DLE_Path": "6cdf779d9a58a81a", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:57:56.134894", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": 
"%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\WINWORD.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + "EnvVarLoc": null + }, + { + "VolumeLabel": "USB", + "BaseName": "Mini Patisserie Business Plan.docx", + "WorkingDir": null, + "LocalPath": "F:\\Mini Patisserie Business Plan.docx", + "ModificationDateTime": "10/21/2013 18:44:50.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/21/2013 04:00:00.000000", + "DriveSerialNumber": "39c7-1beb", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "F:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x32L;0x2fL;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "MINIPA~1.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:44:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 2026404, + "ExtentionBlocks": [ + { + "LongName": "Mini Patisserie Business Plan.docx", + "ExtentionBlockSize": 118, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 251584, + "FileReferenceInt": 251584, + "AccessTime": "10/21/2013 04:00:00.000000", + "CreationTime": "10/21/2013 18:53:02.000000", + "Signature": 
"0xbeef0004L", + "RefNum": "251584-0" + }, + { + "ExtentionBlockSize": 46, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef001aL", + "ItemCount": 4, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 35, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 74, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "f5b1e52ba583d2f5", + "DLE_Path": "F:\\Mini Patisserie Business Plan.docx", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:56:06.241952", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": null, + "FileSize": 2026404, + "CreationDateTime": "10/21/2013 18:53:01.700000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "USB", + "BaseName": "HighFiveBusinessPlanV20.docx", + "WorkingDir": null, + "LocalPath": "F:\\HighFiveBusinessPlanV20.docx", + "ModificationDateTime": "10/21/2013 18:40:36.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/21/2013 04:00:00.000000", + 
"DriveSerialNumber": "39c7-1beb", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "F:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x32L;0x2fL;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "HIGHFI~1.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:40:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 82297, + "ExtentionBlocks": [ + { + "LongName": "HighFiveBusinessPlanV20.docx", + "ExtentionBlockSize": 106, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 251456, + "FileReferenceInt": 251456, + "AccessTime": "10/21/2013 04:00:00.000000", + "CreationTime": "10/21/2013 18:53:02.000000", + "Signature": "0xbeef0004L", + "RefNum": "251456-0" + }, + { + "ExtentionBlockSize": 46, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef001aL", + "ItemCount": 4, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 34, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 62, + 
"DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "84883eb51a16d31a", + "DLE_Path": "F:\\HighFiveBusinessPlanV20.docx", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:55:59.485311", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": null, + "FileSize": 82297, + "CreationDateTime": "10/21/2013 18:53:01.650000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "USB", + "BaseName": "Business_Plan_Mail_Order_Pharmacy.docx", + "WorkingDir": null, + "LocalPath": "F:\\Business_Plan_Mail_Order_Pharmacy.docx", + "ModificationDateTime": "10/21/2013 18:39:20.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/21/2013 04:00:00.000000", + "DriveSerialNumber": "39c7-1beb", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "F:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x32L;0x2fL;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "BUSINE~2.DOC", + 
"Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:39:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 504828, + "ExtentionBlocks": [ + { + "LongName": "Business_Plan_Mail_Order_Pharmacy.docx", + "ExtentionBlockSize": 126, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 251072, + "FileReferenceInt": 251072, + "AccessTime": "10/21/2013 04:00:00.000000", + "CreationTime": "10/21/2013 18:53:02.000000", + "Signature": "0xbeef0004L", + "RefNum": "251072-0" + }, + { + "ExtentionBlockSize": 46, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef001aL", + "ItemCount": 4, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 33, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 82, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "2580a703a38af973", + "DLE_Path": "F:\\Business_Plan_Mail_Order_Pharmacy.docx", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:55:29.821942", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": null, + "FileSize": 504828, + "CreationDateTime": "10/21/2013 18:53:01.000000", + "EnvVarLoc": 
null + }, + { + "VolumeLabel": "USB", + "BaseName": "Business Plan for a Startup Business_0.doc", + "WorkingDir": null, + "LocalPath": "F:\\Business Plan for a Startup Business_0.doc", + "ModificationDateTime": "10/13/2013 12:45:02.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/21/2013 04:00:00.000000", + "DriveSerialNumber": "39c7-1beb", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "F:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x32L;0x2fL;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "BUSINE~1.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "10/13/2013 12:45:02.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 235520, + "ExtentionBlocks": [ + { + "LongName": "Business Plan for a Startup Business_0.doc", + "ExtentionBlockSize": 134, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 250944, + "FileReferenceInt": 250944, + "AccessTime": "10/21/2013 04:00:00.000000", + "CreationTime": "10/21/2013 18:53:02.000000", + "Signature": "0xbeef0004L", + "RefNum": "250944-0" + }, + { + "ExtentionBlockSize": 44, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef001aL", + "ItemCount": 4, + "ParentEntryNum": 
null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 32, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 90, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "4a7fe048b1b1599f", + "DLE_Path": "F:\\Business Plan for a Startup Business_0.doc", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:55:26.851566", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "doc", + "NetworkPath": null, + "FileSize": 235520, + "CreationDateTime": "10/21/2013 18:53:00.900000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Mini Patisserie Business Plan.docx", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Dropbox\\Mini Patisserie Business Plan.docx", + "ModificationDateTime": "10/21/2013 18:44:49.258750", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/08/2013 19:17:42.568554", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "ParentLongName": "Dropbox", + "DistinctTypesHex": "0x0L;0x32L;0x1fL", + "ParentSeqNum": 4, 
+ "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "Dropbox", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 48220, + "FileReferenceInt": 1125899906890844, + "AccessTime": "08/08/2013 19:17:00.000000", + "CreationTime": "08/08/2013 19:17:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "48220-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "MINIPA~1.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:44:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 2026404, + "ExtentionBlocks": [ + { + "LongName": "Mini Patisserie Business Plan.docx", + "ExtentionBlockSize": 118, + "LocalizedName": null, + "SeqNum": 12, + "EntryNum": 48251, + "FileReferenceInt": 3377699720576123, + "AccessTime": "08/08/2013 19:17:44.000000", + "CreationTime": "10/21/2013 18:44:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "48251-12" + }, + { + "ExtentionBlockSize": 46, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L;0xbeef001aL", + "ItemCount": 4, + "ParentRefStr": "48220-4", + "ParentEntryNum": 48220, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + 
] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 31, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 116, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "b9fa8fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "cfb67808bf7a1f28", + "DLE_Path": "C:\\Users\\Donald\\Dropbox\\Mini Patisserie Business Plan.docx", + "DLE_BirthDroidFileId": "b9fa8fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "10/21/2013 18:46:46.233197", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Dropbox\\Mini Patisserie Business Plan.docx", + "FileSize": 2026404, + "CreationDateTime": "10/21/2013 18:44:45.783504", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": "https://asgardventurecapital.sharepoint.com/Shared%20Documents/Business%20Plans/In%20Review%20-%20NOT%20FOR%20RELEASE/Mini%20Patisserie%20Business%20Plan.docx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + 
"Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": 
"09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://asgardventurecapital.sharepoint.com/Shared Documents/Business Plans/In Review - NOT FOR RELEASE/Mini Patisserie Business Plan.docx", + "DestInfo": { + "DLE_EntryNum": 30, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "7b136d5a31b2396f", + "DLE_Path": "bbb92dbf17f83084", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:44:21.682746", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\WINWORD.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": "https://asgardventurecapital.sharepoint.com/Shared%20Documents/Business%20Plans/In%20Review%20-%20NOT%20FOR%20RELEASE/HighFiveBusinessPlanV20.docx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + 
"ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": 
"5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": 
"20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://asgardventurecapital.sharepoint.com/Shared Documents/Business Plans/In Review - NOT FOR RELEASE/HighFiveBusinessPlanV20.docx", + "DestInfo": { + "DLE_EntryNum": 28, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "d2c8125c3042c1f0", + "DLE_Path": "874dca898b5d58ec", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:40:11.850853", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\WINWORD.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": "https://asgardventurecapital.sharepoint.com/Shared%20Documents/Business%20Plans/In%20Review%20-%20NOT%20FOR%20RELEASE/Business_Plan_Mail_Order_Pharmacy2.docx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", 
+ "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/13/2013 09:39:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/13/2013 09:39:12.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": 
null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + 
"DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://asgardventurecapital.sharepoint.com/Shared Documents/Business Plans/In Review - NOT FOR RELEASE/Business_Plan_Mail_Order_Pharmacy2.docx", + "DestInfo": { + "DLE_EntryNum": 14, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "7ce23e2f520079fd", + "DLE_Path": "ff6765f71dca5a9c", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:39:34.735537", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\WINWORD.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Business_Plan_Mail_Order_Pharmacy.docx", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Dropbox\\Business_Plan_Mail_Order_Pharmacy.docx", + "ModificationDateTime": "10/21/2013 18:39:18.375599", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/08/2013 19:17:42.584180", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "ParentLongName": "Dropbox", + "DistinctTypesHex": "0x0L;0x32L;0x1fL", + "ParentSeqNum": 4, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "Dropbox", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 48220, + "FileReferenceInt": 1125899906890844, + "AccessTime": "08/08/2013 19:17:00.000000", + "CreationTime": "08/08/2013 19:17:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "48220-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "BUSINE~3.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:39:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 504828, + "ExtentionBlocks": [ + { + "LongName": "Business_Plan_Mail_Order_Pharmacy.docx", + "ExtentionBlockSize": 126, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 48259, + "FileReferenceInt": 844424930180227, + "AccessTime": "08/08/2013 19:17:44.000000", + "CreationTime": "10/21/2013 18:39:18.000000", + "Signature": "0xbeef0004L", + "RefNum": "48259-3" + }, + { + "ExtentionBlockSize": 46, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L;0xbeef001aL", + "ItemCount": 4, + "ParentRefStr": "48220-4", + "ParentEntryNum": 
48220, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 26, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 124, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "6ffa8fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "c08318bf902a52d3", + "DLE_Path": "C:\\Users\\Donald\\Dropbox\\Business_Plan_Mail_Order_Pharmacy.docx", + "DLE_BirthDroidFileId": "6ffa8fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "10/21/2013 18:39:17.505506", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Dropbox\\Business_Plan_Mail_Order_Pharmacy.docx", + "FileSize": 504828, + "CreationDateTime": "10/21/2013 18:39:17.443467", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": "https://asgardventurecapital.sharepoint.com/Shared%20Documents/Business%20Plans/In%20Review%20-%20NOT%20FOR%20RELEASE/Business_Plan_Mail_Order_Pharmacy.docx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Sparse 
File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/05/2013 20:35:38.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + 
"LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + 
"DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://asgardventurecapital.sharepoint.com/Shared Documents/Business Plans/In Review - NOT FOR RELEASE/Business_Plan_Mail_Order_Pharmacy.docx", + "DestInfo": { + "DLE_EntryNum": 13, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "7902fd3c0e701362", + "DLE_Path": "59c82c4ee11a0da0", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:38:58.871091", + "DLE_Unknown3": 1082130432, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\WINWORD.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": "https://d.docs.live.net/7f095149027848ed/Documents/Blue%20Harvest%20Business%20Plan.docx", + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": 
"file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://d.docs.live.net/7f095149027848ed/Documents/Blue Harvest Business Plan.docx", + "DestInfo": { + "DLE_EntryNum": 1, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "498350922b4dab63", + "DLE_Path": "28c11c7fb11f9db8", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:31:57.418503", + "DLE_Unknown3": 1084227584, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": 
"https://asgardventurecapital.sharepoint.com/Shared%20Documents/Confidential%20Analysis%20Data/Blue%20Harvest%20Business%20Plan.docx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + 
"Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": 
"00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://asgardventurecapital.sharepoint.com/Shared Documents/Confidential Analysis Data/Blue Harvest Business Plan.docx", + "DestInfo": { + "DLE_EntryNum": 2, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "b3ce48e2f68b8c1c", + "DLE_Path": "e231edf5f02d1ba6", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:31:37.405243", + "DLE_Unknown3": 1084227584, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, 
+ "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": "https://asgardventurecapital.sharepoint.com/Shared%20Documents/Business%20Plans/IR4%20Business%20Plan-Final.docx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", 
+ "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + 
"Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://asgardventurecapital.sharepoint.com/Shared Documents/Business Plans/IR4 Business Plan-Final.docx", + "DestInfo": { + "DLE_EntryNum": 23, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "0a55a1a306633373", + "DLE_Path": "9c01343b6806114f", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:29:05.152496", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\WINWORD.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + 
"EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Nokia Strategy.docx", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\Nokia Strategy.docx", + "ModificationDateTime": "10/21/2013 18:01:07.385983", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 18:03:17.090120", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 22, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 90, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "dcf88fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "5c69928b469250ba", + "DLE_Path": "C:\\Users\\Donald\\Documents\\Nokia Strategy.docx", + "DLE_BirthDroidFileId": "dcf88fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "10/21/2013 18:03:57.857730", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\Nokia Strategy.docx", + "FileSize": 117646, + "CreationDateTime": "10/21/2013 18:01:07.385983", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": "https://d.docs.live.net/7f095149027848ed/Documents/Business_Plan_Mail_Order_Pharmacy.docx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + 
"Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": 
"09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://d.docs.live.net/7f095149027848ed/Documents/Business_Plan_Mail_Order_Pharmacy.docx", + "DestInfo": { + "DLE_EntryNum": 21, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "41f7fa1f939acd73", + "DLE_Path": "f176e62d6f7d86ba", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/18/2013 02:20:40.930350", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\WINWORD.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + "EnvVarLoc": null + }, + { + "VolumeLabel": "BLAKE FILES", + "BaseName": "BusinessPlan.docx", + "WorkingDir": null, + "LocalPath": "E:\\BetterWidgets Business Plan\\BusinessPlan.docx", + "ModificationDateTime": "10/17/2013 21:07:06.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/17/2013 04:00:00.000000", + "DriveSerialNumber": "944e-9b06", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 0, + "ParentRefStr": "255072-0", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "BETTER~1", + "Location": null, + "Comments": null, 
+ "ModificationTime": "10/17/2013 21:06:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "BetterWidgets Business Plan", + "ExtentionBlockSize": 104, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 255072, + "FileReferenceInt": 255072, + "AccessTime": "10/17/2013 04:00:00.000000", + "CreationTime": "10/17/2013 21:06:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "255072-0" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "BUSINE~1.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "10/17/2013 21:07:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 25561, + "ExtentionBlocks": [ + { + "LongName": "BusinessPlan.docx", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 282368, + "FileReferenceInt": 282368, + "AccessTime": "10/17/2013 04:00:00.000000", + "CreationTime": "10/17/2013 21:07:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "282368-0" + }, + { + "ExtentionBlockSize": 46, + "Signature": "0xbeef001aL" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "E:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "BetterWidgets Business Plan", + "ParentEntryNum": 255072, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef001aL", + "ItemCount": 5, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + 
"Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 18, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 96, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "608a8fe7d1057e77", + "DLE_Path": "E:\\BetterWidgets Business Plan\\BusinessPlan.docx", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/17/2013 21:07:03.283217", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": null, + "FileSize": 25561, + "CreationDateTime": "10/17/2013 21:07:03.220000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": "https://d.docs.live.net/7f095149027848ed/Documents/Skype%20Transfer%20Files/BusinessPlan.doc", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + 
"Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/13/2013 09:39:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/13/2013 09:39:12.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + 
"Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + 
"ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://d.docs.live.net/7f095149027848ed/Documents/Skype Transfer Files/BusinessPlan.doc", + "DestInfo": { + "DLE_EntryNum": 16, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "46ecaffe5dff17b2", + "DLE_Path": "f61225b32c508ec5", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/17/2013 21:06:30.755552", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\WINWORD.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Normal.dotm", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm", + "ModificationDateTime": "10/09/2013 15:51:46.491771", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/09/2013 15:51:46.448742", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "ParentLongName": "Templates", + "DistinctTypesHex": "0x0L;0x31L;0x32L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + 
"ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "AppData", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232350, + "FileReferenceInt": 844424930364318, + "AccessTime": "09/23/2013 19:18:00.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232350-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Roaming", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 19:47:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Roaming", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232353, + "FileReferenceInt": 844424930364321, + "AccessTime": "09/23/2013 19:47:22.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232353-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:41:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232356, + "FileReferenceInt": 844424930364324, + "AccessTime": "09/23/2013 20:41:52.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232356-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "TEMPLA~1", + 
"Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 15:51:48.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Templates", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 130530, + "FileReferenceInt": 844424930262498, + "AccessTime": "10/09/2013 15:51:48.000000", + "CreationTime": "08/12/2013 01:32:34.000000", + "Signature": "0xbeef0004L", + "RefNum": "130530-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "NORMAL~1.DOT", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 15:51:48.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 19416, + "ExtentionBlocks": [ + { + "LongName": "Normal.dotm", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 175, + "EntryNum": 414, + "FileReferenceInt": 49258120924365214, + "AccessTime": "10/09/2013 15:51:48.000000", + "CreationTime": "08/12/2013 01:32:42.000000", + "Signature": "0xbeef0004L", + "RefNum": "414-175" + }, + { + "ExtentionBlockSize": 70, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef001aL", + "ItemCount": 7, + "ParentRefStr": "130530-3", + "ParentEntryNum": 130530, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 10, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": 
"92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 126, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "aebc73d3a032e311be8684c15d8d3bd3", + "DLE_Unknown1Hash": "b62d2cc221b44c44", + "DLE_Path": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm", + "DLE_BirthDroidFileId": "aebc73d3a032e311be8684c15d8d3bd3", + "DLE_LastModificationDatetime": "10/17/2013 19:19:37.340969", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "dotm", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm", + "FileSize": 19416, + "CreationDateTime": "08/12/2013 01:32:40.412051", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "Business Plan for a Startup Business_0.doc", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/13/2013 12:45:02.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/17/2013 16:53:50.916042", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 17, + "ParentRefStr": "44735-17", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Templates", + "Location": null, + "Comments": null, + "ModificationTime": "10/17/2013 16:53:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 4096, + "ExtentionBlocks": [ + { + "LongName": "Templates", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 17, + "EntryNum": 
44735, + "FileReferenceInt": 4785074604125887, + "AccessTime": "10/17/2013 16:53:56.000000", + "CreationTime": "10/17/2013 16:53:52.000000", + "Signature": "0xbeef0004L", + "RefNum": "44735-17" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "Business Plan for a Startup Business_0.doc", + "Location": null, + "Comments": null, + "ModificationTime": "10/13/2013 12:45:02.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 235520, + "ExtentionBlocks": [ + { + "LongName": "Business Plan for a Startup Business_0.doc", + "ExtentionBlockSize": 134, + "LocalizedName": null, + "SeqNum": 21, + "EntryNum": 44767, + "FileReferenceInt": 5910974510968543, + "AccessTime": "10/17/2013 16:53:52.000000", + "CreationTime": "10/17/2013 16:53:52.000000", + "Signature": "0xbeef0004L", + "RefNum": "44767-21" + }, + { + "ExtentionBlockSize": 44, + "Signature": "0xbeef001aL" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "P:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Templates", + "ParentEntryNum": 44735, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef001aL", + "ItemCount": 5, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 15, + 
"DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "0c439b5510b9924a8098dc78480e7f56", + "DLE_PathSize": 110, + "DLE_DroidVolId": "0c439b5510b9924a8098dc78480e7f56", + "DLE_DroidFileId": "63d62f25c635e311be80000af7048353", + "DLE_Unknown1Hash": "de7d37d72ed038df", + "DLE_Path": "P:\\Templates\\Business Plan for a Startup Business_0.doc", + "DLE_BirthDroidFileId": "63d62f25c635e311be80000af7048353", + "DLE_LastModificationDatetime": "10/17/2013 19:19:37.088722", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "valhalla\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "doc", + "NetworkPath": "\\\\valhalla\\Public\\Templates\\Business Plan for a Startup Business_0.doc", + "FileSize": 235520, + "CreationDateTime": "10/17/2013 16:53:50.916042", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": "https://asgardventurecapital-my.sharepoint.com/personal/dblake_asgard-venture-capital_com/Documents/Shared%20with%20Everyone/Cafe-Paradiso-business-plan.docx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:38.000000", + 
"ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/05/2013 20:35:38.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + 
"ExtentionBlocks": [] + } + ] + }, + "Description": "https://asgardventurecapital-my.sharepoint.com/personal/dblake_asgard-venture-capital_com/Documents/Shared with Everyone/Cafe-Paradiso-business-plan.docx", + "DestInfo": { + "DLE_EntryNum": 9, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "54f6b27dc38fb2b8", + "DLE_Path": "6fad4e576c7d0e85", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/07/2013 08:36:38.318776", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\WINWORD.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": "https://asgardventurecapital-my.sharepoint.com/personal/dblake_asgard-venture-capital_com/Documents/Cafe-Paradiso-business-plan.docx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\114461.Donald.fb3b0dbfee58fac8.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "fb3b0dbfee58fac8", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { 
+ "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/05/2013 20:35:38.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": 
"0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + 
"Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://asgardventurecapital-my.sharepoint.com/personal/dblake_asgard-venture-capital_com/Documents/Cafe-Paradiso-business-plan.docx", + "DestInfo": { + "DLE_EntryNum": 8, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "d15c1513bb1349f6", + "DLE_Path": "d824bcc3f1318c49", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/07/2013 08:33:35.912452", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\WINWORD.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Experience_the_Lenovo_Ideapad_Yoga(1).mov", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Public\\Videos\\Experience_the_Lenovo_Ideapad_Yoga(1).mov", + "ModificationDateTime": "08/21/2012 04:17:48.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\125647.Donald.4cb9c5750d51c07f.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "06/02/2013 03:47:15.541288", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "4cb9c5750d51c07f", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + 
"ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 1, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 128, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "aba6d765fc02e311be7b24fd52566ede", + "DLE_Unknown1Hash": "29c1cb0e1a12cb1f", + "DLE_Path": "C:\\Users\\Public\\Videos\\Experience_the_Lenovo_Ideapad_Yoga(1).mov", + "DLE_BirthDroidFileId": "aba6d765fc02e311be7b24fd52566ede", + "DLE_LastModificationDatetime": "08/12/2013 03:40:17.153824", + "DLE_Unknown3": 1065353216, + 
"DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "mov", + "NetworkPath": null, + "FileSize": 107221744, + "CreationDateTime": "06/02/2013 03:47:15.541288", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\130109.Donald.963d367dc16ff261.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "963d367dc16ff261", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 86, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 1, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 34, + "DLE_DroidVolId": 
"00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "0dfaccb13f67f365", + "DLE_Path": "wlpeople:viewme,,", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/01/2013 17:21:12.463130", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\168039.Donald.5d696d521de238c3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 34, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + 
"ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 10, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 102, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "3b8d21b280786af1", + "DLE_Path": "http://24.234.116.34/common_ip_cgi/hn_seachange.cgi", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/21/2013 17:01:52.349938", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\168039.Donald.5d696d521de238c3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 
34, + "Signature": "0xbeef001aL" + }, + { + "ExtentionBlockSize": 34, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL;0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 8, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 114, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "278cbfedbbd25136", + "DLE_Path": "http://go.microsoft.com/fwlink/?LinkID=219472&clcid=0x409", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/19/2013 20:00:16.503498", + "DLE_Unknown3": 1082130432, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\168039.Donald.5d696d521de238c3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "ParentLongName": null, + 
"DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 34, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 9, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 104, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "01edb3f9480e933a", + "DLE_Path": "http://24.234.111.114/common_ip_cgi/hn_seachange.cgi", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/12/2013 06:45:40.344800", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": 
null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\168039.Donald.5d696d521de238c3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 34, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 7, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 344, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "03954b33b539d747", + "DLE_Path": "http://nmd.washiad2.dulleva.wayport.net/index.adp?MacAddr=24%3aFD%3a52%3a56%3a47%3aD2&IpAddr=10%2e30%2e28%2e135&vsgpId=&vsgId=80430&UserAgent=&ProxyHost=&TunnelIfId=6340096", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/11/2013 23:30:36.716781", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": 
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\168039.Donald.5d696d521de238c3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 34, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 6, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 148, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": 
"00000000000000000000000000000000", + "DLE_Unknown1Hash": "2df0f167013dca42", + "DLE_Path": "https://www.facebook.com/confirmcontact.php?c=239539&gfid=AQAiLDTpb-8LHLWv", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/11/2013 16:31:19.685471", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\168039.Donald.5d696d521de238c3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 34, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + 
"ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 5, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 344, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "e8d342f6344cc9f7", + "DLE_Path": "http://nmd.landrysmscc.dca.wayport.net/index.adp?MacAddr=24%3aFD%3a52%3a56%3a47%3aD2&IpAddr=192%2e168%2e5%2e89&vsgpId=&vsgId=965336&UserAgent=&ProxyHost=&TunnelIfId=6363033", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/06/2013 02:37:12.523494", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\168039.Donald.5d696d521de238c3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 34, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 4, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 346, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "890b5d7375b9aafd", + "DLE_Path": "http://nmd.landrysmscc.dca.wayport.net/index.adp?MacAddr=24%3aFD%3a52%3a56%3a47%3aD2&IpAddr=192%2e168%2e8%2e100&vsgpId=&vsgId=965336&UserAgent=&ProxyHost=&TunnelIfId=6363033", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/06/2013 02:36:17.738439", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\168039.Donald.5d696d521de238c3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, 
+ "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 34, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 3, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 200, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "eccd7cd77a28d5f0", + "DLE_Path": "http://www.linkedin.com/e/bgaybo-hl8hyebx-1w/nth/false/eml_nus_home_top/?hs=false&tok=3HHatrYeuOz5U1", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/06/2013 02:34:22.358967", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + 
"CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\168039.Donald.5d696d521de238c3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 34, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 2, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 196, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "1dc65649a7cf539e", + "DLE_Path": "https://www.amazon.com/gp/kindle/kcp/links?deviceType=A3C2X3KG4GJCOD&eid=meow&method=CreateAccount", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", 
+ "DLE_LastModificationDatetime": "09/02/2013 20:13:15.665250", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\168039.Donald.5d696d521de238c3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 34, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 1, + "DLE_Unknown2": 0, + 
"DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 164, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "4601bb6348d87a39", + "DLE_Path": "http://www.complex.com/sports/2013/06/the-15-most-boring-athletes-in-sports-today/", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/02/2013 20:12:42.846316", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "fy08-form-10k.pdf", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Downloads\\fy08-form-10k.pdf", + "ModificationDateTime": "09/03/2013 02:13:52.121615", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\177625.Donald.8c13ec8fe80df7ec.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/03/2013 02:13:52.079075", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "8c13ec8fe80df7ec", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x32L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": 
"FY08-F~1.PDF", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:13:54.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 387852, + "ExtentionBlocks": [ + { + "LongName": "fy08-form-10k.pdf", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 177624, + "FileReferenceInt": 844424930309592, + "AccessTime": "09/03/2013 02:13:54.000000", + "CreationTime": "09/03/2013 02:13:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "177624-3" + }, + { + "ExtentionBlockSize": 86, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef001aL", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 1, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 86, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "b19765a09a11e311be7d24fd52566ede", + "DLE_Unknown1Hash": "65185822b33fe98d", + "DLE_Path": "C:\\Users\\Donald\\Downloads\\fy08-form-10k.pdf", + "DLE_BirthDroidFileId": "b19765a09a11e311be7d24fd52566ede", + "DLE_LastModificationDatetime": "09/03/2013 02:13:56.578027", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "pdf", + "NetworkPath": null, + "FileSize": 387852, + "CreationDateTime": "09/03/2013 02:13:52.079075", + "EnvVarLoc": 
null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "SEC-NFLX-1193125-12-53009.pdf", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\NETFLIX SEC Filings\\SEC-NFLX-1193125-12-53009.pdf", + "ModificationDateTime": "09/01/2013 16:53:08.294901", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\184418.Donald.ff103e2cc310d0d.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/01/2013 16:53:05.023355", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 6, + 
"ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 2, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 150, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "639a34878615e311be7d24fd52566ede", + "DLE_Unknown1Hash": "6a61c423c79f8bc0", + "DLE_Path": "C:\\Users\\Donald\\Documents\\NETFLIX SEC Filings\\SEC-NFLX-1193125-12-53009.pdf", + "DLE_BirthDroidFileId": "639a34878615e311be7d24fd52566ede", + "DLE_LastModificationDatetime": "10/03/2013 12:09:01.678890", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "pdf", + "NetworkPath": null, + "FileSize": 817273, + "CreationDateTime": "09/01/2013 16:53:07.982816", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Netflix 3Q13 Conference Call Announcement 09 30 13.pdf", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\Netflix 3Q13 Conference Call Announcement 09 30 13.pdf", + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\184418.Donald.ff103e2cc310d0d.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": "Documents", + 
"DistinctTypesHex": "0x32L;0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 19:49:02.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "09/23/2013 19:49:02.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "Netflix 3Q13 Conference Call Announcement 09 30 13.pdf", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Netflix 3Q13 Conference Call Announcement 09 30 13.pdf", + "ExtentionBlockSize": 158, + "LocalizedName": null + }, + { + "ExtentionBlockSize": 54, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef001aL", + "ItemCount": 4, + "ParentRefStr": "127282-3", + "ParentEntryNum": 127282, + "RootFolder": [ + { + "ShellFolderId": "8e74d236-7f35-4720-b138-1fed0b85ea75", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { 
+ "DLE_EntryNum": 4, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 178, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "ec670d0569566bc3", + "DLE_Path": "C:\\Users\\Donald\\SkyDrive\\Documents\\Netflix 3Q13 Conference Call Announcement 09 30 13.pdf", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/01/2013 02:12:55.504637", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "pdf", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "fy08-form-10k.pdf", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Downloads\\fy08-form-10k.pdf", + "ModificationDateTime": "09/03/2013 02:13:52.121615", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\184418.Donald.ff103e2cc310d0d.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/03/2013 02:13:52.079075", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x32L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": 
"0x32L", + "Identifier": null, + "Name": "FY08-F~1.PDF", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:13:54.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 387852, + "ExtentionBlocks": [ + { + "LongName": "fy08-form-10k.pdf", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 177624, + "FileReferenceInt": 844424930309592, + "AccessTime": "09/03/2013 02:13:54.000000", + "CreationTime": "09/03/2013 02:13:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "177624-3" + }, + { + "ExtentionBlockSize": 54, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef001aL", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 3, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 86, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "b19765a09a11e311be7d24fd52566ede", + "DLE_Unknown1Hash": "3790047657fc80de", + "DLE_Path": "C:\\Users\\Donald\\Downloads\\fy08-form-10k.pdf", + "DLE_BirthDroidFileId": "b19765a09a11e311be7d24fd52566ede", + "DLE_LastModificationDatetime": "09/21/2013 18:33:10.666535", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "pdf", + "NetworkPath": null, + "FileSize": 387852, + "CreationDateTime": 
"09/03/2013 02:13:52.079075", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "SEC-NFLX-1065280-13-8.pdf", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\NETFLIX SEC Filings\\SEC-NFLX-1065280-13-8.pdf", + "ModificationDateTime": "09/01/2013 16:43:12.085785", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\184418.Donald.ff103e2cc310d0d.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/01/2013 16:42:51.084632", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + 
"ExtentionListing": "", + "ItemCount": 6, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 1, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 142, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "5c9a34878615e311be7d24fd52566ede", + "DLE_Unknown1Hash": "b5a3f265a367248f", + "DLE_Path": "C:\\Users\\Donald\\Documents\\NETFLIX SEC Filings\\SEC-NFLX-1065280-13-8.pdf", + "DLE_BirthDroidFileId": "5c9a34878615e311be7d24fd52566ede", + "DLE_LastModificationDatetime": "09/10/2013 17:42:30.327671", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "pdf", + "NetworkPath": null, + "FileSize": 800922, + "CreationDateTime": "09/01/2013 16:43:11.792509", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "NFL Fantasy Football.one", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\Fantasy Football\\NFL Fantasy Football.one", + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\20408.Donald.1bc9bbbe61f14501.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "1bc9bbbe61f14501", + "LnkTrgData": { + "ParentLongName": null, + 
"DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 6, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 2, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 134, + "DLE_DroidVolId": "00000000000000000000000000000000", + 
"DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "1fff759dc9450347", + "DLE_Path": "C:\\Users\\Donald\\Documents\\Fantasy Football\\NFL Fantasy Football.one", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/18/2013 00:25:14.056017", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "one", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\Fantasy Football\\NFL Fantasy Football.one", + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\20408.Donald.1bc9bbbe61f14501.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "1bc9bbbe61f14501", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + 
"Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 1, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 156, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "4b8e4481c01d3be5", + "DLE_Path": "onenote:https://d.docs.live.net/b994855d637fa42a/Documents/StartUp%20Templates", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/17/2013 21:18:26.804640", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "10/09/2013 00:02:45.911328", + "CmdArgs": " http://nfl.com/", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\20589.Donald.5d696d521de238c3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 12:08:01.077878", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + 
"Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/19/2013 01:52:28.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + 
"ModificationTime": "10/19/2013 01:52:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/19/2013 01:52:26.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 00:02:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 844752, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 4980, + "FileReferenceInt": 3096224743822196, + "AccessTime": "10/18/2013 12:08:02.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "4980-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + 
"ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\FE3B.tmp", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 844752, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "10/09/2013 00:02:45.911328", + "CmdArgs": " http://www.msn.com/?pc=UP97&ocid=UP97DHP", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\20589.Donald.5d696d521de238c3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 12:08:01.077878", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": 
"Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/19/2013 01:52:28.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/19/2013 01:52:26.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": 
"10/09/2013 00:02:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 844752, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 4980, + "FileReferenceInt": 3096224743822196, + "AccessTime": "10/18/2013 12:08:02.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "4980-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\FE6C.tmp", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 844752, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": 
"10/09/2013 00:02:45.911328", + "CmdArgs": " http://www.drudgereport.com/", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\20589.Donald.5d696d521de238c3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 12:08:01.077878", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + 
"ModificationTime": "10/19/2013 01:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/19/2013 01:52:28.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/19/2013 01:52:26.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 00:02:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 844752, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 4980, + "FileReferenceInt": 3096224743822196, + "AccessTime": "10/18/2013 12:08:02.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "4980-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + 
"Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 844752, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "10/09/2013 00:02:45.911328", + "CmdArgs": " http://www.lenovo.com/us/en/", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\20589.Donald.5d696d521de238c3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 12:08:01.077878", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/19/2013 01:52:28.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + 
"FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/19/2013 01:52:26.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 00:02:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 844752, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 4980, + "FileReferenceInt": 3096224743822196, + "AccessTime": "10/18/2013 12:08:02.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "4980-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + 
"Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\FE8F.tmp", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 844752, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "10/09/2013 00:02:45.911328", + "CmdArgs": " http://facebook.com/", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\20589.Donald.5d696d521de238c3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 12:08:01.077878", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + 
"Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/19/2013 01:52:28.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/19/2013 01:52:26.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 00:02:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 844752, + "ExtentionBlocks": [ + { + 
"LongName": "chrome.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 4980, + "FileReferenceInt": 3096224743822196, + "AccessTime": "10/18/2013 12:08:02.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "4980-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\FEC0.tmp", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 844752, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "10/09/2013 00:02:45.911328", + "CmdArgs": " http://gmail.com/", + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\20589.Donald.5d696d521de238c3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 12:08:01.077878", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:28.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/19/2013 01:52:28.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/19/2013 01:52:26.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 00:02:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 844752, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 4980, + "FileReferenceInt": 3096224743822196, + "AccessTime": "10/18/2013 12:08:02.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "4980-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\FEF2.tmp", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 844752, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "10/09/2013 00:02:45.911328", + "CmdArgs": " http://opinionjournal.com/", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\20589.Donald.5d696d521de238c3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 12:08:01.077878", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/19/2013 01:52:28.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + 
"FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/19/2013 01:52:26.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 00:02:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 844752, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 4980, + "FileReferenceInt": 3096224743822196, + "AccessTime": "10/18/2013 12:08:02.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "4980-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + 
"Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\FF14.tmp", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 844752, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "10/09/2013 00:02:45.911328", + "CmdArgs": " http://portal.microsoftonline.com/", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\20589.Donald.5d696d521de238c3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 12:08:01.077878", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/19/2013 01:52:28.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/19/2013 01:52:26.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 00:02:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 844752, 
+ "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 4980, + "FileReferenceInt": 3096224743822196, + "AccessTime": "10/18/2013 12:08:02.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "4980-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\FF35.tmp", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 844752, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "10/09/2013 00:02:45.911328", + "CmdArgs": " http://plus.google.cm/", + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\20589.Donald.5d696d521de238c3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 12:08:01.077878", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:28.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/19/2013 01:52:28.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/19/2013 01:52:26.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 00:02:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 844752, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 4980, + "FileReferenceInt": 3096224743822196, + "AccessTime": "10/18/2013 12:08:02.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "4980-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 844752, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "10/09/2013 00:02:45.911328", + "CmdArgs": " http://fantasy.nfl.com/league/2140953/team/7/gamecenter?week=7", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\20589.Donald.5d696d521de238c3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 12:08:01.077878", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + 
"FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/19/2013 01:52:28.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + 
"LongName": "Application", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/19/2013 01:52:26.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 00:02:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 844752, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 4980, + "FileReferenceInt": 3096224743822196, + "AccessTime": "10/18/2013 12:08:02.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "4980-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + 
"Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\26.tmp", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 844752, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "10/09/2013 00:02:45.911328", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\20589.Donald.5d696d521de238c3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 12:08:01.077878", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + 
"LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/19/2013 01:52:28.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/19/2013 01:52:26.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 00:02:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 844752, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 70, + 
"LocalizedName": null, + "SeqNum": 11, + "EntryNum": 4980, + "FileReferenceInt": 3096224743822196, + "AccessTime": "10/18/2013 12:08:02.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "4980-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 844752, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "10/09/2013 00:02:45.911328", + "CmdArgs": " --incognito", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\20589.Donald.5d696d521de238c3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + 
"AccessDateTime": "10/18/2013 12:08:01.077878", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "5d696d521de238c3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 
115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/19/2013 01:52:28.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/19/2013 01:52:26.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 00:02:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 844752, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 4980, + "FileReferenceInt": 3096224743822196, + "AccessTime": "10/18/2013 12:08:02.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "4980-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": 
"volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 844752, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Slashdot (15).website", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Slashdot (15).website", + "ModificationDateTime": "10/19/2013 01:56:19.362754", + "CmdArgs": "-private", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\21946.Donald.336746633fc88d0.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/19/2013 01:55:12.200159", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": "Start Menu", + "DistinctTypesHex": "0x0L;0x31L;0x32L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "AppData", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 
232350, + "FileReferenceInt": 844424930364318, + "AccessTime": "09/23/2013 19:18:00.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232350-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Roaming", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 19:47:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Roaming", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232353, + "FileReferenceInt": 844424930364321, + "AccessTime": "09/23/2013 19:47:22.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232353-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 18:41:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232356, + "FileReferenceInt": 844424930364324, + "AccessTime": "10/18/2013 18:41:16.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232356-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "10/13/2013 08:57:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232357, + "FileReferenceInt": 844424930364325, + "AccessTime": "10/13/2013 
08:57:36.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232357-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "STARTM~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:55:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Start Menu", + "ExtentionBlockSize": 110, + "LocalizedName": "@shell32.dll,-21786", + "SeqNum": 3, + "EntryNum": 232365, + "FileReferenceInt": 844424930364333, + "AccessTime": "10/19/2013 01:55:14.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232365-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "SLASHD~1.WEB", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:56:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 452, + "ExtentionBlocks": [ + { + "LongName": "Slashdot (15).website", + "ExtentionBlockSize": 92, + "LocalizedName": null, + "SeqNum": 24, + "EntryNum": 21945, + "FileReferenceInt": 6755399441077689, + "AccessTime": "10/19/2013 01:55:14.000000", + "CreationTime": "10/19/2013 01:55:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "21945-24" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "ParentRefStr": "232365-3", + "ParentEntryNum": 232365, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + 
"ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\SYSTEM32\\IEFRAME.dll", + "AppIdName": null, + "FileExt": "website", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Slashdot (15).website", + "FileSize": 452, + "CreationDateTime": "10/19/2013 01:55:12.200159", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iexplore.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "ModificationDateTime": "08/22/2013 12:34:04.110966", + "CmdArgs": "-private", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22137.Donald.28c8b86deab549a1.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/22/2013 08:52:25.004329", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "197705-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/22/2013 16:52:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/22/2013 16:52:38.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": 
"10/10/2013 07:46:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Explorer", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 197705, + "FileReferenceInt": 1688849860461641, + "AccessTime": "10/10/2013 07:46:14.000000", + "CreationTime": "08/22/2013 15:36:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "197705-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "iexplore.exe", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 12:34:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 804464, + "ExtentionBlocks": [ + { + "LongName": "iexplore.exe", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 217849, + "FileReferenceInt": 281474976928505, + "AccessTime": "08/22/2013 08:52:26.000000", + "CreationTime": "08/22/2013 08:52:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "217849-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Explorer", + "ParentEntryNum": 197705, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\SYSTEM32\\IEFRAME.dll", + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 804464, + "CreationDateTime": "08/22/2013 08:52:25.004329", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iexplore.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "ModificationDateTime": "08/22/2013 12:34:04.110966", + "CmdArgs": "-newtab", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22137.Donald.28c8b86deab549a1.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/22/2013 08:52:25.004329", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "197705-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/22/2013 16:52:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/22/2013 16:52:38.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/10/2013 07:46:14.000000", + 
"ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Explorer", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 197705, + "FileReferenceInt": 1688849860461641, + "AccessTime": "10/10/2013 07:46:14.000000", + "CreationTime": "08/22/2013 15:36:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "197705-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "iexplore.exe", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 12:34:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 804464, + "ExtentionBlocks": [ + { + "LongName": "iexplore.exe", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 217849, + "FileReferenceInt": 281474976928505, + "AccessTime": "08/22/2013 08:52:26.000000", + "CreationTime": "08/22/2013 08:52:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "217849-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Explorer", + "ParentEntryNum": 197705, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + 
"Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\SYSTEM32\\IEFRAME.dll", + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 804464, + "CreationDateTime": "08/22/2013 08:52:25.004329", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iexplore.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "ModificationDateTime": "08/22/2013 12:34:04.110966", + "CmdArgs": "-restore", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22137.Donald.28c8b86deab549a1.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/22/2013 08:52:25.004329", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "197705-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/22/2013 16:52:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/22/2013 16:52:38.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/10/2013 07:46:14.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Explorer", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 197705, + "FileReferenceInt": 1688849860461641, + "AccessTime": "10/10/2013 07:46:14.000000", + "CreationTime": "08/22/2013 15:36:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "197705-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "iexplore.exe", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 12:34:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 804464, + "ExtentionBlocks": [ + { + "LongName": "iexplore.exe", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 217849, + "FileReferenceInt": 281474976928505, + "AccessTime": "08/22/2013 08:52:26.000000", + "CreationTime": "08/22/2013 08:52:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "217849-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Explorer", + "ParentEntryNum": 197705, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + 
"ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\SYSTEM32\\IEFRAME.dll", + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 804464, + "CreationDateTime": "08/22/2013 08:52:25.004329", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22137.Donald.28c8b86deab549a1.customDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + 
"CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22137.Donald.28c8b86deab549a1.customDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22137.Donald.28c8b86deab549a1.customDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22137.Donald.28c8b86deab549a1.customDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + 
"LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22137.Donald.28c8b86deab549a1.customDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": 
null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22137.Donald.28c8b86deab549a1.customDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + 
"ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22137.Donald.28c8b86deab549a1.customDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22137.Donald.28c8b86deab549a1.customDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + 
"FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22137.Donald.28c8b86deab549a1.customDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "firefox.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", + "ModificationDateTime": "10/01/2013 
14:52:50.626922", + "CmdArgs": "-new-tab about:blank", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22141.Donald.969252ce11249fdd.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/01/2013 14:52:50.622920", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "969252ce11249fdd", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "3545-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOZILL~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Mozilla Firefox", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 3545, + "FileReferenceInt": 844424930135513, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "3545-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "firefox.exe", + "Location": null, + "Comments": null, + "ModificationTime": 
"10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 274840, + "ExtentionBlocks": [ + { + "LongName": "firefox.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 6405, + "FileReferenceInt": 562949953427717, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "6405-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Mozilla Firefox", + "ParentEntryNum": 3545, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Open a new browser tab.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Mozilla Firefox\\firefox.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 274840, + "CreationDateTime": "10/01/2013 14:52:45.053158", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "firefox.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", + "ModificationDateTime": "10/01/2013 14:52:50.626922", + "CmdArgs": "-browser", + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22141.Donald.969252ce11249fdd.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/01/2013 14:52:50.622920", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "969252ce11249fdd", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "3545-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOZILL~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Mozilla Firefox", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 3545, + "FileReferenceInt": 844424930135513, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "3545-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "firefox.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", 
+ "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 274840, + "ExtentionBlocks": [ + { + "LongName": "firefox.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 6405, + "FileReferenceInt": 562949953427717, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "6405-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Mozilla Firefox", + "ParentEntryNum": 3545, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Open a new browser window.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Mozilla Firefox\\firefox.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 274840, + "CreationDateTime": "10/01/2013 14:52:45.053158", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "firefox.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", + "ModificationDateTime": "10/01/2013 14:52:50.626922", + "CmdArgs": "-private-window", + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22141.Donald.969252ce11249fdd.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/01/2013 14:52:50.622920", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "969252ce11249fdd", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "3545-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOZILL~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Mozilla Firefox", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 3545, + "FileReferenceInt": 844424930135513, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "3545-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "firefox.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", 
+ "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 274840, + "ExtentionBlocks": [ + { + "LongName": "firefox.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 6405, + "FileReferenceInt": 562949953427717, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "6405-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Mozilla Firefox", + "ParentEntryNum": 3545, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Open a new window in private browsing mode.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Mozilla Firefox\\firefox.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 274840, + "CreationDateTime": "10/01/2013 14:52:45.053158", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "firefox.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", + "ModificationDateTime": "10/01/2013 14:52:50.626922", + "CmdArgs": "http://lenovo13.us.msn.com/?pc=UP97&ocid=UP97DHP", + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22141.Donald.969252ce11249fdd.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/01/2013 14:52:50.622920", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "969252ce11249fdd", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "3545-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOZILL~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Mozilla Firefox", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 3545, + "FileReferenceInt": 844424930135513, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "3545-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "firefox.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", 
+ "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 274840, + "ExtentionBlocks": [ + { + "LongName": "firefox.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 6405, + "FileReferenceInt": 562949953427717, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "6405-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Mozilla Firefox", + "ParentEntryNum": 3545, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "MSN.com", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\29bmrorb.default\\jumpListCache\\Oqi4PEvmeCofDIeoF+grSg==.ico", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 274840, + "CreationDateTime": "10/01/2013 14:52:45.053158", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "firefox.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", + "ModificationDateTime": "10/01/2013 14:52:50.626922", + "CmdArgs": 
"http://www.cnn.com/?refresh=1", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22141.Donald.969252ce11249fdd.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/01/2013 14:52:50.622920", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "969252ce11249fdd", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "3545-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOZILL~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Mozilla Firefox", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 3545, + "FileReferenceInt": 844424930135513, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "3545-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "firefox.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 
14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 274840, + "ExtentionBlocks": [ + { + "LongName": "firefox.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 6405, + "FileReferenceInt": 562949953427717, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "6405-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Mozilla Firefox", + "ParentEntryNum": 3545, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "CNN.com - Breaking News, U.S., World, Weather, Entertainment & Video News", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\29bmrorb.default\\jumpListCache\\Fn4je6S1sySgNb6q9N5Bpw==.ico", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 274840, + "CreationDateTime": "10/01/2013 14:52:45.053158", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "firefox.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Mozilla 
Firefox\\firefox.exe", + "ModificationDateTime": "10/01/2013 14:52:50.626922", + "CmdArgs": "http://www.nfl.com/", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22141.Donald.969252ce11249fdd.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/01/2013 14:52:50.622920", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "969252ce11249fdd", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "3545-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOZILL~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Mozilla Firefox", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 3545, + "FileReferenceInt": 844424930135513, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "3545-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "firefox.exe", + 
"Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 274840, + "ExtentionBlocks": [ + { + "LongName": "firefox.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 6405, + "FileReferenceInt": 562949953427717, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "6405-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Mozilla Firefox", + "ParentEntryNum": 3545, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "NFL.com - Official Site of the National Football League", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\29bmrorb.default\\jumpListCache\\DndC1DhIUf7fXw7dC+GJLw==.ico", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 274840, + "CreationDateTime": "10/01/2013 14:52:45.053158", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "firefox.exe", + "WorkingDir": 
null, + "LocalPath": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", + "ModificationDateTime": "10/01/2013 14:52:50.626922", + "CmdArgs": "https://www.facebook.com/", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22141.Donald.969252ce11249fdd.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/01/2013 14:52:50.622920", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "969252ce11249fdd", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "3545-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOZILL~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Mozilla Firefox", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 3545, + "FileReferenceInt": 844424930135513, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "3545-3" + } + ] + }, + { + "ShellFolderId": null, + 
"ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "firefox.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 274840, + "ExtentionBlocks": [ + { + "LongName": "firefox.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 6405, + "FileReferenceInt": 562949953427717, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "6405-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Mozilla Firefox", + "ParentEntryNum": 3545, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Facebook", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\29bmrorb.default\\jumpListCache\\4gPpjkxgZzXPVtuEoAL9Ig==.ico", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 274840, + "CreationDateTime": "10/01/2013 14:52:45.053158", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": 
"firefox.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", + "ModificationDateTime": "10/01/2013 14:52:50.626922", + "CmdArgs": "http://fantasy.nfl.com/league/2140953/team/7", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22141.Donald.969252ce11249fdd.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/01/2013 14:52:50.622920", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "969252ce11249fdd", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "3545-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOZILL~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Mozilla Firefox", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 3545, + "FileReferenceInt": 844424930135513, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "3545-3" + } + ] + 
}, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "firefox.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 274840, + "ExtentionBlocks": [ + { + "LongName": "firefox.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 6405, + "FileReferenceInt": 562949953427717, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "6405-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Mozilla Firefox", + "ParentEntryNum": 3545, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "My Team - Free Fantasy Football | 2013 Fantasy Football - NFL.com", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\29bmrorb.default\\jumpListCache\\51zwCCPoxrSXR01oZat_MQ==.ico", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 274840, + "CreationDateTime": "10/01/2013 
14:52:45.053158", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "firefox.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", + "ModificationDateTime": "10/01/2013 14:52:50.626922", + "CmdArgs": "http://www.nfl.com/fantasyfootball", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22141.Donald.969252ce11249fdd.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/01/2013 14:52:50.622920", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "969252ce11249fdd", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "3545-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOZILL~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Mozilla Firefox", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 3545, + "FileReferenceInt": 844424930135513, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": 
"10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "3545-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "firefox.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 274840, + "ExtentionBlocks": [ + { + "LongName": "firefox.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 6405, + "FileReferenceInt": 562949953427717, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "6405-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Mozilla Firefox", + "ParentEntryNum": 3545, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Fantasy Football | Free Fantasy Football for 2013 Season - NFL.com", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\29bmrorb.default\\jumpListCache\\35ved_+GMwcfE5D3uR_ogQ==.ico", + "AppIdName": null, + 
"FileExt": "exe", + "NetworkPath": null, + "FileSize": 274840, + "CreationDateTime": "10/01/2013 14:52:45.053158", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "firefox.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", + "ModificationDateTime": "10/01/2013 14:52:50.626922", + "CmdArgs": "http://espn.go.com/", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\22141.Donald.969252ce11249fdd.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/01/2013 14:52:50.622920", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "969252ce11249fdd", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "3545-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOZILL~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Mozilla Firefox", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 3545, + "FileReferenceInt": 
844424930135513, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "3545-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "firefox.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 14:52:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 274840, + "ExtentionBlocks": [ + { + "LongName": "firefox.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 6405, + "FileReferenceInt": 562949953427717, + "AccessTime": "10/01/2013 14:52:52.000000", + "CreationTime": "10/01/2013 14:52:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "6405-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Mozilla Firefox", + "ParentEntryNum": 3545, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "ESPN: The Worldwide Leader In Sports", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": 
"%USERPROFILE%\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\29bmrorb.default\\jumpListCache\\j7vZiAxuI02FLnjLDrLqZg==.ico", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 274840, + "CreationDateTime": "10/01/2013 14:52:45.053158", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iTunes.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\iTunes\\iTunes.exe", + "ModificationDateTime": "10/01/2013 06:23:14.000000", + "CmdArgs": "/GotoStoreHomePage", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\27905.Donald.83b03b46dcd30a0e.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/05/2013 20:35:36.709993", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "83b03b46dcd30a0e", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 11, + "ParentRefStr": "8341-11", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/17/2013 20:57:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/17/2013 20:57:08.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "iTunes", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": 
"iTunes", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 8341, + "FileReferenceInt": 3096224743825557, + "AccessTime": "10/05/2013 20:35:52.000000", + "CreationTime": "10/05/2013 20:35:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "8341-11" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "iTunes.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 06:23:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 9789256, + "ExtentionBlocks": [ + { + "LongName": "iTunes.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 283, + "EntryNum": 9600, + "FileReferenceInt": 79657418409125248, + "AccessTime": "10/05/2013 20:35:38.000000", + "CreationTime": "10/01/2013 06:23:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "9600-283" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "iTunes", + "ParentEntryNum": 8341, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": 
"%ProgramFiles%\\iTunes\\iTunes.exe", + "AppIdName": "iTunes 9.0.0.70 / 9.2.1.5 / 10.4.1.10 (begin custom 'Tasks' JL capability)", + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 9789256, + "CreationDateTime": "10/01/2013 06:23:14.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iTunes.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\iTunes\\iTunes.exe", + "ModificationDateTime": "10/01/2013 06:23:14.000000", + "CmdArgs": "/ShuffleMusic", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\27905.Donald.83b03b46dcd30a0e.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/05/2013 20:35:36.709993", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "83b03b46dcd30a0e", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 11, + "ParentRefStr": "8341-11", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/17/2013 20:57:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/17/2013 20:57:08.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "iTunes", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "iTunes", + 
"ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 8341, + "FileReferenceInt": 3096224743825557, + "AccessTime": "10/05/2013 20:35:52.000000", + "CreationTime": "10/05/2013 20:35:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "8341-11" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "iTunes.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 06:23:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 9789256, + "ExtentionBlocks": [ + { + "LongName": "iTunes.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 283, + "EntryNum": 9600, + "FileReferenceInt": 79657418409125248, + "AccessTime": "10/05/2013 20:35:38.000000", + "CreationTime": "10/01/2013 06:23:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "9600-283" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "iTunes", + "ParentEntryNum": 8341, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": 
"%ProgramFiles%\\iTunes\\iTunes.exe", + "AppIdName": "iTunes 9.0.0.70 / 9.2.1.5 / 10.4.1.10 (begin custom 'Tasks' JL capability)", + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 9789256, + "CreationDateTime": "10/01/2013 06:23:14.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Skype.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Skype\\Phone\\Skype.exe", + "ModificationDateTime": "07/25/2013 12:58:22.000000", + "CmdArgs": "/pid:5284 /signout", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\3025.Donald.521a29e5d22c13b4.customDestinations-ms", + "Flags": "Read-Only;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/31/2013 20:34:03.599720", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "521a29e5d22c13b4", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 11, + "ParentRefStr": "150153-11", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Skype", + "Location": null, + "Comments": null, + "ModificationTime": "10/10/2013 07:47:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": 
"Skype", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 150152, + "FileReferenceInt": 3096224743967368, + "AccessTime": "10/10/2013 07:47:04.000000", + "CreationTime": "08/31/2013 20:34:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "150152-11" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Phone", + "Location": null, + "Comments": null, + "ModificationTime": "08/31/2013 20:34:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Phone", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 150153, + "FileReferenceInt": 3096224743967369, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "08/31/2013 20:34:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "150153-11" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "Skype.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/25/2013 12:58:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 20684656, + "ExtentionBlocks": [ + { + "LongName": "Skype.exe", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 150154, + "FileReferenceInt": 3096224743967370, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "07/25/2013 12:58:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "150154-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + 
"ParentLongName": "Phone", + "ParentEntryNum": 150153, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Skype\\Phone\\Skype.exe", + "AppIdName": "Skype 1.4.0.84 / 2.5.0.154 / 3.8.0.139 / 4.2.0.187 / Skype 5.3.0.120 / 5.5.0.115 / 5.5.32.117", + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 20684656, + "CreationDateTime": "07/25/2013 12:58:22.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Skype.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Skype\\Phone\\Skype.exe", + "ModificationDateTime": "07/25/2013 12:58:22.000000", + "CmdArgs": "/pid:5284 /shutdown", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\3025.Donald.521a29e5d22c13b4.customDestinations-ms", + "Flags": "Read-Only;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/31/2013 20:34:03.599720", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "521a29e5d22c13b4", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 11, + "ParentRefStr": "150153-11", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + 
"LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Skype", + "Location": null, + "Comments": null, + "ModificationTime": "10/10/2013 07:47:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Skype", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 150152, + "FileReferenceInt": 3096224743967368, + "AccessTime": "10/10/2013 07:47:04.000000", + "CreationTime": "08/31/2013 20:34:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "150152-11" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Phone", + "Location": null, + "Comments": null, + "ModificationTime": "08/31/2013 20:34:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Phone", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 150153, + "FileReferenceInt": 3096224743967369, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "08/31/2013 20:34:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "150153-11" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "Skype.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/25/2013 12:58:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 20684656, + "ExtentionBlocks": [ + { + "LongName": "Skype.exe", + 
"ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 150154, + "FileReferenceInt": 3096224743967370, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "07/25/2013 12:58:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "150154-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Phone", + "ParentEntryNum": 150153, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Skype 1.4.0.84 / 2.5.0.154 / 3.8.0.139 / 4.2.0.187 / Skype 5.3.0.120 / 5.5.0.115 / 5.5.32.117", + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 20684656, + "CreationDateTime": "07/25/2013 12:58:22.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "Successfully-Apply-Lean-Start-Up-Principles-to-University-Spinouts-PM399.ppt", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:47:27.830156", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\4239.Donald.d00655d2aa12ff6d.automaticDestinations-ms", + "Flags": 
"Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:47:24.902387", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "d00655d2aa12ff6d", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 3, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_PathSize": 246, + "DLE_DroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_DroidFileId": "8e973a5b8b39e311be82000af7048353", + "DLE_Unknown1Hash": "5bd81aad07dbdd7a", + "DLE_Path": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup\\Successfully-Apply-Lean-Start-Up-Principles-to-University-Spinouts-PM399.ppt", + "DLE_BirthDroidFileId": "8e973a5b8b39e311be82000af7048353", + "DLE_LastModificationDatetime": "10/21/2013 19:53:38.409705", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "valhalla\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "ppt", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Lean startup\\Successfully-Apply-Lean-Start-Up-Principles-to-University-Spinouts-PM399.ppt", + "FileSize": 2851840, + "CreationDateTime": "10/21/2013 19:47:24.902387", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup\\Successfully-Apply-Lean-Start-Up-Principles-to-University-Spinouts-PM399.ppt" + }, + { + "VolumeLabel": null, + "BaseName": "Lean Startups & IP.pptx", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:47:24.104000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\4239.Donald.d00655d2aa12ff6d.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:47:23.512954", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "d00655d2aa12ff6d", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + 
"DLE_EntryNum": 2, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_PathSize": 140, + "DLE_DroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_DroidFileId": "8d973a5b8b39e311be82000af7048353", + "DLE_Unknown1Hash": "b30932ea37556148", + "DLE_Path": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup\\Lean Startups & IP.pptx", + "DLE_BirthDroidFileId": "8d973a5b8b39e311be82000af7048353", + "DLE_LastModificationDatetime": "10/21/2013 19:53:28.131286", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "valhalla\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "pptx", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Lean startup\\Lean Startups & IP.pptx", + "FileSize": 185978, + "CreationDateTime": "10/21/2013 19:47:23.512954", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup\\Lean Startups & IP.pptx" + }, + { + "VolumeLabel": null, + "BaseName": "Lean Startup.pptx", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:47:23.491690", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\4239.Donald.d00655d2aa12ff6d.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:47:06.659935", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "d00655d2aa12ff6d", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 1, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_PathSize": 128, + "DLE_DroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_DroidFileId": "8a973a5b8b39e311be82000af7048353", + "DLE_Unknown1Hash": "4ff5cf344d550e74", + "DLE_Path": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup\\Lean Startup.pptx", + "DLE_BirthDroidFileId": 
"8a973a5b8b39e311be82000af7048353", + "DLE_LastModificationDatetime": "10/21/2013 19:53:01.534456", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "valhalla\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "pptx", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Lean startup\\Lean Startup.pptx", + "FileSize": 5397212, + "CreationDateTime": "10/21/2013 19:47:06.659935", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup\\Lean Startup.pptx" + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "CCleaner64.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\CCleaner\\CCleaner64.exe", + "ModificationDateTime": "09/19/2013 16:01:46.000000", + "CmdArgs": "/AUTO", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\48072.Donald.ccc0fa1b9f86f7b3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/13/2013 09:39:11.425297", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "ccc0fa1b9f86f7b3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "22130-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, 
+ "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "CCleaner", + "Location": null, + "Comments": null, + "ModificationTime": "10/13/2013 09:39:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "CCleaner", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 22130, + "FileReferenceInt": 844424930154098, + "AccessTime": "10/13/2013 09:39:12.000000", + "CreationTime": "10/13/2013 09:39:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "22130-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "CCLEAN~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/19/2013 16:01:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 5470488, + "ExtentionBlocks": [ + { + "LongName": "CCleaner64.exe", + "ExtentionBlockSize": 78, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 22134, + "FileReferenceInt": 844424930154102, + "AccessTime": "10/13/2013 09:39:12.000000", + "CreationTime": "09/19/2013 16:01:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "22134-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "CCleaner", + "ParentEntryNum": 22130, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, 
+ "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\CCleaner\\CCleaner64.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 5470488, + "CreationDateTime": "09/19/2013 16:01:46.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\48072.Donald.ccc0fa1b9f86f7b3.customDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "ccc0fa1b9f86f7b3", + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "CCleaner64.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\CCleaner\\CCleaner64.exe", + "ModificationDateTime": "09/19/2013 16:01:46.000000", + "CmdArgs": "/CLEANER", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\48072.Donald.ccc0fa1b9f86f7b3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/13/2013 09:39:11.425297", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "ccc0fa1b9f86f7b3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "22130-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + 
"Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "CCleaner", + "Location": null, + "Comments": null, + "ModificationTime": "10/13/2013 09:39:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "CCleaner", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 22130, + "FileReferenceInt": 844424930154098, + "AccessTime": "10/13/2013 09:39:12.000000", + "CreationTime": "10/13/2013 09:39:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "22130-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "CCLEAN~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/19/2013 16:01:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 5470488, + "ExtentionBlocks": [ + { + "LongName": "CCleaner64.exe", + "ExtentionBlockSize": 78, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 22134, + "FileReferenceInt": 844424930154102, + "AccessTime": "10/13/2013 09:39:12.000000", + "CreationTime": "09/19/2013 16:01:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "22134-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + 
"Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "CCleaner", + "ParentEntryNum": 22130, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\CCleaner\\CCleaner64.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 5470488, + "CreationDateTime": "09/19/2013 16:01:46.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "CCleaner64.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\CCleaner\\CCleaner64.exe", + "ModificationDateTime": "09/19/2013 16:01:46.000000", + "CmdArgs": "/REGISTRY", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\48072.Donald.ccc0fa1b9f86f7b3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/13/2013 09:39:11.425297", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "ccc0fa1b9f86f7b3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "22130-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 
00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "CCleaner", + "Location": null, + "Comments": null, + "ModificationTime": "10/13/2013 09:39:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "CCleaner", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 22130, + "FileReferenceInt": 844424930154098, + "AccessTime": "10/13/2013 09:39:12.000000", + "CreationTime": "10/13/2013 09:39:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "22130-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "CCLEAN~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/19/2013 16:01:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 5470488, + "ExtentionBlocks": [ + { + "LongName": "CCleaner64.exe", + "ExtentionBlockSize": 78, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 22134, + "FileReferenceInt": 844424930154102, + "AccessTime": "10/13/2013 09:39:12.000000", + "CreationTime": "09/19/2013 16:01:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "22134-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + 
"Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "CCleaner", + "ParentEntryNum": 22130, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\CCleaner\\CCleaner64.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 5470488, + "CreationDateTime": "09/19/2013 16:01:46.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "CCleaner64.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\CCleaner\\CCleaner64.exe", + "ModificationDateTime": "09/19/2013 16:01:46.000000", + "CmdArgs": "/TOOLS", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\48072.Donald.ccc0fa1b9f86f7b3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/13/2013 09:39:11.425297", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "ccc0fa1b9f86f7b3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "22130-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": 
null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "CCleaner", + "Location": null, + "Comments": null, + "ModificationTime": "10/13/2013 09:39:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "CCleaner", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 22130, + "FileReferenceInt": 844424930154098, + "AccessTime": "10/13/2013 09:39:12.000000", + "CreationTime": "10/13/2013 09:39:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "22130-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "CCLEAN~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/19/2013 16:01:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 5470488, + "ExtentionBlocks": [ + { + "LongName": "CCleaner64.exe", + "ExtentionBlockSize": 78, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 22134, + "FileReferenceInt": 844424930154102, + "AccessTime": "10/13/2013 09:39:12.000000", + "CreationTime": "09/19/2013 16:01:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "22134-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, 
+ "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "CCleaner", + "ParentEntryNum": 22130, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\CCleaner\\CCleaner64.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 5470488, + "CreationDateTime": "09/19/2013 16:01:46.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "CCleaner64.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\CCleaner\\CCleaner64.exe", + "ModificationDateTime": "09/19/2013 16:01:46.000000", + "CmdArgs": "/OPTIONS", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\48072.Donald.ccc0fa1b9f86f7b3.customDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/13/2013 09:39:11.425297", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "ccc0fa1b9f86f7b3", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "22130-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 
116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "CCleaner", + "Location": null, + "Comments": null, + "ModificationTime": "10/13/2013 09:39:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "CCleaner", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 22130, + "FileReferenceInt": 844424930154098, + "AccessTime": "10/13/2013 09:39:12.000000", + "CreationTime": "10/13/2013 09:39:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "22130-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "CCLEAN~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/19/2013 16:01:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 5470488, + "ExtentionBlocks": [ + { + "LongName": "CCleaner64.exe", + "ExtentionBlockSize": 78, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 22134, + "FileReferenceInt": 844424930154102, + "AccessTime": "10/13/2013 09:39:12.000000", + "CreationTime": "09/19/2013 16:01:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "22134-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": 
"CCleaner", + "ParentEntryNum": 22130, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\CCleaner\\CCleaner64.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 5470488, + "CreationDateTime": "09/19/2013 16:01:46.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\48228.Donald.80e8c437ffd2292.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 44, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + 
"Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 4, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 304, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "b9dc192d348e776f", + "DLE_Path": "ms-word:ofe|u|https://asgardventurecapital.sharepoint.com/Shared Documents/Business Plans/In Review - NOT FOR RELEASE/Mini Patisserie Business Plan.docx", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:43:44.713945", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\48228.Donald.80e8c437ffd2292.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + 
"Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 44, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 3, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 292, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "728dc4c1f70e7fd9", + "DLE_Path": "ms-word:ofe|u|https://asgardventurecapital.sharepoint.com/Shared Documents/Business Plans/In Review - NOT FOR RELEASE/HighFiveBusinessPlanV20.docx", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:40:05.916236", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\48228.Donald.80e8c437ffd2292.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 44, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 2, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 314, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "7b7fea662e0355ce", + "DLE_Path": "ms-word:ofe|u|https://asgardventurecapital.sharepoint.com/Shared Documents/Business Plans/In Review - NOT FOR RELEASE/Business_Plan_Mail_Order_Pharmacy2.docx", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:39:29.185720", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": 
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\48228.Donald.80e8c437ffd2292.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 44, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 1, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 312, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": 
"00000000000000000000000000000000", + "DLE_Unknown1Hash": "f84f7c44c7fd3969", + "DLE_Path": "ms-word:ofe|u|https://asgardventurecapital.sharepoint.com/Shared Documents/Business Plans/In Review - NOT FOR RELEASE/Business_Plan_Mail_Order_Pharmacy.docx", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:38:46.160388", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "01 Red Solo Cup (Hip Hop Re-Mix).m4a", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Music\\iTunes\\iTunes Media\\Music\\Hip Hop Rednex\\Red Solo Cup (Hip Hop Re-Mix) - Single\\01 Red Solo Cup (Hip Hop Re-Mix).m4a", + "ModificationDateTime": "10/01/2013 02:04:32.118535", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\6691.Donald.ae6df75df512bd06.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/01/2013 02:04:21.012504", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "ae6df75df512bd06", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, 
+ "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + 
"ExtentionListing": "", + "ItemCount": 10, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 1, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 276, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "8d82a51e142ce311be8124fd52566ede", + "DLE_Unknown1Hash": "ee1d394d19fbbbb7", + "DLE_Path": "C:\\Users\\Donald\\Music\\iTunes\\iTunes Media\\Music\\Hip Hop Rednex\\Red Solo Cup (Hip Hop Re-Mix) - Single\\01 Red Solo Cup (Hip Hop Re-Mix).m4a", + "DLE_BirthDroidFileId": "8d82a51e142ce311be8124fd52566ede", + "DLE_LastModificationDatetime": "10/03/2013 12:09:34.081294", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "m4a", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Music\\iTunes\\iTunes Media\\Music\\Hip Hop Rednex\\Red Solo Cup (Hip Hop Re-Mix) - Single\\01 Red Solo Cup (Hip Hop Re-Mix).m4a", + "FileSize": 8283501, + "CreationDateTime": "10/01/2013 02:04:21.012504", + "EnvVarLoc": null + }, + { + "VolumeLabel": "FILES", + "BaseName": "9E9BFE4FBDC44D4A9F8491EC7F0ABDFD (1).vcs", + "WorkingDir": null, + "LocalPath": "E:\\9E9BFE4FBDC44D4A9F8491EC7F0ABDFD (1).vcs", + "ModificationDateTime": "10/18/2013 18:42:34.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\912.Donald.6d2bac8f1edf6668.automaticDestinations-ms", 
+ "Flags": "Archive;", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/18/2013 04:00:00.000000", + "DriveSerialNumber": "dc99-0719", + "AppIdCode": "6d2bac8f1edf6668", + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "E:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x32L;0x2fL;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "9E9BFE~2.VCS", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 18:42:34.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 2576, + "ExtentionBlocks": [ + { + "LongName": "9E9BFE4FBDC44D4A9F8491EC7F0ABDFD (1).vcs", + "ExtentionBlockSize": 130, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 15257984, + "FileReferenceInt": 15257984, + "AccessTime": "10/18/2013 04:00:00.000000", + "CreationTime": "10/18/2013 18:43:42.000000", + "Signature": "0xbeef0004L", + "RefNum": "15257984-0" + }, + { + "ExtentionBlockSize": 52, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef001aL", + "ItemCount": 4, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + 
"DLE_EntryNum": 1, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 86, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "356fa533a0780e0f", + "DLE_Path": "E:\\9E9BFE4FBDC44D4A9F8491EC7F0ABDFD (1).vcs", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/18/2013 18:45:07.105597", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "vcs", + "NetworkPath": null, + "FileSize": 2576, + "CreationDateTime": "10/18/2013 18:43:40.210000", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "b28aa736-876b-46da-b3a8-84c5e30ba492", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 19, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 174, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "3a5fb2afcbdd1cc6", + "DLE_Path": "https://asgardventurecapital.sharepoint.com/Shared Documents/Confidential Analysis Data", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 20:19:54.116002", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + 
"Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "b28aa736-876b-46da-b3a8-84c5e30ba492", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 38, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 150, + "DLE_DroidVolId": 
"00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "a7ed15739d827123", + "DLE_Path": "https://asgardventurecapital.sharepoint.com/Shared Documents/Business Plans", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 20:19:22.535307", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "USB", + "BaseName": "Templates", + "WorkingDir": null, + "LocalPath": "F:\\Templates", + "ModificationDateTime": "10/21/2013 20:04:18.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/21/2013 04:00:00.000000", + "DriveSerialNumber": "39c7-1beb", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "F:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "TEMPLA~1", + "Location": null, + 
"Comments": null, + "ModificationTime": "10/21/2013 20:04:18.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Templates", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 253312, + "FileReferenceInt": 253312, + "AccessTime": "10/21/2013 04:00:00.000000", + "CreationTime": "10/21/2013 20:16:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "253312-0" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L", + "ItemCount": 4, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 50, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 24, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "c5815cb387fdd36f", + "DLE_Path": "F:\\Templates", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 20:16:36.410882", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "10/21/2013 20:16:22.790000", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 
00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 47, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 
420, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "548082ae120a374b", + "DLE_Path": "::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\\\\\?\\usb#vid_0421&pid_0661&mi_00#6&6d096df&0&0000#{6ac27878-a6fa-4155-ba85-f98f491d4f33}\\SID-{10001,MTP Volume - 65537,31268536320}\\{00010000-0514-0000-0000-000000000000}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 20:09:15.642972", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Articles", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\Articles", + "ModificationDateTime": "10/21/2013 20:05:18.707988", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 20:05:18.707988", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": "Documents", + "DistinctTypesHex": "0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 19:59:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ 
+ { + "LongName": "Documents", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "10/21/2013 19:59:22.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Articles", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 20:05:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Articles", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 20, + "EntryNum": 3729, + "FileReferenceInt": 5629499534216849, + "AccessTime": "10/21/2013 20:05:20.000000", + "CreationTime": "10/21/2013 20:05:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "3729-20" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L", + "ItemCount": 4, + "ParentRefStr": "127282-3", + "ParentEntryNum": 127282, + "RootFolder": [ + { + "ShellFolderId": "8e74d236-7f35-4720-b138-1fed0b85ea75", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 49, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 86, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "020b90dc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "062a1228a8089670", + "DLE_Path": "C:\\Users\\Donald\\SkyDrive\\Documents\\Articles", + "DLE_BirthDroidFileId": "020b90dc6b3ae311be8a24fd52566ede", + 
"DLE_LastModificationDatetime": "10/21/2013 20:05:32.417704", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\SkyDrive\\Documents\\Articles", + "FileSize": 4096, + "CreationDateTime": "10/21/2013 20:05:11.526965", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "Articles", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 20:04:16.946638", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 20:04:16.946638", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 48, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_PathSize": 98, + "DLE_DroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_DroidFileId": "f3973a5b8b39e311be82000af7048353", + "DLE_Unknown1Hash": "bf697e7e865df57e", + "DLE_Path": "\\\\192.168.1.48\\Users\\dblak_000\\Documents\\Articles", + "DLE_BirthDroidFileId": "f3973a5b8b39e311be82000af7048353", + "DLE_LastModificationDatetime": "10/21/2013 20:04:38.082269", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\192.168.1.48\\USERS\\dblak_000\\Documents\\Articles", + "FileSize": 4096, + "CreationDateTime": "10/21/2013 
20:04:16.939633", + "EnvVarLoc": "\\\\192.168.1.48\\Users\\dblak_000\\Documents\\Articles" + }, + { + "VolumeLabel": null, + "BaseName": "Templates", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:47:28.923336", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:47:28.923336", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 46, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_PathSize": 86, + "DLE_DroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_DroidFileId": "90973a5b8b39e311be82000af7048353", + "DLE_Unknown1Hash": "bef14a3e5ab586f8", + "DLE_Path": "\\\\VALHALLA\\Users\\Public\\Documents\\Templates", + "DLE_BirthDroidFileId": "90973a5b8b39e311be82000af7048353", + "DLE_LastModificationDatetime": "10/21/2013 20:00:45.281078", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "valhalla\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Templates", + "FileSize": 4096, + "CreationDateTime": "10/21/2013 19:47:27.845206", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Templates" + }, + { + "VolumeLabel": null, + "BaseName": "Lean startup", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:52:54.139734", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": 
"DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:52:54.139734", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 45, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_PathSize": 92, + "DLE_DroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_DroidFileId": "8b973a5b8b39e311be82000af7048353", + "DLE_Unknown1Hash": "b199970a60c3fc00", + "DLE_Path": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup", + "DLE_BirthDroidFileId": "8b973a5b8b39e311be82000af7048353", + "DLE_LastModificationDatetime": "10/21/2013 19:53:31.954700", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "valhalla\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Lean startup", + "FileSize": 4096, + "CreationDateTime": "10/21/2013 19:46:55.588989", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup" + }, + { + "VolumeLabel": null, + "BaseName": "Articles", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:52:28.827249", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:52:28.827249", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 44, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_PathSize": 84, + "DLE_DroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_DroidFileId": "82973a5b8b39e311be82000af7048353", + "DLE_Unknown1Hash": 
"a703e30c817522dd", + "DLE_Path": "\\\\VALHALLA\\Users\\Public\\Documents\\Articles", + "DLE_BirthDroidFileId": "82973a5b8b39e311be82000af7048353", + "DLE_LastModificationDatetime": "10/21/2013 19:52:36.524582", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "valhalla\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Articles", + "FileSize": 4096, + "CreationDateTime": "10/21/2013 19:46:54.193513", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Articles" + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Confidential Analysis Data", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Dropbox\\Shared Documents\\Confidential Analysis Data", + "ModificationDateTime": "08/08/2013 19:18:11.433875", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/08/2013 19:18:11.433875", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": "Shared Documents", + "DistinctTypesHex": "0x0L;0x31L;0x1fL", + "ParentSeqNum": 4, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "Dropbox", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 48220, + "FileReferenceInt": 1125899906890844, + "AccessTime": "08/08/2013 19:17:00.000000", + "CreationTime": 
"08/08/2013 19:17:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "48220-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SHARED~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/08/2013 19:18:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Shared Documents", + "ExtentionBlockSize": 82, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 48358, + "FileReferenceInt": 1125899906890982, + "AccessTime": "08/08/2013 19:18:12.000000", + "CreationTime": "08/08/2013 19:18:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "48358-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "CONFID~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/08/2013 19:18:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Confidential Analysis Data", + "ExtentionBlockSize": 102, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 48359, + "FileReferenceInt": 1125899906890983, + "AccessTime": "08/08/2013 19:18:12.000000", + "CreationTime": "08/08/2013 19:18:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "48359-4" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 5, + "ParentRefStr": "48358-4", + "ParentEntryNum": 48358, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + 
"Description": null, + "DestInfo": { + "DLE_EntryNum": 43, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 134, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "9efc8fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "83b3faa058e2f2cf", + "DLE_Path": "C:\\Users\\Donald\\Dropbox\\Shared Documents\\Confidential Analysis Data", + "DLE_BirthDroidFileId": "9efc8fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "08/01/2013 19:21:18.555955", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Dropbox\\Shared Documents\\Confidential Analysis Data", + "FileSize": 4096, + "CreationDateTime": "08/08/2013 19:18:11.402623", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Dropbox", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Dropbox", + "ModificationDateTime": "10/21/2013 19:19:32.000272", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Read-Only;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 19:19:32.000272", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": 
[ + { + "LongName": "Dropbox", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 48220, + "FileReferenceInt": 1125899906890844, + "AccessTime": "08/08/2013 19:17:00.000000", + "CreationTime": "08/08/2013 19:17:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "48220-4" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 42, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 46, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "4bfc8fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "3b8097c91aa835af", + "DLE_Path": "C:\\Users\\Donald\\Dropbox", + "DLE_BirthDroidFileId": "4bfc8fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "08/01/2013 19:20:58.720706", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Dropbox", + "FileSize": 4096, + "CreationDateTime": "08/08/2013 19:16:59.932906", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Documents", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents", + "ModificationDateTime": "08/12/2013 01:11:13.870678", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 01:11:13.870678", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": "SkyDrive", + "DistinctTypesHex": "0x0L;0x31L;0x1fL", + "ParentSeqNum": 2, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "SkyDrive", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 127384, + "FileReferenceInt": 562949953548696, + "AccessTime": "08/12/2013 01:11:02.000000", + "CreationTime": "08/12/2013 01:02:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "127384-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 01:11:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "08/12/2013 01:11:14.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef0004L", + "ItemCount": 4, + "ParentRefStr": "127384-2", + "ParentEntryNum": 127384, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + 
"Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 7, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 68, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "66a6d765fc02e311be7b24fd52566ede", + "DLE_Unknown1Hash": "7e196699a9292379", + "DLE_Path": "C:\\Users\\Donald\\SkyDrive\\Documents", + "DLE_BirthDroidFileId": "66a6d765fc02e311be7b24fd52566ede", + "DLE_LastModificationDatetime": "10/21/2013 18:58:23.951990", + "DLE_Unknown3": 1096810496, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 4096, + "CreationDateTime": "08/12/2013 01:11:03.901405", + "EnvVarLoc": null + }, + { + "VolumeLabel": "USB", + "BaseName": "", + "WorkingDir": null, + "LocalPath": "F:\\", + "ModificationDateTime": "01/01/1980 04:00:00.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "01/01/1980 04:00:00.000000", + "DriveSerialNumber": "39c7-1beb", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "F:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + 
"FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x2fL;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder", + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 41, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 6, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "841d4cb65b5b34fd", + "DLE_Path": "F:\\", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:55:59.506321", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "01/01/1980 04:00:00.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Key Files", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\Key Files", + "ModificationDateTime": "10/21/2013 18:50:49.099212", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 18:50:49.099212", 
+ "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": "Documents", + "DistinctTypesHex": "0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:33:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "10/21/2013 18:33:04.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "KEYFIL~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:50:44.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Key Files", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 45234, + "FileReferenceInt": 2533274790441138, + "AccessTime": "10/21/2013 18:50:44.000000", + "CreationTime": "10/21/2013 18:50:44.000000", + "Signature": "0xbeef0004L", + "RefNum": "45234-9" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef0004L", + "ItemCount": 4, + "ParentRefStr": "127282-3", + "ParentEntryNum": 127282, + "RootFolder": [ + { + "ShellFolderId": "8e74d236-7f35-4720-b138-1fed0b85ea75", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + 
"ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 40, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 88, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "3efb8fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "f6fc7a4cd2eac5ec", + "DLE_Path": "C:\\Users\\Donald\\SkyDrive\\Documents\\Key Files", + "DLE_BirthDroidFileId": "3efb8fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "10/21/2013 18:50:49.150246", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\SkyDrive\\Documents\\Key Files", + "FileSize": 0, + "CreationDateTime": "10/21/2013 18:50:42.518360", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "2013-10-21", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Pictures\\2013-10-21", + "ModificationDateTime": "10/21/2013 17:39:53.391732", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 17:39:53.391732", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + 
"ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 39, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 70, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "08fb8fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "b7dc144bd4e5f1c7", + "DLE_Path": "C:\\Users\\Donald\\Pictures\\2013-10-21", + "DLE_BirthDroidFileId": "08fb8fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "10/21/2013 18:47:50.264157", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Pictures\\2013-10-21", + "FileSize": 40960, + "CreationDateTime": "10/21/2013 17:39:09.523457", + "EnvVarLoc": null + }, + { 
+ "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 6, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "b28aa736-876b-46da-b3a8-84c5e30ba492", + "ShellItemTypeHex": 
"0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 28, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 206, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "a6effb1f52cd5901", + "DLE_Path": "https://asgardventurecapital.sharepoint.com/Shared Documents/Business Plans/In Review - NOT FOR RELEASE", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:45:09.893867", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "system32", + "WorkingDir": null, + "LocalPath": "C:\\WINDOWS\\system32", + "ModificationDateTime": "10/13/2013 09:08:10.547222", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Read-Only;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/13/2013 09:08:10.547222", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "DistinctTypesHex": "0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": 
null, + "Name": "WINDOWS", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "WINDOWS", + "ExtentionBlockSize": 64, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "system32", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "system32", + "ExtentionBlockSize": 66, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "WINDOWS", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L", + "ItemCount": 5, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 27, + "DLE_Unknown2": 0, + 
"DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 38, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "42bd73d3a032e311be8684c15d8d3bd3", + "DLE_Unknown1Hash": "c560a42b88f481ab", + "DLE_Path": "C:\\WINDOWS\\system32", + "DLE_BirthDroidFileId": "42bd73d3a032e311be8684c15d8d3bd3", + "DLE_LastModificationDatetime": "10/19/2013 19:56:22.376579", + "DLE_Unknown3": 1082130432, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 864256, + "CreationDateTime": "08/22/2013 13:36:16.041074", + "EnvVarLoc": null + }, + { + "VolumeLabel": "FILES", + "BaseName": "", + "WorkingDir": null, + "LocalPath": "E:\\", + "ModificationDateTime": "01/01/1980 04:00:00.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "01/01/1980 04:00:00.000000", + "DriveSerialNumber": "dc99-0719", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "E:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x2fL;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder", + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + 
"ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 33, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 6, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "649cac472f84530d", + "DLE_Path": "E:\\", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/18/2013 18:45:07.119605", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "01/01/1980 04:00:00.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "In Review - NOT FOR RELEASE", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/13/2013 09:58:25.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/13/2013 09:58:25.000000", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 26, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 224, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + 
"DLE_Unknown1Hash": "694f4f46cda5a0b9", + "DLE_Path": "\\\\asgardventurecapital.sharepoint.com@SSL\\DavWWWRoot\\Shared Documents\\Business Plans\\In Review - NOT FOR RELEASE", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/18/2013 02:20:15.313978", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\ASGARDVENTURECAPITAL.SHAREPOINT.COM@SSL\\DAVWWWROOT\\Shared Documents\\Business Plans\\In Review - NOT FOR RELEASE", + "FileSize": 0, + "CreationDateTime": "09/26/2013 17:11:05.000000", + "EnvVarLoc": "\\\\asgardventurecapital.sharepoint.com@SSL\\DavWWWRoot\\Shared Documents\\Business Plans\\In Review - NOT FOR RELEASE" + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Funnies", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Pictures\\Funnies", + "ModificationDateTime": "09/19/2013 16:57:25.325918", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/19/2013 16:57:25.325918", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 42, + "Signature": 
"0xbeef0000L" + }, + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0019L" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0019L" + } + ] + } + ], + "ExtentionListing": "0xbeef0000L;0xbeef0019L;0xbeef0019L", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 14, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 64, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "ec928162881ce311be7e24fd52566ede", + "DLE_Unknown1Hash": "c5fe22f7a5a30443", + "DLE_Path": "C:\\Users\\Donald\\Pictures\\Funnies", + "DLE_BirthDroidFileId": "ec928162881ce311be7e24fd52566ede", + "DLE_LastModificationDatetime": "10/18/2013 02:04:51.339651", + "DLE_Unknown3": 1094713344, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 4096, + "CreationDateTime": "09/18/2013 18:43:46.033655", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Confidential Analysis Data", + "WorkingDir": null, + "LocalPath": 
"C:\\Users\\Donald\\Documents\\Shared Documents\\Confidential Analysis Data", + "ModificationDateTime": "09/23/2013 18:21:58.838705", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 18:21:58.838705", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 6, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + 
"ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 18, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 138, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "53ce7f5c0323e311be7f24fd52566ede", + "DLE_Unknown1Hash": "e43746fe29937222", + "DLE_Path": "C:\\Users\\Donald\\Documents\\Shared Documents\\Confidential Analysis Data", + "DLE_BirthDroidFileId": "53ce7f5c0323e311be7f24fd52566ede", + "DLE_LastModificationDatetime": "10/18/2013 01:51:19.490093", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 4096, + "CreationDateTime": "09/23/2013 18:18:59.016318", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Camera Photos", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Pictures\\iCloud Photos\\Shared\\Camera Photos", + "ModificationDateTime": "10/17/2013 19:27:23.602061", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/17/2013 19:27:23.602061", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + 
"ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 7, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 37, + "DLE_Unknown2": 0, + 
"DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 118, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "c197fc8d6f37e311be8824fd52566ede", + "DLE_Unknown1Hash": "fa1f55984e6311c9", + "DLE_Path": "C:\\Users\\Donald\\Pictures\\iCloud Photos\\Shared\\Camera Photos", + "DLE_BirthDroidFileId": "c197fc8d6f37e311be8824fd52566ede", + "DLE_LastModificationDatetime": "10/18/2013 01:43:51.610605", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Pictures\\iCloud Photos\\Shared\\Camera Photos", + "FileSize": 20480, + "CreationDateTime": "10/17/2013 19:25:48.214063", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Downloads", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Downloads", + "ModificationDateTime": "09/03/2013 02:13:52.102605", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Read-Only;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/03/2013 02:13:52.102605", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + 
"RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 11, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 50, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "103db01be501e311be7424fd52566ede", + "DLE_Unknown1Hash": "18a1cfbe831fc554", + "DLE_Path": "C:\\Users\\Donald\\Downloads", + "DLE_BirthDroidFileId": "103db01be501e311be7424fd52566ede", + "DLE_LastModificationDatetime": "10/18/2013 00:27:42.277415", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 4096, + "CreationDateTime": "08/10/2013 03:03:23.667207", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Fantasy Football", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\Fantasy Football", + "ModificationDateTime": "10/18/2013 00:25:13.983969", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 00:25:13.983969", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, 
+ "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 36, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 84, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "6a93fc8d6f37e311be8824fd52566ede", + "DLE_Unknown1Hash": "18dfe3ebbcbe83ee", + "DLE_Path": "C:\\Users\\Donald\\Documents\\Fantasy Football", + "DLE_BirthDroidFileId": "6a93fc8d6f37e311be8824fd52566ede", + "DLE_LastModificationDatetime": "10/18/2013 00:25:14.078032", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, 
+ "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\Fantasy Football", + "FileSize": 0, + "CreationDateTime": "10/18/2013 00:23:21.042614", + "EnvVarLoc": null + }, + { + "VolumeLabel": "BLAKE FILES", + "BaseName": "BetterWidgets Business Plan", + "WorkingDir": null, + "LocalPath": "E:\\BetterWidgets Business Plan", + "ModificationDateTime": "10/17/2013 21:06:46.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/17/2013 04:00:00.000000", + "DriveSerialNumber": "944e-9b06", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "E:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "BETTER~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/17/2013 21:06:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "BetterWidgets Business Plan", + "ExtentionBlockSize": 104, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 255072, + "FileReferenceInt": 255072, + "AccessTime": "10/17/2013 04:00:00.000000", + "CreationTime": "10/17/2013 21:06:46.000000", + 
"Signature": "0xbeef0004L", + "RefNum": "255072-0" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L", + "ItemCount": 4, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 35, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 60, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "cd0ebc9fcf01ba32", + "DLE_Path": "E:\\BetterWidgets Business Plan", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/17/2013 21:07:03.301229", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "10/17/2013 21:06:45.130000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Skype Transfer Files", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\Skype Transfer Files", + "ModificationDateTime": "10/17/2013 19:20:53.640923", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/17/2013 19:20:53.640923", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": 
"f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": "Documents", + "DistinctTypesHex": "0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/13/2013 10:39:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "10/13/2013 10:39:06.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SKYPET~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/17/2013 19:20:44.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Skype Transfer Files", + "ExtentionBlockSize": 90, + "LocalizedName": null, + "SeqNum": 8, + "EntryNum": 19940, + "FileReferenceInt": 2251799813705188, + "AccessTime": "10/17/2013 19:20:44.000000", + "CreationTime": "10/17/2013 19:20:44.000000", + "Signature": "0xbeef0004L", + "RefNum": "19940-8" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef0004L", + "ItemCount": 4, + "ParentRefStr": "127282-3", + "ParentEntryNum": 127282, + "RootFolder": [ + { + "ShellFolderId": "8e74d236-7f35-4720-b138-1fed0b85ea75", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + 
"Description": null, + "DestInfo": { + "DLE_EntryNum": 30, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 110, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "1149851c5f37e311be8824fd52566ede", + "DLE_Unknown1Hash": "49e10332ba59016f", + "DLE_Path": "C:\\Users\\Donald\\SkyDrive\\Documents\\Skype Transfer Files", + "DLE_BirthDroidFileId": "1149851c5f37e311be8824fd52566ede", + "DLE_LastModificationDatetime": "10/17/2013 21:06:28.535308", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\SkyDrive\\Documents\\Skype Transfer Files", + "FileSize": 0, + "CreationDateTime": "10/17/2013 19:20:43.783167", + "EnvVarLoc": null + }, + { + "VolumeLabel": "PHOTOS BACK", + "BaseName": "Saved pictures", + "WorkingDir": null, + "LocalPath": "E:\\From Donald's Windows Phone\\Saved pictures", + "ModificationDateTime": "10/12/2013 17:35:30.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/17/2013 04:00:00.000000", + "DriveSerialNumber": "440f-17ad", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "DistinctTypesHex": "0x2fL;0x1fL;0x31L", + "ParentSeqNum": 0, + "ParentRefStr": "66912-0", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "FROMDO~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/02/2013 20:02:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": 
"From Donald's Windows Phone", + "ExtentionBlockSize": 104, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 66912, + "FileReferenceInt": 66912, + "AccessTime": "10/17/2013 04:00:00.000000", + "CreationTime": "10/17/2013 19:29:06.000000", + "Signature": "0xbeef0004L", + "RefNum": "66912-0" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SAVEDP~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/12/2013 17:35:30.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Saved pictures", + "ExtentionBlockSize": 78, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 4309184, + "FileReferenceInt": 4309184, + "AccessTime": "10/17/2013 04:00:00.000000", + "CreationTime": "10/17/2013 19:29:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "4309184-0" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "E:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "From Donald's Windows Phone", + "ParentEntryNum": 66912, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L", + "ItemCount": 5, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 34, + "DLE_Unknown2": 0, + 
"DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 90, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "4a74954020bb6624", + "DLE_Path": "E:\\From Donald's Windows Phone\\Saved pictures", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/17/2013 19:29:46.807372", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "10/17/2013 19:29:10.260000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Pictures", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Pictures", + "ModificationDateTime": "10/17/2013 19:05:48.231777", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Read-Only;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/17/2013 19:05:48.231777", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + 
"ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 32, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 48, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "0b3db01be501e311be7424fd52566ede", + "DLE_Unknown1Hash": "4b861efe155acbd1", + "DLE_Path": "C:\\Users\\Donald\\Pictures", + "DLE_BirthDroidFileId": "0b3db01be501e311be7424fd52566ede", + "DLE_LastModificationDatetime": "10/17/2013 19:29:03.811141", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Pictures", + "FileSize": 12288, + "CreationDateTime": "08/10/2013 03:03:23.667207", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Camera roll", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Pictures\\From Donald's Windows Phone\\Camera roll", + "ModificationDateTime": "10/12/2013 17:34:36.688580", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + 
"AccessDateTime": "10/12/2013 17:34:36.688580", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 6, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 31, + 
"DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 128, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "8510eac26137e311be8824fd52566ede", + "DLE_Unknown1Hash": "26b708b4f9282e73", + "DLE_Path": "C:\\Users\\Donald\\Pictures\\From Donald's Windows Phone\\Camera roll", + "DLE_BirthDroidFileId": "8510eac26137e311be8824fd52566ede", + "DLE_LastModificationDatetime": "10/17/2013 19:26:22.524902", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Pictures\\From Donald's Windows Phone\\Camera roll", + "FileSize": 8192, + "CreationDateTime": "09/02/2013 20:02:25.695774", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Templates", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Templates", + "ModificationDateTime": "10/09/2013 15:51:46.536801", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/09/2013 15:51:46.536801", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": "Microsoft", + "DistinctTypesHex": "0x0L;0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": 
"AppData", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232350, + "FileReferenceInt": 844424930364318, + "AccessTime": "09/23/2013 19:18:00.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232350-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Roaming", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 19:47:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Roaming", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232353, + "FileReferenceInt": 844424930364321, + "AccessTime": "09/23/2013 19:47:22.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232353-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:41:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232356, + "FileReferenceInt": 844424930364324, + "AccessTime": "09/23/2013 20:41:52.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232356-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "TEMPLA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 15:51:48.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Templates", + "ExtentionBlockSize": 68, + "LocalizedName": null, + 
"SeqNum": 3, + "EntryNum": 130530, + "FileReferenceInt": 844424930262498, + "AccessTime": "10/09/2013 15:51:48.000000", + "CreationTime": "08/12/2013 01:32:34.000000", + "Signature": "0xbeef0004L", + "RefNum": "130530-3" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "ParentRefStr": "232356-3", + "ParentEntryNum": 232356, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 25, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 102, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "8f2580fde702e311be7724fd52566ede", + "DLE_Unknown1Hash": "59c06cfdca7cb56a", + "DLE_Path": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Templates", + "DLE_BirthDroidFileId": "8f2580fde702e311be7724fd52566ede", + "DLE_LastModificationDatetime": "10/17/2013 19:19:37.355396", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Templates", + "FileSize": 4096, + "CreationDateTime": "08/12/2013 01:32:32.739772", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "Templates", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/17/2013 16:53:54.804679", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/17/2013 16:53:54.804679", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "P:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Templates", + "Location": null, + "Comments": null, + "ModificationTime": "10/17/2013 16:53:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 4096, + "ExtentionBlocks": [ + { + "LongName": "Templates", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 17, + "EntryNum": 44735, + "FileReferenceInt": 4785074604125887, + "AccessTime": "10/17/2013 16:53:56.000000", + "CreationTime": "10/17/2013 16:53:52.000000", + "Signature": "0xbeef0004L", + "RefNum": "44735-17" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L", + "ItemCount": 4, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, 
+ "DestInfo": { + "DLE_EntryNum": 29, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "0c439b5510b9924a8098dc78480e7f56", + "DLE_PathSize": 24, + "DLE_DroidVolId": "0c439b5510b9924a8098dc78480e7f56", + "DLE_DroidFileId": "64d62f25c635e311be80000af7048353", + "DLE_Unknown1Hash": "bbe23b982a275e89", + "DLE_Path": "P:\\Templates", + "DLE_BirthDroidFileId": "64d62f25c635e311be80000af7048353", + "DLE_LastModificationDatetime": "10/17/2013 19:19:37.102732", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "valhalla\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\valhalla\\Public\\Templates", + "FileSize": 4096, + "CreationDateTime": "10/17/2013 16:53:50.835988", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "Business Plans", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "09/26/2013 17:12:39.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "09/26/2013 17:12:39.000000", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 23, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 168, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "12611675e3b4f1f9", + "DLE_Path": "\\\\asgardventurecapital.sharepoint.com@SSL\\DavWWWRoot\\Shared Documents\\Business Plans", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/13/2013 09:14:18.164449", + "DLE_Unknown3": 1073741824, + 
"DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\ASGARDVENTURECAPITAL.SHAREPOINT.COM@SSL\\DAVWWWROOT\\Shared Documents\\Business Plans", + "FileSize": 0, + "CreationDateTime": "09/26/2013 17:11:05.000000", + "EnvVarLoc": "\\\\asgardventurecapital.sharepoint.com@SSL\\DavWWWRoot\\Shared Documents\\Business Plans" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 7, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "b28aa736-876b-46da-b3a8-84c5e30ba492", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 24, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 240, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "926302569a46b0d4", + "DLE_Path": "https://asgardventurecapital-my.sharepoint.com/personal/dblake_asgard-venture-capital_com/Documents/Shared with Everyone", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/07/2013 08:36:03.688966", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": 
"Windows Explorer Windows 8.1.", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + 
"ItemCount": 6, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "b28aa736-876b-46da-b3a8-84c5e30ba492", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 20, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 198, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "59293797034a6cfb", + "DLE_Path": "https://asgardventurecapital-my.sharepoint.com/personal/dblake_asgard-venture-capital_com/Documents", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/07/2013 08:33:30.190581", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Red Solo Cup (Hip Hop Re-Mix) - Single", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Music\\iTunes\\iTunes Media\\Music\\Hip Hop Rednex\\Red Solo Cup (Hip Hop Re-Mix) - Single", + "ModificationDateTime": "10/03/2013 12:08:50.016527", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/03/2013 12:08:50.016527", + 
"DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] 
+ }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 9, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 22, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 202, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "8c82a51e142ce311be8124fd52566ede", + "DLE_Unknown1Hash": "287fc8d104532d01", + "DLE_Path": "C:\\Users\\Donald\\Music\\iTunes\\iTunes Media\\Music\\Hip Hop Rednex\\Red Solo Cup (Hip Hop Re-Mix) - Single", + "DLE_BirthDroidFileId": "8c82a51e142ce311be8124fd52566ede", + "DLE_LastModificationDatetime": "10/03/2013 12:09:22.476548", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Music\\iTunes\\iTunes Media\\Music\\Hip Hop Rednex\\Red Solo Cup (Hip Hop Re-Mix) - Single", + "FileSize": 0, + "CreationDateTime": "10/01/2013 02:04:32.312268", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "NETFLIX SEC Filings", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\NETFLIX 
SEC Filings", + "ModificationDateTime": "09/01/2013 16:43:11.793510", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/01/2013 16:43:11.793510", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0000L" + }, + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0019L" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0019L" + } + ] + } + ], + "ExtentionListing": "0xbeef0000L;0xbeef0019L;0xbeef0019L", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 9, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": 
"92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 90, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "d68a65a09a11e311be7d24fd52566ede", + "DLE_Unknown1Hash": "86d905596eb1337c", + "DLE_Path": "C:\\Users\\Donald\\Documents\\NETFLIX SEC Filings", + "DLE_BirthDroidFileId": "d68a65a09a11e311be7d24fd52566ede", + "DLE_LastModificationDatetime": "10/03/2013 12:09:01.684894", + "DLE_Unknown3": 1090519040, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "09/01/2013 16:42:57.621673", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "History", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/01/2013 18:47:57.854352", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/01/2013 18:47:57.854352", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 21, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_PathSize": 68, + "DLE_DroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_DroidFileId": "f1b50101c92ae311be7f000af7048353", + "DLE_Unknown1Hash": "89df9b8fe813b058", + "DLE_Path": "\\\\VALHALLA\\Users\\dblak_000\\History", + "DLE_BirthDroidFileId": "f1b50101c92ae311be7f000af7048353", + "DLE_LastModificationDatetime": "10/01/2013 18:48:02.354025", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "valhalla\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + 
"Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\VALHALLA\\USERS\\dblak_000\\History", + "FileSize": 0, + "CreationDateTime": "10/01/2013 18:47:57.854352", + "EnvVarLoc": "\\\\VALHALLA\\Users\\dblak_000\\History" + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "VC Files", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\VC Files", + "ModificationDateTime": "08/31/2013 03:55:25.552551", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/31/2013 03:55:25.552551", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ 
+ { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 8, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 68, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "ec8965a09a11e311be7d24fd52566ede", + "DLE_Unknown1Hash": "41ec47f5078ece2d", + "DLE_Path": "C:\\Users\\Donald\\Documents\\VC Files", + "DLE_BirthDroidFileId": "ec8965a09a11e311be7d24fd52566ede", + "DLE_LastModificationDatetime": "09/27/2013 02:57:54.845871", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 4096, + "CreationDateTime": "08/31/2013 03:53:21.305843", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Documents.library-ms", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Documents.library-ms", + "ModificationDateTime": "08/10/2013 03:04:17.885817", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/10/2013 03:04:17.885817", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + 
"FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 1, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 122, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "153db01be501e311be7424fd52566ede", + "DLE_Unknown1Hash": "bbceae67413c401d", + "DLE_Path": "::{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\Documents.library-ms", + "DLE_BirthDroidFileId": "153db01be501e311be7424fd52566ede", + "DLE_LastModificationDatetime": "09/23/2013 19:47:38.785737", + "DLE_Unknown3": 1082130432, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "library-ms", + "NetworkPath": null, + "FileSize": 3463, + "CreationDateTime": "08/10/2013 03:04:17.838941", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Pictures.library-ms", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Pictures.library-ms", + "ModificationDateTime": "08/10/2013 03:04:17.932696", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/10/2013 03:04:17.932696", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 2, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 120, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "163db01be501e311be7424fd52566ede", + "DLE_Unknown1Hash": "59bed0f95d33e002", + "DLE_Path": "::{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\Pictures.library-ms", + "DLE_BirthDroidFileId": "163db01be501e311be7424fd52566ede", + "DLE_LastModificationDatetime": "09/23/2013 19:47:38.785737", + "DLE_Unknown3": 1081711002, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 
8.1.", + "FileExt": "library-ms", + "NetworkPath": null, + "FileSize": 3455, + "CreationDateTime": "08/10/2013 03:04:17.917069", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Music.library-ms", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Music.library-ms", + "ModificationDateTime": "08/10/2013 03:04:17.995199", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/10/2013 03:04:17.995199", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 3, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 114, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "173db01be501e311be7424fd52566ede", + "DLE_Unknown1Hash": "6247b7f2c190ddca", + "DLE_Path": 
"::{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\Music.library-ms", + "DLE_BirthDroidFileId": "173db01be501e311be7424fd52566ede", + "DLE_LastModificationDatetime": "09/23/2013 19:47:38.785737", + "DLE_Unknown3": 1081291571, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "library-ms", + "NetworkPath": null, + "FileSize": 3421, + "CreationDateTime": "08/10/2013 03:04:17.979573", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Videos.library-ms", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Videos.library-ms", + "ModificationDateTime": "08/10/2013 03:04:17.979573", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/10/2013 03:04:17.979573", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 4, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 116, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "183db01be501e311be7424fd52566ede", + "DLE_Unknown1Hash": "57cd00da1555fb4c", + "DLE_Path": "::{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\Videos.library-ms", + "DLE_BirthDroidFileId": "183db01be501e311be7424fd52566ede", + "DLE_LastModificationDatetime": "09/23/2013 19:47:38.785737", + "DLE_Unknown3": 1080872141, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "library-ms", + "NetworkPath": null, + "FileSize": 3434, + "CreationDateTime": "08/10/2013 03:04:17.963947", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "Confidential Analysis Data", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "09/21/2013 21:59:59.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "09/21/2013 21:59:59.000000", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 16, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 192, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "010c60a714b31bc3", + "DLE_Path": "\\\\asgardventurecapital.sharepoint.com@SSL\\DavWWWRoot\\Shared Documents\\Confidential 
Analysis Data", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/23/2013 18:19:35.369803", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\ASGARDVENTURECAPITAL.SHAREPOINT.COM@SSL\\DAVWWWROOT\\Shared Documents\\Confidential Analysis Data", + "FileSize": 0, + "CreationDateTime": "09/21/2013 21:58:39.000000", + "EnvVarLoc": "\\\\asgardventurecapital.sharepoint.com@SSL\\DavWWWRoot\\Shared Documents\\Confidential Analysis Data" + }, + { + "VolumeLabel": null, + "BaseName": "Shared Documents", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "09/21/2013 21:59:59.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "09/21/2013 21:59:59.000000", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 15, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 138, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "67e36b2d1dbdf3ee", + "DLE_Path": "\\\\asgardventurecapital.sharepoint.com@SSL\\DavWWWRoot\\Shared Documents", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/23/2013 18:18:29.979156", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": 
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": "\\\\ASGARDVENTURECAPITAL.SHAREPOINT.COM@SSL\\DAVWWWROOT\\Shared Documents", + "FileSize": 0, + "CreationDateTime": "07/22/2013 05:01:22.000000", + "EnvVarLoc": "\\\\asgardventurecapital.sharepoint.com@SSL\\DavWWWRoot\\Shared Documents" + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Camera Roll", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Pictures\\Camera Roll", + "ModificationDateTime": "09/18/2013 17:56:32.887303", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/18/2013 17:56:32.887303", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": "Pictures", + "DistinctTypesHex": "0x0L;0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "SkyDrive", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 127384, + "FileReferenceInt": 562949953548696, + "AccessTime": "08/12/2013 01:11:02.000000", + "CreationTime": "08/12/2013 01:02:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "127384-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Pictures", + "Location": null, + "Comments": null, + 
"ModificationTime": "08/12/2013 01:11:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Pictures", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127278, + "FileReferenceInt": 844424930259246, + "AccessTime": "08/12/2013 01:11:04.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127278-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "CAMERA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/18/2013 17:56:34.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Camera Roll", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127281, + "FileReferenceInt": 844424930259249, + "AccessTime": "09/18/2013 17:56:34.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127281-3" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 5, + "ParentRefStr": "127278-3", + "ParentEntryNum": 127278, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 13, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 90, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "70918162881ce311be7e24fd52566ede", + "DLE_Unknown1Hash": "ea20284a8b134008", + "DLE_Path": 
"C:\\Users\\Donald\\SkyDrive\\Pictures\\Camera Roll", + "DLE_BirthDroidFileId": "70918162881ce311be7e24fd52566ede", + "DLE_LastModificationDatetime": "09/18/2013 17:57:51.772989", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 8192, + "CreationDateTime": "08/12/2013 01:11:03.901405", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Signatures", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Signatures", + "ModificationDateTime": "09/11/2013 16:19:56.560680", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/11/2013 16:19:56.560680", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": "Microsoft", + "DistinctTypesHex": "0x0L;0x31L;0x1fL", + "ParentSeqNum": 8, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "AppData", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 4019, + "FileReferenceInt": 562949953425331, + "AccessTime": "08/10/2013 03:03:24.000000", + "CreationTime": "08/10/2013 03:03:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "4019-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + 
"Identifier": null, + "Name": "Roaming", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:12:48.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Roaming", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 8, + "EntryNum": 5093, + "FileReferenceInt": 2251799813690341, + "AccessTime": "09/03/2013 02:12:48.000000", + "CreationTime": "08/10/2013 03:03:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "5093-8" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/10/2013 01:30:00.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 8, + "EntryNum": 5094, + "FileReferenceInt": 2251799813690342, + "AccessTime": "09/10/2013 01:30:00.000000", + "CreationTime": "08/10/2013 03:03:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "5094-8" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SIGNAT~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/11/2013 16:19:58.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Signatures", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 188595, + "FileReferenceInt": 1407374883741875, + "AccessTime": "09/11/2013 16:19:58.000000", + "CreationTime": "08/12/2013 02:39:44.000000", + "Signature": "0xbeef0004L", + "RefNum": "188595-5" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "ParentRefStr": "5094-8", + 
"ParentEntryNum": 5094, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 12, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 104, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "d09a34878615e311be7d24fd52566ede", + "DLE_Unknown1Hash": "1597d31119651deb", + "DLE_Path": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Signatures", + "DLE_BirthDroidFileId": "d09a34878615e311be7d24fd52566ede", + "DLE_LastModificationDatetime": "09/11/2013 16:19:56.563182", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 4096, + "CreationDateTime": "08/12/2013 02:39:42.831628", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "VC Files.library-ms", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\VC Files.library-ms", + "ModificationDateTime": "09/03/2013 02:13:34.433383", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/03/2013 02:13:34.431883", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + 
"ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 3, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "VC Files.library-ms", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 177617, + "FileReferenceInt": 844424930309585, + "AccessTime": "09/03/2013 02:13:36.000000", + "CreationTime": "09/03/2013 01:45:48.000000", + "Signature": "0xbeef0004L", + "RefNum": "177617-3" + }, + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0000L" + }, + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0019L" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef0000L;0xbeef0019L", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 10, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 120, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "ab9765a09a11e311be7d24fd52566ede", + "DLE_Unknown1Hash": "d101c9e481943249", + "DLE_Path": "::{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\VC Files.library-ms", + "DLE_BirthDroidFileId": "ab9765a09a11e311be7d24fd52566ede", + "DLE_LastModificationDatetime": "09/03/2013 02:13:38.317115", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": 
null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "library-ms", + "NetworkPath": null, + "FileSize": 2083, + "CreationDateTime": "09/03/2013 01:45:47.004997", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Outlook Files", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\Outlook Files", + "ModificationDateTime": "08/12/2013 02:34:21.022893", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 02:34:21.022893", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "DistinctTypesHex": "0x2fL;0x1fL;0x31L", + "ParentSeqNum": 2, + "ParentRefStr": "4017-2", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Users", + "Location": null, + "Comments": null, + "ModificationTime": "08/10/2013 03:03:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Users", + "ExtentionBlockSize": 56, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 3915, + "FileReferenceInt": 281474976714571, + "AccessTime": "08/10/2013 03:03:24.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3915-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Donald", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 01:02:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Donald", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 4007, + 
"FileReferenceInt": 562949953425319, + "AccessTime": "08/12/2013 01:02:20.000000", + "CreationTime": "08/10/2013 03:03:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "4007-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 02:34:18.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 104, + "LocalizedName": "@shell32.dll,-21770", + "SeqNum": 2, + "EntryNum": 4017, + "FileReferenceInt": 562949953425329, + "AccessTime": "08/12/2013 02:34:18.000000", + "CreationTime": "08/10/2013 03:03:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "4017-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "OUTLOO~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 02:34:18.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Outlook Files", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 69, + "EntryNum": 54683, + "FileReferenceInt": 19421773393089947, + "AccessTime": "08/12/2013 02:34:18.000000", + "CreationTime": "08/12/2013 02:34:18.000000", + "Signature": "0xbeef0004L", + "RefNum": "54683-69" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Documents", + "ParentEntryNum": 4017, + "DistinctTypesStr": 
"volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 6, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 78, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "562b80fde702e311be7724fd52566ede", + "DLE_Unknown1Hash": "3b45fcef703f9c8e", + "DLE_Path": "C:\\Users\\Donald\\Documents\\Outlook Files", + "DLE_BirthDroidFileId": "562b80fde702e311be7724fd52566ede", + "DLE_LastModificationDatetime": "08/12/2013 02:34:21.085393", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "08/12/2013 02:34:16.600786", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "PDF", + "WorkingDir": null, + "LocalPath": "C:\\UserGuidePDF\\PDF", + "ModificationDateTime": "06/02/2013 03:47:56.958713", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "06/02/2013 03:47:56.958713", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "DistinctTypesHex": "0x2fL;0x1fL;0x31L", + "ParentSeqNum": 7, + 
"ParentRefStr": "145028-7", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "USERGU~1", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:47:58.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "UserGuidePDF", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 7, + "EntryNum": 145028, + "FileReferenceInt": 1970324837119620, + "AccessTime": "06/02/2013 03:47:58.000000", + "CreationTime": "06/02/2013 03:47:58.000000", + "Signature": "0xbeef0004L", + "RefNum": "145028-7" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PDF", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:47:58.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "PDF", + "ExtentionBlockSize": 52, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 145982, + "FileReferenceInt": 1688849860409918, + "AccessTime": "06/02/2013 03:47:58.000000", + "CreationTime": "06/02/2013 03:47:58.000000", + "Signature": "0xbeef0004L", + "RefNum": "145982-6" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "UserGuidePDF", + "ParentEntryNum": 145028, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L", + "ItemCount": 5, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + 
"ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 5, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 38, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "7b3fb01be501e311be7424fd52566ede", + "DLE_Unknown1Hash": "5a97bdb3209f364d", + "DLE_Path": "C:\\UserGuidePDF\\PDF", + "DLE_BirthDroidFileId": "7b3fb01be501e311be7424fd52566ede", + "DLE_LastModificationDatetime": "08/10/2013 04:24:15.749162", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 4096, + "CreationDateTime": "06/02/2013 03:47:56.527498", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Donald", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald", + "ModificationDateTime": "08/12/2013 01:02:19.400909", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91238.Donald.f01b4d95cf55d32a.automaticDestinations-ms", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 01:02:19.400909", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "f01b4d95cf55d32a", + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + 
"Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 17, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 30, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "44ce7f5c0323e311be7f24fd52566ede", + "DLE_Unknown1Hash": "2d567c026f3a9ca0", + "DLE_Path": "C:\\Users\\Donald", + "DLE_BirthDroidFileId": "44ce7f5c0323e311be7f24fd52566ede", + "DLE_LastModificationDatetime": "1601-01-01 00:00:00", + "DLE_Unknown3": 0, + "DLE_PinStatus": 0, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Windows Explorer Windows 8.1.", + "FileExt": "", + "NetworkPath": null, + "FileSize": 8192, + "CreationDateTime": "08/10/2013 03:03:23.635963", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + 
"ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 4, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "3858d54eaa1f8ebf", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{040873CB-404A-49FE-A254-A9BB9CEFAEA5}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/22/2013 16:52:25.240845", + "DLE_Unknown3": 1094713344, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": 
"0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 9, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "9165dbfc48b800f0", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\5\\::{BB06C0E4-D293-4F75-8A90-CB05B6477EEE}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 20:23:50.867551", + "DLE_Unknown3": 1088421888, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + 
"FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 36, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 188, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "996aabb0bac15ab2", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{C58C4893-3BE0-4B45-ABB5-A63E4B8C8651}\\resultPage", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 20:10:17.792019", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + 
}, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 35, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "ac29f56106e26d7e", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\5\\::{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/20/2013 22:25:20.217199", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 8, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "f945936ac7f6cc5b", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\5\\::{F6B6E965-E9B2-444B-9286-10C9152EDBC5}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + 
"DLE_LastModificationDatetime": "10/20/2013 22:24:38.222586", + "DLE_Unknown3": 1084227584, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + 
"ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 18, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 146, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "4b3f801926a68e51", + "DLE_Path": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/19/2013 19:56:19.522760", + "DLE_Unknown3": 1084227584, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + 
"FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 10, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "b09df9006b872395", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{AACA901F-E74F-4894-B074-F55059532853}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/19/2013 19:56:09.619497", + "DLE_Unknown3": 1086324736, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + 
"DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 13, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "f6e2687e71db756d", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\5\\::{BE122A0E-4503-11DA-8BDE-F66BAD1E3F3A}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/19/2013 19:54:11.296037", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": 
"Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 12, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + 
"DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "322cf63e9a372c0f", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\5\\::{36EEF7DB-88AD-4E81-AD49-0E313F0C35F8}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/19/2013 19:53:44.856340", + "DLE_Unknown3": 1093664768, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": 
null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 34, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "6f5addfda0472434", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{1CD00BD6-1C67-48A1-983C-D1157553B119}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/19/2013 01:52:27.412254", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 33, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "6e189707dec93c7b", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{74246BFC-4C96-11D0-ABEF-0020AF6B0B7A}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/18/2013 02:08:10.989016", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 32, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "98eb61026580b691", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{81E8B13B-EDEA-FF08-90CB-47D97550AD14}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + 
"DLE_LastModificationDatetime": "10/18/2013 01:38:49.253289", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 28, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + 
"DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "d833d443300bda4d", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{7D13A5DB-6081-48BD-8EA3-A9D7FE67A335}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/13/2013 09:22:24.012614", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + 
"Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 31, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "daa3e66bb125b39b", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{14DEC75C-D6CE-44A9-8349-AD0F46EF96BE}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/13/2013 09:22:03.504063", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + 
"ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 30, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "6aa015a754176258", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{DD338333-7000-45CC-A84D-64680D6E683D}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/13/2013 09:11:18.296454", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + 
"AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 29, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "11e8b396fdf2c7af", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{C86B1923-8E1F-414B-83DB-94B09BA73E15}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/13/2013 09:01:25.843248", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": 
null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 5, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "76afc36b3246aff1", + "DLE_Path": 
"::{26EE0668-A00A-44D7-9371-BEB064C98683}\\8\\::{7B81BE6A-CE2B-4676-A29E-EB907A5126C5}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/13/2013 08:58:30.625537", + "DLE_Unknown3": 1084227584, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": 
"26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 27, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "245ab1a66dc48fd5", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\9\\::{60632754-C523-4B62-B45C-4172DA012619}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/07/2013 11:37:28.562362", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": 
null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 26, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "4dfe26abe409f7af", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{16CE80CC-80CE-4C7D-8B36-3A997849A46E}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/04/2013 17:42:57.220466", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + 
"AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 25, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "d66844bbb38a2d2a", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\2\\::{A8A91A66-3A7D-4424-8D24-04E180695C7A}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/04/2013 17:35:53.039223", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": 
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": 
"26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 24, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 188, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "562f5a499c89532f", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\3\\::{8E908FC9-BECC-40F6-915B-F4CA0E70D03D}\\ShareMedia", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/01/2013 18:58:44.798312", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": 
null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 23, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "e38bef963ea1a5dc", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\3\\::{8E908FC9-BECC-40F6-915B-F4CA0E70D03D}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/23/2013 17:56:27.048903", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + 
"WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 1, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "61f717f760af8856", + "DLE_Path": 
"::{26EE0668-A00A-44D7-9371-BEB064C98683}\\1\\::{ED834ED6-4B5A-4BFE-8F11-A626DCB6A921}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/19/2013 16:51:19.833115", + "DLE_Unknown3": 1084227584, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + 
"ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 22, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 204, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "8674804ceaa69263", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\8\\::{17CD9488-1228-4B2F-88CE-4298E93E0966}\\pageDefaultProgram", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/10/2013 00:57:17.731465", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + 
"DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 19, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "c186b2e75f9fb200", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\2\\::{025A5937-A6BE-4686-A844-36FE4BEC8B6D}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/30/2013 16:56:20.260483", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": 
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] 
+ } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 21, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "1931528fa8e42e9f", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\7\\::{D555645E-D4F8-4C29-A827-D93C859C4F2A}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/12/2013 03:25:04.707526", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + 
"Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 11, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "b69ad37b3a3ec78f", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{9FE63AFD-59CF-4419-9775-ABCC3849F861}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/12/2013 03:24:43.344872", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": 
"1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 20, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "6dacf80b28dc9201", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{C5AE651D-D027-4D11-8125-595B9933C78B}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/12/2013 03:19:10.655412", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + 
"VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 17, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "b66a925989f119c9", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{45FDB5DF-1457-4A41-A824-7AD9C75767BC}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/12/2013 02:54:16.388662", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + 
"DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 16, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + 
"DLE_Unknown1Hash": "bc2d799518407d0f", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{821FB666-D307-4865-86BB-68725A30999C}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/12/2013 02:53:01.446960", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + 
"Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 15, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "ba15d68c34a6e643", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{91BA8E01-F854-4418-A108-E63323DDAE60}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/12/2013 02:52:32.898431", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + 
}, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 14, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "3720d83252b8e687", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{A0D4CD32-5D5D-4F72-BAAA-767A7AD6BAC5}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/12/2013 02:22:35.499292", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 7, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "ae9f41aa68a12d02", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{76F31A78-3FDA-4F80-B015-95CFD81463AD}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/12/2013 00:43:34.912971", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": 
"cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x71L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x71L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 4, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "26ee0668-a00a-44d7-9371-beb064c98683", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 6, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": 
"00000000000000000000000000000000", + "DLE_PathSize": 166, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "0e44f23ab8892b30", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{F1F37C58-E099-4BE2-9C27-AA8D45A7E9EA}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/11/2013 17:44:19.098927", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + 
"Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 3, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "931d89e3a1faff51", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{A7160DE5-E591-4D98-9BB0-0CAC99D5F2D5}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/10/2013 04:15:30.523889", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91785.Donald.7e4dca80246863e3.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "7e4dca80246863e3", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, 
+ "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "ed7ba470-8e54-465e-825c-99712043e01c", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 2, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 244, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "5425121dd87dae6d", + "DLE_Path": "::{26EE0668-A00A-44D7-9371-BEB064C98683}\\0\\::{ED7BA470-8E54-465E-825C-99712043E01C}\\{F89E9A98-06B5-44EA-9B08-03D9A5D5448C}", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/10/2013 04:15:14.273067", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Control Panel (?)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + 
"AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 23, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 464, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "f3620b1ff4a8195c", + "DLE_Path": "https://customer.hotspotsystem.com/customer/hotspotlogin.php?res=notyet&uamip=192.168.182.1&uamport=3990&challenge=a36ddb438860bcfc92784e8a59244ffa&userurl=http%3a%2f%2fwww.msftncsi.com%2fredirect&nasid=lot38_1&mac=24-FD-52-56-47-D2", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:19:15.276788", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 
10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 22, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 288, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "8e01d1b8d368590b", + "DLE_Path": 
"http://54.224.124.95/fam/ck.php?p=__pid=2afb481afa952e4a__sid=45831__bid=821575__cb=3b082aee5d__h=1382295964__s=f8ff8bb5be69fa05f6aca43617050e83", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/20/2013 19:06:59.103950", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + 
"ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 21, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 200, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "8af986ba17098158", + "DLE_Path": "http://www.eightforums.com/tutorials/32238-internet-explorer-11-pin-website-start-windows-8-1-a.html", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/19/2013 02:01:32.142901", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + 
"Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 20, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 68, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "fa900874a66a0f92", + "DLE_Path": "http://support.apple.com/kb/DL1455", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/17/2013 19:05:17.614835", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + 
"ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + }, + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL;0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 19, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 308, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "7e558922e01ec937", + "DLE_Path": "http://andromeda.gcomm.cz/?originalUrl=http%3A%2F%2Fwww.msftncsi.com%2Fredirect&loginurl=https%3A%2F%2Fandromeda.gcomm.cz%2Flandingpage_prg.aero%2Fconnect", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/14/2013 07:18:45.731074", + "DLE_Unknown3": 1082130432, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": 
null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 18, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 142, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "ca1457d7ffaef9c0", + "DLE_Path": "http://helpdeskgeek.com/windows-8/how-to-run-disk-cleanup-in-windows-8/", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + 
"DLE_LastModificationDatetime": "10/13/2013 08:52:11.778999", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 17, + 
"DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 38, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "62c59bbcb5177c62", + "DLE_Path": "http://www.hrad.cz/", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/12/2013 17:43:03.279823", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + }, + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL;0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": 
null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 16, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 58, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "3cd17efb4b68936e", + "DLE_Path": "http://www.praha-vysehrad.cz/", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/12/2013 17:43:03.190764", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, 
+ "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 15, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 68, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "d9aab9bea339e909", + "DLE_Path": "http://money.cnn.com/data/markets/", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/12/2013 17:40:22.485782", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + 
"DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 14, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 40, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "752ad526120a8479", + "DLE_Path": "http://www.xbox.com/", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/12/2013 17:36:31.796856", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + 
"EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef001aL" + }, + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL;0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 10, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 124, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "0c47c7590bc0c239", + "DLE_Path": "https://buy.wsj.com/offers/html/offerN.html?trackCode=aap4pozs", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + 
"DLE_LastModificationDatetime": "10/11/2013 18:39:54.187970", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 13, + 
"DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 200, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "4cd714cd057a6731", + "DLE_Path": "http://www.linkedin.com/e/bgaybo-hmme52lc-6f/nth/false/eml_nus_home_top/?hs=false&tok=3dULI4vIMsklY1", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/11/2013 18:01:41.997937", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": 
null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 12, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 196, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "4a99a2a757b8a91b", + "DLE_Path": "https://www.amazon.com/gp/kindle/kcp/links?deviceType=A3C2X3KG4GJCOD&eid=meow&method=CreateAccount", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/04/2013 17:29:45.114308", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + 
"ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 11, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 118, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "b36bc9347876780e", + "DLE_Path": "https://commerce.wsj.com/auth/forgotpass?mod=CustomerCenter", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/03/2013 12:17:54.982738", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 9, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 302, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "7d0a464596566a48", + "DLE_Path": "http://airborne.gogoinflight.com/abp/page/abpDefault.do?REP=127.0.0.1&AUTH=127.0.0.1&CLI=172.19.131.157&PORT=54273&RPORT=54272&ABS=0&acpu_redirect=true", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/03/2013 11:50:10.368144", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": 
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 8, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 38, + "DLE_DroidVolId": 
"00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "67c0eeb408a410c2", + "DLE_Path": "http://192.168.1.1/", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/01/2013 18:45:14.661744", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + 
"ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 7, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 52, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "5cc7c33e9b990b25", + "DLE_Path": "http://alert.logitech.com/", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/01/2013 18:44:58.842147", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + 
"ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 6, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 648, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "154649d2ac14fda8", + "DLE_Path": "https://id.apple.com/cgi-bin/verify.cgi?language=US-EN&key=M2VmN2UzYTI1NGUzMGI1M2NjZDMwNzMwNDdkNjkwOTVkY2Y0OTM4M2Y2OTkxMGJjMTA1MmU1ZmRkOWY1OWFhYWYzNGViYzMzY2NjNmUxZTQyYjhjYWI3MDFkNTRlZDAxYjJmOGVkOGI1NTYzYzcwMDE3NWM5YjBjZmM2MTM2YTQwZWM4NDY1OGNiOTI5NDEyMmQ4YzUyZTgwZTQ3ZDI5N2ZhNWVlNjExZGFjNzVlMjU5ZmQyZGNkYWMyOGIzMWEx&type=DFT", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/29/2013 19:01:15.448476", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 5, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 496, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "89dad2843c794dae", + "DLE_Path": "http://www.facebook.com/n/?friends/requests/&fcode=AY9W3ic_NfAjPYCW&f=100006626202907&r=100006412544116&aref=2015996&medium=email&mid=8aea0baG5af48eb1e874G1ec2fcG2&bcode=1.1380230029.Abn6sVCWKNYsFVBb&n_m=thunder.gawd.donald%40gmail.com&lloc=1st_cta", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/27/2013 03:03:38.190323", + "DLE_Unknown3": 
1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 58, + "Signature": "0xbeef0001L" + }, + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0001L;0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 4, + 
"DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 64, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "a452998edfa9b769", + "DLE_Path": "https://www.google.com/contacts/", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "09/01/2013 17:21:35.764640", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": 
"871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 3, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 246, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "2ae7803841a11168", + "DLE_Path": "https://secure.skype.com/login/sso?nonce=RJJNOZfvYmr5KVaQhxKA&go=myaccount&intsrc=client-_-windows8_9-_-1.8-_-go-my-account", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/31/2013 20:35:11.681079", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + 
"ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 2, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 434, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "68d662aca7d3303e", + "DLE_Path": "http://nmd.hil-bosbhhh.bos.wayport.net/index.adp?MacAddr=24%3aFD%3a52%3a56%3a47%3aD2&IpAddr=192%2e168%2e6%2e170&vsgpId=a32e659c%2d17fe%2d1e9d%2de040%2d0cd80de5444e&vsgId=496765&UserAgent=&ProxyHost=&TunnelIfId=3226708", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/10/2013 21:46:48.279319", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + 
"ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\91804.Donald.28c8b86deab549a1.automaticDestinations-ms", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": "28c8b86deab549a1", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 28, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef001aL", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 1, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 110, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "2730050f67f64f1f", + "DLE_Path": "http://go.microsoft.com/fwlink/?LinkId=248215&mkt=en-US", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "08/10/2013 03:07:29.815676", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": 
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": "Internet Explorer 8 / 9 / 10 (32-bit)", + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Doncaster-business-plan.xlsx", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\Doncaster-business-plan.xlsx", + "ModificationDateTime": "10/21/2013 18:38:34.243188", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\986.Donald.b8ab77100df80ab2.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 18:38:34.155969", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "b8ab77100df80ab2", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + 
"ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 8, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 108, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "51fa8fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "d23ed9aa11520e13", + "DLE_Path": "C:\\Users\\Donald\\Documents\\Doncaster-business-plan.xlsx", + "DLE_BirthDroidFileId": "51fa8fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "10/22/2013 16:33:39.563238", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "xlsx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\Doncaster-business-plan.xlsx", + "FileSize": 32748, + "CreationDateTime": "10/21/2013 18:38:28.600612", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "EXCEL.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\EXCEL.EXE", + "ModificationDateTime": "09/23/2013 20:28:31.559819", + "CmdArgs": "https://asgardventurecapital.sharepoint.com/Shared%20Documents/Confidential%20Analysis%20Data/NETFLIX_10-K_20130201.xlsx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\986.Donald.b8ab77100df80ab2.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", 
+ "AccessDateTime": "09/23/2013 20:28:15.874480", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "b8ab77100df80ab2", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/13/2013 09:39:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/13/2013 09:39:12.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + 
"EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "EXCEL.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:32.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 32876192, + "ExtentionBlocks": [ + { + "LongName": "EXCEL.EXE", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 24, + "EntryNum": 4777, + "FileReferenceInt": 6755399441060521, + "AccessTime": "09/23/2013 20:28:16.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "4777-24" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": 
"volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://asgardventurecapital.sharepoint.com/Shared Documents/Confidential Analysis Data/NETFLIX_10-K_20130201.xlsx", + "DestInfo": { + "DLE_EntryNum": 5, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "5bc594f8ed137642", + "DLE_Path": "376ee1bfd31f027f", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 20:19:56.980526", + "DLE_Unknown3": 1077936128, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\EXCEL.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 32876192, + "CreationDateTime": "09/23/2013 20:24:21.102777", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "guided-cash-flow-statement.xls", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:47:28.642041", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\986.Donald.b8ab77100df80ab2.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 
19:47:28.555417", + "DriveSerialNumber": "0000-0000", + "AppIdCode": "b8ab77100df80ab2", + "LnkTrgData": null, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 14, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_PathSize": 148, + "DLE_DroidVolId": "1e389934d79236429fc979e377f2430a", + "DLE_DroidFileId": "8f973a5b8b39e311be82000af7048353", + "DLE_Unknown1Hash": "f8977237c0357a53", + "DLE_Path": "\\\\VALHALLA\\Users\\Public\\Documents\\Templates\\guided-cash-flow-statement.xls", + "DLE_BirthDroidFileId": "8f973a5b8b39e311be82000af7048353", + "DLE_LastModificationDatetime": "10/21/2013 20:00:45.265067", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "valhalla\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "xls", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Templates\\guided-cash-flow-statement.xls", + "FileSize": 45056, + "CreationDateTime": "10/21/2013 19:47:28.555417", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Templates\\guided-cash-flow-statement.xls" + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WACC Calc Spreadsheet.xls", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\WACC Calc Spreadsheet.xls", + "ModificationDateTime": "08/08/2013 03:59:09.343000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\986.Donald.b8ab77100df80ab2.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 19:48:50.000000", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "b8ab77100df80ab2", + "LnkTrgData": { + "ParentLongName": "Documents", + "DistinctTypesHex": "0x32L;0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + 
"ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:50:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "10/21/2013 18:50:46.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WACCCA~2.XLS", + "Location": null, + "Comments": null, + "ModificationTime": "08/08/2013 03:59:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 16384, + "ExtentionBlocks": [ + { + "LongName": "WACC Calc Spreadsheet.xls", + "ExtentionBlockSize": 100, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127314, + "FileReferenceInt": 844424930259282, + "AccessTime": "09/23/2013 19:48:50.000000", + "CreationTime": "08/08/2013 03:57:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "127314-3" + }, + { + "ExtentionBlockSize": 40, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L;0xbeef001aL", + "ItemCount": 4, + "ParentRefStr": "127282-3", + "ParentEntryNum": 127282, + "RootFolder": [ + { + "ShellFolderId": "8e74d236-7f35-4720-b138-1fed0b85ea75", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 13, + 
"DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 120, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "c1fb8fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "a6567ebf4b8e5516", + "DLE_Path": "C:\\Users\\Donald\\SkyDrive\\Documents\\WACC Calc Spreadsheet.xls", + "DLE_BirthDroidFileId": "c1fb8fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "10/21/2013 18:58:23.930585", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "xls", + "NetworkPath": "\\\\BIFROST\\SkyDrive\\Documents\\WACC Calc Spreadsheet.xls", + "FileSize": 16384, + "CreationDateTime": "08/08/2013 03:57:34.463000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "EXCEL.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\EXCEL.EXE", + "ModificationDateTime": "09/23/2013 20:28:31.559819", + "CmdArgs": "https://d.docs.live.net/7f095149027848ed/Documents/WACC%20Calc%20Spreadsheet.xls", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\986.Donald.b8ab77100df80ab2.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:15.874480", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "b8ab77100df80ab2", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + 
"ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", 
+ "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "EXCEL.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:32.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 32876192, + "ExtentionBlocks": [ + { + "LongName": "EXCEL.EXE", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 24, + "EntryNum": 4777, + "FileReferenceInt": 6755399441060521, + "AccessTime": "09/23/2013 20:28:16.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "4777-24" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://d.docs.live.net/7f095149027848ed/Documents/WACC Calc 
Spreadsheet.xls", + "DestInfo": { + "DLE_EntryNum": 12, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "3a73b81886ee354b", + "DLE_Path": "c610294c34a22498", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:58:23.813502", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\EXCEL.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 32876192, + "CreationDateTime": "09/23/2013 20:24:21.102777", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "SuperProject_Solved.xls", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\SuperProject_Solved.xls", + "ModificationDateTime": "08/08/2013 03:48:04.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\986.Donald.b8ab77100df80ab2.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 19:48:48.000000", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "b8ab77100df80ab2", + "LnkTrgData": { + "ParentLongName": "Documents", + "DistinctTypesHex": "0x32L;0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:50:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + 
"FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "10/21/2013 18:50:46.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "SUPERP~1.XLS", + "Location": null, + "Comments": null, + "ModificationTime": "08/08/2013 03:48:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 36864, + "ExtentionBlocks": [ + { + "LongName": "SuperProject_Solved.xls", + "ExtentionBlockSize": 96, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127305, + "FileReferenceInt": 844424930259273, + "AccessTime": "09/23/2013 19:48:48.000000", + "CreationTime": "08/08/2013 03:52:48.000000", + "Signature": "0xbeef0004L", + "RefNum": "127305-3" + }, + { + "ExtentionBlockSize": 40, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L;0xbeef001aL", + "ItemCount": 4, + "ParentRefStr": "127282-3", + "ParentEntryNum": 127282, + "RootFolder": [ + { + "ShellFolderId": "8e74d236-7f35-4720-b138-1fed0b85ea75", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 11, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 116, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "b2fb8fdc6b3ae311be8a24fd52566ede", + "DLE_Unknown1Hash": "aed9ede2ae5dd648", + 
"DLE_Path": "C:\\Users\\Donald\\SkyDrive\\Documents\\SuperProject_Solved.xls", + "DLE_BirthDroidFileId": "b2fb8fdc6b3ae311be8a24fd52566ede", + "DLE_LastModificationDatetime": "10/21/2013 18:58:13.303359", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "xls", + "NetworkPath": "\\\\BIFROST\\SkyDrive\\Documents\\SuperProject_Solved.xls", + "FileSize": 36864, + "CreationDateTime": "08/08/2013 03:52:46.900000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "EXCEL.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\EXCEL.EXE", + "ModificationDateTime": "09/23/2013 20:28:31.559819", + "CmdArgs": "https://d.docs.live.net/7f095149027848ed/Documents/SuperProject_Solved.xls", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\986.Donald.b8ab77100df80ab2.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:15.874480", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "b8ab77100df80ab2", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": 
"08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": 
"5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "EXCEL.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:32.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 32876192, + "ExtentionBlocks": [ + { + "LongName": "EXCEL.EXE", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 24, + "EntryNum": 4777, + "FileReferenceInt": 6755399441060521, + "AccessTime": "09/23/2013 20:28:16.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "4777-24" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://d.docs.live.net/7f095149027848ed/Documents/SuperProject_Solved.xls", + "DestInfo": { + "DLE_EntryNum": 10, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + 
"DLE_Unknown1Hash": "b8bb870a374fbcde", + "DLE_Path": "a52384734d17ee2e", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:58:13.144222", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\EXCEL.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 32876192, + "CreationDateTime": "09/23/2013 20:24:21.102777", + "EnvVarLoc": null + }, + { + "VolumeLabel": "USB", + "BaseName": "Doncaster-business-plan.xlsx", + "WorkingDir": null, + "LocalPath": "F:\\Doncaster-business-plan.xlsx", + "ModificationDateTime": "10/21/2013 18:45:30.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\986.Donald.b8ab77100df80ab2.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/21/2013 04:00:00.000000", + "DriveSerialNumber": "39c7-1beb", + "AppIdCode": "b8ab77100df80ab2", + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "F:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x32L;0x2fL;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "DONCAS~1.XLS", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:45:30.000000", + 
"ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 32746, + "ExtentionBlocks": [ + { + "LongName": "Doncaster-business-plan.xlsx", + "ExtentionBlockSize": 106, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 251328, + "FileReferenceInt": 251328, + "AccessTime": "10/21/2013 04:00:00.000000", + "CreationTime": "10/21/2013 18:53:02.000000", + "Signature": "0xbeef0004L", + "RefNum": "251328-0" + }, + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef001aL", + "ItemCount": 4, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 9, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 62, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "51f8787a52bd39d2", + "DLE_Path": "F:\\Doncaster-business-plan.xlsx", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:55:38.254068", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "xlsx", + "NetworkPath": null, + "FileSize": 32746, + "CreationDateTime": "10/21/2013 18:53:01.590000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "EXCEL.EXE", + "WorkingDir": null, + "LocalPath": 
"C:\\Program Files\\Microsoft Office 15\\root\\office15\\EXCEL.EXE", + "ModificationDateTime": "09/23/2013 20:28:31.559819", + "CmdArgs": "https://asgardventurecapital.sharepoint.com/Shared%20Documents/Business%20Plans/In%20Review%20-%20NOT%20FOR%20RELEASE/Doncaster-business-plan.xlsx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\986.Donald.b8ab77100df80ab2.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:15.874480", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "b8ab77100df80ab2", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 
20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "EXCEL.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:32.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 32876192, + "ExtentionBlocks": [ + { + "LongName": "EXCEL.EXE", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 24, + "EntryNum": 4777, + "FileReferenceInt": 6755399441060521, + "AccessTime": "09/23/2013 20:28:16.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "4777-24" + } + ] + 
} + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://asgardventurecapital.sharepoint.com/Shared Documents/Business Plans/In Review - NOT FOR RELEASE/Doncaster-business-plan.xlsx", + "DestInfo": { + "DLE_EntryNum": 7, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "15a2a6d98b4d307d", + "DLE_Path": "e2556b857ff6b6ca", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/21/2013 18:45:11.432953", + "DLE_Unknown3": 1073741824, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\root\\office15\\EXCEL.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 32876192, + 
"CreationDateTime": "09/23/2013 20:24:21.102777", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "EXCEL.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\EXCEL.EXE", + "ModificationDateTime": "09/23/2013 20:28:31.559819", + "CmdArgs": "https://asgardventurecapital.sharepoint.com/Shared%20Documents/Business%20Plans/RLPC-business-plan-2013-07.xlsx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\986.Donald.b8ab77100df80ab2.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:15.874480", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "b8ab77100df80ab2", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/13/2013 09:39:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/13/2013 09:39:12.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, 
+ "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "EXCEL.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:32.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 32876192, + "ExtentionBlocks": [ + { + "LongName": "EXCEL.EXE", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 24, + "EntryNum": 4777, + "FileReferenceInt": 6755399441060521, + "AccessTime": 
"09/23/2013 20:28:16.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "4777-24" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://asgardventurecapital.sharepoint.com/Shared Documents/Business Plans/RLPC-business-plan-2013-07.xlsx", + "DestInfo": { + "DLE_EntryNum": 6, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "d8588896acaf9b43", + "DLE_Path": "6efb7b2f8c1e99a7", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/13/2013 10:27:09.711385", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 
15\\Root\\Office15\\EXCEL.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 32876192, + "CreationDateTime": "09/23/2013 20:24:21.102777", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "EXCEL.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\EXCEL.EXE", + "ModificationDateTime": "09/23/2013 20:28:31.559819", + "CmdArgs": "https://asgardventurecapital-my.sharepoint.com/personal/dblake_asgard-venture-capital_com/Documents/Tire%20City%20Numbers.xlsx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\986.Donald.b8ab77100df80ab2.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:15.874480", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "b8ab77100df80ab2", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/26/2013 17:54:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/26/2013 17:54:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + 
"FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "EXCEL.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:32.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 32876192, + "ExtentionBlocks": [ + { + "LongName": "EXCEL.EXE", 
+ "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 24, + "EntryNum": 4777, + "FileReferenceInt": 6755399441060521, + "AccessTime": "09/23/2013 20:28:16.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "4777-24" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://asgardventurecapital-my.sharepoint.com/personal/dblake_asgard-venture-capital_com/Documents/Tire City Numbers.xlsx", + "DestInfo": { + "DLE_EntryNum": 4, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "0828723baa81fb17", + "DLE_Path": "7ba391748f45d17b", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/01/2013 02:15:22.380378", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": 
"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\EXCEL.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 32876192, + "CreationDateTime": "09/23/2013 20:24:21.102777", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Tire City Numbers.xlsx", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\Tire City Numbers.xlsx", + "ModificationDateTime": "08/12/2013 03:39:32.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\986.Donald.b8ab77100df80ab2.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 19:48:50.857366", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "b8ab77100df80ab2", + "LnkTrgData": { + "ParentLongName": "Documents", + "DistinctTypesHex": "0x32L;0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 19:49:02.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "09/23/2013 19:49:02.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "TIRECI~2.XLS", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 
03:39:32.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": 13610, + "ExtentionBlocks": [ + { + "LongName": "Tire City Numbers.xlsx", + "ExtentionBlockSize": 94, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 281354, + "FileReferenceInt": 562949953702666, + "AccessTime": "09/23/2013 19:48:52.000000", + "CreationTime": "08/08/2013 03:52:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "281354-2" + }, + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef001aL" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L;0xbeef001aL", + "ItemCount": 4, + "ParentRefStr": "127282-3", + "ParentEntryNum": 127282, + "RootFolder": [ + { + "ShellFolderId": "8e74d236-7f35-4720-b138-1fed0b85ea75", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 3, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 114, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "92a6d765fc02e311be7b24fd52566ede", + "DLE_Unknown1Hash": "83c98c0dc2221068", + "DLE_Path": "C:\\Users\\Donald\\SkyDrive\\Documents\\Tire City Numbers.xlsx", + "DLE_BirthDroidFileId": "92a6d765fc02e311be7b24fd52566ede", + "DLE_LastModificationDatetime": "10/01/2013 02:14:26.446799", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "xlsx", + "NetworkPath": null, + "FileSize": 13610, + "CreationDateTime": "08/08/2013 
03:52:53.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "EXCEL.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\EXCEL.EXE", + "ModificationDateTime": "09/23/2013 20:28:31.559819", + "CmdArgs": "https://d.docs.live.net/7f095149027848ed/Documents/Tire%20City%20Numbers.xlsx", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\986.Donald.b8ab77100df80ab2.automaticDestinations-ms", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:15.874480", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "b8ab77100df80ab2", + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/26/2013 17:54:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/26/2013 17:54:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + 
"AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "EXCEL.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:32.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 32876192, + "ExtentionBlocks": [ + { + "LongName": "EXCEL.EXE", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 24, + "EntryNum": 4777, + "FileReferenceInt": 6755399441060521, + "AccessTime": "09/23/2013 20:28:16.000000", + "CreationTime": "09/23/2013 
20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "4777-24" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "https://d.docs.live.net/7f095149027848ed/Documents/Tire City Numbers.xlsx", + "DestInfo": { + "DLE_EntryNum": 2, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "00000000000000000000000000000000", + "DLE_PathSize": 32, + "DLE_DroidVolId": "00000000000000000000000000000000", + "DLE_DroidFileId": "00000000000000000000000000000000", + "DLE_Unknown1Hash": "95a994ff5dc415a6", + "DLE_Path": "f1635b55c3536c23", + "DLE_BirthDroidFileId": "00000000000000000000000000000000", + "DLE_LastModificationDatetime": "10/01/2013 02:14:26.373751", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\EXCEL.EXE", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 32876192, 
+ "CreationDateTime": "09/23/2013 20:24:21.102777", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WACC Calc Spreadsheet.xls", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\VC Files\\WACC Calc Spreadsheet.xls", + "ModificationDateTime": "09/27/2013 02:57:54.475000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\jumplists\\986.Donald.b8ab77100df80ab2.automaticDestinations-ms", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/31/2013 03:53:30.875225", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": "b8ab77100df80ab2", + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": 
[] + } + ], + "ExtentionListing": "", + "ItemCount": 6, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "DestInfo": { + "DLE_EntryNum": 1, + "DLE_Unknown2": 0, + "DLE_BirthDroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_PathSize": 120, + "DLE_DroidVolId": "92abc06b11f16f499067ec5c94ffa9f5", + "DLE_DroidFileId": "98d17dd18b24e311be8024fd52566ede", + "DLE_Unknown1Hash": "1ab077f1238fc703", + "DLE_Path": "C:\\Users\\Donald\\Documents\\VC Files\\WACC Calc Spreadsheet.xls", + "DLE_BirthDroidFileId": "98d17dd18b24e311be8024fd52566ede", + "DLE_LastModificationDatetime": "09/27/2013 02:57:54.815851", + "DLE_Unknown3": 1065353216, + "DLE_PinStatus": 4294967295, + "DLE_Hostname": "bifrost\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" + }, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "xls", + "NetworkPath": null, + "FileSize": 16384, + "CreationDateTime": "08/31/2013 03:53:30.875225", + "EnvVarLoc": null + } + ] +} diff --git a/report_examples/gc_lnk_report.json b/report_examples/gc_lnk_report.json new file mode 100644 index 0000000..40de880 --- /dev/null +++ b/report_examples/gc_lnk_report.json 
@@ -0,0 +1,35276 @@ +{ + "gc_link_file": [ + { + "VolumeLabel": "Windows8_OS", + "BaseName": "DelDrv64.exe", + "WorkingDir": null, + "LocalPath": "C:\\Windows\\System32\\CanonIJ Uninstaller Information\\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX870_series\\DelDrv64.exe", + "ModificationDateTime": "09/10/2009 13:12:10.000000", + "CmdArgs": "/U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX870_series /L0x0009", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\101811..MP Drivers Uninstaller.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/31/2013 03:48:12.113105", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 5, + "ParentRefStr": "101676-5", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 03:07:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 4069, + "FileReferenceInt": 281474976714725, + "AccessTime": "08/12/2013 03:07:06.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "4069-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "System32", + "Location": null, + "Comments": null, + "ModificationTime": "08/31/2013 03:48:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "System32", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 6089, + "FileReferenceInt": 281474976716745, + "AccessTime": "08/31/2013 
03:48:14.000000", + "CreationTime": "07/26/2012 05:38:02.000000", + "Signature": "0xbeef0004L", + "RefNum": "6089-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "CANONI~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/31/2013 03:48:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "CanonIJ Uninstaller Information", + "ExtentionBlockSize": 108, + "LocalizedName": null, + "SeqNum": 8, + "EntryNum": 101675, + "FileReferenceInt": 2251799813786923, + "AccessTime": "08/31/2013 03:48:14.000000", + "CreationTime": "08/31/2013 03:48:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "101675-8" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "{1199F~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/31/2013 03:48:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX870_series", + "ExtentionBlockSize": 160, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 101676, + "FileReferenceInt": 1407374883654956, + "AccessTime": "08/31/2013 03:48:14.000000", + "CreationTime": "08/31/2013 03:48:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "101676-5" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "DelDrv64.exe", + "Location": null, + "Comments": null, + "ModificationTime": "09/10/2009 13:12:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 659800, + "ExtentionBlocks": [ + { + "LongName": "DelDrv64.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 101678, + "FileReferenceInt": 1125899906944302, + 
"AccessTime": "08/31/2013 03:48:14.000000", + "CreationTime": "08/31/2013 03:48:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "101678-4" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX870_series", + "ParentEntryNum": 101676, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Windows\\System32\\CanonIJ Uninstaller Information\\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX870_series\\DelDrv64.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 659800, + "CreationDateTime": "08/31/2013 03:48:12.113105", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\11063.Donald.Microsoft.XboxCompanion.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": 
null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114187..Access 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", 
+ "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "MSACCESS.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "MSACCESS.EXE", + "ExtentionBlockSize": 70, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Build a professional app quickly to manage data.", + "RelativePath": 
null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\accicons.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": " /design ", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114188..InfoPath Designer 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": 
null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "INFOPATH.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "INFOPATH.EXE", + "ExtentionBlockSize": 70, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Design dynamic forms to gather and reuse 
information throughout the organization using Microsoft InfoPath.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\inficon.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114191..Office 2013 Upload Center.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, 
+ { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "MSOUC.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "MSOUC.EXE", + "ExtentionBlockSize": 64, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } 
+ ] + }, + "Description": "Manage file uploads to web servers using the Microsoft Office Upload Center.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\msouc.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114192..Excel 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + 
"LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "EXCEL.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "EXCEL.EXE", + "ExtentionBlockSize": 64, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + 
"FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Easily discover, visualize, and share insights from your data.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\xlicons.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114193..Lync 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + 
"ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "lync.exe", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "lync.exe", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + 
"Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Connect with people everywhere through voice and video calls, Lync Meetings, and IM.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\lyncicon.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114195..InfoPath Filler 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + 
"EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "INFOPATH.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "INFOPATH.EXE", + "ExtentionBlockSize": 70, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + 
"ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Fill out dynamic forms to gather and reuse information throughout the organization using Microsoft InfoPath.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\inficon.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114197..Office 2013 Language Preferences.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + 
"FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "SETLANG.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "SETLANG.EXE", + "ExtentionBlockSize": 68, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + 
"Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Change the language preferences for Office applications.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\misc.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114198..Lync Recording Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + 
"ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "OcPubMgr.exe", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "OcPubMgr.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": 
"0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Manage all your Lync recordings in one place.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\lyncicon.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114199..Database Compare 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files (x86)", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 84, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + 
"Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DCF", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "DCF", + "ExtentionBlockSize": 52, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "DATABASECOMPARE.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "DATABASECOMPARE.EXE", + "ExtentionBlockSize": 84, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": 
"00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "DCF", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Compare versions of an Access database.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\dbcicons.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114200..Telemetry Log for Office 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "msoev.exe", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "msoev.exe", + "ExtentionBlockSize": 64, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": 
"0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "View critical errors, compatibility issues and workaround information for your Office solutions by using Office Telemetry Log.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\osmclienticon.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114201..Telemetry Dashboard for Office 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": 
null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "msotd.exe", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "msotd.exe", + "ExtentionBlockSize": 64, + "LocalizedName": null + } + ] 
+ } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Analyze and monitor Office solutions in your organization by using Office Telemetry Dashboard.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\osmadminicon.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114202..OneNote 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + 
"Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ONENOTE.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": 
"ONENOTE.EXE", + "ExtentionBlockSize": 68, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Take notes and have them when you need them.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\joticon.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114211..Outlook 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": 
"0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "OUTLOOK.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + 
"LongName": "OUTLOOK.EXE", + "ExtentionBlockSize": 68, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Manage your email, schedules, contacts, and to-dos.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\outicon.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114212..Spreadsheet Compare 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": 
null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files (x86)", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 84, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DCF", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, 
+ "EntryNum": null, + "LongName": "DCF", + "ExtentionBlockSize": 52, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "SPREADSHEETCOMPARE.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "SPREADSHEETCOMPARE.EXE", + "ExtentionBlockSize": 90, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "DCF", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Compare versions of an Excel workbook.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\sscicons.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": 
null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114214..PowerPoint 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": 
"0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "POWERPNT.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "POWERPNT.EXE", + "ExtentionBlockSize": 70, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Design and deliver beautiful presentations with ease and confidence.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\pptico.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + 
"EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114216..Publisher 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": 
null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "MSPUB.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "MSPUB.EXE", + "ExtentionBlockSize": 64, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Create professional-grade publications that make an impact.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\pubs.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 
00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114217..Send to OneNote 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + 
"FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ONENOTEM.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "ONENOTEM.EXE", + "ExtentionBlockSize": 70, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Show the clipping panel (Windows+N) or take a screen clipping (Windows+S)", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\joticon.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + 
"FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114218..SkyDrive Pro 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + 
"FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "GROOVE.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "GROOVE.EXE", + "ExtentionBlockSize": 66, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Sync SharePoint documents to your computer and work with the content as if you were connected using Microsoft SkyDrive Pro.", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": 
"%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\grv_icons.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114222..Word 2013.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Microsoft Office", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Microsoft Office", + "ExtentionBlockSize": 78, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Office15", + "Location": null, + "Comments": 
null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Office15", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 68, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Office15", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Create beautiful documents, easily work with others, and enjoy the read.", + "RelativePath": null, + 
"Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\wordicon.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "firefox.exe", + "WorkingDir": "C:\\Program Files (x86)\\Mozilla Firefox", + "LocalPath": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", + "ModificationDateTime": "07/30/2013 22:47:36.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114746..Mozilla Firefox.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 00:52:24.737810", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "114538-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "08/12/2013 00:52:28.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOZILL~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Mozilla Firefox", + 
"ExtentionBlockSize": 76, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 114538, + "FileReferenceInt": 1688849860378474, + "AccessTime": "08/12/2013 00:52:28.000000", + "CreationTime": "08/12/2013 00:52:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "114538-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "firefox.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/30/2013 22:47:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 276376, + "ExtentionBlocks": [ + { + "LongName": "firefox.exe", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 114558, + "FileReferenceInt": 1407374883667838, + "AccessTime": "08/12/2013 00:52:26.000000", + "CreationTime": "08/12/2013 00:52:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "114558-5" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Mozilla Firefox", + "ParentEntryNum": 114538, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Program Files (x86)\\Mozilla 
Firefox\\firefox.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 276376, + "CreationDateTime": "08/12/2013 00:52:24.737810", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "firefox.exe", + "WorkingDir": "C:\\Program Files (x86)\\Mozilla Firefox", + "LocalPath": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", + "ModificationDateTime": "07/30/2013 22:47:36.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\114748.Donald.Mozilla Firefox.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 00:52:24.737810", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "114538-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "08/12/2013 00:52:28.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOZILL~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Mozilla Firefox", + "ExtentionBlockSize": 76, + 
"LocalizedName": null, + "SeqNum": 6, + "EntryNum": 114538, + "FileReferenceInt": 1688849860378474, + "AccessTime": "08/12/2013 00:52:28.000000", + "CreationTime": "08/12/2013 00:52:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "114538-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "firefox.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/30/2013 22:47:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 276376, + "ExtentionBlocks": [ + { + "LongName": "firefox.exe", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 114558, + "FileReferenceInt": 1407374883667838, + "AccessTime": "08/12/2013 00:52:26.000000", + "CreationTime": "08/12/2013 00:52:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "114558-5" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Mozilla Firefox", + "ParentEntryNum": 114538, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", + "Codepage": "cp1252", + 
"IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 276376, + "CreationDateTime": "08/12/2013 00:52:24.737810", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Camera Roll", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Pictures\\Camera Roll", + "ModificationDateTime": "09/18/2013 17:56:32.887303", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\115668.Donald.Camera Roll.lnk", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/18/2013 17:56:32.887303", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": "Pictures", + "DistinctTypesHex": "0x0L;0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "SkyDrive", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 127384, + "FileReferenceInt": 562949953548696, + "AccessTime": "08/12/2013 01:11:02.000000", + "CreationTime": "08/12/2013 01:02:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "127384-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Pictures", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 01:11:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Pictures", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127278, + "FileReferenceInt": 844424930259246, + "AccessTime": "08/12/2013 
01:11:04.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127278-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "CAMERA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/18/2013 17:56:34.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Camera Roll", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127281, + "FileReferenceInt": 844424930259249, + "AccessTime": "09/18/2013 17:56:34.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127281-3" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 5, + "ParentRefStr": "127278-3", + "ParentEntryNum": 127278, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\SkyDrive\\Pictures\\Camera Roll", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": null, + "FileSize": 8192, + "CreationDateTime": "08/12/2013 01:11:03.901405", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": "C:\\Program Files (x86)\\Google\\Chrome\\Application", + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "10/09/2013 00:02:45.911328", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\116042.Donald.Google 
Chrome.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 12:08:01.077878", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + 
"LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/19/2013 01:52:28.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/19/2013 01:52:26.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 00:02:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 844752, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 4980, + "FileReferenceInt": 3096224743822196, + "AccessTime": "10/18/2013 12:08:02.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "4980-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + 
"ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Access the Internet", + "RelativePath": "..\\..\\..\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 844752, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": "C:\\Program Files (x86)\\Google\\Chrome\\Application", + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "09/17/2013 03:21:30.191694", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\116043.Donald.Google Chrome.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/21/2013 17:59:27.377294", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + 
"LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/05/2013 20:35:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:59:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/05/2013 20:59:56.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:59:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 
72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/05/2013 20:59:56.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "09/17/2013 03:21:32.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 829392, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 16, + "EntryNum": 127611, + "FileReferenceInt": 4503599627498107, + "AccessTime": "09/21/2013 17:59:28.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "127611-16" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Access the Internet", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files 
(x86)\\Google\\Chrome\\Application\\chrome.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 829392, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": "C:\\Program Files (x86)\\Google\\Chrome\\Application", + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "10/09/2013 00:02:45.911328", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\116045..Google Chrome.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 12:08:01.077878", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 20:05:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/19/2013 20:05:50.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + 
"ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "10/19/2013 01:52:28.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/19/2013 01:52:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "10/19/2013 01:52:26.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/09/2013 00:02:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 844752, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + 
"ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 4980, + "FileReferenceInt": 3096224743822196, + "AccessTime": "10/18/2013 12:08:02.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "4980-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Access the Internet", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 844752, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": "C:\\Program Files (x86)\\Google\\Chrome\\Application", + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "07/25/2013 00:49:49.016392", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\116046.Donald.Google Chrome.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 00:53:19.096107", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:52:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "08/12/2013 00:52:36.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": 
null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/25/2013 00:49:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 846288, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116036, + "FileReferenceInt": 1125899906958660, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116036-4" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, 
+ "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Access the Internet", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 846288, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "IntelControlCenter.exe", + "WorkingDir": "C:\\Program Files (x86)\\Intel\\Intel Control Center", + "LocalPath": "C:\\Program Files (x86)\\Intel\\Intel Control Center\\IntelControlCenter.exe", + "ModificationDateTime": "05/04/2012 18:16:06.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\117147..Intel Control Center.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "06/02/2013 03:37:19.167951", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 10, + "ParentRefStr": "139687-10", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:35:34.000000", + 
"ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "06/02/2013 03:35:34.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Intel", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:35:34.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Intel", + "ExtentionBlockSize": 56, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 103656, + "FileReferenceInt": 562949953524968, + "AccessTime": "06/02/2013 03:35:34.000000", + "CreationTime": "06/02/2013 03:30:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "103656-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTELC~1", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:37:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Intel Control Center", + "ExtentionBlockSize": 86, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 139687, + "FileReferenceInt": 2814749767246247, + "AccessTime": "06/02/2013 03:37:20.000000", + "CreationTime": "06/02/2013 03:37:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "139687-10" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "INTELC~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "05/04/2012 18:16:06.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 512000, + "ExtentionBlocks": [ + { + "LongName": "IntelControlCenter.exe", + "ExtentionBlockSize": 90, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 140890, + "FileReferenceInt": 1407374883694170, + "AccessTime": "06/02/2013 03:37:20.000000", + "CreationTime": "06/02/2013 03:37:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "140890-5" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Intel Control Center", + "ParentEntryNum": 139687, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@C:\\Program Files (x86)\\Intel\\Intel Control Center\\Uninstaller\\SetupICC.exe,-102", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\Intel\\Intel Control Center\\IntelControlCenter.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 512000, + "CreationDateTime": "06/02/2013 03:37:19.167951", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "GfxUI.exe", + "WorkingDir": "C:\\WINDOWS\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + 
"CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\117148..Intel(R) Graphics and Media Control Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "WINDOWS", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "WINDOWS", + "ExtentionBlockSize": 64, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "system32", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "system32", + "ExtentionBlockSize": 66, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "GfxUI.exe", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "GfxUI.exe", + "ExtentionBlockSize": 68, + "LocalizedName": 
null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "system32", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\WINDOWS\\system32\\GfxUI.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "IAStorUI.exe", + "WorkingDir": "C:\\Program Files (x86)\\Intel\\Intel(R) Rapid Storage Technology", + "LocalPath": "C:\\Program Files (x86)\\Intel\\Intel(R) Rapid Storage Technology\\IAStorUI.exe", + "ModificationDateTime": "09/02/2012 01:07:22.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\117149..Intel(R) Rapid Storage Technology.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "06/02/2013 03:35:35.417575", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": 
"136837-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:35:34.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "06/02/2013 03:35:34.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Intel", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:35:34.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Intel", + "ExtentionBlockSize": 56, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 103656, + "FileReferenceInt": 562949953524968, + "AccessTime": "06/02/2013 03:35:34.000000", + "CreationTime": "06/02/2013 03:30:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "103656-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTEL(~3", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:35:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Intel(R) Rapid Storage Technology", + "ExtentionBlockSize": 112, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 136837, + "FileReferenceInt": 1688849860400773, + "AccessTime": "06/02/2013 03:35:38.000000", + "CreationTime": "06/02/2013 03:35:34.000000", + "Signature": "0xbeef0004L", + "RefNum": "136837-6" + } + ] + 
}, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "IAStorUI.exe", + "Location": null, + "Comments": null, + "ModificationTime": "09/02/2012 01:07:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 632376, + "ExtentionBlocks": [ + { + "LongName": "IAStorUI.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 139010, + "FileReferenceInt": 1688849860402946, + "AccessTime": "06/02/2013 03:35:36.000000", + "CreationTime": "06/02/2013 03:35:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "139010-6" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Intel(R) Rapid Storage Technology", + "ParentEntryNum": 136837, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@C:\\Program Files (x86)\\Intel\\Intel(R) Rapid Storage Technology\\uninstall\\Setup.exe,-2553", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\Intel\\Intel(R) Rapid Storage Technology\\IAStorUI.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 
632376, + "CreationDateTime": "06/02/2013 03:35:35.417575", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "SugarSyncManager.exe", + "WorkingDir": "C:\\Program Files (x86)\\SugarSync", + "LocalPath": "C:\\Program Files (x86)\\SugarSync\\SugarSyncManager.exe", + "ModificationDateTime": "05/14/2012 17:50:14.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\117151..Lenovo Cloud Storage by SugarSync.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "06/02/2013 03:52:04.583932", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "94077-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:52:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "06/02/2013 03:52:06.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SUGARS~1", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:52:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "SugarSync", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 94077, + "FileReferenceInt": 1125899906936701, + "AccessTime": "06/02/2013 
03:52:10.000000", + "CreationTime": "06/02/2013 03:52:06.000000", + "Signature": "0xbeef0004L", + "RefNum": "94077-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "SUGARS~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "05/14/2012 17:50:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 9413712, + "ExtentionBlocks": [ + { + "LongName": "SugarSyncManager.exe", + "ExtentionBlockSize": 86, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 94081, + "FileReferenceInt": 1125899906936705, + "AccessTime": "06/02/2013 03:52:06.000000", + "CreationTime": "05/14/2012 17:50:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "94081-4" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "SugarSync", + "ParentEntryNum": 94077, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Program Files (x86)\\SugarSync\\SugarSyncManager.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\SugarSync\\SugarSyncManager.exe", + "AppIdName": null, + "FileExt": "exe", + 
"NetworkPath": null, + "FileSize": 9413712, + "CreationDateTime": "05/14/2012 17:50:14.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Lenovo Transition.exe", + "WorkingDir": "C:\\Program Files (x86)\\Lenovo\\Lenovo Transition\\", + "LocalPath": "C:\\Program Files (x86)\\Lenovo\\Lenovo Transition\\Lenovo Transition.exe", + "ModificationDateTime": "06/02/2013 03:54:09.522036", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\117153..Lenovo Transition.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "06/02/2013 03:54:09.522036", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 1, + "ParentRefStr": "158234-1", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:52:54.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "06/02/2013 03:52:54.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Lenovo", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:54:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Lenovo", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 147637, + "FileReferenceInt": 
1407374883700917, + "AccessTime": "06/02/2013 03:54:10.000000", + "CreationTime": "06/02/2013 03:48:44.000000", + "Signature": "0xbeef0004L", + "RefNum": "147637-5" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "LENOVO~1", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:54:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Lenovo Transition", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 158234, + "FileReferenceInt": 281474976868890, + "AccessTime": "06/02/2013 03:54:16.000000", + "CreationTime": "06/02/2013 03:54:10.000000", + "Signature": "0xbeef0004L", + "RefNum": "158234-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "LENOVO~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:54:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 209488, + "ExtentionBlocks": [ + { + "LongName": "Lenovo Transition.exe", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 158264, + "FileReferenceInt": 281474976868920, + "AccessTime": "06/02/2013 03:54:10.000000", + "CreationTime": "06/02/2013 03:54:10.000000", + "Signature": "0xbeef0004L", + "RefNum": "158264-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Lenovo Transition", + "ParentEntryNum": 158234, + "DistinctTypesStr": 
"volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files (x86)\\Lenovo\\Lenovo Transition\\Lenovo Transition.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 209488, + "CreationDateTime": "06/02/2013 03:54:09.522036", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "MotionControl.exe", + "WorkingDir": "C:\\Program Files (x86)\\Lenovo\\MotionControl\\", + "LocalPath": "C:\\Program Files (x86)\\Lenovo\\MotionControl\\MotionControl.exe", + "ModificationDateTime": "06/02/2013 03:52:37.533489", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\117155..Motion Control.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "06/02/2013 03:52:37.533489", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 1, + "ParentRefStr": "156333-1", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:52:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + 
"SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "06/02/2013 03:52:06.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Lenovo", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:52:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Lenovo", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 147637, + "FileReferenceInt": 1407374883700917, + "AccessTime": "06/02/2013 03:52:38.000000", + "CreationTime": "06/02/2013 03:48:44.000000", + "Signature": "0xbeef0004L", + "RefNum": "147637-5" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOTION~1", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:52:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "MotionControl", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 156333, + "FileReferenceInt": 281474976866989, + "AccessTime": "06/02/2013 03:52:38.000000", + "CreationTime": "06/02/2013 03:52:38.000000", + "Signature": "0xbeef0004L", + "RefNum": "156333-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "MOTION~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:52:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 172112, + "ExtentionBlocks": [ + { + "LongName": "MotionControl.exe", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 156477, + "FileReferenceInt": 
281474976867133, + "AccessTime": "06/02/2013 03:52:38.000000", + "CreationTime": "06/02/2013 03:52:38.000000", + "Signature": "0xbeef0004L", + "RefNum": "156477-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "MotionControl", + "ParentEntryNum": 156333, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files (x86)\\Lenovo\\MotionControl\\MotionControl.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 172112, + "CreationDateTime": "06/02/2013 03:52:37.533489", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "OneKey Recovery.exe", + "WorkingDir": "C:\\Program Files\\Lenovo\\OneKey App\\OneKey Recovery", + "LocalPath": "C:\\Program Files\\Lenovo\\OneKey App\\OneKey Recovery\\OneKey Recovery.exe", + "ModificationDateTime": "12/19/2012 16:50:52.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\117166..OneKey Recovery.lnk", + "Flags": "Normal;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": 
"06/02/2013 03:56:35.181028", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 2, + "ParentRefStr": "159472-2", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:56:30.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 112, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 1, + "EntryNum": 76, + "FileReferenceInt": 281474976710732, + "AccessTime": "06/02/2013 03:56:30.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "76-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Lenovo", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:56:30.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Lenovo", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 159470, + "FileReferenceInt": 562949953580782, + "AccessTime": "06/02/2013 03:56:30.000000", + "CreationTime": "06/02/2013 03:56:30.000000", + "Signature": "0xbeef0004L", + "RefNum": "159470-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "ONEKEY~1", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:56:30.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "OneKey App", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 159471, + "FileReferenceInt": 
562949953580783, + "AccessTime": "06/02/2013 03:56:30.000000", + "CreationTime": "06/02/2013 03:56:30.000000", + "Signature": "0xbeef0004L", + "RefNum": "159471-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "ONEKEY~1", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:56:44.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "OneKey Recovery", + "ExtentionBlockSize": 76, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 159472, + "FileReferenceInt": 562949953580784, + "AccessTime": "06/02/2013 03:56:44.000000", + "CreationTime": "06/02/2013 03:56:30.000000", + "Signature": "0xbeef0004L", + "RefNum": "159472-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ONEKEY~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "12/19/2012 16:50:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 3370608, + "ExtentionBlocks": [ + { + "LongName": "OneKey Recovery.exe", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 159842, + "FileReferenceInt": 281474976870498, + "AccessTime": "06/02/2013 03:56:36.000000", + "CreationTime": "12/19/2012 16:50:52.000000", + "Signature": "0xbeef0004L", + "RefNum": "159842-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "OneKey Recovery", + "ParentEntryNum": 159472, + "DistinctTypesStr": 
"volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Lenovo\\OneKey App\\OneKey Recovery\\OneKey Recovery.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemDrive%\\Program Files\\Lenovo\\OneKey App\\OneKey Recovery\\OneKey Recovery.ico", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 3370608, + "CreationDateTime": "12/19/2012 16:50:52.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "MotionControl.exe", + "WorkingDir": "C:\\Program Files (x86)\\Lenovo\\MotionControl\\", + "LocalPath": "C:\\Program Files (x86)\\Lenovo\\MotionControl\\MotionControl.exe", + "ModificationDateTime": "06/02/2013 03:52:37.533489", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\117168..Motion Control.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "06/02/2013 03:52:37.533489", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 1, + "ParentRefStr": "156333-1", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:52:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": 
"Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "06/02/2013 03:52:06.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Lenovo", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:52:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Lenovo", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 147637, + "FileReferenceInt": 1407374883700917, + "AccessTime": "06/02/2013 03:52:38.000000", + "CreationTime": "06/02/2013 03:48:44.000000", + "Signature": "0xbeef0004L", + "RefNum": "147637-5" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOTION~1", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:52:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "MotionControl", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 156333, + "FileReferenceInt": 281474976866989, + "AccessTime": "06/02/2013 03:52:38.000000", + "CreationTime": "06/02/2013 03:52:38.000000", + "Signature": "0xbeef0004L", + "RefNum": "156333-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "MOTION~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:52:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 172112, + "ExtentionBlocks": [ + { + "LongName": "MotionControl.exe", + 
"ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 156477, + "FileReferenceInt": 281474976867133, + "AccessTime": "06/02/2013 03:52:38.000000", + "CreationTime": "06/02/2013 03:52:38.000000", + "Signature": "0xbeef0004L", + "RefNum": "156477-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "MotionControl", + "ParentEntryNum": 156333, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\Lenovo\\MotionControl\\MotionControl.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 172112, + "CreationDateTime": "06/02/2013 03:52:37.533489", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iCloud.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\iCloud.exe", + "ModificationDateTime": "09/14/2013 07:50:04.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\118450..iCloud.lnk", + "Flags": "Archive;", + "DriveType": 
"DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:51:42.863109", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 9, + "ParentRefStr": "115276-9", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:10:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "09/23/2013 20:10:16.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "COMMON~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Common Files", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 200141, + "FileReferenceInt": 844424930332109, + "AccessTime": "09/23/2013 20:23:20.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200141-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Apple", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:40.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Apple", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 2, + 
"EntryNum": 172150, + "FileReferenceInt": 562949953593462, + "AccessTime": "09/23/2013 20:51:40.000000", + "CreationTime": "09/03/2013 02:11:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "172150-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Services", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115276, + "FileReferenceInt": 2533274790511180, + "AccessTime": "09/23/2013 20:51:46.000000", + "CreationTime": "09/23/2013 20:51:40.000000", + "Signature": "0xbeef0004L", + "RefNum": "115276-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "iCloud.exe", + "Location": null, + "Comments": null, + "ModificationTime": "09/14/2013 07:50:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 346440, + "ExtentionBlocks": [ + { + "LongName": "iCloud.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 117312, + "FileReferenceInt": 844424930249280, + "AccessTime": "09/23/2013 20:51:44.000000", + "CreationTime": "09/14/2013 07:50:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "117312-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Services", + "ParentEntryNum": 115276, + 
"DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\iCloud.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{EAFB2AD8-D92B-464C-8D97-B9CB94703C4A}\\iCloudIcon.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 346440, + "CreationDateTime": "09/14/2013 07:50:04.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iCloudWeb.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\iCloudWeb.exe", + "ModificationDateTime": "09/14/2013 07:38:54.000000", + "CmdArgs": "mail", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\118451..Mail.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:51:43.896736", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 9, + "ParentRefStr": "115276-9", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:10:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + 
"ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "09/23/2013 20:10:16.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "COMMON~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Common Files", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 200141, + "FileReferenceInt": 844424930332109, + "AccessTime": "09/23/2013 20:23:20.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200141-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Apple", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:40.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Apple", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 172150, + "FileReferenceInt": 562949953593462, + "AccessTime": "09/23/2013 20:51:40.000000", + "CreationTime": "09/03/2013 02:11:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "172150-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Services", + "ExtentionBlockSize": 84, + "LocalizedName": 
null, + "SeqNum": 9, + "EntryNum": 115276, + "FileReferenceInt": 2533274790511180, + "AccessTime": "09/23/2013 20:51:46.000000", + "CreationTime": "09/23/2013 20:51:40.000000", + "Signature": "0xbeef0004L", + "RefNum": "115276-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ICLOUD~2.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/14/2013 07:38:54.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 15176, + "ExtentionBlocks": [ + { + "LongName": "iCloudWeb.exe", + "ExtentionBlockSize": 76, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 117968, + "FileReferenceInt": 1407374883671248, + "AccessTime": "09/23/2013 20:51:44.000000", + "CreationTime": "09/14/2013 07:38:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "117968-5" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Services", + "ParentEntryNum": 115276, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\Common Files\\Apple\\Internet 
Services\\iCloudWeb.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{EAFB2AD8-D92B-464C-8D97-B9CB94703C4A}\\MailIcon.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 15176, + "CreationDateTime": "09/14/2013 07:38:54.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iCloudWeb.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\iCloudWeb.exe", + "ModificationDateTime": "09/14/2013 07:38:54.000000", + "CmdArgs": "contacts", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\118452..Contacts.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:51:43.896736", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 9, + "ParentRefStr": "115276-9", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:10:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "09/23/2013 20:10:16.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "COMMON~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + 
"LongName": "Common Files", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 200141, + "FileReferenceInt": 844424930332109, + "AccessTime": "09/23/2013 20:23:20.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200141-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Apple", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:40.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Apple", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 172150, + "FileReferenceInt": 562949953593462, + "AccessTime": "09/23/2013 20:51:40.000000", + "CreationTime": "09/03/2013 02:11:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "172150-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Services", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115276, + "FileReferenceInt": 2533274790511180, + "AccessTime": "09/23/2013 20:51:46.000000", + "CreationTime": "09/23/2013 20:51:40.000000", + "Signature": "0xbeef0004L", + "RefNum": "115276-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ICLOUD~2.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/14/2013 07:38:54.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 15176, + "ExtentionBlocks": [ + { + "LongName": "iCloudWeb.exe", + "ExtentionBlockSize": 76, 
+ "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 117968, + "FileReferenceInt": 1407374883671248, + "AccessTime": "09/23/2013 20:51:44.000000", + "CreationTime": "09/14/2013 07:38:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "117968-5" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Services", + "ParentEntryNum": 115276, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\iCloudWeb.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{EAFB2AD8-D92B-464C-8D97-B9CB94703C4A}\\ContactsIcon.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 15176, + "CreationDateTime": "09/14/2013 07:38:54.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iCloudWeb.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\iCloudWeb.exe", + "ModificationDateTime": "09/14/2013 07:38:54.000000", + "CmdArgs": "calendar", + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\118453..Calendar.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:51:43.896736", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 9, + "ParentRefStr": "115276-9", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:10:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "09/23/2013 20:10:16.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "COMMON~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Common Files", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 200141, + "FileReferenceInt": 844424930332109, + "AccessTime": "09/23/2013 20:23:20.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200141-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Apple", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:40.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": 
null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Apple", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 172150, + "FileReferenceInt": 562949953593462, + "AccessTime": "09/23/2013 20:51:40.000000", + "CreationTime": "09/03/2013 02:11:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "172150-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Services", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115276, + "FileReferenceInt": 2533274790511180, + "AccessTime": "09/23/2013 20:51:46.000000", + "CreationTime": "09/23/2013 20:51:40.000000", + "Signature": "0xbeef0004L", + "RefNum": "115276-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ICLOUD~2.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/14/2013 07:38:54.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 15176, + "ExtentionBlocks": [ + { + "LongName": "iCloudWeb.exe", + "ExtentionBlockSize": 76, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 117968, + "FileReferenceInt": 1407374883671248, + "AccessTime": "09/23/2013 20:51:44.000000", + "CreationTime": "09/14/2013 07:38:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "117968-5" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + 
"Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Services", + "ParentEntryNum": 115276, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\iCloudWeb.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{EAFB2AD8-D92B-464C-8D97-B9CB94703C4A}\\CalendarIcon.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 15176, + "CreationDateTime": "09/14/2013 07:38:54.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iCloudWeb.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\iCloudWeb.exe", + "ModificationDateTime": "09/14/2013 07:38:54.000000", + "CmdArgs": "find", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\118454..Find My iPhone.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:51:43.896736", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 9, + "ParentRefStr": "115276-9", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:10:16.000000", + "ShellItemTypeStr": 
"file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "09/23/2013 20:10:16.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "COMMON~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Common Files", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 200141, + "FileReferenceInt": 844424930332109, + "AccessTime": "09/23/2013 20:23:20.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200141-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Apple", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:40.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Apple", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 172150, + "FileReferenceInt": 562949953593462, + "AccessTime": "09/23/2013 20:51:40.000000", + "CreationTime": "09/03/2013 02:11:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "172150-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + 
"Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Services", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115276, + "FileReferenceInt": 2533274790511180, + "AccessTime": "09/23/2013 20:51:46.000000", + "CreationTime": "09/23/2013 20:51:40.000000", + "Signature": "0xbeef0004L", + "RefNum": "115276-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ICLOUD~2.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/14/2013 07:38:54.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 15176, + "ExtentionBlocks": [ + { + "LongName": "iCloudWeb.exe", + "ExtentionBlockSize": 76, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 117968, + "FileReferenceInt": 1407374883671248, + "AccessTime": "09/23/2013 20:51:44.000000", + "CreationTime": "09/14/2013 07:38:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "117968-5" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Services", + "ParentEntryNum": 115276, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + 
"ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\iCloudWeb.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{EAFB2AD8-D92B-464C-8D97-B9CB94703C4A}\\FindMyiPhoneIcon.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 15176, + "CreationDateTime": "09/14/2013 07:38:54.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iCloudWeb.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\iCloudWeb.exe", + "ModificationDateTime": "09/14/2013 07:38:54.000000", + "CmdArgs": "notes", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\118455..Notes.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:51:43.896736", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 9, + "ParentRefStr": "115276-9", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:10:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "09/23/2013 20:10:16.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "COMMON~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 
20:23:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Common Files", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 200141, + "FileReferenceInt": 844424930332109, + "AccessTime": "09/23/2013 20:23:20.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200141-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Apple", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:40.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Apple", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 172150, + "FileReferenceInt": 562949953593462, + "AccessTime": "09/23/2013 20:51:40.000000", + "CreationTime": "09/03/2013 02:11:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "172150-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Services", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115276, + "FileReferenceInt": 2533274790511180, + "AccessTime": "09/23/2013 20:51:46.000000", + "CreationTime": "09/23/2013 20:51:40.000000", + "Signature": "0xbeef0004L", + "RefNum": "115276-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ICLOUD~2.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/14/2013 07:38:54.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 15176, + "ExtentionBlocks": [ + { + "LongName": "iCloudWeb.exe", + "ExtentionBlockSize": 76, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 117968, + "FileReferenceInt": 1407374883671248, + "AccessTime": "09/23/2013 20:51:44.000000", + "CreationTime": "09/14/2013 07:38:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "117968-5" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Services", + "ParentEntryNum": 115276, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\iCloudWeb.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{EAFB2AD8-D92B-464C-8D97-B9CB94703C4A}\\NotesIcon.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 15176, + "CreationDateTime": "09/14/2013 07:38:54.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iCloudWeb.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Common Files\\Apple\\Internet 
Services\\iCloudWeb.exe", + "ModificationDateTime": "09/14/2013 07:38:54.000000", + "CmdArgs": "reminders", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\118456..Reminders.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:51:43.896736", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 9, + "ParentRefStr": "115276-9", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:10:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "09/23/2013 20:10:16.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "COMMON~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Common Files", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 200141, + "FileReferenceInt": 844424930332109, + "AccessTime": "09/23/2013 20:23:20.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200141-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Apple", + "Location": null, + "Comments": null, + 
"ModificationTime": "09/23/2013 20:51:40.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Apple", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 172150, + "FileReferenceInt": 562949953593462, + "AccessTime": "09/23/2013 20:51:40.000000", + "CreationTime": "09/03/2013 02:11:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "172150-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Services", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115276, + "FileReferenceInt": 2533274790511180, + "AccessTime": "09/23/2013 20:51:46.000000", + "CreationTime": "09/23/2013 20:51:40.000000", + "Signature": "0xbeef0004L", + "RefNum": "115276-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ICLOUD~2.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/14/2013 07:38:54.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 15176, + "ExtentionBlocks": [ + { + "LongName": "iCloudWeb.exe", + "ExtentionBlockSize": 76, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 117968, + "FileReferenceInt": 1407374883671248, + "AccessTime": "09/23/2013 20:51:44.000000", + "CreationTime": "09/14/2013 07:38:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "117968-5" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + 
"Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Services", + "ParentEntryNum": 115276, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\iCloudWeb.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{EAFB2AD8-D92B-464C-8D97-B9CB94703C4A}\\RemindersIcon.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 15176, + "CreationDateTime": "09/14/2013 07:38:54.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "ShellStreamsShortcut.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\ShellStreamsShortcut.exe", + "ModificationDateTime": "09/15/2013 18:34:12.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\118457..iCloud Photos.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:51:44.568518", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 9, + "ParentRefStr": "115276-9", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + 
"Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:10:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "09/23/2013 20:10:16.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "COMMON~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Common Files", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 200141, + "FileReferenceInt": 844424930332109, + "AccessTime": "09/23/2013 20:23:20.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200141-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Apple", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:40.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Apple", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 172150, + "FileReferenceInt": 562949953593462, + "AccessTime": "09/23/2013 20:51:40.000000", + "CreationTime": "09/03/2013 02:11:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "172150-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + 
"Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:51:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Services", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115276, + "FileReferenceInt": 2533274790511180, + "AccessTime": "09/23/2013 20:51:46.000000", + "CreationTime": "09/23/2013 20:51:40.000000", + "Signature": "0xbeef0004L", + "RefNum": "115276-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "SHELLS~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/15/2013 18:34:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 313672, + "ExtentionBlocks": [ + { + "LongName": "ShellStreamsShortcut.exe", + "ExtentionBlockSize": 98, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 118058, + "FileReferenceInt": 1407374883671338, + "AccessTime": "09/23/2013 20:51:46.000000", + "CreationTime": "09/15/2013 18:34:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "118058-5" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Services", + "ParentEntryNum": 115276, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": 
null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\Common Files\\Apple\\Internet Services\\ShellStreamsShortcut.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{EAFB2AD8-D92B-464C-8D97-B9CB94703C4A}\\ShellStreamsShortcut.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 313672, + "CreationDateTime": "09/15/2013 18:34:12.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "QTPlayer.ico", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\122402..QuickTime Player.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "122395-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:13:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 200365, + "FileReferenceInt": 844424930332333, + "AccessTime": "09/23/2013 20:13:24.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200365-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INSTAL~1", + "Location": null, + "Comments": null, + 
"ModificationTime": "09/26/2013 17:51:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Installer", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 201141, + "FileReferenceInt": 844424930333109, + "AccessTime": "09/26/2013 17:51:52.000000", + "CreationTime": "08/22/2013 15:36:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "201141-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "{B67BA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/26/2013 17:51:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "{B67BAFBA-4C9F-48FA-9496-933E3B255044}", + "ExtentionBlockSize": 126, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 122395, + "FileReferenceInt": 844424930254363, + "AccessTime": "09/26/2013 17:51:52.000000", + "CreationTime": "09/26/2013 17:51:52.000000", + "Signature": "0xbeef0004L", + "RefNum": "122395-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "QTPlayer.ico", + "Location": null, + "Comments": null, + "ModificationTime": "09/26/2013 17:51:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 22486, + "ExtentionBlocks": [ + { + "LongName": "QTPlayer.ico", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 122397, + "FileReferenceInt": 844424930254365, + "AccessTime": "09/26/2013 17:51:52.000000", + "CreationTime": "09/26/2013 17:51:52.000000", + "Signature": "0xbeef0004L", + "RefNum": "122397-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + 
"Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "{B67BAFBA-4C9F-48FA-9496-933E3B255044}", + "ParentEntryNum": 122395, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Windows\\Installer\\{B67BAFBA-4C9F-48FA-9496-933E3B255044}\\QTPlayer.ico", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{B67BAFBA-4C9F-48FA-9496-933E3B255044}\\QTPlayer.ico", + "AppIdName": null, + "FileExt": "ico", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "PictureViewer.ico", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\122403..PictureViewer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "122395-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:13:24.000000", + 
"ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 200365, + "FileReferenceInt": 844424930332333, + "AccessTime": "09/23/2013 20:13:24.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200365-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INSTAL~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/26/2013 17:51:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Installer", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 201141, + "FileReferenceInt": 844424930333109, + "AccessTime": "09/26/2013 17:51:52.000000", + "CreationTime": "08/22/2013 15:36:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "201141-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "{B67BA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/26/2013 17:51:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "{B67BAFBA-4C9F-48FA-9496-933E3B255044}", + "ExtentionBlockSize": 126, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 122395, + "FileReferenceInt": 844424930254363, + "AccessTime": "09/26/2013 17:51:52.000000", + "CreationTime": "09/26/2013 17:51:52.000000", + "Signature": "0xbeef0004L", + "RefNum": "122395-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "PICTUR~1.ICO", + "Location": null, + "Comments": null, + "ModificationTime": "09/26/2013 17:51:52.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 22486, + "ExtentionBlocks": [ + { + "LongName": "PictureViewer.ico", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 122398, + "FileReferenceInt": 844424930254366, + "AccessTime": "09/26/2013 17:51:52.000000", + "CreationTime": "09/26/2013 17:51:52.000000", + "Signature": "0xbeef0004L", + "RefNum": "122398-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "{B67BAFBA-4C9F-48FA-9496-933E3B255044}", + "ParentEntryNum": 122395, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Windows\\Installer\\{B67BAFBA-4C9F-48FA-9496-933E3B255044}\\PictureViewer.ico", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{B67BAFBA-4C9F-48FA-9496-933E3B255044}\\PictureViewer.ico", + "AppIdName": null, + "FileExt": "ico", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "RichText.ico", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + 
"Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\122404..About QuickTime.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "122395-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:13:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 200365, + "FileReferenceInt": 844424930332333, + "AccessTime": "09/23/2013 20:13:24.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200365-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INSTAL~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/26/2013 17:51:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Installer", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 201141, + "FileReferenceInt": 844424930333109, + "AccessTime": "09/26/2013 17:51:52.000000", + "CreationTime": "08/22/2013 15:36:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "201141-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "{B67BA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/26/2013 17:51:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + 
{ + "LongName": "{B67BAFBA-4C9F-48FA-9496-933E3B255044}", + "ExtentionBlockSize": 126, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 122395, + "FileReferenceInt": 844424930254363, + "AccessTime": "09/26/2013 17:51:52.000000", + "CreationTime": "09/26/2013 17:51:52.000000", + "Signature": "0xbeef0004L", + "RefNum": "122395-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "RichText.ico", + "Location": null, + "Comments": null, + "ModificationTime": "09/26/2013 17:51:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 766, + "ExtentionBlocks": [ + { + "LongName": "RichText.ico", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 122400, + "FileReferenceInt": 844424930254368, + "AccessTime": "09/26/2013 17:51:52.000000", + "CreationTime": "09/26/2013 17:51:52.000000", + "Signature": "0xbeef0004L", + "RefNum": "122400-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "{B67BAFBA-4C9F-48FA-9496-933E3B255044}", + "ParentEntryNum": 122395, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + 
"Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Windows\\Installer\\{B67BAFBA-4C9F-48FA-9496-933E3B255044}\\RichText.ico", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{B67BAFBA-4C9F-48FA-9496-933E3B255044}\\RichText.ico", + "AppIdName": null, + "FileExt": "ico", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "QuickTimePlayer.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\QuickTime\\QuickTimePlayer.exe", + "ModificationDateTime": "05/01/2013 08:44:26.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\122405.Donald.QuickTime Player.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/26/2013 17:51:47.336201", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "98206-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/26/2013 17:51:48.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "09/26/2013 17:51:48.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "QUICKT~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/26/2013 17:51:52.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "QuickTime", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 98206, + "FileReferenceInt": 1125899906940830, + "AccessTime": "09/26/2013 17:51:52.000000", + "CreationTime": "09/26/2013 17:51:48.000000", + "Signature": "0xbeef0004L", + "RefNum": "98206-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "QUICKT~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "05/01/2013 08:44:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1235288, + "ExtentionBlocks": [ + { + "LongName": "QuickTimePlayer.exe", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 98216, + "FileReferenceInt": 1125899906940840, + "AccessTime": "09/26/2013 17:51:48.000000", + "CreationTime": "05/01/2013 08:44:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "98216-4" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "QuickTime", + "ParentEntryNum": 98206, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + 
"ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\Program Files (x86)\\QuickTime\\QuickTimePlayer.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{B67BAFBA-4C9F-48FA-9496-933E3B255044}\\QTPlayer.ico", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 1235288, + "CreationDateTime": "05/01/2013 08:44:26.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "msiexec.exe", + "WorkingDir": null, + "LocalPath": "C:\\Windows\\SysWOW64\\msiexec.exe", + "ModificationDateTime": "08/22/2013 03:56:51.356723", + "CmdArgs": "/i {B67BAFBA-4C9F-48FA-9496-933E3B255044} /qf", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\122406..Uninstall QuickTime.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/22/2013 03:56:51.466109", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "203387-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:13:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 200365, + "FileReferenceInt": 844424930332333, + "AccessTime": "09/23/2013 20:13:24.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200365-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SysWOW64", + "Location": null, + "Comments": null, + "ModificationTime": "09/26/2013 17:51:48.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "SysWOW64", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 203387, + "FileReferenceInt": 844424930335355, + "AccessTime": "09/26/2013 17:51:48.000000", + "CreationTime": "08/22/2013 13:36:18.000000", + "Signature": "0xbeef0004L", + "RefNum": "203387-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "msiexec.exe", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 03:56:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 55808, + "ExtentionBlocks": [ + { + "LongName": "msiexec.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 251469, + "FileReferenceInt": 281474976962125, + "AccessTime": "08/22/2013 03:56:52.000000", + "CreationTime": "08/22/2013 03:56:52.000000", + "Signature": "0xbeef0004L", + "RefNum": "251469-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "SysWOW64", + "ParentEntryNum": 203387, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + 
] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Windows\\SysWOW64\\msiexec.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{B67BAFBA-4C9F-48FA-9496-933E3B255044}\\QTUninstaller.ico", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 55808, + "CreationDateTime": "08/22/2013 03:56:51.466109", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WACC Calc Spreadsheet -SECRET.xls", + "WorkingDir": "C:\\Users\\Donald\\SkyDrive\\Documents", + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\WACC Calc Spreadsheet -SECRET.xls", + "ModificationDateTime": "08/12/2013 03:39:17.381000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\125633.Donald.WACC Calc Spreadsheet -SECRET.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 01:11:08.000000", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": "Documents", + "DistinctTypesHex": "0x0L;0x31L;0x32L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "SkyDrive", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 127384, + "FileReferenceInt": 562949953548696, + "AccessTime": "08/12/2013 01:11:02.000000", + "CreationTime": "08/12/2013 01:02:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "127384-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 
01:11:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "08/12/2013 01:11:14.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WACCCA~1.XLS", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 01:12:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 16384, + "ExtentionBlocks": [ + { + "LongName": "WACC Calc Spreadsheet -SECRET.xls", + "ExtentionBlockSize": 112, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127299, + "FileReferenceInt": 844424930259267, + "AccessTime": "08/12/2013 01:11:08.000000", + "CreationTime": "08/08/2013 03:53:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127299-3" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 5, + "ParentRefStr": "127282-3", + "ParentEntryNum": 127282, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\SkyDrive\\Documents\\WACC Calc Spreadsheet -SECRET.xls", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "xls", + "NetworkPath": null, + "FileSize": 16384, + "CreationDateTime": "08/08/2013 03:53:03.420000", + "EnvVarLoc": null + }, + { + "VolumeLabel": 
"Windows8_OS", + "BaseName": "Firedam.xlsx", + "WorkingDir": "C:\\Users\\Donald\\Documents", + "LocalPath": "C:\\Users\\Donald\\Documents\\Firedam.xlsx", + "ModificationDateTime": "08/12/2013 03:39:56.756092", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\125639.Donald.Firedam (2).lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 03:39:56.724839", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + 
"ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Documents\\Firedam.xlsx", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "xlsx", + "NetworkPath": null, + "FileSize": 12556, + "CreationDateTime": "08/12/2013 03:39:56.724839", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iexplore.exe", + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "ModificationDateTime": "08/22/2013 12:34:04.110966", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\128196.Donald.Internet Explorer.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/22/2013 08:52:25.004329", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "197705-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 19:20:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 19:20:24.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 19:09:54.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": 
[ + { + "LongName": "Internet Explorer", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 197705, + "FileReferenceInt": 1688849860461641, + "AccessTime": "08/22/2013 19:09:54.000000", + "CreationTime": "08/22/2013 15:36:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "197705-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "iexplore.exe", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 12:34:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 804464, + "ExtentionBlocks": [ + { + "LongName": "iexplore.exe", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 217849, + "FileReferenceInt": 281474976928505, + "AccessTime": "08/22/2013 08:52:26.000000", + "CreationTime": "08/22/2013 08:52:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "217849-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Explorer", + "ParentEntryNum": 197705, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": 
"@\"%windir%\\System32\\ie4uinit.exe\",-732", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\..\\Program Files\\Internet Explorer\\iexplore.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 804464, + "CreationDateTime": "08/22/2013 08:52:25.004329", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "SkypeIcon.exe", + "WorkingDir": "C:\\Program Files (x86)\\Skype\\", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\150166.Donald.Skype.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 11, + "ParentRefStr": "150164-11", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 03:07:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 4069, + "FileReferenceInt": 281474976714725, + "AccessTime": "08/12/2013 03:07:06.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "4069-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INSTAL~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/31/2013 20:34:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Installer", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 1, 
+ "EntryNum": 5098, + "FileReferenceInt": 281474976715754, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "07/26/2012 08:13:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "5098-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "{4E76F~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/31/2013 20:34:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}", + "ExtentionBlockSize": 122, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 150164, + "FileReferenceInt": 3096224743967380, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "08/31/2013 20:34:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "150164-11" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "SKYPEI~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "08/31/2013 20:34:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 145760, + "ExtentionBlocks": [ + { + "LongName": "SkypeIcon.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 150165, + "FileReferenceInt": 3096224743967381, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "08/31/2013 20:34:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "150165-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": 
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}", + "ParentEntryNum": 150164, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Launch Skype", + "RelativePath": "..\\..\\..\\Windows\\Installer\\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}\\SkypeIcon.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}\\SkypeIcon.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Skype.exe", + "WorkingDir": "C:\\Program Files (x86)\\Skype\\", + "LocalPath": "C:\\Program Files (x86)\\Skype\\Phone\\Skype.exe", + "ModificationDateTime": "07/25/2013 12:58:22.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\150168..Skype for desktop.lnk", + "Flags": "Read-Only;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/31/2013 20:34:03.599720", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 11, + "ParentRefStr": "150153-11", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "08/31/2013 20:34:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + 
"ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Skype", + "Location": null, + "Comments": null, + "ModificationTime": "08/31/2013 20:34:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Skype", + "ExtentionBlockSize": 56, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 150152, + "FileReferenceInt": 3096224743967368, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "08/31/2013 20:34:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "150152-11" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Phone", + "Location": null, + "Comments": null, + "ModificationTime": "08/31/2013 20:34:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Phone", + "ExtentionBlockSize": 56, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 150153, + "FileReferenceInt": 3096224743967369, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "08/31/2013 20:34:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "150153-11" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "Skype.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/25/2013 12:58:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 20684656, + "ExtentionBlocks": [ + { + "LongName": 
"Skype.exe", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 150154, + "FileReferenceInt": 3096224743967370, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "07/25/2013 12:58:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "150154-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Phone", + "ParentEntryNum": 150153, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Launch Skype", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\Skype\\Phone\\Skype.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}\\SkypeIcon.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 20684656, + "CreationDateTime": "07/25/2013 12:58:22.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Skype.exe", + "WorkingDir": "C:\\Program Files (x86)\\Skype\\", + "LocalPath": "C:\\Program Files (x86)\\Skype\\Phone\\Skype.exe", + "ModificationDateTime": "07/25/2013 12:58:22.000000", + "CmdArgs": "/sendto:", + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\150169.Donald.Skype.lnk", + "Flags": "Read-Only;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/31/2013 20:34:03.599720", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 11, + "ParentRefStr": "150153-11", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "08/31/2013 20:34:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Skype", + "Location": null, + "Comments": null, + "ModificationTime": "08/31/2013 20:34:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Skype", + "ExtentionBlockSize": 56, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 150152, + "FileReferenceInt": 3096224743967368, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "08/31/2013 20:34:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "150152-11" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Phone", + "Location": null, + "Comments": null, + "ModificationTime": "08/31/2013 20:34:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + 
"Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Phone", + "ExtentionBlockSize": 56, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 150153, + "FileReferenceInt": 3096224743967369, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "08/31/2013 20:34:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "150153-11" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "Skype.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/25/2013 12:58:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 20684656, + "ExtentionBlocks": [ + { + "LongName": "Skype.exe", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 150154, + "FileReferenceInt": 3096224743967370, + "AccessTime": "08/31/2013 20:34:04.000000", + "CreationTime": "07/25/2013 12:58:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "150154-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Phone", + "ParentEntryNum": 150153, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + 
"Description": "Launch Skype", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files (x86)\\Skype\\Phone\\Skype.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}\\SkypeIcon.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 20684656, + "CreationDateTime": "07/25/2013 12:58:22.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\150746.Donald.windowsphone.App.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "2db807b1-39bd-49f7-8e52-dc77e9dd4fd0.jpg", + "WorkingDir": "C:\\Users\\Donald\\Pictures\\Funnies", + "LocalPath": "C:\\Users\\Donald\\Pictures\\Funnies\\2db807b1-39bd-49f7-8e52-dc77e9dd4fd0.jpg", + "ModificationDateTime": "09/20/2013 18:34:40.685914", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\153582.Donald.2db807b1-39bd-49f7-8e52-dc77e9dd4fd0.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/20/2013 18:34:40.546797", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + 
"Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 6, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Pictures\\Funnies\\2db807b1-39bd-49f7-8e52-dc77e9dd4fd0.jpg", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "jpg", + "NetworkPath": null, + "FileSize": 48934, + "CreationDateTime": "09/20/2013 18:34:40.223549", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iTunes.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files 
(x86)\\iTunes\\iTunes.exe", + "ModificationDateTime": "10/01/2013 06:23:14.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\15601..iTunes.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/05/2013 20:35:36.709993", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 11, + "ParentRefStr": "8341-11", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/05/2013 20:35:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "iTunes", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "iTunes", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 8341, + "FileReferenceInt": 3096224743825557, + "AccessTime": "10/05/2013 20:35:52.000000", + "CreationTime": "10/05/2013 20:35:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "8341-11" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "iTunes.exe", + "Location": null, + "Comments": null, + "ModificationTime": 
"10/01/2013 06:23:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 9789256, + "ExtentionBlocks": [ + { + "LongName": "iTunes.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 283, + "EntryNum": 9600, + "FileReferenceInt": 79657418409125248, + "AccessTime": "10/05/2013 20:35:38.000000", + "CreationTime": "10/01/2013 06:23:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "9600-283" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "iTunes", + "ParentEntryNum": 8341, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\iTunes\\iTunes.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{A535111D-95C8-487F-869E-CE4C239972D2}\\iTunesIco.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 9789256, + "CreationDateTime": "10/01/2013 06:23:14.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iTunes.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\iTunes\\iTunes.exe", + "ModificationDateTime": 
"10/01/2013 06:23:14.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\15602.Donald.iTunes.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/05/2013 20:35:36.709993", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 11, + "ParentRefStr": "8341-11", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/05/2013 20:35:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "iTunes", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "iTunes", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 8341, + "FileReferenceInt": 3096224743825557, + "AccessTime": "10/05/2013 20:35:52.000000", + "CreationTime": "10/05/2013 20:35:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "8341-11" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "iTunes.exe", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 06:23:14.000000", + "ShellItemTypeStr": 
"file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 9789256, + "ExtentionBlocks": [ + { + "LongName": "iTunes.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 283, + "EntryNum": 9600, + "FileReferenceInt": 79657418409125248, + "AccessTime": "10/05/2013 20:35:38.000000", + "CreationTime": "10/01/2013 06:23:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "9600-283" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "iTunes", + "ParentEntryNum": 8341, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\Program Files (x86)\\iTunes\\iTunes.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{A535111D-95C8-487F-869E-CE4C239972D2}\\iTunesIco.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 9789256, + "CreationDateTime": "10/01/2013 06:23:14.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "About iTunes.rtf", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\iTunes\\iTunes.Resources\\en.lproj\\About iTunes.rtf", + "ModificationDateTime": "10/01/2013 06:38:14.000000", 
+ "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\15603..About iTunes.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/05/2013 20:35:39.662280", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 2, + "ParentRefStr": "12164-2", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "10/05/2013 20:35:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "iTunes", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "iTunes", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 8341, + "FileReferenceInt": 3096224743825557, + "AccessTime": "10/05/2013 20:35:52.000000", + "CreationTime": "10/05/2013 20:35:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "8341-11" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "ITUNES~1.RES", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:52.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "iTunes.Resources", + "ExtentionBlockSize": 82, + "LocalizedName": null, + "SeqNum": 282, + "EntryNum": 9601, + "FileReferenceInt": 79375943432414593, + "AccessTime": "10/05/2013 20:35:52.000000", + "CreationTime": "10/05/2013 20:35:38.000000", + "Signature": "0xbeef0004L", + "RefNum": "9601-282" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "EN1EEC~1.LPR", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "en.lproj", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 12164, + "FileReferenceInt": 562949953433476, + "AccessTime": "10/05/2013 20:35:42.000000", + "CreationTime": "10/05/2013 20:35:40.000000", + "Signature": "0xbeef0004L", + "RefNum": "12164-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ABOUTI~1.RTF", + "Location": null, + "Comments": null, + "ModificationTime": "10/01/2013 06:38:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 7299, + "ExtentionBlocks": [ + { + "LongName": "About iTunes.rtf", + "ExtentionBlockSize": 82, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 12166, + "FileReferenceInt": 562949953433478, + "AccessTime": "10/05/2013 20:35:40.000000", + "CreationTime": "10/01/2013 06:38:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "12166-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": 
"volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "en.lproj", + "ParentEntryNum": 12164, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\iTunes\\iTunes.Resources\\en.lproj\\About iTunes.rtf", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{A535111D-95C8-487F-869E-CE4C239972D2}\\RichText.ico", + "AppIdName": null, + "FileExt": "rtf", + "NetworkPath": null, + "FileSize": 7299, + "CreationDateTime": "10/01/2013 06:38:14.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\15873.Donald.txt_1341012731_en-US.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "ismagent.exe", + "WorkingDir": "C:\\Program Files (x86)\\Intel\\IntelAppStore\\bin", + "LocalPath": "C:\\Program Files 
(x86)\\Intel\\IntelAppStore\\bin\\ismagent.exe", + "ModificationDateTime": "06/19/2013 18:10:47.000000", + "CmdArgs": "--domain-id F0399437-FD0C-4A48-B101-F0314A6172E4", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\159347..ismagent.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "06/19/2013 18:11:11.000000", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 1, + "ParentRefStr": "159087-1", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 01:02:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "08/12/2013 01:02:20.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Intel", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:55:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Intel", + "ExtentionBlockSize": 56, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 103656, + "FileReferenceInt": 562949953524968, + "AccessTime": "06/02/2013 03:55:42.000000", + "CreationTime": "06/02/2013 03:30:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "103656-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTELA~1", + 
"Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 03:38:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "IntelAppStore", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 159077, + "FileReferenceInt": 281474976869733, + "AccessTime": "08/12/2013 03:38:08.000000", + "CreationTime": "06/02/2013 03:55:42.000000", + "Signature": "0xbeef0004L", + "RefNum": "159077-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "bin", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 03:38:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "bin", + "ExtentionBlockSize": 52, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 159087, + "FileReferenceInt": 281474976869743, + "AccessTime": "08/12/2013 03:38:04.000000", + "CreationTime": "06/02/2013 03:55:42.000000", + "Signature": "0xbeef0004L", + "RefNum": "159087-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ismagent.exe", + "Location": null, + "Comments": null, + "ModificationTime": "06/19/2013 18:10:48.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 156000, + "ExtentionBlocks": [ + { + "LongName": "ismagent.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 92948, + "FileReferenceInt": 1407374883646228, + "AccessTime": "06/19/2013 18:11:12.000000", + "CreationTime": "06/02/2013 03:55:42.000000", + "Signature": "0xbeef0004L", + "RefNum": "92948-5" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + 
"Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "bin", + "ParentEntryNum": 159087, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Intel Services Manager", + "RelativePath": "..\\Program Files (x86)\\Intel\\IntelAppStore\\bin\\ismagent.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 156000, + "CreationDateTime": "06/02/2013 03:55:41.266412", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "AppUp.exe", + "WorkingDir": "C:\\Program Files (x86)\\Intel\\IntelAppStore\\bin", + "LocalPath": "C:\\Program Files (x86)\\Intel\\IntelAppStore\\bin\\AppUp.exe", + "ModificationDateTime": "06/19/2013 18:10:45.000000", + "CmdArgs": "--domain F0399437-FD0C-4A48-B101-F0314A6172E4 --openmode inapppurchase", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\159349..AppUpInApp.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "06/19/2013 18:11:10.000000", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 1, + "ParentRefStr": "159087-1", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": 
"PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 01:02:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "08/12/2013 01:02:20.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Intel", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:55:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Intel", + "ExtentionBlockSize": 56, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 103656, + "FileReferenceInt": 562949953524968, + "AccessTime": "06/02/2013 03:55:42.000000", + "CreationTime": "06/02/2013 03:30:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "103656-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTELA~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 03:38:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "IntelAppStore", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 159077, + "FileReferenceInt": 281474976869733, + "AccessTime": "08/12/2013 03:38:08.000000", + "CreationTime": "06/02/2013 03:55:42.000000", + "Signature": "0xbeef0004L", + "RefNum": "159077-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "bin", + "Location": null, + "Comments": null, + 
"ModificationTime": "08/12/2013 03:38:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "bin", + "ExtentionBlockSize": 52, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 159087, + "FileReferenceInt": 281474976869743, + "AccessTime": "08/12/2013 03:38:10.000000", + "CreationTime": "06/02/2013 03:55:42.000000", + "Signature": "0xbeef0004L", + "RefNum": "159087-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "AppUp.exe", + "Location": null, + "Comments": null, + "ModificationTime": "06/19/2013 18:10:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 921808, + "ExtentionBlocks": [ + { + "LongName": "AppUp.exe", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 93082, + "FileReferenceInt": 1407374883646362, + "AccessTime": "06/19/2013 18:11:10.000000", + "CreationTime": "06/02/2013 03:55:44.000000", + "Signature": "0xbeef0004L", + "RefNum": "93082-5" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "bin", + "ParentEntryNum": 159087, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Intel AppUp Center", + "RelativePath": "..\\Program Files (x86)\\Intel\\IntelAppStore\\bin\\AppUp.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemDrive%/PROGRA~2/Intel/INTELA~1/bin/appup.ico", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 921808, + "CreationDateTime": "06/02/2013 03:55:42.453973", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\15973.Donald.Shared with Everyone.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + 
"ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 7, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "b28aa736-876b-46da-b3a8-84c5e30ba492", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "GROOVE.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\GROOVE.EXE", + "ModificationDateTime": "09/23/2013 20:29:22.797642", + "CmdArgs": "/RunFolderSync /TrayOnly", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\15975.Donald.SkyDrive Pro.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:29:19.310598", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + 
"ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/05/2013 20:35:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/05/2013 20:35:38.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, 
+ "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "GROOVE.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:29:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 13067952, + "ExtentionBlocks": [ + { + "LongName": "GROOVE.EXE", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 14, + "EntryNum": 3978, + "FileReferenceInt": 3940649673953162, + "AccessTime": "09/23/2013 20:29:20.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "3978-14" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": 
null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\GROOVE.EXE", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\Office15\\1033\\GrooveIntlResource.dll", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 13067952, + "CreationDateTime": "09/23/2013 20:24:21.118407", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\1700.Donald.txt_251605546_en-US.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Pictures.library-ms", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Pictures.library-ms", + "ModificationDateTime": "08/12/2013 02:52:09.970782", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\170810.Donald.Pictures.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 02:52:09.970782", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": 
"item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 2, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0000L" + }, + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0019L" + } + ] + } + ], + "ExtentionListing": "0xbeef0000L;0xbeef0019L", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\Libraries\\Pictures.library-ms", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "library-ms", + "NetworkPath": null, + "FileSize": 3455, + "CreationDateTime": "08/10/2013 03:04:17.917069", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "About Bonjour.rtf", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\172848..About Bonjour.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Program Files", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + 
"ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Program Files", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Bonjour", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Bonjour", + "ExtentionBlockSize": 60, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Bonjour.Resources", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Bonjour.Resources", + "ExtentionBlockSize": 80, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "en.lproj", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "en.lproj", + "ExtentionBlockSize": 62, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + 
"Identifier": null, + "Name": "About Bonjour.rtf", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "About Bonjour.rtf", + "ExtentionBlockSize": 80, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "en.lproj", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": ".\\Bonjour.Resources\\en.lproj\\About Bonjour.rtf", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\\RichText.ico", + "AppIdName": null, + "FileExt": "rtf", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "About Bonjour.rtf", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Bonjour\\Bonjour.Resources\\en.lproj\\About 
Bonjour.rtf", + "ModificationDateTime": "09/15/2011 15:20:16.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\172849..About Bonjour.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/03/2013 02:11:08.959725", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 2, + "ParentRefStr": "172797-2", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:11:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "09/03/2013 02:11:10.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Bonjour", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:11:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Bonjour", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 172339, + "FileReferenceInt": 1125899907014963, + "AccessTime": "09/03/2013 02:11:10.000000", + "CreationTime": "09/03/2013 02:11:10.000000", + "Signature": "0xbeef0004L", + "RefNum": "172339-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "BONJOU~1.RES", + "Location": null, + "Comments": null, + "ModificationTime": 
"09/03/2013 02:11:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Bonjour.Resources", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 172343, + "FileReferenceInt": 844424930304311, + "AccessTime": "09/03/2013 02:11:10.000000", + "CreationTime": "09/03/2013 02:11:10.000000", + "Signature": "0xbeef0004L", + "RefNum": "172343-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "EN1EEC~1.LPR", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:11:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "en.lproj", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 172797, + "FileReferenceInt": 562949953594109, + "AccessTime": "09/03/2013 02:11:10.000000", + "CreationTime": "09/03/2013 02:11:10.000000", + "Signature": "0xbeef0004L", + "RefNum": "172797-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ABOUTB~1.RTF", + "Location": null, + "Comments": null, + "ModificationTime": "09/15/2011 15:20:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 3671, + "ExtentionBlocks": [ + { + "LongName": "About Bonjour.rtf", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 172798, + "FileReferenceInt": 562949953594110, + "AccessTime": "09/03/2013 02:11:10.000000", + "CreationTime": "09/15/2011 15:20:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "172798-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + 
"Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "en.lproj", + "ParentEntryNum": 172797, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": ".\\Bonjour.Resources\\en.lproj\\About Bonjour.rtf", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\\RichText.ico", + "AppIdName": null, + "FileExt": "rtf", + "NetworkPath": null, + "FileSize": 3671, + "CreationDateTime": "09/15/2011 15:20:16.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "AppleSoftwareUpdateIco.exe", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\173552..Apple Software Update.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 2, + "ParentRefStr": "173549-2", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 03:07:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, 
+ "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 4069, + "FileReferenceInt": 281474976714725, + "AccessTime": "08/12/2013 03:07:06.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "4069-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INSTAL~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:12:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Installer", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 5098, + "FileReferenceInt": 281474976715754, + "AccessTime": "09/03/2013 02:12:08.000000", + "CreationTime": "07/26/2012 08:13:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "5098-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "{789A5~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:12:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}", + "ExtentionBlockSize": 122, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 173549, + "FileReferenceInt": 562949953594861, + "AccessTime": "09/03/2013 02:12:08.000000", + "CreationTime": "09/03/2013 02:12:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "173549-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "APPLES~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:12:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 27136, + "ExtentionBlocks": [ + 
{ + "LongName": "AppleSoftwareUpdateIco.exe", + "ExtentionBlockSize": 98, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 173551, + "FileReferenceInt": 562949953594863, + "AccessTime": "09/03/2013 02:12:08.000000", + "CreationTime": "09/03/2013 02:12:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "173551-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}", + "ParentEntryNum": 173549, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Windows\\Installer\\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}\\AppleSoftwareUpdateIco.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}\\AppleSoftwareUpdateIco.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "firefox.exe", + "WorkingDir": "C:\\Program Files (x86)\\Mozilla Firefox", + "LocalPath": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", + "ModificationDateTime": "07/30/2013 
22:47:36.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\1762.Donald.Mozilla Firefox.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 00:52:24.737810", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "114538-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "08/12/2013 00:52:28.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MOZILL~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:52:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Mozilla Firefox", + "ExtentionBlockSize": 76, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 114538, + "FileReferenceInt": 1688849860378474, + "AccessTime": "08/12/2013 00:52:28.000000", + "CreationTime": "08/12/2013 00:52:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "114538-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "firefox.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/30/2013 22:47:36.000000", + 
"ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 276376, + "ExtentionBlocks": [ + { + "LongName": "firefox.exe", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 114558, + "FileReferenceInt": 1407374883667838, + "AccessTime": "08/12/2013 00:52:26.000000", + "CreationTime": "08/12/2013 00:52:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "114558-5" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Mozilla Firefox", + "ParentEntryNum": 114538, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 276376, + "CreationDateTime": "08/12/2013 00:52:24.737810", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "AcroRd32.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe", + "ModificationDateTime": "05/11/2013 10:37:30.000000", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\178283.Donald.Adobe Reader XI.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/03/2013 02:19:29.826673", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "177811-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:19:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "09/03/2013 02:19:26.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Adobe", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:19:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Adobe", + "ExtentionBlockSize": 56, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 177809, + "FileReferenceInt": 844424930309777, + "AccessTime": "09/03/2013 02:19:26.000000", + "CreationTime": "09/03/2013 02:19:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "177809-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "READER~1.0", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:19:30.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + 
"Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Reader 11.0", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 177810, + "FileReferenceInt": 844424930309778, + "AccessTime": "09/03/2013 02:19:30.000000", + "CreationTime": "09/03/2013 02:19:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "177810-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Reader", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:19:32.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Reader", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 177811, + "FileReferenceInt": 844424930309779, + "AccessTime": "09/03/2013 02:19:32.000000", + "CreationTime": "09/03/2013 02:19:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "177811-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "AcroRd32.exe", + "Location": null, + "Comments": null, + "ModificationTime": "05/11/2013 10:37:30.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1402440, + "ExtentionBlocks": [ + { + "LongName": "AcroRd32.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 178064, + "FileReferenceInt": 3096224743995280, + "AccessTime": "09/03/2013 02:19:30.000000", + "CreationTime": "05/11/2013 10:37:30.000000", + "Signature": "0xbeef0004L", + "RefNum": "178064-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + 
"Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Reader", + "ParentEntryNum": 177811, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{AC76BA86-7AD7-1033-7B44-AB0000000001}\\SC_Reader.ico", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 1402440, + "CreationDateTime": "05/11/2013 10:37:30.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": "C:\\Program Files (x86)\\Google\\Chrome\\Application", + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "07/25/2013 00:49:49.016392", + "CmdArgs": "--show-app-list", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\178517.Donald.Chrome App Launcher.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 00:53:19.096107", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:19:26.000000", + 
"ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "09/03/2013 02:19:26.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:20.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/25/2013 00:49:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 846288, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116036, + "FileReferenceInt": 1125899906958660, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116036-4" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": 
null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Chrome App Launcher", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 846288, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": "C:\\Program Files (x86)\\Google\\Chrome\\Application", + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "07/25/2013 00:49:49.016392", + "CmdArgs": "--show-app-list", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\178518.Donald.Chrome App Launcher.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 00:53:19.096107", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:19:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "09/03/2013 02:19:26.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + 
"Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/25/2013 00:49:50.000000", + 
"ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 846288, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116036, + "FileReferenceInt": 1125899906958660, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116036-4" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Chrome App Launcher", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 846288, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": "C:\\Program Files (x86)\\Google\\Chrome\\Application", + "LocalPath": "C:\\Program 
Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "07/25/2013 00:49:49.016392", + "CmdArgs": "--show-app-list", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\178519.Donald.Chrome App Launcher.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 00:53:19.096107", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:19:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "09/03/2013 02:19:26.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": 
null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/25/2013 00:49:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 846288, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116036, + "FileReferenceInt": 1125899906958660, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116036-4" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": 
"C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Chrome App Launcher", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 846288, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": "C:\\Program Files (x86)\\Google\\Chrome\\Application", + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "07/25/2013 00:49:49.016392", + "CmdArgs": " --profile-directory=Default --app-id=gebjgjhbjedcomcajgpodjgfjgkepgpl", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\178535.Donald.The Economist.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 00:53:19.096107", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { 
+ "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:19:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "09/03/2013 02:19:26.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Google", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": 
"0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/25/2013 00:49:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 846288, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116036, + "FileReferenceInt": 1125899906958660, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116036-4" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + 
"Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Free to download, and includes free access to the editor's picks, a selection of articles from each week's edition of The Economist.", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "Codepage": "cp1252", + "IconLoc": "%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_gebjgjhbjedcomcajgpodjgfjgkepgpl\\The Economist.ico", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 846288, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "My Outlook Data File(1).pst", + "WorkingDir": "C:\\Users\\Donald\\Documents\\Outlook Files", + "LocalPath": "C:\\Users\\Donald\\Documents\\Outlook Files\\My Outlook Data File(1).pst", + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\182563.Donald.My Outlook Data File(1).lnk", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 69, + "ParentRefStr": "54683-69", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Users", + "Location": null, + "Comments": null, + "ModificationTime": "08/10/2013 03:03:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Users", + "ExtentionBlockSize": 56, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 
3915, + "FileReferenceInt": 281474976714571, + "AccessTime": "08/10/2013 03:03:24.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3915-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Donald", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 01:02:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Donald", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 4007, + "FileReferenceInt": 562949953425319, + "AccessTime": "08/12/2013 01:02:20.000000", + "CreationTime": "08/10/2013 03:03:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "4007-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 02:34:18.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 104, + "LocalizedName": "@shell32.dll,-21770", + "SeqNum": 2, + "EntryNum": 4017, + "FileReferenceInt": 562949953425329, + "AccessTime": "08/12/2013 02:34:18.000000", + "CreationTime": "08/10/2013 03:03:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "4017-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "OUTLOO~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 02:34:18.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Outlook Files", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 69, + "EntryNum": 54683, + "FileReferenceInt": 19421773393089947, + "AccessTime": 
"08/12/2013 02:34:18.000000", + "CreationTime": "08/12/2013 02:34:18.000000", + "Signature": "0xbeef0004L", + "RefNum": "54683-69" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "My Outlook Data File(1).pst", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "My Outlook Data File(1).pst", + "ExtentionBlockSize": 100, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Outlook Files", + "ParentEntryNum": 54683, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Documents\\Outlook Files\\My Outlook Data File(1).pst", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "pst", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { 
+ "VolumeLabel": "Windows8_OS", + "BaseName": "SEC-NFLX-1065280-13-8.pdf", + "WorkingDir": "C:\\Users\\Donald\\Documents\\NETFLIX SEC Filings", + "LocalPath": "C:\\Users\\Donald\\Documents\\NETFLIX SEC Filings\\SEC-NFLX-1065280-13-8.pdf", + "ModificationDateTime": "09/01/2013 16:43:12.085785", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\184422.Donald.SEC-NFLX-1065280-13-8.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/01/2013 16:42:51.084632", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + 
"ItemCount": 6, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Documents\\NETFLIX SEC Filings\\SEC-NFLX-1065280-13-8.pdf", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "pdf", + "NetworkPath": null, + "FileSize": 800922, + "CreationDateTime": "09/01/2013 16:43:11.792509", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "SC_Reader.ico", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\184599..Adobe Reader XI.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "178159-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 03:07:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 4069, + "FileReferenceInt": 281474976714725, + "AccessTime": "08/12/2013 03:07:06.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "4069-1" + } + ] + }, + { + "ShellFolderId": null, + 
"ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INSTAL~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/10/2013 17:44:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Installer", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 5098, + "FileReferenceInt": 281474976715754, + "AccessTime": "09/10/2013 17:44:24.000000", + "CreationTime": "07/26/2012 08:13:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "5098-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "{AC76B~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/10/2013 17:44:30.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "{AC76BA86-7AD7-1033-7B44-AB0000000001}", + "ExtentionBlockSize": 122, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 178159, + "FileReferenceInt": 1688849860442095, + "AccessTime": "09/10/2013 17:44:30.000000", + "CreationTime": "09/03/2013 02:19:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "178159-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "SC_REA~1.ICO", + "Location": null, + "Comments": null, + "ModificationTime": "09/10/2013 17:44:30.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 292878, + "ExtentionBlocks": [ + { + "LongName": "SC_Reader.ico", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 41, + "EntryNum": 184488, + "FileReferenceInt": 11540474045321384, + "AccessTime": "09/10/2013 17:44:30.000000", + "CreationTime": "09/03/2013 02:19:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "184488-41" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": 
"00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "{AC76BA86-7AD7-1033-7B44-AB0000000001}", + "ParentEntryNum": 178159, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AB0000000001}\\SC_Reader.ico", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{AC76BA86-7AD7-1033-7B44-AB0000000001}\\SC_Reader.ico", + "AppIdName": null, + "FileExt": "ico", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Signatures", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Signatures", + "ModificationDateTime": "09/11/2013 16:19:56.617718", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\185044.Donald.Signatures.lnk", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/11/2013 16:19:56.617718", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": "Microsoft", + "DistinctTypesHex": "0x0L;0x31L;0x1fL", + "ParentSeqNum": 8, + 
"DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "AppData", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 4019, + "FileReferenceInt": 562949953425331, + "AccessTime": "08/10/2013 03:03:24.000000", + "CreationTime": "08/10/2013 03:03:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "4019-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Roaming", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:12:48.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Roaming", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 8, + "EntryNum": 5093, + "FileReferenceInt": 2251799813690341, + "AccessTime": "09/03/2013 02:12:48.000000", + "CreationTime": "08/10/2013 03:03:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "5093-8" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/10/2013 01:30:00.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 8, + "EntryNum": 5094, + "FileReferenceInt": 2251799813690342, + "AccessTime": "09/10/2013 01:30:00.000000", + "CreationTime": "08/10/2013 03:03:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "5094-8" + } + ] + }, + { + "ShellFolderId": null, + 
"ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SIGNAT~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/11/2013 16:19:58.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Signatures", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 188595, + "FileReferenceInt": 1407374883741875, + "AccessTime": "09/11/2013 16:19:58.000000", + "CreationTime": "08/12/2013 02:39:44.000000", + "Signature": "0xbeef0004L", + "RefNum": "188595-5" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "ParentRefStr": "5094-8", + "ParentEntryNum": 5094, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\Signatures", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": null, + "FileSize": 4096, + "CreationDateTime": "08/12/2013 02:39:42.831628", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Asgard.htm", + "WorkingDir": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Signatures", + "LocalPath": "C:\\Users\\Donald\\AppData\\Roaming\\Microsoft\\Signatures\\Asgard.htm", + "ModificationDateTime": "09/11/2013 16:19:56.420087", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\185068.Donald.Asgard.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/11/2013 16:19:56.403076", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { 
+ "ParentLongName": "Signatures", + "DistinctTypesHex": "0x0L;0x31L;0x32L;0x1fL", + "ParentSeqNum": 5, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "AppData", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 4019, + "FileReferenceInt": 562949953425331, + "AccessTime": "08/10/2013 03:03:24.000000", + "CreationTime": "08/10/2013 03:03:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "4019-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Roaming", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:12:48.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Roaming", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 8, + "EntryNum": 5093, + "FileReferenceInt": 2251799813690341, + "AccessTime": "09/03/2013 02:12:48.000000", + "CreationTime": "08/10/2013 03:03:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "5093-8" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/10/2013 01:30:00.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 8, + "EntryNum": 5094, + "FileReferenceInt": 2251799813690342, + "AccessTime": "09/10/2013 01:30:00.000000", + "CreationTime": "08/10/2013 03:03:24.000000", + 
"Signature": "0xbeef0004L", + "RefNum": "5094-8" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SIGNAT~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/11/2013 16:19:58.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Signatures", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 188595, + "FileReferenceInt": 1407374883741875, + "AccessTime": "09/11/2013 16:19:58.000000", + "CreationTime": "08/12/2013 02:39:44.000000", + "Signature": "0xbeef0004L", + "RefNum": "188595-5" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "Asgard.htm", + "Location": null, + "Comments": null, + "ModificationTime": "09/11/2013 16:18:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 38728, + "ExtentionBlocks": [ + { + "LongName": "Asgard.htm", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 185044, + "FileReferenceInt": 1125899907027668, + "AccessTime": "09/11/2013 16:18:16.000000", + "CreationTime": "09/11/2013 16:18:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "185044-4" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "ParentRefStr": "188595-5", + "ParentEntryNum": 188595, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\Signatures\\Asgard.htm", + "Codepage": "cp1252", + "IconLoc": 
null, + "AppIdName": null, + "FileExt": "htm", + "NetworkPath": null, + "FileSize": 39471, + "CreationDateTime": "09/11/2013 16:18:15.661166", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\185693.Donald.https--www.facebook.com-confirmcontact.phpc=239539&gfid=AQAiLDTpb-8LHLWv.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x61L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x61L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "871c5380-42a0-1069-a2ea-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "outlook.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\outlook.exe", + "ModificationDateTime": "08/12/2013 
01:00:45.366110", + "CmdArgs": "/recycle", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\188436.Donald.Microsoft Outlook.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 01:00:44.866088", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "115215-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 01:00:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 112, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 1, + "EntryNum": 76, + "FileReferenceInt": 281474976710732, + "AccessTime": "08/12/2013 01:00:08.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "76-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 01:00:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 114741, + "FileReferenceInt": 1688849860378677, + "AccessTime": "08/12/2013 01:00:14.000000", + "CreationTime": "08/12/2013 01:00:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "114741-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 01:01:10.000000", + 
"ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 54, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 115209, + "FileReferenceInt": 1688849860379145, + "AccessTime": "08/12/2013 01:01:10.000000", + "CreationTime": "08/12/2013 01:00:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "115209-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 01:01:18.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 115215, + "FileReferenceInt": 1688849860379151, + "AccessTime": "08/12/2013 01:01:18.000000", + "CreationTime": "08/12/2013 01:00:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "115215-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "outlook.exe", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 01:00:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 18376832, + "ExtentionBlocks": [ + { + "LongName": "outlook.exe", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 116541, + "FileReferenceInt": 1688849860380477, + "AccessTime": "08/12/2013 01:00:46.000000", + "CreationTime": "08/12/2013 01:00:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116541-6" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + 
"ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 115215, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\outlook.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 18376832, + "CreationDateTime": "08/12/2013 01:00:19.514504", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "07/22/2013 05:01:21.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\194370.Donald.target.lnk", + "Flags": "", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "07/22/2013 05:01:21.000000", + "DriveSerialNumber": "0000-0000", + "AppIdCode": null, + "LnkTrgData": null, + "Description": "\\\\asgardventurecapital.sharepoint.com@SSL\\DavWWWRoot", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": "\\\\ASGARDVENTURECAPITAL.SHAREPOINT.COM@SSL\\DAVWWWROOT", + "FileSize": 0, + "CreationDateTime": "07/22/2013 04:59:56.000000", + "EnvVarLoc": "\\\\asgardventurecapital.sharepoint.com@SSL\\DavWWWRoot" + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": 
"SuperProject_Solved.xls", + "WorkingDir": "C:\\Users\\Donald\\SkyDrive\\Documents", + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\SuperProject_Solved.xls", + "ModificationDateTime": "08/08/2013 03:48:04.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\19519.Donald.SuperProject_Solved.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 19:48:48.000000", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": "Documents", + "DistinctTypesHex": "0x32L;0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:50:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "10/21/2013 18:50:46.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "SUPERP~1.XLS", + "Location": null, + "Comments": null, + "ModificationTime": "08/08/2013 03:48:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 36864, + "ExtentionBlocks": [ + { + "LongName": "SuperProject_Solved.xls", + "ExtentionBlockSize": 96, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127305, + "FileReferenceInt": 844424930259273, + "AccessTime": "09/23/2013 19:48:48.000000", + "CreationTime": "08/08/2013 03:52:48.000000", + "Signature": "0xbeef0004L", + 
"RefNum": "127305-3" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L", + "ItemCount": 4, + "ParentRefStr": "127282-3", + "ParentEntryNum": 127282, + "RootFolder": [ + { + "ShellFolderId": "8e74d236-7f35-4720-b138-1fed0b85ea75", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\SkyDrive\\Documents\\SuperProject_Solved.xls", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "xls", + "NetworkPath": "\\\\BIFROST\\SkyDrive\\Documents\\SuperProject_Solved.xls", + "FileSize": 36864, + "CreationDateTime": "08/08/2013 03:52:46.900000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "SharePoint", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\SharePoint", + "ModificationDateTime": "10/07/2013 11:36:18.065975", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\1990.Donald.SharePoint.lnk", + "Flags": "Read-Only;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/07/2013 11:36:18.061969", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "SharePoint", + "ExtentionBlockSize": 70, + 
"LocalizedName": null, + "SeqNum": 17, + "EntryNum": 3976, + "FileReferenceInt": 4785074604085128, + "AccessTime": "10/07/2013 11:36:20.000000", + "CreationTime": "10/07/2013 11:36:18.000000", + "Signature": "0xbeef0004L", + "RefNum": "3976-17" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "RelativePath": "..\\SharePoint", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\root\\office15\\1033\\GrooveIntlResource.dll", + "AppIdName": null, + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\SharePoint", + "FileSize": 0, + "CreationDateTime": "10/07/2013 11:36:16.905207", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Mini Patisserie Business Plan2.docx", + "WorkingDir": "C:\\Users\\Donald\\Documents", + "LocalPath": "C:\\Users\\Donald\\Documents\\Mini Patisserie Business Plan2.docx", + "ModificationDateTime": "10/21/2013 19:35:44.705541", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\19920.Donald.Mini Patisserie Business Plan2.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 19:35:42.595515", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + 
"Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Documents\\Mini Patisserie Business Plan2.docx", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\Mini Patisserie Business Plan2.docx", + "FileSize": 2026868, + "CreationDateTime": "10/21/2013 19:35:39.813921", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Skype Transfer Files", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\Skype Transfer Files", + "ModificationDateTime": "10/17/2013 21:06:26.198894", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\19950.Donald.Skype Transfer Files.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/17/2013 21:06:26.198894", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": "Documents", + "DistinctTypesHex": "0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/17/2013 20:54:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "10/17/2013 20:54:56.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SKYPET~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/17/2013 19:20:54.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Skype Transfer Files", + "ExtentionBlockSize": 90, + "LocalizedName": null, + "SeqNum": 8, + "EntryNum": 19940, + "FileReferenceInt": 2251799813705188, + "AccessTime": "10/17/2013 19:20:54.000000", + "CreationTime": "10/17/2013 19:20:44.000000", + "Signature": "0xbeef0004L", + "RefNum": "19940-8" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L", + "ItemCount": 4, + "ParentRefStr": "127282-3", + "ParentEntryNum": 127282, + "RootFolder": [ + { + "ShellFolderId": "8e74d236-7f35-4720-b138-1fed0b85ea75", + 
"ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\SkyDrive\\Documents\\Skype Transfer Files", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\SkyDrive\\Documents\\Skype Transfer Files", + "FileSize": 4096, + "CreationDateTime": "10/17/2013 19:20:43.783167", + "EnvVarLoc": null + }, + { + "VolumeLabel": "USB", + "BaseName": "Business Plan for a Startup Business_0.doc", + "WorkingDir": "F:\\", + "LocalPath": "F:\\Business Plan for a Startup Business_0.doc", + "ModificationDateTime": "10/13/2013 12:45:02.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\19961.Donald.Business Plan for a Startup Business_0.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/21/2013 04:00:00.000000", + "DriveSerialNumber": "39c7-1beb", + "AppIdCode": null, + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "F:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x32L;0x2fL;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "BUSINE~1.DOC", + "Location": null, + "Comments": null, + 
"ModificationTime": "10/13/2013 12:45:02.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 235520, + "ExtentionBlocks": [ + { + "LongName": "Business Plan for a Startup Business_0.doc", + "ExtentionBlockSize": 134, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 250944, + "FileReferenceInt": 250944, + "AccessTime": "10/21/2013 04:00:00.000000", + "CreationTime": "10/21/2013 18:53:02.000000", + "Signature": "0xbeef0004L", + "RefNum": "250944-0" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L", + "ItemCount": 4, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "doc", + "NetworkPath": null, + "FileSize": 235520, + "CreationDateTime": "10/21/2013 18:53:00.900000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "PHOTOS BACK", + "BaseName": "WP_20130803_001.jpg", + "WorkingDir": "E:\\", + "LocalPath": "E:\\WP_20130803_001.jpg", + "ModificationDateTime": "08/03/2013 19:28:58.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\20063.Donald.WP_20130803_001.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/17/2013 04:00:00.000000", + "DriveSerialNumber": "440f-17ad", + "AppIdCode": null, + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "E:\\", + "Location": null, + "Comments": null, + 
"ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x32L;0x2fL;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WP_201~2.JPG", + "Location": null, + "Comments": null, + "ModificationTime": "08/03/2013 19:28:58.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 284260, + "ExtentionBlocks": [ + { + "LongName": "WP_20130803_001.jpg", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 66112, + "FileReferenceInt": 66112, + "AccessTime": "10/17/2013 04:00:00.000000", + "CreationTime": "10/17/2013 19:29:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "66112-0" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L", + "ItemCount": 4, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "jpg", + "NetworkPath": null, + "FileSize": 284260, + "CreationDateTime": "10/17/2013 19:29:03.860000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "imagesCA13Y4D8.jpg", + "WorkingDir": "C:\\Users\\Donald\\Pictures", + "LocalPath": "C:\\Users\\Donald\\Pictures\\imagesCA13Y4D8.jpg", + "ModificationDateTime": "07/27/2013 18:26:21.000000", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\20089.Donald.imagesCA13Y4D8.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 01:11:08.000000", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Pictures\\imagesCA13Y4D8.jpg", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "jpg", + "NetworkPath": 
"\\\\BIFROST\\Users\\Donald\\Pictures\\imagesCA13Y4D8.jpg", + "FileSize": 9317, + "CreationDateTime": "08/12/2013 01:11:07.620377", + "EnvVarLoc": null + }, + { + "VolumeLabel": "PHOTOS BACK", + "BaseName": "imagesCAL5YVMT.jpg", + "WorkingDir": "E:\\From Donald's Windows Phone\\Saved pictures", + "LocalPath": "E:\\From Donald's Windows Phone\\Saved pictures\\imagesCAL5YVMT.jpg", + "ModificationDateTime": "09/02/2013 20:02:28.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\20096.Donald.imagesCAL5YVMT.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/17/2013 04:00:00.000000", + "DriveSerialNumber": "440f-17ad", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 0, + "ParentRefStr": "4309184-0", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "FROMDO~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/02/2013 20:02:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "From Donald's Windows Phone", + "ExtentionBlockSize": 104, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 66912, + "FileReferenceInt": 66912, + "AccessTime": "10/17/2013 04:00:00.000000", + "CreationTime": "10/17/2013 19:29:06.000000", + "Signature": "0xbeef0004L", + "RefNum": "66912-0" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SAVEDP~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/12/2013 17:35:30.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Saved pictures", + "ExtentionBlockSize": 78, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 4309184, + 
"FileReferenceInt": 4309184, + "AccessTime": "10/17/2013 04:00:00.000000", + "CreationTime": "10/17/2013 19:29:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "4309184-0" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "IMAGES~2.JPG", + "Location": null, + "Comments": null, + "ModificationTime": "09/02/2013 20:02:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 4263, + "ExtentionBlocks": [ + { + "LongName": "imagesCAL5YVMT.jpg", + "ExtentionBlockSize": 86, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 50176224, + "FileReferenceInt": 50176224, + "AccessTime": "10/17/2013 04:00:00.000000", + "CreationTime": "10/17/2013 19:29:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "50176224-0" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "E:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Saved pictures", + "ParentEntryNum": 4309184, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "jpg", + "NetworkPath": null, + "FileSize": 4263, + "CreationDateTime": 
"10/17/2013 19:29:10.410000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "PHOTOS BACK", + "BaseName": "Saved pictures", + "WorkingDir": null, + "LocalPath": "E:\\From Donald's Windows Phone\\Saved pictures", + "ModificationDateTime": "10/12/2013 17:35:30.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\20097.Donald.Saved pictures.lnk", + "Flags": "", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/17/2013 04:00:00.000000", + "DriveSerialNumber": "440f-17ad", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x2fL;0x1fL;0x31L", + "ParentSeqNum": 0, + "ParentRefStr": "66912-0", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "FROMDO~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/02/2013 20:02:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "From Donald's Windows Phone", + "ExtentionBlockSize": 104, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 66912, + "FileReferenceInt": 66912, + "AccessTime": "10/17/2013 04:00:00.000000", + "CreationTime": "10/17/2013 19:29:06.000000", + "Signature": "0xbeef0004L", + "RefNum": "66912-0" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SAVEDP~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/12/2013 17:35:30.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Saved pictures", + "ExtentionBlockSize": 78, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 4309184, + "FileReferenceInt": 4309184, + "AccessTime": "10/17/2013 04:00:00.000000", + "CreationTime": "10/17/2013 19:29:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "4309184-0" + } + ] + } + ], 
+ "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "E:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "From Donald's Windows Phone", + "ParentEntryNum": 66912, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L", + "ItemCount": 5, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "10/17/2013 19:29:10.260000", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\20733.Donald.set_935149829_en-us.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x0L", + "ParentSeqNum": null, + "ParentRefStr": null, + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + 
"ExtentionBlocks": [ + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0013L" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "item", + "ExtentionListing": "0xbeef0013L", + "ItemCount": 3 + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\20884.Donald.txt_172291708_en-US.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iexplore.exe", + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "ModificationDateTime": "08/22/2013 12:34:04.110966", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\213288.Windows.Internet Explorer.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/22/2013 08:52:25.004329", + "DriveSerialNumber": "7e58-aab0", + 
"AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "197705-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 19:20:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 19:20:24.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 19:09:54.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Explorer", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 197705, + "FileReferenceInt": 1688849860461641, + "AccessTime": "08/22/2013 19:09:54.000000", + "CreationTime": "08/22/2013 15:36:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "197705-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "iexplore.exe", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 12:34:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 804464, + "ExtentionBlocks": [ + { + "LongName": "iexplore.exe", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 217849, + "FileReferenceInt": 281474976928505, + "AccessTime": "08/22/2013 
08:52:26.000000", + "CreationTime": "08/22/2013 08:52:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "217849-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Explorer", + "ParentEntryNum": 197705, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@\"%windir%\\System32\\ie4uinit.exe\",-732", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Program Files\\Internet Explorer\\iexplore.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 804464, + "CreationDateTime": "08/22/2013 08:52:25.004329", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "UserGuide.exe", + "WorkingDir": "C:\\Program Files (x86)\\Lenovo\\UserGuide", + "LocalPath": "C:\\Program Files (x86)\\Lenovo\\UserGuide\\UserGuide.exe", + "ModificationDateTime": "05/16/2012 22:57:22.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\21389..UserGuide.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "06/02/2013 03:48:43.628792", + "DriveSerialNumber": 
"7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 5, + "ParentRefStr": "147638-5", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:48:44.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "06/02/2013 03:48:44.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Lenovo", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:48:44.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Lenovo", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 147637, + "FileReferenceInt": 1407374883700917, + "AccessTime": "06/02/2013 03:48:44.000000", + "CreationTime": "06/02/2013 03:48:44.000000", + "Signature": "0xbeef0004L", + "RefNum": "147637-5" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "USERGU~1", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:48:44.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "UserGuide", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 147638, + "FileReferenceInt": 1407374883700918, + "AccessTime": "06/02/2013 
03:48:44.000000", + "CreationTime": "06/02/2013 03:48:44.000000", + "Signature": "0xbeef0004L", + "RefNum": "147638-5" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "USERGU~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "05/16/2012 22:57:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 15872, + "ExtentionBlocks": [ + { + "LongName": "UserGuide.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 147888, + "FileReferenceInt": 844424930279856, + "AccessTime": "06/02/2013 03:48:44.000000", + "CreationTime": "05/16/2012 22:57:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "147888-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "UserGuide", + "ParentEntryNum": 147638, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": ".\\UserGuide.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}\\ARPPRODUCTICON.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + 
"FileSize": 15872, + "CreationDateTime": "05/16/2012 22:57:22.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\21460.Donald.set_3598659381_en-us.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x0L", + "ParentSeqNum": null, + "ParentRefStr": null, + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0013L" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "item", + "ExtentionListing": "0xbeef0013L", + "ItemCount": 3 + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "GfxUIEx.exe", + "WorkingDir": "C:\\WINDOWS\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "Metro", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\21488..Intel(R) HD Graphics Control 
Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": null, + "ParentRefStr": "None-None", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "WINDOWS", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "WINDOWS", + "ExtentionBlockSize": 64, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "system32", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "system32", + "ExtentionBlockSize": 66, + "LocalizedName": null + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "GfxUIEx.exe", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "GfxUIEx.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": 
"00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "system32", + "ParentEntryNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\WINDOWS\\system32\\GfxUIEx.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\21735.Donald.txt_396494738_en-us.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\22237.Donald.site_227368865_en-us.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x0L", + "ParentSeqNum": null, + "ParentRefStr": null, + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0013L" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "item", + "ExtentionListing": "0xbeef0013L", + "ItemCount": 3 + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228983..Camera.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\Camera\\Camera.exe,-1001", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": 
"%windir%\\Camera\\Camera.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%SystemRoot%\\Camera\\Camera.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228983.Windows.Camera.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\Camera\\Camera.exe,-1001", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\Camera\\Camera.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%SystemRoot%\\Camera\\Camera.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228985..Desktop.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "3080f90d-d7ad-11d9-bd98-0000947b0257", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": 
"@%SystemRoot%\\system32\\twinui.dll,-4513", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228985.Windows.Desktop.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "3080f90d-d7ad-11d9-bd98-0000947b0257", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\twinui.dll,-4513", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228988..FileManager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + 
"AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\FileManager\\FileManager.exe,-1001", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\FileManager\\FileManager.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\FileManager\\FileManager.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228988.Windows.FileManager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\FileManager\\FileManager.exe,-1001", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\FileManager\\FileManager.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\FileManager\\FileManager.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228989..Immersive Control Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\ImmersiveControlPanel\\systemsettings.exe,-651", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\ImmersiveControlPanel\\systemsettings.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 
00:00:00", + "EnvVarLoc": "%windir%\\System32\\Control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228989.Windows.Immersive Control Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\ImmersiveControlPanel\\systemsettings.exe,-651", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\ImmersiveControlPanel\\systemsettings.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\System32\\Control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228990..PhotosApp.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\FileManager\\PhotosApp.exe,-1001", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\FileManager\\PhotosApp.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\FileManager\\PhotosApp.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228990.Windows.PhotosApp.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\FileManager\\PhotosApp.exe,-1001", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\FileManager\\PhotosApp.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\FileManager\\PhotosApp.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "-sta {C90FB8CA-3295-4462-A721-2935E83694BA}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228991..Search.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\rundll32.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "-sta {C90FB8CA-3295-4462-A721-2935E83694BA}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228991.Windows.Search.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": 
null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\rundll32.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228993..Windows Store.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\WinStore\\WinStoreUI.dll,-1", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\WinStore\\WinStoreUI.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\WinStore\\WinStore.htm" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228993.Windows.Windows Store.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\WinStore\\WinStoreUI.dll,-1", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\WinStore\\WinStoreUI.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\WinStore\\WinStore.htm" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32\\Speech\\SpeechUX", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "-SpeechUX", + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228996..Speech Recognition.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\speech\\speechux\\sapi.cpl,-5556", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\Speech\\SpeechUX\\sapi.cpl", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\Speech\\Common\\sapisvr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32\\Speech\\SpeechUX", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "-SpeechUX", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228996.Windows.Speech Recognition.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\speech\\speechux\\sapi.cpl,-5556", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\Speech\\SpeechUX\\sapi.cpl", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\Speech\\Common\\sapisvr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228997..Calculator.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-22531", + 
"RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\calc.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\calc.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228997.Windows.Calculator.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-22531", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\calc.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\calc.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228999..Math Input Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%CommonProgramFiles%\\Microsoft Shared\\Ink\\mip.exe,-292", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%CommonProgramFiles%\\Microsoft Shared\\Ink\\mip.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%CommonProgramFiles%\\Microsoft Shared\\Ink\\mip.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 
00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\228999.Windows.Math Input Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%CommonProgramFiles%\\Microsoft Shared\\Ink\\mip.exe,-292", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%CommonProgramFiles%\\Microsoft Shared\\Ink\\mip.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%CommonProgramFiles%\\Microsoft Shared\\Ink\\mip.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229000..Paint.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-22566", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\mspaint.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\mspaint.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229000.Windows.Paint.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-22566", + "RelativePath": null, + 
"Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\mspaint.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\mspaint.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32\\", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229001..Remote Desktop Connection.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\mstsc.exe,-4001", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\mstsc.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\mstsc.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32\\", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229001.Windows.Remote Desktop Connection.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\mstsc.exe,-4001", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\mstsc.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\mstsc.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + 
"Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229002..Snipping Tool.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\System32\\SnippingTool.exe,-15052", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\SnippingTool.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\SnippingTool.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229002.Windows.Snipping Tool.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\System32\\SnippingTool.exe,-15052", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\SnippingTool.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\SnippingTool.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%SystemRoot%\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229003..Sound Recorder.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\SoundRecorder.exe,-32790", + "RelativePath": null, + "Codepage": "cp1252", + 
"IconLoc": "%SystemRoot%\\system32\\SoundRecorder.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%SystemRoot%\\system32\\SoundRecorder.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%SystemRoot%\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229003.Windows.Sound Recorder.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\SoundRecorder.exe,-32790", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\system32\\SoundRecorder.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%SystemRoot%\\system32\\SoundRecorder.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229004..Steps Recorder.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\System32\\psr.exe,-1702", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\psr.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\psr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + 
"Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229004.Windows.Steps Recorder.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\System32\\psr.exe,-1702", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\psr.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\psr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229005..Sticky Notes.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\SNTSearch.dll,-504", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\StikyNot.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\StikyNot.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229005.Windows.Sticky Notes.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\SNTSearch.dll,-504", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\StikyNot.exe", + "AppIdName": 
null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\StikyNot.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229006..Windows Fax and Scan.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\FXSRESM.dll,-115", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WFSR.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WFS.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229006.Windows.Windows Fax and Scan.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\FXSRESM.dll,-115", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WFSR.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WFS.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%ProgramFiles(x86)%\\Windows Media Player", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/prefetch:1", + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229007..Windows Media Player.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\syswow64\\unregmp2.exe,-155", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%ProgramFiles(x86)%\\Windows Media Player", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/prefetch:1", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229007.Windows.Windows Media Player.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\syswow64\\unregmp2.exe,-155", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229008..Wordpad.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": 
"@%SystemRoot%\\system32\\Shell32.dll,-22581", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Windows NT\\Accessories\\wordpad.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%ProgramFiles%\\Windows NT\\Accessories\\wordpad.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229008.Windows.Wordpad.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\Shell32.dll,-22581", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Windows NT\\Accessories\\wordpad.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%ProgramFiles%\\Windows NT\\Accessories\\wordpad.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229009..XPS Viewer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\XpsRchVw.exe,-103", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%systemroot%\\system32\\XpsRchVw.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%systemroot%\\system32\\xpsrchvw.exe" + }, + { + "VolumeLabel": null, + "BaseName": 
null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229009.Windows.XPS Viewer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\XpsRchVw.exe,-103", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%systemroot%\\system32\\XpsRchVw.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%systemroot%\\system32\\xpsrchvw.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229011..Character Map.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\Shell32.dll,-22533", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\charmap.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\charmap.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229011.Windows.Character Map.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": 
"@%SystemRoot%\\system32\\Shell32.dll,-22533", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\charmap.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\charmap.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229014..Windows Journal.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%ProgramFiles%\\Windows Journal\\Journal.exe,-3075", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Windows Journal\\Journal.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%ProgramFiles%\\Windows Journal\\Journal.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229014.Windows.Windows Journal.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%ProgramFiles%\\Windows Journal\\Journal.exe,-3075", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Windows Journal\\Journal.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%ProgramFiles%\\Windows Journal\\Journal.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + 
"WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229015..Component Services.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\comres.dll,-3411", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%systemroot%\\system32\\comres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\comexp.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229015.Windows.Component Services.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\comres.dll,-3411", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%systemroot%\\system32\\comres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\comexp.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/s", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229016..Computer Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": 
"@%systemroot%\\system32\\mycomput.dll,-112", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\Mycomput.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\compmgmt.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/s", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229016.Windows.Computer Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\mycomput.dll,-112", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\Mycomput.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\compmgmt.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%systemroot%\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229018..dfrgui.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\dfrgui.exe,-172", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%systemroot%\\system32\\dfrgui.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\dfrgui.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": 
"%systemroot%\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229018.Windows.dfrgui.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\dfrgui.exe,-172", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%systemroot%\\system32\\dfrgui.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\dfrgui.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229019..Disk Cleanup.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\Shell32.dll,-22538", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\cleanmgr.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cleanmgr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229019.Windows.Disk Cleanup.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": 
"@%SystemRoot%\\system32\\Shell32.dll,-22538", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\cleanmgr.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cleanmgr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/s", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229020..Event Viewer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\miguiresource.dll,-102", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\miguiresource.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\eventvwr.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/s", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229020.Windows.Event Viewer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\miguiresource.dll,-102", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\miguiresource.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\eventvwr.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": 
"%windir%\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229021..iSCSI Initiator.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\iscsicpl.dll,-5002", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\iscsicpl.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\iscsicpl.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229021.Windows.iSCSI Initiator.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\iscsicpl.dll,-5002", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\iscsicpl.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\iscsicpl.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229022..Memory Diagnostics Tool.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": 
"@%windir%\\system32\\MdSched.exe,-4002", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\MdSched.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\MdSched.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229022.Windows.Memory Diagnostics Tool.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\MdSched.exe,-4002", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\MdSched.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\MdSched.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\syswow64", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229023..ODBC Data Sources (32-bit).lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\syswow64\\odbcint.dll,-1312", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\syswow64\\odbcint.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\syswow64\\odbcad32.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": 
"%windir%\\syswow64", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229023.Windows.ODBC Data Sources (32-bit).lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\syswow64\\odbcint.dll,-1312", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\syswow64\\odbcint.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\syswow64\\odbcad32.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229024..ODBC Data Sources (64-bit).lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\odbcint.dll,-1312", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\odbcint.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\odbcad32.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229024.Windows.ODBC Data Sources (64-bit).lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + 
"LnkTrgData": null, + "Description": "@%windir%\\system32\\odbcint.dll,-1312", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\odbcint.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\odbcad32.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/s", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229025..Performance Monitor.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\Wdc.dll,-10025", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\wdc.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\perfmon.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/s", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229025.Windows.Performance Monitor.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\Wdc.dll,-10025", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\wdc.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\perfmon.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + 
"ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229026..Print Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\pmcsnap.dll,-710", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%systemroot%\\system32\\pmcsnap.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%systemroot%\\system32\\printmanagement.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229026.Windows.Print Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\pmcsnap.dll,-710", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%systemroot%\\system32\\pmcsnap.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%systemroot%\\system32\\printmanagement.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/res", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229027..Resource Monitor.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\wdc.dll,-10031", + 
"RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\wdc.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\perfmon.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/res", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229027.Windows.Resource Monitor.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\wdc.dll,-10031", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\wdc.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\perfmon.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/s", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229028..Security Configuration Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\shell32.dll,-22552", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\wsecedit.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\secpol.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/s", + 
"Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229028.Windows.Security Configuration Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\shell32.dll,-22552", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\wsecedit.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\secpol.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229030..services.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\Filemgmt.dll,-602", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\filemgmt.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\services.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229030.Windows.services.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\Filemgmt.dll,-602", + "RelativePath": null, + "Codepage": "cp1252", + 
"IconLoc": "%windir%\\system32\\filemgmt.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\services.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229031..System Configuration.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\msconfig.exe,-1601", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\msconfig.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\msconfig.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229031.Windows.System Configuration.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\msconfig.exe,-1601", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\msconfig.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\msconfig.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229032..System Information.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\Msinfo32.exe,-130", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\msinfo32.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\msinfo32.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229032.Windows.System Information.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\Msinfo32.exe,-130", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\msinfo32.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\msinfo32.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/s", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229034..Task Scheduler.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\miguiresource.dll,-202", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\miguiresource.dll", + 
"AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\taskschd.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/s", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229034.Windows.Task Scheduler.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\miguiresource.dll,-202", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\miguiresource.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\taskschd.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229035..Windows Firewall with Advanced Security.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\System32\\authFWGP.dll,-21", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\System32\\AuthFWGP.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WF.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229035.Windows.Windows Firewall with Advanced Security.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\System32\\authFWGP.dll,-21", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\System32\\AuthFWGP.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WF.msc" + }, + { + "VolumeLabel": "OSDisk", + "BaseName": "powershell.exe", + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", + "ModificationDateTime": "07/26/2012 03:20:50.264000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229036.Windows.Windows PowerShell (x86).lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "07/26/2012 01:26:44.455823", + "DriveSerialNumber": "74ee-2d73", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 1, + "ParentRefStr": "7560-1", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "06/07/2013 22:00:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 4127, + "FileReferenceInt": 281474976714783, + "AccessTime": "06/07/2013 22:00:04.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "4127-1" + } + ] + }, + { + "ShellFolderId": null, + 
"ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SysWOW64", + "Location": null, + "Comments": null, + "ModificationTime": "05/24/2013 21:47:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "SysWOW64", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 7305, + "FileReferenceInt": 281474976717961, + "AccessTime": "05/24/2013 21:47:12.000000", + "CreationTime": "07/26/2012 05:38:02.000000", + "Signature": "0xbeef0004L", + "RefNum": "7305-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "WINDOW~1", + "Location": null, + "Comments": null, + "ModificationTime": "07/26/2012 08:13:00.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "WindowsPowerShell", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 7559, + "FileReferenceInt": 281474976718215, + "AccessTime": "07/26/2012 08:13:00.000000", + "CreationTime": "07/26/2012 08:13:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "7559-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "v1.0", + "Location": null, + "Comments": null, + "ModificationTime": "05/24/2013 21:47:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "v1.0", + "ExtentionBlockSize": 54, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 7560, + "FileReferenceInt": 281474976718216, + "AccessTime": "05/24/2013 21:47:22.000000", + "CreationTime": "07/26/2012 08:13:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "7560-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "powershell.exe", + 
"Location": null, + "Comments": null, + "ModificationTime": "07/26/2012 03:20:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 454656, + "ExtentionBlocks": [ + { + "LongName": "powershell.exe", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 63999, + "FileReferenceInt": 281474976774655, + "AccessTime": "07/26/2012 01:26:46.000000", + "CreationTime": "07/26/2012 01:26:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "63999-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "v1.0", + "ParentEntryNum": 7560, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Performs object-based (command-line) functions", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 454656, + "CreationDateTime": "07/26/2012 01:26:44.455823", + "EnvVarLoc": "%SystemRoot%\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + { + "VolumeLabel": "OSDisk", + "BaseName": "powershell.exe", + 
"WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", + "ModificationDateTime": "07/26/2012 03:20:50.264000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229037..Windows PowerShell (x86).lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "07/26/2012 01:26:44.455823", + "DriveSerialNumber": "74ee-2d73", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 1, + "ParentRefStr": "7560-1", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "06/07/2013 22:00:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 4127, + "FileReferenceInt": 281474976714783, + "AccessTime": "06/07/2013 22:00:04.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "4127-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SysWOW64", + "Location": null, + "Comments": null, + "ModificationTime": "05/24/2013 21:47:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "SysWOW64", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 7305, + "FileReferenceInt": 281474976717961, + "AccessTime": "05/24/2013 21:47:12.000000", + "CreationTime": "07/26/2012 05:38:02.000000", + "Signature": "0xbeef0004L", + "RefNum": "7305-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": 
"WINDOW~1", + "Location": null, + "Comments": null, + "ModificationTime": "07/26/2012 08:13:00.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "WindowsPowerShell", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 7559, + "FileReferenceInt": 281474976718215, + "AccessTime": "07/26/2012 08:13:00.000000", + "CreationTime": "07/26/2012 08:13:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "7559-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "v1.0", + "Location": null, + "Comments": null, + "ModificationTime": "05/24/2013 21:47:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "v1.0", + "ExtentionBlockSize": 54, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 7560, + "FileReferenceInt": 281474976718216, + "AccessTime": "05/24/2013 21:47:22.000000", + "CreationTime": "07/26/2012 08:13:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "7560-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "powershell.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/26/2012 03:20:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 454656, + "ExtentionBlocks": [ + { + "LongName": "powershell.exe", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 63999, + "FileReferenceInt": 281474976774655, + "AccessTime": "07/26/2012 01:26:46.000000", + "CreationTime": "07/26/2012 01:26:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "63999-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": 
"00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "v1.0", + "ParentEntryNum": 7560, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Performs object-based (command-line) functions", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 454656, + "CreationDateTime": "07/26/2012 01:26:44.455823", + "EnvVarLoc": "%SystemRoot%\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229038..Windows PowerShell ISE (x86).lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-113", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "AppIdName": null, + "FileExt": null, + 
"NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\syswow64\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229038.Windows.Windows PowerShell ISE (x86).lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-113", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\syswow64\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229039..Windows PowerShell ISE.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-113", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe" + }, + { + "VolumeLabel": null, 
+ "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229039.Windows.Windows PowerShell ISE.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe,-113", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.DefaultPrograms", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229049..Default Programs.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\sud.dll,-10", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.DefaultPrograms", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229049.Windows.Default Programs.lnk", + 
"Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\sud.dll,-10", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/7", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229051..Task Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\Taskmgr.exe,-33551", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\Taskmgr.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\taskmgr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/7", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229051.Windows.Task Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\Taskmgr.exe,-33551", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\Taskmgr.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": 
"%windir%\\system32\\taskmgr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32\\migwiz", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229052..Windows Easy Transfer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\migwiz\\wet.dll,-590", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\migwiz\\migwiz.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\migwiz\\migwiz.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32\\migwiz", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229052.Windows.Windows Easy Transfer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\migwiz\\wet.dll,-590", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\migwiz\\migwiz.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\migwiz\\migwiz.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\system32\\migwiz", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229053.Windows.migwiz.lnk", + "Flags": 
"", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\migwiz\\wet.dll,-590", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\migwiz\\migwiz.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\migwiz\\migwiz.exe" + }, + { + "VolumeLabel": "OSDisk", + "BaseName": "powershell.exe", + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "ModificationDateTime": "07/26/2012 03:20:50.264000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229054.Windows.Windows PowerShell.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "07/26/2012 01:26:44.455823", + "DriveSerialNumber": "74ee-2d73", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 1, + "ParentRefStr": "7560-1", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "06/07/2013 22:00:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 4127, + "FileReferenceInt": 281474976714783, + "AccessTime": "06/07/2013 22:00:04.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "4127-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "System32", + "Location": null, + "Comments": null, + "ModificationTime": "06/07/2013 
00:42:58.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "System32", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 6154, + "FileReferenceInt": 281474976716810, + "AccessTime": "06/07/2013 00:42:58.000000", + "CreationTime": "07/26/2012 05:38:02.000000", + "Signature": "0xbeef0004L", + "RefNum": "6154-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "WINDOW~1", + "Location": null, + "Comments": null, + "ModificationTime": "07/26/2012 08:13:00.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "WindowsPowerShell", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 7559, + "FileReferenceInt": 281474976718215, + "AccessTime": "07/26/2012 08:13:00.000000", + "CreationTime": "07/26/2012 08:13:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "7559-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "v1.0", + "Location": null, + "Comments": null, + "ModificationTime": "05/24/2013 21:47:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "v1.0", + "ExtentionBlockSize": 54, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 7560, + "FileReferenceInt": 281474976718216, + "AccessTime": "05/24/2013 21:47:22.000000", + "CreationTime": "07/26/2012 08:13:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "7560-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "powershell.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/26/2012 03:20:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 
1, + "Description": null, + "FileSize": 454656, + "ExtentionBlocks": [ + { + "LongName": "powershell.exe", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 63999, + "FileReferenceInt": 281474976774655, + "AccessTime": "07/26/2012 01:26:46.000000", + "CreationTime": "07/26/2012 01:26:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "63999-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "v1.0", + "ParentEntryNum": 7560, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Performs object-based (command-line) functions", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 454656, + "CreationDateTime": "07/26/2012 01:26:44.455823", + "EnvVarLoc": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + { + "VolumeLabel": "OSDisk", + "BaseName": "powershell.exe", + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "ModificationDateTime": 
"07/26/2012 03:20:50.264000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229055..Windows PowerShell.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "07/26/2012 01:26:44.455823", + "DriveSerialNumber": "74ee-2d73", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 1, + "ParentRefStr": "7560-1", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "06/07/2013 22:00:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 4127, + "FileReferenceInt": 281474976714783, + "AccessTime": "06/07/2013 22:00:04.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "4127-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "System32", + "Location": null, + "Comments": null, + "ModificationTime": "06/07/2013 00:42:58.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "System32", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 6154, + "FileReferenceInt": 281474976716810, + "AccessTime": "06/07/2013 00:42:58.000000", + "CreationTime": "07/26/2012 05:38:02.000000", + "Signature": "0xbeef0004L", + "RefNum": "6154-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "WINDOW~1", + "Location": null, + "Comments": null, + "ModificationTime": "07/26/2012 08:13:00.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "WindowsPowerShell", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 7559, + "FileReferenceInt": 281474976718215, + "AccessTime": "07/26/2012 08:13:00.000000", + "CreationTime": "07/26/2012 08:13:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "7559-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "v1.0", + "Location": null, + "Comments": null, + "ModificationTime": "05/24/2013 21:47:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "v1.0", + "ExtentionBlockSize": 54, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 7560, + "FileReferenceInt": 281474976718216, + "AccessTime": "05/24/2013 21:47:22.000000", + "CreationTime": "07/26/2012 08:13:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "7560-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "powershell.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/26/2012 03:20:52.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 454656, + "ExtentionBlocks": [ + { + "LongName": "powershell.exe", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 63999, + "FileReferenceInt": 281474976774655, + "AccessTime": "07/26/2012 01:26:46.000000", + "CreationTime": "07/26/2012 01:26:46.000000", + "Signature": "0xbeef0004L", + "RefNum": "63999-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "v1.0", + "ParentEntryNum": 7560, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Performs object-based (command-line) functions", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 454656, + "CreationDateTime": "07/26/2012 01:26:44.455823", + "EnvVarLoc": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "shell:::{3080F90D-D7AD-11D9-BD98-0000947B0257}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229118.Default.1 - Desktop.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": 
"shell:::{3080F90D-D7AD-11D9-BD98-0000947B0257}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229118.Windows.1 - Desktop.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "shell:::{3080F90D-D7AD-11D9-BD98-0000947B0257}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229119.Windows.1 - Desktop.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "shell:::{3080F90D-D7AD-11D9-BD98-0000947B0257}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229120.Windows.1 - Desktop.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + 
"CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229125.Default.1 - Run.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229125.Windows.1 - Run.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229126.Windows.1 - Run.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": 
null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229127.Windows.1 - Run.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "shell:::{2559a1f8-21d7-11d4-bdaf-00c04f60b9f0}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229128.Default.2 - Search.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "shell:::{2559a1f8-21d7-11d4-bdaf-00c04f60b9f0}", + 
"Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229128.Windows.2 - Search.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "shell:::{2559a1f8-21d7-11d4-bdaf-00c04f60b9f0}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229129.Windows.2 - Search.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "shell:::{2559a1f8-21d7-11d4-bdaf-00c04f60b9f0}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229130.Windows.2 - Search.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": 
"%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229131.Default.3 - Windows Explorer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229131.Windows.3 - Windows Explorer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229132.Windows.3 - Windows Explorer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + 
"LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229133.Windows.3 - Windows Explorer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229134.Default.4 - Control Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229134.Windows.4 - Control Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229135.Windows.4 - Control Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229136.Windows.4 - Control Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, 
+ "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/0", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229137.Default.5 - Task Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\taskmgr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/0", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229137.Windows.5 - Task Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\taskmgr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/0", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229138.Windows.5 - Task Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + 
"FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\taskmgr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/0", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229139.Windows.5 - Task Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\taskmgr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229143.Default.01 - Command Prompt.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229143.Windows.01 - Command Prompt.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + 
"Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229144.Windows.01 - Command Prompt.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229145.Windows.01 - Command Prompt.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229146.Default.01a - Windows PowerShell.lnk", + "Flags": 
"", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229146.Windows.01a - Windows PowerShell.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229147.Windows.01a - Windows PowerShell.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + 
"CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229148.Windows.01a - Windows PowerShell.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229149.Default.02 - Command Prompt.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229149.Windows.02 - Command Prompt.lnk", + "Flags": "", + 
"DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229150.Windows.02 - Command Prompt.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229151.Windows.02 - Command Prompt.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": 
"1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229152.Default.02a - Windows PowerShell.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229152.Windows.02a - Windows PowerShell.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229153.Windows.02a - Windows PowerShell.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + 
"Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229154.Windows.02a - Windows PowerShell.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229155.Default.03 - Computer Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\compmgmt.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + 
"ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229155.Windows.03 - Computer Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\compmgmt.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229156.Windows.03 - Computer Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\compmgmt.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229157.Windows.03 - Computer Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": 
"1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\compmgmt.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229158.Default.04 - Disk Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\diskmgmt.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229158.Windows.04 - Disk Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\diskmgmt.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229159.Windows.04 - Disk Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + 
"RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\diskmgmt.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229160.Windows.04 - Disk Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\diskmgmt.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "::{7007ACC7-3202-11D1-AAD2-00805FC1270E}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229161.Default.04-1 - Network Connections.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "::{7007ACC7-3202-11D1-AAD2-00805FC1270E}", + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229161.Windows.04-1 - Network Connections.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "::{7007ACC7-3202-11D1-AAD2-00805FC1270E}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229162.Windows.04-1 - Network Connections.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "::{7007ACC7-3202-11D1-AAD2-00805FC1270E}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229163.Windows.04-1 - Network Connections.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 
00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.DeviceManager", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229164.Default.05 - Device Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.DeviceManager", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229164.Windows.05 - Device Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.DeviceManager", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229165.Windows.05 - Device Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + 
"LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.DeviceManager", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229166.Windows.05 - Device Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.System", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229167.Default.06 - System.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.System", + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229167.Windows.06 - System.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.System", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229168.Windows.06 - System.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.System", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229169.Windows.06 - System.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + 
"VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229170.Default.07 - Event Viewer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\eventvwr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229170.Windows.07 - Event Viewer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\eventvwr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229171.Windows.07 - Event Viewer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, 
+ "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\eventvwr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229172.Windows.07 - Event Viewer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\eventvwr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.PowerOptions", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229173.Default.08 - Power Options.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.PowerOptions", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229173.Windows.08 - Power Options.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + 
"DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.PowerOptions", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229174.Windows.08 - Power Options.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.PowerOptions", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229175.Windows.08 - Power Options.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229177.Default.09 - Mobility Center.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\mblctr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229177.Windows.09 - Mobility Center.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\mblctr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229178.Windows.09 - Mobility Center.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\mblctr.exe" + }, + { + "VolumeLabel": 
null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229179.Windows.09 - Mobility Center.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\mblctr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.ProgramsAndFeatures", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229180.Default.10 - Programs and Features.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.ProgramsAndFeatures", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229180.Windows.10 - Programs and Features.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": 
"cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.ProgramsAndFeatures", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229181.Windows.10 - Programs and Features.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.ProgramsAndFeatures", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229182.Windows.10 - Programs and Features.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229193.Default.Shows 
Desktop.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "3080f90d-d7ad-11d9-bd98-0000947b0257", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-10113", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229193.Windows.Shows Desktop.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "3080f90d-d7ad-11d9-bd98-0000947b0257", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + 
} + ] + }, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-10113", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229194.Windows.Shows Desktop.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "3080f90d-d7ad-11d9-bd98-0000947b0257", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-10113", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229195.Windows.Shows Desktop.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + 
"DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "3080f90d-d7ad-11d9-bd98-0000947b0257", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-10113", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229196.Default.Window Switcher.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "3080f90e-d7ad-11d9-bd98-0000947b0257", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-10114", + "RelativePath": 
null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\explorer.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229196.Windows.Window Switcher.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "3080f90e-d7ad-11d9-bd98-0000947b0257", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-10114", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\explorer.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229197.Windows.Window Switcher.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": 
null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "3080f90e-d7ad-11d9-bd98-0000947b0257", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-10114", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\explorer.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229198.Windows.Window Switcher.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "3080f90e-d7ad-11d9-bd98-0000947b0257", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-10114", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\explorer.exe", + "AppIdName": null, + "FileExt": null, + 
"NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/SendTo", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229210.Default.Fax Recipient.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\FXSRESM.dll,-121", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WFSR.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WFS.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/SendTo", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229210.Windows.Fax Recipient.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\FXSRESM.dll,-121", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WFSR.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WFS.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229218.Default.Magnify.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": 
"1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\shell32.dll,-22553", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\magnify.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\magnify.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229218.Windows.Magnify.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\shell32.dll,-22553", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\magnify.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\magnify.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229219.Windows.Magnify.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\shell32.dll,-22553", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\magnify.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\magnify.exe" + }, + { + "VolumeLabel": null, + 
"BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229220.Windows.Magnify.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\shell32.dll,-22553", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\magnify.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\magnify.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229221.Default.Narrator.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\shell32.dll,-22560", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\narrator.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\narrator.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229221.Windows.Narrator.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": 
"@%windir%\\system32\\shell32.dll,-22560", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\narrator.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\narrator.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229222.Windows.Narrator.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\shell32.dll,-22560", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\narrator.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\narrator.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229223.Windows.Narrator.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\shell32.dll,-22560", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\narrator.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\narrator.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 
00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229224.Default.On-Screen Keyboard.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-22564", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\osk.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\osk.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229224.Windows.On-Screen Keyboard.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-22564", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\osk.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\osk.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229225.Windows.On-Screen Keyboard.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-22564", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": 
"%windir%\\system32\\osk.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\osk.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229226.Windows.On-Screen Keyboard.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-22564", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\osk.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\osk.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229230.Default.Notepad.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\Shell32.dll,-22563", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\notepad.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\notepad.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229230.Windows.Notepad.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\Shell32.dll,-22563", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\notepad.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\notepad.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229231.Windows.Notepad.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\Shell32.dll,-22563", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\notepad.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\notepad.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229232.Windows.Notepad.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\Shell32.dll,-22563", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": 
"%windir%\\system32\\notepad.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\notepad.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229233.Default.Command Prompt.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\shell32.dll,-22534", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\cmd.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229233.Windows.Command Prompt.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\shell32.dll,-22534", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\cmd.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229234.Windows.Command Prompt.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\shell32.dll,-22534", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\cmd.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229235.Windows.Command Prompt.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\shell32.dll,-22534", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\cmd.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229236.Default.computer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + 
"ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-304", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229236.Windows.computer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-304", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + 
"ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229237.Windows.computer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-304", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229238.Windows.computer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + 
"ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-304", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229239.Default.Control Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "5399e694-6ce5-4d6c-8fce-1d8870fdcba0", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-307", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229239.Windows.Control Panel.lnk", + "Flags": "", + 
"DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "5399e694-6ce5-4d6c-8fce-1d8870fdcba0", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-307", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229240.Windows.Control Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "5399e694-6ce5-4d6c-8fce-1d8870fdcba0", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": 
"@%windir%\\explorer.exe,-307", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229241.Windows.Control Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "5399e694-6ce5-4d6c-8fce-1d8870fdcba0", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-307", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229245.Default.File Explorer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { 
+ "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "52205fd8-5dfb-447d-801a-d0b52f2e83e1", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\Shell32.dll,-22579", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\explorer.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229245.Windows.File Explorer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "52205fd8-5dfb-447d-801a-d0b52f2e83e1", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\Shell32.dll,-22579", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\explorer.exe", + 
"AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229246.Windows.File Explorer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "52205fd8-5dfb-447d-801a-d0b52f2e83e1", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\Shell32.dll,-22579", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\explorer.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229247.Windows.File Explorer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + 
"DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "52205fd8-5dfb-447d-801a-d0b52f2e83e1", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\Shell32.dll,-22579", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\explorer.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229248.Default.Help.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "2559a1f1-21d7-11d4-bdaf-00c04f60b9f0", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-7001", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\helppane.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": 
null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229248.Windows.Help.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "2559a1f1-21d7-11d4-bdaf-00c04f60b9f0", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-7001", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\helppane.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229249.Windows.Help.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "2559a1f1-21d7-11d4-bdaf-00c04f60b9f0", + "ShellItemTypeHex": 
"0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-7001", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\helppane.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229250.Windows.Help.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "2559a1f1-21d7-11d4-bdaf-00c04f60b9f0", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-7001", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\helppane.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229251.Default.Run.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "2559a1f3-21d7-11d4-bdaf-00c04f60b9f0", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-7003", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\shell32.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229251.Windows.Run.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "2559a1f3-21d7-11d4-bdaf-00c04f60b9f0", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 
0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-7003", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\shell32.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229252.Windows.Run.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "2559a1f3-21d7-11d4-bdaf-00c04f60b9f0", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-7003", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\shell32.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229253.Windows.Run.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": 
"1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "2559a1f3-21d7-11d4-bdaf-00c04f60b9f0", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-7003", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\shell32.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229254.Default.Windows.Defender.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Windows Defender\\EppManifest.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%ProgramFiles%\\Windows Defender\\MSASCui.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229254.Windows.Windows.Defender.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Windows Defender\\EppManifest.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%ProgramFiles%\\Windows Defender\\MSASCui.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229255.Windows.Windows.Defender.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Windows Defender\\EppManifest.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%ProgramFiles%\\Windows Defender\\MSASCui.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\229256.Windows.Windows.Defender.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Windows Defender\\EppManifest.dll", + "AppIdName": null, + "FileExt": null, 
+ "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%ProgramFiles%\\Windows Defender\\MSASCui.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\23219.Donald.set_4244106600_en-us.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x0L", + "ParentSeqNum": null, + "ParentRefStr": null, + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0013L" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "item", + "ExtentionListing": "0xbeef0013L", + "ItemCount": 3 + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232464.Donald.Narrator.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\shell32.dll,-22560", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\narrator.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\narrator.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232469.Donald.Window Switcher.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "3080f90e-d7ad-11d9-bd98-0000947b0257", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-10114", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\explorer.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + 
"ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232484.Donald.Windows.Defender.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Windows Defender\\EppManifest.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%ProgramFiles%\\Windows Defender\\MSASCui.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232489.Donald.Run.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "2559a1f3-21d7-11d4-bdaf-00c04f60b9f0", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-7003", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\shell32.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": 
null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232492.Donald.Control Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "5399e694-6ce5-4d6c-8fce-1d8870fdcba0", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-307", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232495.Donald.Help.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "2559a1f1-21d7-11d4-bdaf-00c04f60b9f0", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + 
"Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-7001", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\helppane.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232500.Donald.File Explorer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "52205fd8-5dfb-447d-801a-d0b52f2e83e1", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\Shell32.dll,-22579", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\explorer.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232501.Donald.computer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%windir%\\explorer.exe,-304", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232511.Donald.Notepad.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\Shell32.dll,-22563", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\notepad.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\notepad.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + 
"ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232514.Donald.Command Prompt.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\shell32.dll,-22534", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\cmd.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232520.Donald.On-Screen Keyboard.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-22564", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\osk.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\osk.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232524.Donald.Magnify.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\shell32.dll,-22553", + "RelativePath": null, + "Codepage": "cp1252", + 
"IconLoc": "%windir%\\system32\\magnify.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\magnify.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.PowerOptions", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232527.Donald.08 - Power Options.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/SendTo", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232540.Donald.Fax Recipient.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\FXSRESM.dll,-121", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WFSR.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WFS.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232555.Donald.02 - Command Prompt.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232559.Donald.09 - Mobility Center.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\mblctr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232572.Donald.Shows Desktop.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "3080f90d-d7ad-11d9-bd98-0000947b0257", + "ShellItemTypeHex": "0x1fL", + 
"Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\shell32.dll,-10113", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\imageres.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.ProgramsAndFeatures", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232573.Donald.10 - Programs and Features.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232576.Donald.04 - Disk Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": 
"%windir%\\system32\\diskmgmt.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232584.Donald.07 - Event Viewer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\eventvwr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.System", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232587.Donald.06 - System.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/name Microsoft.DeviceManager", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232590.Donald.05 - Device Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": 
null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "::{7007ACC7-3202-11D1-AAD2-00805FC1270E}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232591.Donald.04-1 - Network Connections.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232598.Donald.03 - Computer Management.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\compmgmt.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232599.Donald.02a - 
Windows PowerShell.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232608.Donald.4 - Control Panel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\control.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232609.Donald.01 - Command Prompt.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\cmd.exe" + }, + { + "VolumeLabel": null, + "BaseName": 
null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/0", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232616.Donald.5 - Task Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\taskmgr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232619.Donald.01a - Windows PowerShell.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "/e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232622.Donald.3 - Windows Explorer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + 
"RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232628.Donald.1 - Run.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "shell:::{2559a1f8-21d7-11d4-bdaf-00c04f60b9f0}", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232631.Donald.2 - Search.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "shell:::{3080F90D-D7AD-11D9-BD98-0000947B0257}", + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\232632.Donald.1 - Desktop.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": "", + "BaseName": "spoolsv.exe", + "WorkingDir": null, + "LocalPath": "C:\\Windows\\System32\\spoolsv.exe", + "ModificationDateTime": "08/22/2013 09:10:12.246516", + "CmdArgs": "/SendTo", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\236095.Windows.Fax Recipient.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/22/2013 09:10:12.605922", + "DriveSerialNumber": "f6bc-38a8", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 1, + "ParentRefStr": "9720-1", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 14:47:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 9709, + "FileReferenceInt": 281474976720365, + "AccessTime": "08/22/2013 14:47:38.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "9709-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "System32", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 14:48:56.000000", + 
"ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "System32", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 9720, + "FileReferenceInt": 281474976720376, + "AccessTime": "08/22/2013 14:48:56.000000", + "CreationTime": "08/22/2013 13:36:18.000000", + "Signature": "0xbeef0004L", + "RefNum": "9720-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "spoolsv.exe", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 09:10:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 798208, + "ExtentionBlocks": [ + { + "LongName": "spoolsv.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 31044, + "FileReferenceInt": 281474976741700, + "AccessTime": "08/22/2013 09:10:14.000000", + "CreationTime": "08/22/2013 09:10:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "31044-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "System32", + "ParentEntryNum": 9720, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, 
+ "ExtentionBlocks": [] + } + ] + }, + "Description": "Sends the document as fax to a Fax Recipient.", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\System32\\spoolsv.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\System32\\WFSR.dll", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 798208, + "CreationDateTime": "08/22/2013 09:10:12.605922", + "EnvVarLoc": null + }, + { + "VolumeLabel": "", + "BaseName": "spoolsv.exe", + "WorkingDir": null, + "LocalPath": "C:\\Windows\\System32\\spoolsv.exe", + "ModificationDateTime": "08/22/2013 09:10:12.246516", + "CmdArgs": "/SendTo", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\236096.Windows.Fax Recipient.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/22/2013 09:10:12.605922", + "DriveSerialNumber": "f6bc-38a8", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 1, + "ParentRefStr": "9720-1", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 14:47:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 9709, + "FileReferenceInt": 281474976720365, + "AccessTime": "08/22/2013 14:47:38.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "9709-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "System32", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 14:48:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + 
"ExtentionBlocks": [ + { + "LongName": "System32", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 9720, + "FileReferenceInt": 281474976720376, + "AccessTime": "08/22/2013 14:48:56.000000", + "CreationTime": "08/22/2013 13:36:18.000000", + "Signature": "0xbeef0004L", + "RefNum": "9720-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "spoolsv.exe", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 09:10:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 798208, + "ExtentionBlocks": [ + { + "LongName": "spoolsv.exe", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 31044, + "FileReferenceInt": 281474976741700, + "AccessTime": "08/22/2013 09:10:14.000000", + "CreationTime": "08/22/2013 09:10:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "31044-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "System32", + "ParentEntryNum": 9720, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Sends the document as fax to a Fax Recipient.", + 
"RelativePath": "..\\..\\..\\..\\..\\..\\..\\System32\\spoolsv.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\System32\\WFSR.dll", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 798208, + "CreationDateTime": "08/22/2013 09:10:12.605922", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Mini Patisserie Business Plan.docx", + "WorkingDir": "C:\\Users\\Donald\\Documents", + "LocalPath": "C:\\Users\\Donald\\Documents\\Mini Patisserie Business Plan.docx", + "ModificationDateTime": "10/21/2013 18:44:49.258750", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\23614.Donald.Mini Patisserie Business Plan.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 18:44:47.933961", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + 
"ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Documents\\Mini Patisserie Business Plan.docx", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\Mini Patisserie Business Plan.docx", + "FileSize": 2026404, + "CreationDateTime": "10/21/2013 18:44:45.783504", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\24946.Donald.AppexMaps.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "USB", + "BaseName": "", + "WorkingDir": null, + "LocalPath": "F:\\", + "ModificationDateTime": "01/01/1980 04:00:00.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\25105.Donald.USB (F).lnk", + "Flags": "", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "01/01/1980 04:00:00.000000", + "DriveSerialNumber": "39c7-1beb", + "AppIdCode": null, + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": 
"00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "F:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x2fL;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder", + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "01/01/1980 04:00:00.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253003.Windows.Microsoft.Windows.ParentalControls.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\WpcMon.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + 
"ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253006.Windows.Windows.SystemToast.AutoPlay.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253007.Windows.Windows.SystemToast.BdeUnlock.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\bdeunlock.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253008.Windows.Windows.SystemToast.Bthprops.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": 
"1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\DevicePairingWizard.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253009.Windows.Windows.SystemToast.Devices.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253011.Windows.Windows.SystemToast.Explorer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253012.Windows.Windows.SystemToast.NfpAppAcquire.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": 
null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\ProximityUxHost.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253013.Windows.Windows.SystemToast.NfpAppLaunch.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\ProximityUxHost.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253014.Windows.Windows.SystemToast.NfpDevicePairing.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\ProximityUxHost.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253015.Windows.Windows.SystemToast.NfpReceiveContent.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\ProximityUxHost.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253016.Windows.Windows.SystemToast.OpenWith.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\OpenWith.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253017.Windows.Windows.SystemToast.Print.Notification.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": 
"%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253018.Windows.Windows.SystemToast.RasToastNotifier.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\RasApi32.dll" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253019.Windows.Windows.SystemToast.Share.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\explorer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%ProgramFiles%\\Hyper-V\\", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "\"%windir%\\system32\\virtmgmt.msc\"", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253331..Hyper-V Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": 
"@%ProgramFiles%\\Hyper-V\\SnapInAbout.dll,-132", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Hyper-V\\SnapInAbout.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\mmc.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%ProgramFiles%\\Hyper-V\\", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "\"%windir%\\system32\\virtmgmt.msc\"", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253331.Windows.Hyper-V Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%ProgramFiles%\\Hyper-V\\SnapInAbout.dll,-132", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Hyper-V\\SnapInAbout.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\mmc.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%ProgramFiles%\\Hyper-V\\", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "\"%windir%\\system32\\virtmgmt.msc\"", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253332..Hyper-V Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%ProgramFiles%\\Hyper-V\\SnapInAbout.dll,-132", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Hyper-V\\SnapInAbout.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": 
"%windir%\\system32\\mmc.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%ProgramFiles%\\Hyper-V\\", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "\"%windir%\\system32\\virtmgmt.msc\"", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253332.Windows.Hyper-V Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%ProgramFiles%\\Hyper-V\\SnapInAbout.dll,-132", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Hyper-V\\SnapInAbout.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\mmc.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%ProgramFiles%\\Hyper-V\\", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253335..VMConnect.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%ProgramFiles%\\Hyper-V\\SnapInAbout.dll,-301", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\vmconnect.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\vmconnect.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%ProgramFiles%\\Hyper-V\\", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253335.Windows.VMConnect.lnk", + 
"Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%ProgramFiles%\\Hyper-V\\SnapInAbout.dll,-301", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\vmconnect.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\vmconnect.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253398.Windows.ADSIEdit.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\adsiedit.dll,-43003", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\system32\\adsiedit.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%SystemRoot%\\system32\\adsiedit.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253427.Windows.Active Directory Sites and Services.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\system32\\dsadmin.dll,-8888", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\system32\\dsadmin.dll", + "AppIdName": null, + "FileExt": null, + 
"NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%SystemRoot%\\system32\\dssite.msc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253454.Windows.ADAM Install.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\ADAM\\adaminstall.exe,-5003", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\ADAM\\adaminstall.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%SystemRoot%\\ADAM\\adaminstall.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%windir%\\ehome", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253556.Windows.Media Center.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\ehome\\ehres.dll,-116", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\ehome\\ehshell.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\ehome\\ehshell.exe" + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "7zFM.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\7-Zip\\7zFM.exe", + "ModificationDateTime": "11/19/2010 01:10:48.000000", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\25367..7-Zip File Manager.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 00:28:34.161690", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 7, + "ParentRefStr": "24650-7", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "7-Zip", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "7-Zip", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 7, + "EntryNum": 24650, + "FileReferenceInt": 1970324836999242, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "10/18/2013 00:28:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "24650-7" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "7zFM.exe", + "Location": null, + "Comments": null, + "ModificationTime": "11/19/2010 01:10:48.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + 
"FileSize": 740352, + "ExtentionBlocks": [ + { + "LongName": "7zFM.exe", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 11, + "EntryNum": 24652, + "FileReferenceInt": 3096224743841868, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "11/19/2010 01:10:48.000000", + "Signature": "0xbeef0004L", + "RefNum": "24652-11" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "7-Zip", + "ParentEntryNum": 24650, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\7-Zip\\7zFM.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 740352, + "CreationDateTime": "11/19/2010 01:10:48.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "7-zip.chm", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\7-Zip\\7-zip.chm", + "ModificationDateTime": "11/19/2010 01:08:04.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\25372..7-Zip Help.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", 
+ "AccessDateTime": "10/18/2013 00:28:34.247751", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 7, + "ParentRefStr": "24650-7", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "7-Zip", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "7-Zip", + "ExtentionBlockSize": 60, + "LocalizedName": null, + "SeqNum": 7, + "EntryNum": 24650, + "FileReferenceInt": 1970324836999242, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "10/18/2013 00:28:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "24650-7" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "7-zip.chm", + "Location": null, + "Comments": null, + "ModificationTime": "11/19/2010 01:08:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 91020, + "ExtentionBlocks": [ + { + "LongName": "7-zip.chm", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 8, + "EntryNum": 24674, + 
"FileReferenceInt": 2251799813709922, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "11/19/2010 01:08:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "24674-8" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "7-Zip", + "ParentEntryNum": 24650, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\7-Zip\\7-zip.chm", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "chm", + "NetworkPath": null, + "FileSize": 91020, + "CreationDateTime": "11/19/2010 01:08:04.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253931.Windows.IIS Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\inetsrv\\InetMgr.exe,-102", + "RelativePath": null, + "Codepage": "cp1252", 
+ "IconLoc": "%windir%\\system32\\inetsrv\\InetMgr.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\inetsrv\\InetMgr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253932.Windows.IIS Client Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\inetsrv\\InetMgr.exe,-102", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\inetsrv\\InetMgr.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\inetsrv\\InetMgr.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\253953.Windows.IIS6 Manager.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\inetsrv\\InetMgr6.exe,-202", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\inetsrv\\InetMgr6.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\inetsrv\\InetMgr6.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + 
"CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\254109.Windows.NetworkProjection.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%SystemRoot%\\system32\\NetProjW.dll,-511", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\NetProjW.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\NetProj.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%ProgramFiles%\\CMAK", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\254152.Windows.Connection Manager Administration Kit.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%ProgramFiles%\\CMAK\\cmak.exe,-1022", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\CMAK\\cmak.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%ProgramFiles%\\CMAK\\cmak.exe" + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "01ff1a22e91a9404ca882a72e80c7f0044836fe5c6.jpg", + "WorkingDir": "C:\\Users\\Donald\\Pictures\\iCloud Photos\\Shared\\Camera Photos", + "LocalPath": "C:\\Users\\Donald\\Pictures\\iCloud Photos\\Shared\\Camera Photos\\01ff1a22e91a9404ca882a72e80c7f0044836fe5c6.jpg", + "ModificationDateTime": "10/17/2013 19:27:17.427406", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\26209.Donald.01ff1a22e91a9404ca882a72e80c7f0044836fe5c6.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/17/2013 19:27:14.067206", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": 
"0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 8, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Pictures\\iCloud Photos\\Shared\\Camera Photos\\01ff1a22e91a9404ca882a72e80c7f0044836fe5c6.jpg", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "jpg", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Pictures\\iCloud Photos\\Shared\\Camera Photos\\01ff1a22e91a9404ca882a72e80c7f0044836fe5c6.jpg", + "FileSize": 1595010, + "CreationDateTime": "10/17/2013 19:27:14.067206", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\26576.Donald.In Review - NOT FOR RELEASE.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 6, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "b28aa736-876b-46da-b3a8-84c5e30ba492", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\274807.Windows.Scan Management.lnk", + "Flags": "", + 
"DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%windir%\\system32\\SmcNative.dll,-10002", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\system32\\SmcNative.dll", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\system32\\ScanManagement.msc" + }, + { + "VolumeLabel": null, + "BaseName": "wmplayer.exe", + "WorkingDir": "%ProgramFiles(x86)%\\Windows Media Player", + "LocalPath": null, + "ModificationDateTime": "08/22/2013 03:48:35.980021", + "CmdArgs": "/prefetch:1", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\280261..Windows Media Player.lnk", + "Flags": "Archive;", + "DriveType": null, + "AccessDateTime": "08/22/2013 03:48:36.308178", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@%systemroot%\\syswow64\\unregmp2.exe,-155", + "RelativePath": "..\\..\\..\\..\\..\\Program Files (x86)\\Windows Media Player\\wmplayer.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 164864, + "CreationDateTime": "08/22/2013 03:48:36.308178", + "EnvVarLoc": "%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\281050.Donald.TheWallStreetJournal.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + 
"IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\281117.Donald.App.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iexplore.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "ModificationDateTime": "08/22/2013 12:34:04.110966", + "CmdArgs": "-pinnedSite -contentTile -formatVersion 0x00000003 -pinnedTimeLow 0xab980917 -pinnedTimeHigh 0x01cecc6e -securityFlags 0x00000000 -tileType 0x00000002 -url 0x00000019 http://www.wpcentral.com/", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\28994.Donald.-21032278930.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/22/2013 08:52:25.004329", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "197705-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + 
"ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/10/2013 07:46:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Explorer", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 197705, + "FileReferenceInt": 1688849860461641, + "AccessTime": "10/10/2013 07:46:14.000000", + "CreationTime": "08/22/2013 15:36:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "197705-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "iexplore.exe", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 12:34:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 804464, + "ExtentionBlocks": [ + { + "LongName": "iexplore.exe", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 217849, + "FileReferenceInt": 281474976928505, + "AccessTime": "08/22/2013 08:52:26.000000", + "CreationTime": "08/22/2013 08:52:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "217849-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + 
"Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Explorer", + "ParentEntryNum": 197705, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 804464, + "CreationDateTime": "08/22/2013 08:52:25.004329", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "MSACCESS.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\MSACCESS.EXE", + "ModificationDateTime": "09/23/2013 20:30:00.297612", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30037..Access 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:29:54.441764", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": 
"@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + 
"FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "MSACCESS.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:30:02.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 20579496, + "ExtentionBlocks": [ + { + "LongName": "MSACCESS.EXE", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 30227, + "FileReferenceInt": 844424930162195, + "AccessTime": "09/23/2013 20:29:56.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "30227-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Build a professional app quickly to manage data.", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\MSACCESS.EXE", 
+ "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\accicons.exe", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 20579496, + "CreationDateTime": "09/23/2013 20:24:21.196536", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "EXCEL.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\EXCEL.EXE", + "ModificationDateTime": "09/23/2013 20:28:31.559819", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30039..Excel 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:15.874480", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + 
"LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "EXCEL.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:32.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 32876192, + "ExtentionBlocks": [ + { + "LongName": "EXCEL.EXE", + "ExtentionBlockSize": 68, + 
"LocalizedName": null, + "SeqNum": 24, + "EntryNum": 4777, + "FileReferenceInt": 6755399441060521, + "AccessTime": "09/23/2013 20:28:16.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "4777-24" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Easily discover, visualize, and share insights from your data.", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\EXCEL.EXE", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\xlicons.exe", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 32876192, + "CreationDateTime": "09/23/2013 20:24:21.102777", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "INFOPATH.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\INFOPATH.EXE", + "ModificationDateTime": "09/23/2013 20:29:23.501406", + "CmdArgs": "/design", + 
"Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30040..InfoPath Designer 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:29:22.969520", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "INFOPATH.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:29:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 2557096, + "ExtentionBlocks": [ + { + "LongName": "INFOPATH.EXE", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 30416, + "FileReferenceInt": 844424930162384, + "AccessTime": "09/23/2013 20:29:24.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "30416-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + 
"ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Design dynamic forms to gather and reuse information throughout the organization using Microsoft InfoPath.", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\INFOPATH.EXE", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\inficon.exe", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 2557096, + "CreationDateTime": "09/23/2013 20:24:21.134033", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "INFOPATH.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\INFOPATH.EXE", + "ModificationDateTime": "09/23/2013 20:29:23.501406", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30042..InfoPath Filler 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:29:22.969520", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + 
"Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + 
"Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "INFOPATH.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:29:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 2557096, + "ExtentionBlocks": [ + { + "LongName": "INFOPATH.EXE", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 30416, + "FileReferenceInt": 844424930162384, + "AccessTime": "09/23/2013 20:29:24.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "30416-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + 
"ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Fill out dynamic forms to gather and reuse information throughout the organization using Microsoft InfoPath.", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\INFOPATH.EXE", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\inficon.exe", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 2557096, + "CreationDateTime": "09/23/2013 20:24:21.134033", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "lync.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\lync.exe", + "ModificationDateTime": "09/23/2013 20:29:35.414716", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30043..Lync 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:29:29.537026", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 
13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + 
] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "lync.exe", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:29:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 22170784, + "ExtentionBlocks": [ + { + "LongName": "lync.exe", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 30417, + "FileReferenceInt": 844424930162385, + "AccessTime": "09/23/2013 20:29:30.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "30417-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Connect with people everywhere through voice and video calls, Lync Meetings, and IM.", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\lync.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\lyncicon.exe", + 
"AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 22170784, + "CreationDateTime": "09/23/2013 20:24:21.149659", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "AppVLP.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\client\\AppVLP.exe", + "ModificationDateTime": "09/23/2013 20:29:01.592311", + "CmdArgs": "\"C:\\Program Files (x86)\\Microsoft Office\\Office15\\DCF\\DATABASECOMPARE.EXE\"", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30046..Database Compare 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:29:01.576690", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 10, + "ParentRefStr": "5217-10", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + 
"LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "client", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:29:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "client", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 5217, + "FileReferenceInt": 2814749767111777, + "AccessTime": "09/23/2013 20:29:04.000000", + "CreationTime": "09/23/2013 20:24:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "5217-10" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "AppVLP.exe", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:29:02.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 380160, + "ExtentionBlocks": [ + { + "LongName": "AppVLP.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 30488, + "FileReferenceInt": 
562949953451800, + "AccessTime": "09/23/2013 20:29:02.000000", + "CreationTime": "09/23/2013 20:29:02.000000", + "Signature": "0xbeef0004L", + "RefNum": "30488-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "client", + "ParentEntryNum": 5217, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Compare versions of an Access database.", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\client\\AppVLP.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\dbcicons.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 380160, + "CreationDateTime": "09/23/2013 20:29:01.576690", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "OcPubMgr.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\OcPubMgr.exe", + "ModificationDateTime": "09/23/2013 20:31:34.187536", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30048..Lync 
Recording Manager.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:24:21.290291", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + 
"ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "OcPubMgr.exe", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:31:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1843408, + "ExtentionBlocks": [ + { + "LongName": "OcPubMgr.exe", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 28824, + "FileReferenceInt": 562949953450136, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "28824-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", 
+ "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Manage all your Lync recordings in one place.", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\OcPubMgr.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\lyncicon.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 1843408, + "CreationDateTime": "09/23/2013 20:24:21.290291", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "SETLANG.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\SETLANG.EXE", + "ModificationDateTime": "09/23/2013 20:32:22.248700", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30049..Office 2013 Language Preferences.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:24:21.368419", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + 
"FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "SETLANG.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 55512, + "ExtentionBlocks": [ + { + "LongName": "SETLANG.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 29342, + "FileReferenceInt": 562949953450654, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "29342-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Change 
the language preferences for Office applications.", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\SETLANG.EXE", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\misc.exe", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 55512, + "CreationDateTime": "09/23/2013 20:24:21.368419", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "MSOUC.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\MSOUC.EXE", + "ModificationDateTime": "09/23/2013 20:32:22.247698", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30051..Office 2013 Upload Center.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:24:21.243413", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + 
"ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "MSOUC.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:24.000000", + "ShellItemTypeStr": 
"file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 626368, + "ExtentionBlocks": [ + { + "LongName": "MSOUC.EXE", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 28655, + "FileReferenceInt": 562949953449967, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "28655-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Manage file uploads to web servers using the Microsoft Office Upload Center.", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\MSOUC.EXE", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\msouc.exe", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 626368, + "CreationDateTime": "09/23/2013 20:24:21.243413", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "AppVLP.exe", + 
"WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\client\\AppVLP.exe", + "ModificationDateTime": "09/23/2013 20:29:01.592311", + "CmdArgs": "\"C:\\Program Files (x86)\\Microsoft Office\\Office15\\DCF\\SPREADSHEETCOMPARE.EXE\"", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30052..Spreadsheet Compare 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:29:01.576690", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 10, + "ParentRefStr": "5217-10", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": 
"4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "client", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:29:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "client", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 5217, + "FileReferenceInt": 2814749767111777, + "AccessTime": "09/23/2013 20:29:04.000000", + "CreationTime": "09/23/2013 20:24:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "5217-10" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "AppVLP.exe", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:29:02.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 380160, + "ExtentionBlocks": [ + { + "LongName": "AppVLP.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 30488, + "FileReferenceInt": 562949953451800, + "AccessTime": "09/23/2013 20:29:02.000000", + "CreationTime": "09/23/2013 20:29:02.000000", + "Signature": "0xbeef0004L", + "RefNum": "30488-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": 
"00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "client", + "ParentEntryNum": 5217, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Compare versions of an Excel workbook.", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\client\\AppVLP.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\sscicons.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 380160, + "CreationDateTime": "09/23/2013 20:29:01.576690", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "msotd.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\msotd.exe", + "ModificationDateTime": "09/23/2013 20:32:18.680480", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30054..Telemetry Dashboard for Office 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:24:21.243413", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { 
+ "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 
20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "msotd.exe", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 37048, + "ExtentionBlocks": [ + { + "LongName": "msotd.exe", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 28645, + "FileReferenceInt": 562949953449957, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "28645-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + 
"ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Analyze and monitor Office solutions in your organization by using Office Telemetry Dashboard.", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\msotd.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\osmadminicon.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 37048, + "CreationDateTime": "09/23/2013 20:24:21.243413", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "msoev.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\msoev.exe", + "ModificationDateTime": "09/23/2013 20:32:18.680480", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30055..Telemetry Log for Office 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:24:21.227788", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": 
"@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + 
"FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "msoev.exe", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 37040, + "ExtentionBlocks": [ + { + "LongName": "msoev.exe", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 28574, + "FileReferenceInt": 562949953449886, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "28574-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "View critical errors, compatibility issues and workaround information for your Office solutions by using Office Telemetry Log.", + "RelativePath": 
"..\\..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\msoev.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\osmclienticon.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 37040, + "CreationDateTime": "09/23/2013 20:24:21.227788", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "ONENOTE.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\ONENOTE.EXE", + "ModificationDateTime": "09/23/2013 20:30:04.506519", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30057..OneNote 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:30:03.365957", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + 
"ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ONENOTE.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:30:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 2223272, + 
"ExtentionBlocks": [ + { + "LongName": "ONENOTE.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 30229, + "FileReferenceInt": 844424930162197, + "AccessTime": "09/23/2013 20:30:04.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "30229-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Take notes and have them when you need them.", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\ONENOTE.EXE", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\joticon.exe", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 2223272, + "CreationDateTime": "09/23/2013 20:24:21.305918", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "OUTLOOK.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\OUTLOOK.EXE", + 
"ModificationDateTime": "09/23/2013 20:30:21.889179", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30058..Outlook 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:30:14.334581", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 
20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "OUTLOOK.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:30:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 26695336, + "ExtentionBlocks": [ + { + "LongName": "OUTLOOK.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 30242, + "FileReferenceInt": 1125899906872866, + "AccessTime": "09/23/2013 20:30:16.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "30242-4" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": 
null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Manage your email, schedules, contacts, and to-dos.", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\OUTLOOK.EXE", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\outicon.exe", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 26695336, + "CreationDateTime": "09/23/2013 20:24:21.321541", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "POWERPNT.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\POWERPNT.EXE", + "ModificationDateTime": "09/23/2013 20:30:22.873597", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30060..PowerPoint 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:30:22.623624", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + 
"Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + 
"Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "POWERPNT.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:30:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1848408, + "ExtentionBlocks": [ + { + "LongName": "POWERPNT.EXE", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 30410, + "FileReferenceInt": 844424930162378, + "AccessTime": "09/23/2013 20:30:24.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "30410-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + 
"ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Design and deliver beautiful presentations with ease and confidence.", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\POWERPNT.EXE", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\pptico.exe", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1848408, + "CreationDateTime": "09/23/2013 20:24:21.337164", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "MSPUB.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\MSPUB.EXE", + "ModificationDateTime": "09/23/2013 20:28:35.343601", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30061..Publisher 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:31.528579", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } 
+ ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + 
"Identifier": null, + "Name": "MSPUB.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 14111400, + "ExtentionBlocks": [ + { + "LongName": "MSPUB.EXE", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 4021, + "FileReferenceInt": 844424930135989, + "AccessTime": "09/23/2013 20:28:32.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "4021-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Create professional-grade publications that make an impact.", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\MSPUB.EXE", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\pubs.exe", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 14111400, + 
"CreationDateTime": "09/23/2013 20:24:21.243413", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "ONENOTEM.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\ONENOTEM.EXE", + "ModificationDateTime": "09/23/2013 20:27:39.630588", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30063..Send to OneNote 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:24:21.305918", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 
20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ONENOTEM.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:27:40.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 186544, + "ExtentionBlocks": [ + { + "LongName": "ONENOTEM.EXE", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 29241, + "FileReferenceInt": 562949953450553, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "29241-2" + } + 
] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Show the clipping panel (Windows+N) or take a screen clipping (Windows+S)", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\ONENOTEM.EXE", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\joticon.exe", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 186544, + "CreationDateTime": "09/23/2013 20:24:21.305918", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "GROOVE.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\GROOVE.EXE", + "ModificationDateTime": "09/23/2013 20:29:22.797642", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30064..SkyDrive Pro 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:29:19.310598", + 
"DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": 
"09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "GROOVE.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:29:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 13067952, + "ExtentionBlocks": [ + { + "LongName": "GROOVE.EXE", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 14, + "EntryNum": 3978, + "FileReferenceInt": 3940649673953162, + "AccessTime": "09/23/2013 20:29:20.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "3978-14" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": 
"0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Sync SharePoint documents to your computer and work with the content as if you were connected using Microsoft SkyDrive Pro.", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\GROOVE.EXE", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\grv_icons.exe", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 13067952, + "CreationDateTime": "09/23/2013 20:24:21.118407", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WINWORD.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "ModificationDateTime": "09/23/2013 20:28:41.621819", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\30066..Word 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:28:41.309315", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, 
+ "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": 
"office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WINWORD.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:28:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1925280, + "ExtentionBlocks": [ + { + "LongName": "WINWORD.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 10, + "EntryNum": 7453, + "FileReferenceInt": 2814749767114013, + "AccessTime": "09/23/2013 20:28:42.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-10" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Create beautiful documents, easily work with others, and 
enjoy the read.", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\WINWORD.EXE", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\wordicon.exe", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 1925280, + "CreationDateTime": "09/23/2013 20:24:21.399667", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\3018.Donald.App.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Netflix 3Q13 Conference Call Announcement 09 30 13.pdf", + "WorkingDir": "C:\\Users\\Donald\\SkyDrive\\Documents", + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\Netflix 3Q13 Conference Call Announcement 09 30 13.pdf", + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\3285.Donald.Netflix 3Q13 Conference Call Announcement 09 30 13.lnk", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": "Documents", + "DistinctTypesHex": "0x32L;0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + 
"ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 19:49:02.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "09/23/2013 19:49:02.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "Netflix 3Q13 Conference Call Announcement 09 30 13.pdf", + "Location": null, + "Comments": null, + "ModificationTime": "1601-01-01 00:00:00", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "FileReferenceInt": null, + "SeqNum": null, + "Signature": "0xbeef0004L", + "RefNum": null, + "EntryNum": null, + "LongName": "Netflix 3Q13 Conference Call Announcement 09 30 13.pdf", + "ExtentionBlockSize": 158, + "LocalizedName": null + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef0004L", + "ItemCount": 4, + "ParentRefStr": "127282-3", + "ParentEntryNum": 127282, + "RootFolder": [ + { + "ShellFolderId": "8e74d236-7f35-4720-b138-1fed0b85ea75", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\SkyDrive\\Documents\\Netflix 3Q13 Conference Call Announcement 09 30 13.pdf", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "pdf", + "NetworkPath": null, + "FileSize": 0, + 
"CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "OUTLOOK.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\OUTLOOK.EXE", + "ModificationDateTime": "09/23/2013 20:30:21.889179", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\3307.Donald.Outlook 2013.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:30:14.334581", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:23:56.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 20:23:56.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 
20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:32:38.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:32:38.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "OUTLOOK.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:30:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 26695336, + "ExtentionBlocks": [ + { + "LongName": "OUTLOOK.EXE", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 30242, + "FileReferenceInt": 1125899906872866, + "AccessTime": "09/23/2013 20:30:16.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "30242-4" + } + 
] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Manage your email, schedules, contacts, and to-dos.", + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\OUTLOOK.EXE", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Microsoft Office 15\\Root\\VFS\\Windows\\Installer\\{90150000-000F-0000-1000-0000000FF1CE}\\outicon.exe", + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 26695336, + "CreationDateTime": "09/23/2013 20:24:21.321541", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "TIVO Research.docx", + "WorkingDir": "C:\\Users\\Donald\\SkyDrive\\Documents", + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\TIVO Research.docx", + "ModificationDateTime": "10/20/2013 01:33:27.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\3350.Donald.TIVO Research.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/20/2013 18:58:26.000000", + 
"DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": "Documents", + "DistinctTypesHex": "0x32L;0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:50:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "10/21/2013 18:50:46.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "TIVORE~1.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "10/20/2013 01:33:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 122735, + "ExtentionBlocks": [ + { + "LongName": "TIVO Research.docx", + "ExtentionBlockSize": 86, + "LocalizedName": null, + "SeqNum": 8, + "EntryNum": 20201, + "FileReferenceInt": 2251799813705449, + "AccessTime": "10/20/2013 18:58:26.000000", + "CreationTime": "08/08/2013 03:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "20201-8" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L", + "ItemCount": 4, + "ParentRefStr": "127282-3", + "ParentEntryNum": 127282, + "RootFolder": [ + { + "ShellFolderId": "8e74d236-7f35-4720-b138-1fed0b85ea75", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + 
"FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\SkyDrive\\Documents\\TIVO Research.docx", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\SkyDrive\\Documents\\TIVO Research.docx", + "FileSize": 122735, + "CreationDateTime": "08/08/2013 03:53:07.250000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Blue Harvest Business Plan.docx", + "WorkingDir": "C:\\Users\\Donald\\Dropbox\\Shared Documents\\Confidential Analysis Data", + "LocalPath": "C:\\Users\\Donald\\Dropbox\\Shared Documents\\Confidential Analysis Data\\Blue Harvest Business Plan.docx", + "ModificationDateTime": "08/12/2013 03:39:23.540000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\3373.Donald.Blue Harvest Business Plan.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/08/2013 19:18:11.402623", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": "Confidential Analysis Data", + "DistinctTypesHex": "0x0L;0x31L;0x32L;0x1fL", + "ParentSeqNum": 4, + "DistinctTypesStr": "item;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "Dropbox", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 48220, + "FileReferenceInt": 1125899906890844, + "AccessTime": "08/08/2013 19:17:00.000000", + "CreationTime": "08/08/2013 19:17:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "48220-4" + } + ] + }, + { + 
"ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SHARED~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/08/2013 19:18:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Shared Documents", + "ExtentionBlockSize": 82, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 48358, + "FileReferenceInt": 1125899906890982, + "AccessTime": "08/08/2013 19:18:12.000000", + "CreationTime": "08/08/2013 19:18:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "48358-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "CONFID~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/08/2013 19:18:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Confidential Analysis Data", + "ExtentionBlockSize": 102, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 48359, + "FileReferenceInt": 1125899906890983, + "AccessTime": "08/08/2013 19:18:12.000000", + "CreationTime": "08/08/2013 19:18:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "48359-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "BLUEHA~1.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 03:39:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 366117, + "ExtentionBlocks": [ + { + "LongName": "Blue Harvest Business Plan.docx", + "ExtentionBlockSize": 112, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 48361, + "FileReferenceInt": 2533274790444265, + "AccessTime": "08/08/2013 19:18:12.000000", + "CreationTime": "08/08/2013 19:18:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "48361-9" + } + ] + } + ], + 
"ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "ParentRefStr": "48359-4", + "ParentEntryNum": 48359, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Dropbox\\Shared Documents\\Confidential Analysis Data\\Blue Harvest Business Plan.docx", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Dropbox\\Shared Documents\\Confidential Analysis Data\\Blue Harvest Business Plan.docx", + "FileSize": 366117, + "CreationDateTime": "08/08/2013 19:18:11.402623", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\3413.Donald.Microsoft.XboxLIVEGames.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iexplore.exe", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "ModificationDateTime": "08/22/2013 12:34:04.110966", + "CmdArgs": "-pinnedSite -contentTile 
-formatVersion 0x00000003 -pinnedTimeLow 0x3be81542 -pinnedTimeHigh 0x01cecc6f -securityFlags 0x00000000 -tileType 0x00000003 -url 0x00000013 http://www.cnn.com/", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\36336.Donald.-6642553740.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/22/2013 08:52:25.004329", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "197705-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/10/2013 07:46:14.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Explorer", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 197705, + "FileReferenceInt": 1688849860461641, + "AccessTime": "10/10/2013 07:46:14.000000", + "CreationTime": "08/22/2013 15:36:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "197705-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": 
"iexplore.exe", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 12:34:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 804464, + "ExtentionBlocks": [ + { + "LongName": "iexplore.exe", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 217849, + "FileReferenceInt": 281474976928505, + "AccessTime": "08/22/2013 08:52:26.000000", + "CreationTime": "08/22/2013 08:52:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "217849-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Explorer", + "ParentEntryNum": 197705, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 804464, + "CreationDateTime": "08/22/2013 08:52:25.004329", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "-pinnedSite -contentTile -formatVersion 0x00000003 -pinnedTimeLow 
0xab980917 -pinnedTimeHigh 0x01cecc6e -securityFlags 0x00000000 -tileType 0x00000002 -url 0x00000019 http://www.wpcentral.com/", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\36337.Donald.-21032278930.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\36980.Donald.txt_12014267_en-US.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\37037.Donald.txt_4149799324_en-US.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + 
"EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": "-pinnedSite -contentTile -formatVersion 0x00000003 -pinnedTimeLow 0x3be81542 -pinnedTimeHigh 0x01cecc6f -securityFlags 0x00000000 -tileType 0x00000003 -url 0x00000013 http://www.cnn.com/", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\37239.Donald.-6642553740.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\39050.Donald.txt_3037234875_en-us.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\39095.Donald.com.amazon.kindle.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + 
"LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "SEC-NFLX-1193125-12-53009.pdf", + "WorkingDir": "C:\\Users\\Donald\\Documents\\NETFLIX SEC Filings", + "LocalPath": "C:\\Users\\Donald\\Documents\\NETFLIX SEC Filings\\SEC-NFLX-1193125-12-53009.pdf", + "ModificationDateTime": "09/01/2013 16:53:08.294901", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\4058.Donald.SEC-NFLX-1193125-12-53009.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/01/2013 16:53:05.023355", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + 
"Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 6, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Documents\\NETFLIX SEC Filings\\SEC-NFLX-1193125-12-53009.pdf", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "pdf", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\NETFLIX SEC Filings\\SEC-NFLX-1193125-12-53009.pdf", + "FileSize": 817273, + "CreationDateTime": "09/01/2013 16:53:07.982816", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\4200.Donald.txt_2004011219_en-US.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42358.Donald.AppexFinance.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42375.Donald.AppexTravel.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42420.Donald.AppexSports.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 
00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42430.Donald.Microsoft.ZuneVideo.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42431.Donald.Microsoft.Reader.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42438.Donald.App.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + 
"ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42441.Donald.App.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42445.Donald.Microsoft.WindowsLive.Mail.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42448.Donald.AppexNews.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + 
"WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42450.Donald.App.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42453.Donald.Microsoft.ZuneMusic.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42454.Donald.Microsoft.WindowsLive.Calendar.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + 
}, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42457.Donald.Microsoft.WindowsLive.People.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42464.Donald.App.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42468.Donald.App.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 
00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Jordan Boone Article.docx", + "WorkingDir": "C:\\Users\\Donald\\SkyDrive\\Documents\\Articles", + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\Articles\\Jordan Boone Article.docx", + "ModificationDateTime": "10/21/2013 20:05:27.683000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\4260.Donald.Jordan Boone Article.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 20:05:13.341847", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": "Articles", + "DistinctTypesHex": "0x32L;0x31L;0x1fL", + "ParentSeqNum": 20, + "DistinctTypesStr": "root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 19:59:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "10/21/2013 19:59:22.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Articles", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 20:05:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Articles", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 20, + "EntryNum": 3729, + "FileReferenceInt": 5629499534216849, + "AccessTime": "10/21/2013 
20:05:20.000000", + "CreationTime": "10/21/2013 20:05:12.000000", + "Signature": "0xbeef0004L", + "RefNum": "3729-20" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "JORDAN~1.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 20:05:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 76387, + "ExtentionBlocks": [ + { + "LongName": "Jordan Boone Article.docx", + "ExtentionBlockSize": 100, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 4725, + "FileReferenceInt": 844424930136693, + "AccessTime": "10/21/2013 20:05:14.000000", + "CreationTime": "10/21/2013 20:05:14.000000", + "Signature": "0xbeef0004L", + "RefNum": "4725-3" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 5, + "ParentRefStr": "3729-20", + "ParentEntryNum": 3729, + "RootFolder": [ + { + "ShellFolderId": "8e74d236-7f35-4720-b138-1fed0b85ea75", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\SkyDrive\\Documents\\Articles\\Jordan Boone Article.docx", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\SkyDrive\\Documents\\Articles\\Jordan Boone Article.docx", + "FileSize": 76387, + "CreationDateTime": "10/21/2013 20:05:13.341847", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42618.Donald.txt_2681349743_en-us.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "DECISION MAKING CONTINGENCIES.doc", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:46:54.626965", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\4271.Donald.DECISION MAKING CONTINGENCIES.LNK", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:46:54.425004", + "DriveSerialNumber": "0000-0000", + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "doc", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Articles\\DECISION MAKING CONTINGENCIES.doc", + "FileSize": 154112, + "CreationDateTime": "10/21/2013 19:46:54.425004", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Articles\\DECISION MAKING CONTINGENCIES.doc" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\42720.Donald.iCloud Photos.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2eL", 
+ "Identifier": "f0d63f85-37ec-4097-b30d-61b4a8917118", + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x2eL;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder", + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "iCloud Photos.lnk", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "Lean Startup.pptx", + "WorkingDir": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup", + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:47:23.491690", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\4273.Donald.Lean Startup.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:47:06.659935", + "DriveSerialNumber": "0000-0000", + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "pptx", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Lean startup\\Lean Startup.pptx", + "FileSize": 5397212, + "CreationDateTime": "10/21/2013 19:47:06.659935", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean 
startup\\Lean Startup.pptx" + }, + { + "VolumeLabel": null, + "BaseName": "Lean startup", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:53:29.599870", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\4289.Donald.Lean startup (2).lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:53:29.599870", + "DriveSerialNumber": "0000-0000", + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Lean startup", + "FileSize": 0, + "CreationDateTime": "10/21/2013 19:46:55.588989", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup" + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "NETFLIX SEC Filings", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\NETFLIX SEC Filings", + "ModificationDateTime": "09/01/2013 16:53:22.354680", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\4305.Donald.NETFLIX SEC Filings.lnk", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/01/2013 16:53:22.354680", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + 
"ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Documents\\NETFLIX SEC Filings", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\NETFLIX SEC Filings", + "FileSize": 4096, + "CreationDateTime": "09/01/2013 16:42:57.621673", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\47287.Donald.Microsoft.SkyDriveProMXApp.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + 
"BaseName": "Dropbox", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Dropbox", + "ModificationDateTime": "08/08/2013 19:16:59.932906", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\47290.Donald.Dropbox.lnk", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/08/2013 19:16:59.932906", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "LongName": "Dropbox", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 48220, + "FileReferenceInt": 1125899906890844, + "AccessTime": "08/08/2013 19:17:00.000000", + "CreationTime": "08/08/2013 19:17:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "48220-4" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "59031a47-3f72-44a7-89c5-5595fe6b30ee", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": "A securely backed up place to put your important files.", + "RelativePath": "..\\..\\..\\..\\..\\Dropbox", + "Codepage": "cp1252", + "IconLoc": "%APPDATA%\\Dropbox\\bin\\Dropbox.exe", + "AppIdName": null, + "FileExt": "", + "NetworkPath": 
"\\\\BIFROST\\Users\\Donald\\Dropbox", + "FileSize": 0, + "CreationDateTime": "08/08/2013 19:16:59.932906", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\4732.Donald.App.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Nokia Strategy.docx", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\Nokia Strategy.docx", + "ModificationDateTime": "10/21/2013 18:01:07.385983", + "CmdArgs": "14", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\47752.Donald.Nokia%20Strategy.docx.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 18:03:17.090120", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2eL", + "Identifier": "a8cdff1c-4878-43be-b5fd-f8091c1c60d0", + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x2eL;0x32L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": 
null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "NOKIAS~1.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:01:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 117646, + "ExtentionBlocks": [ + { + "LongName": "Nokia Strategy.docx", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 47736, + "FileReferenceInt": 562949953469048, + "AccessTime": "10/21/2013 18:03:18.000000", + "CreationTime": "10/21/2013 18:01:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "47736-2" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L", + "ItemCount": 4, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Latest version", + "RelativePath": "..\\..\\..\\..\\..\\Documents\\Nokia Strategy.docx", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\Nokia Strategy.docx", + "FileSize": 117646, + "CreationDateTime": "10/21/2013 18:01:07.385983", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Red Solo Cup (Hip Hop Re-Mix) - Single", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Music\\iTunes\\iTunes Media\\Music\\Hip Hop Rednex\\Red Solo Cup (Hip Hop Re-Mix) - Single", + "ModificationDateTime": "10/03/2013 12:08:50.016527", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\4779.Donald.Red Solo Cup (Hip Hop Re-Mix) - Single.lnk", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + 
"AccessDateTime": "10/03/2013 12:08:50.016527", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + 
"FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 9, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Music\\iTunes\\iTunes Media\\Music\\Hip Hop Rednex\\Red Solo Cup (Hip Hop Re-Mix) - Single", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Music\\iTunes\\iTunes Media\\Music\\Hip Hop Rednex\\Red Solo Cup (Hip Hop Re-Mix) - Single", + "FileSize": 0, + "CreationDateTime": "10/01/2013 02:04:32.312268", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Documents", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents", + "ModificationDateTime": "10/21/2013 19:35:39.813921", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\47994.Donald.Documents.LNK", + "Flags": "Read-Only;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 19:35:39.813921", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "232315-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Users", 
+ "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 19:20:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Users", + "ExtentionBlockSize": 100, + "LocalizedName": "@shell32.dll,-21813", + "SeqNum": 3, + "EntryNum": 200313, + "FileReferenceInt": 844424930332281, + "AccessTime": "09/23/2013 19:20:28.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200313-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Donald", + "Location": null, + "Comments": null, + "ModificationTime": "08/01/2013 19:22:44.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Donald", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232315, + "FileReferenceInt": 844424930364283, + "AccessTime": "08/01/2013 19:22:44.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232315-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 19:35:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 108, + "LocalizedName": "@shell32.dll,-21770", + "SeqNum": 3, + "EntryNum": 232344, + "FileReferenceInt": 844424930364312, + "AccessTime": "10/21/2013 19:35:26.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232344-3" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": 
"00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Donald", + "ParentEntryNum": 232315, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Documents", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents", + "FileSize": 8192, + "CreationDateTime": "09/23/2013 19:17:31.367172", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Doncaster-business-plan.xlsx", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\Doncaster-business-plan.xlsx", + "ModificationDateTime": "10/21/2013 18:45:29.100577", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\48065.Donald.Doncaster-business-plan.LNK", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 18:45:29.033156", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "232344-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Users", + "Location": null, + "Comments": null, + "ModificationTime": "10/22/2013 
16:33:18.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Users", + "ExtentionBlockSize": 100, + "LocalizedName": "@shell32.dll,-21813", + "SeqNum": 3, + "EntryNum": 200313, + "FileReferenceInt": 844424930332281, + "AccessTime": "10/22/2013 16:33:18.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200313-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Donald", + "Location": null, + "Comments": null, + "ModificationTime": "08/01/2013 19:22:44.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Donald", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232315, + "FileReferenceInt": 844424930364283, + "AccessTime": "08/01/2013 19:22:44.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232315-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/22/2013 16:33:18.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 108, + "LocalizedName": "@shell32.dll,-21770", + "SeqNum": 3, + "EntryNum": 232344, + "FileReferenceInt": 844424930364312, + "AccessTime": "10/22/2013 16:33:18.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232344-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "DONCAS~1.XLS", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:45:30.000000", + "ShellItemTypeStr": 
"file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 32746, + "ExtentionBlocks": [ + { + "LongName": "Doncaster-business-plan.xlsx", + "ExtentionBlockSize": 106, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 48343, + "FileReferenceInt": 562949953469655, + "AccessTime": "10/21/2013 18:45:30.000000", + "CreationTime": "10/21/2013 18:38:30.000000", + "Signature": "0xbeef0004L", + "RefNum": "48343-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Documents", + "ParentEntryNum": 232344, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Documents\\Doncaster-business-plan.xlsx", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "xlsx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\Doncaster-business-plan.xlsx", + "FileSize": 32746, + "CreationDateTime": "10/21/2013 18:38:28.600612", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Key Files", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\Key Files", + "ModificationDateTime": "10/21/2013 18:50:49.270326", + 
"CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\48096.Donald.Key Files.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 18:50:49.270326", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": "Documents", + "DistinctTypesHex": "0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:33:04.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "10/21/2013 18:33:04.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "KEYFIL~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:50:44.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Key Files", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 45234, + "FileReferenceInt": 2533274790441138, + "AccessTime": "10/21/2013 18:50:44.000000", + "CreationTime": "10/21/2013 18:50:44.000000", + "Signature": "0xbeef0004L", + "RefNum": "45234-9" + } + ] + } + ], + "ExtentionListing": "0xbeef0004L;0xbeef0004L", + "ItemCount": 4, + "ParentRefStr": "127282-3", + "ParentEntryNum": 127282, + "RootFolder": [ + { + "ShellFolderId": "8e74d236-7f35-4720-b138-1fed0b85ea75", + "ShellItemTypeHex": 
"0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\SkyDrive\\Documents\\Key Files", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\SkyDrive\\Documents\\Key Files", + "FileSize": 0, + "CreationDateTime": "10/21/2013 18:50:42.518360", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\48104.Donald.txt_2711820364_en-US.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "067.jpg", + "WorkingDir": "C:\\Users\\Donald\\Pictures\\2013-10-21", + "LocalPath": "C:\\Users\\Donald\\Pictures\\2013-10-21\\067.jpg", + "ModificationDateTime": "10/19/2013 02:17:39.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\48239.Donald.067.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/19/2013 02:17:39.000000", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + 
"ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 6, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Pictures\\2013-10-21\\067.jpg", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "jpg", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Pictures\\2013-10-21\\067.jpg", + "FileSize": 2196383, + "CreationDateTime": "10/19/2013 02:17:39.000000", + "EnvVarLoc": null + }, + { + 
"VolumeLabel": "Windows8_OS", + "BaseName": "2013-10-21", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Pictures\\2013-10-21", + "ModificationDateTime": "10/21/2013 17:39:53.391732", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\48242.Donald.2013-10-21.lnk", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 17:39:53.391732", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] 
+ }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Pictures\\2013-10-21", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Pictures\\2013-10-21", + "FileSize": 40960, + "CreationDateTime": "10/21/2013 17:39:09.523457", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iexplore.exe", + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "ModificationDateTime": "08/22/2013 12:34:04.110966", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\48332.Donald.Internet Explorer.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/22/2013 08:52:25.004329", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "197705-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 19:20:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "09/23/2013 19:20:24.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 19:09:54.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + 
"ExtentionBlocks": [ + { + "LongName": "Internet Explorer", + "ExtentionBlockSize": 84, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 197705, + "FileReferenceInt": 1688849860461641, + "AccessTime": "08/22/2013 19:09:54.000000", + "CreationTime": "08/22/2013 15:36:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "197705-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "iexplore.exe", + "Location": null, + "Comments": null, + "ModificationTime": "08/22/2013 12:34:06.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 804464, + "ExtentionBlocks": [ + { + "LongName": "iexplore.exe", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 217849, + "FileReferenceInt": 281474976928505, + "AccessTime": "08/22/2013 08:52:26.000000", + "CreationTime": "08/22/2013 08:52:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "217849-1" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Explorer", + "ParentEntryNum": 197705, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": 
"@\"%windir%\\System32\\ie4uinit.exe\",-732", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\..\\Program Files\\Internet Explorer\\iexplore.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 804464, + "CreationDateTime": "08/22/2013 08:52:25.004329", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\48349.Donald.File Explorer.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "52205fd8-5dfb-447d-801a-d0b52f2e83e1", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@%SystemRoot%\\system32\\Shell32.dll,-22579", + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\explorer.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "USB", + "BaseName": "", + "WorkingDir": null, + "LocalPath": "F:\\", + "ModificationDateTime": "01/01/1980 04:00:00.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\48350.Donald.USB (F).LNK", + "Flags": "", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": 
"01/01/1980 04:00:00.000000", + "DriveSerialNumber": "39c7-1beb", + "AppIdCode": null, + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "F:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x2fL;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder", + "ExtentionListing": "", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "01/01/1980 04:00:00.000000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Dropbox", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Dropbox", + "ModificationDateTime": "08/01/2013 19:20:59.710846", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\48404.Donald.Dropbox.LNK", + "Flags": "Read-Only;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/01/2013 19:20:59.710846", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "232315-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": 
null, + "Name": "Users", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 19:20:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Users", + "ExtentionBlockSize": 100, + "LocalizedName": "@shell32.dll,-21813", + "SeqNum": 3, + "EntryNum": 200313, + "FileReferenceInt": 844424930332281, + "AccessTime": "09/23/2013 19:20:28.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200313-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Donald", + "Location": null, + "Comments": null, + "ModificationTime": "08/08/2013 19:17:00.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Donald", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232315, + "FileReferenceInt": 844424930364283, + "AccessTime": "08/08/2013 19:17:00.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232315-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Dropbox", + "Location": null, + "Comments": null, + "ModificationTime": "08/01/2013 19:21:00.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Dropbox", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 48220, + "FileReferenceInt": 1125899906890844, + "AccessTime": "08/01/2013 19:21:00.000000", + "CreationTime": "08/08/2013 19:17:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "48220-4" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": 
"00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Donald", + "ParentEntryNum": 232315, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Dropbox", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Dropbox", + "FileSize": 4096, + "CreationDateTime": "08/08/2013 19:16:59.932906", + "EnvVarLoc": null + }, + { + "VolumeLabel": "USB", + "BaseName": "business_plan1.doc", + "WorkingDir": null, + "LocalPath": "F:\\Templates\\business_plan1.doc", + "ModificationDateTime": "10/21/2013 19:47:30.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\48409.Donald.business_plan1.LNK", + "Flags": "Archive;", + "DriveType": "DRIVE_REMOVABLE;", + "AccessDateTime": "10/21/2013 04:00:00.000000", + "DriveSerialNumber": "39c7-1beb", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 0, + "ParentRefStr": "253312-0", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "TEMPLA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 20:04:18.000000", + "ShellItemTypeStr": 
"file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Templates", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 253312, + "FileReferenceInt": 253312, + "AccessTime": "10/21/2013 04:00:00.000000", + "CreationTime": "10/21/2013 20:16:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "253312-0" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "BUSINE~3.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 19:47:30.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 153600, + "ExtentionBlocks": [ + { + "LongName": "business_plan1.doc", + "ExtentionBlockSize": 86, + "LocalizedName": null, + "SeqNum": 0, + "EntryNum": 2494848, + "FileReferenceInt": 2494848, + "AccessTime": "10/21/2013 04:00:00.000000", + "CreationTime": "10/21/2013 20:16:26.000000", + "Signature": "0xbeef0004L", + "RefNum": "2494848-0" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "F:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Templates", + "ParentEntryNum": 253312, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L", + "ItemCount": 5, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + 
] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "doc", + "NetworkPath": null, + "FileSize": 153600, + "CreationDateTime": "10/21/2013 20:16:24.870000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Business_Plan_Mail_Order_Pharmacy2.docx", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\Business_Plan_Mail_Order_Pharmacy2.docx", + "ModificationDateTime": "10/21/2013 18:39:57.951604", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\48452.Donald.Business_Plan_Mail_Order_Pharmacy2.LNK", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 18:39:57.832760", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "232344-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Users", + "Location": null, + "Comments": null, + "ModificationTime": "10/22/2013 16:33:18.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Users", + "ExtentionBlockSize": 100, + "LocalizedName": "@shell32.dll,-21813", + "SeqNum": 3, + "EntryNum": 200313, + "FileReferenceInt": 844424930332281, + "AccessTime": "10/22/2013 16:33:18.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200313-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Donald", + "Location": null, + "Comments": null, + "ModificationTime": "08/01/2013 19:22:44.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Donald", + 
"ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232315, + "FileReferenceInt": 844424930364283, + "AccessTime": "08/01/2013 19:22:44.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232315-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/22/2013 16:33:40.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 108, + "LocalizedName": "@shell32.dll,-21770", + "SeqNum": 3, + "EntryNum": 232344, + "FileReferenceInt": 844424930364312, + "AccessTime": "10/22/2013 16:33:40.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232344-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "BUSINE~3.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:39:58.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 504872, + "ExtentionBlocks": [ + { + "LongName": "Business_Plan_Mail_Order_Pharmacy2.docx", + "ExtentionBlockSize": 128, + "LocalizedName": null, + "SeqNum": 7, + "EntryNum": 48227, + "FileReferenceInt": 1970324837022819, + "AccessTime": "10/21/2013 18:39:58.000000", + "CreationTime": "10/21/2013 18:39:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "48227-7" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + 
"ExtentionBlocks": [] + } + ], + "ParentLongName": "Documents", + "ParentEntryNum": 232344, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Documents\\Business_Plan_Mail_Order_Pharmacy2.docx", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\Business_Plan_Mail_Order_Pharmacy2.docx", + "FileSize": 504872, + "CreationDateTime": "10/21/2013 18:39:52.221974", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "System Ninja.exe", + "WorkingDir": "C:\\Program Files (x86)\\System Ninja", + "LocalPath": "C:\\Program Files (x86)\\System Ninja\\System Ninja.exe", + "ModificationDateTime": "07/12/2013 01:01:08.000000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\5502..System Ninja.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:10:15.273501", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "4761-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:10:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + 
"ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "09/23/2013 20:10:16.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SYSTEM~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:10:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "System Ninja", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 4761, + "FileReferenceInt": 1125899906847385, + "AccessTime": "09/23/2013 20:10:16.000000", + "CreationTime": "09/23/2013 20:10:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "4761-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "SYSTEM~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "07/12/2013 01:01:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 579072, + "ExtentionBlocks": [ + { + "LongName": "System Ninja.exe", + "ExtentionBlockSize": 82, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 5466, + "FileReferenceInt": 1125899906848090, + "AccessTime": "09/23/2013 20:10:16.000000", + "CreationTime": "09/23/2013 20:10:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5466-4" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": 
null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "System Ninja", + "ParentEntryNum": 4761, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\System Ninja\\System Ninja.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 579072, + "CreationDateTime": "09/23/2013 20:10:15.273501", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "unins000.exe", + "WorkingDir": "C:\\Program Files (x86)\\System Ninja", + "LocalPath": "C:\\Program Files (x86)\\System Ninja\\unins000.exe", + "ModificationDateTime": "09/23/2013 20:09:25.415878", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\5504..Uninstall System Ninja.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:10:15.257876", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "4761-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:10:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files 
(x86)", + "ExtentionBlockSize": 128, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 3, + "EntryNum": 200140, + "FileReferenceInt": 844424930332108, + "AccessTime": "09/23/2013 20:10:16.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200140-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "SYSTEM~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:10:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "System Ninja", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 4761, + "FileReferenceInt": 1125899906847385, + "AccessTime": "09/23/2013 20:10:16.000000", + "CreationTime": "09/23/2013 20:10:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "4761-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "unins000.exe", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:09:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 1066657, + "ExtentionBlocks": [ + { + "LongName": "unins000.exe", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 5464, + "FileReferenceInt": 1125899906848088, + "AccessTime": "09/23/2013 20:10:16.000000", + "CreationTime": "09/23/2013 20:10:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5464-4" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + 
], + "ParentLongName": "System Ninja", + "ParentEntryNum": 4761, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\..\\Program Files (x86)\\System Ninja\\unins000.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 1066657, + "CreationDateTime": "09/23/2013 20:10:15.257876", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "HighFiveBusinessPlanV20.docx", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\HighFiveBusinessPlanV20.docx", + "ModificationDateTime": "10/21/2013 18:40:34.772638", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\6351.Donald.HighFiveBusinessPlanV20.LNK", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/21/2013 18:40:34.572502", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 3, + "ParentRefStr": "232344-3", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Users", + "Location": null, + "Comments": null, + "ModificationTime": "10/22/2013 16:33:18.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Users", + "ExtentionBlockSize": 100, + "LocalizedName": "@shell32.dll,-21813", + 
"SeqNum": 3, + "EntryNum": 200313, + "FileReferenceInt": 844424930332281, + "AccessTime": "10/22/2013 16:33:18.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200313-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Donald", + "Location": null, + "Comments": null, + "ModificationTime": "08/01/2013 19:22:44.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Donald", + "ExtentionBlockSize": 62, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 232315, + "FileReferenceInt": 844424930364283, + "AccessTime": "08/01/2013 19:22:44.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232315-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/22/2013 16:33:18.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 108, + "LocalizedName": "@shell32.dll,-21770", + "SeqNum": 3, + "EntryNum": 232344, + "FileReferenceInt": 844424930364312, + "AccessTime": "10/22/2013 16:33:18.000000", + "CreationTime": "09/23/2013 19:17:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "232344-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "HIGHFI~1.DOC", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:40:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 82297, + "ExtentionBlocks": [ + { + "LongName": "HighFiveBusinessPlanV20.docx", + "ExtentionBlockSize": 106, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 
48267, + "FileReferenceInt": 1125899906890891, + "AccessTime": "10/21/2013 18:40:36.000000", + "CreationTime": "10/21/2013 18:40:28.000000", + "Signature": "0xbeef0004L", + "RefNum": "48267-4" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Documents", + "ParentEntryNum": 232344, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Documents\\HighFiveBusinessPlanV20.docx", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "docx", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Documents\\HighFiveBusinessPlanV20.docx", + "FileSize": 82297, + "CreationDateTime": "10/21/2013 18:40:27.821180", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\665.Donald.txt_3353893625_en-US.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + 
"Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "Lean Startups & IP.pptx", + "WorkingDir": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup", + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:47:24.104000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\6696.Donald.Lean Startups & IP.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:47:23.512954", + "DriveSerialNumber": "0000-0000", + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "pptx", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Lean startup\\Lean Startups & IP.pptx", + "FileSize": 185978, + "CreationDateTime": "10/21/2013 19:47:23.512954", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup\\Lean Startups & IP.pptx" + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\704.Donald.set_2779249290_en-us.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x0L", + "ParentSeqNum": null, + "ParentRefStr": null, + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, 
+ "ExtentionBlocks": [ + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0013L" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "item", + "ExtentionListing": "0xbeef0013L", + "ItemCount": 3 + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "Successfully-Apply-Lean-Start-Up-Principles-to-University-Spinouts-PM399.ppt", + "WorkingDir": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup", + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:47:27.830156", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\7271.Donald.Successfully-Apply-Lean-Start-Up-Principles-to-University-Spinouts-PM399.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:47:24.902387", + "DriveSerialNumber": "0000-0000", + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "ppt", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Lean startup\\Successfully-Apply-Lean-Start-Up-Principles-to-University-Spinouts-PM399.ppt", + "FileSize": 2851840, + "CreationDateTime": "10/21/2013 19:47:24.902387", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup\\Successfully-Apply-Lean-Start-Up-Principles-to-University-Spinouts-PM399.ppt" + }, + { + "VolumeLabel": null, + "BaseName": null, + 
"WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\7293.Donald.set_1858484634_en-us.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x0L", + "ParentSeqNum": null, + "ParentRefStr": null, + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 42, + "Signature": "0xbeef0013L" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "item", + "ExtentionListing": "0xbeef0013L", + "ItemCount": 3 + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": "Successfully-Apply-Lean-Start-Up-Principles-to-University-Spinouts-PM399.ppt", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:47:27.830156", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\7449.Donald.Successfully-Apply-Lean-Start-Up-Principles-to-University-Spinouts-PM399.LNK", + "Flags": "Archive;", + "DriveType": 
"DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:47:24.902387", + "DriveSerialNumber": "0000-0000", + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "ppt", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Lean startup\\Successfully-Apply-Lean-Start-Up-Principles-to-University-Spinouts-PM399.ppt", + "FileSize": 2849792, + "CreationDateTime": "10/21/2013 19:47:24.902387", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Lean startup\\Successfully-Apply-Lean-Start-Up-Principles-to-University-Spinouts-PM399.ppt" + }, + { + "VolumeLabel": null, + "BaseName": "grv_icons.exe", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\7464..F6282DA2-BC5A-46A0-818F-AFCB5FE11FC1.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 2, + "ParentRefStr": "7429-2", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Windows", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:13:24.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Windows", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 200365, + "FileReferenceInt": 844424930332333, + "AccessTime": "09/23/2013 20:13:24.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "200365-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INSTAL~1", + "Location": null, 
+ "Comments": null, + "ModificationTime": "09/23/2013 20:13:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Installer", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 201141, + "FileReferenceInt": 844424930333109, + "AccessTime": "09/23/2013 20:13:36.000000", + "CreationTime": "08/22/2013 15:36:32.000000", + "Signature": "0xbeef0004L", + "RefNum": "201141-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "{91150~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:13:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "{91150000-00BA-0000-1000-0000000FF1CE}", + "ExtentionBlockSize": 126, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 7429, + "FileReferenceInt": 562949953428741, + "AccessTime": "09/23/2013 20:13:36.000000", + "CreationTime": "09/23/2013 20:13:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "7429-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "GRV_IC~1.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:13:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 236144, + "ExtentionBlocks": [ + { + "LongName": "grv_icons.exe", + "ExtentionBlockSize": 76, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 7453, + "FileReferenceInt": 562949953428765, + "AccessTime": "09/23/2013 20:13:36.000000", + "CreationTime": "09/23/2013 20:13:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "7453-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": 
"00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "{91150000-00BA-0000-1000-0000000FF1CE}", + "ParentEntryNum": 7429, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 7, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Sync SharePoint documents to your computer and work with the content as if you were connected using Microsoft SkyDrive Pro.", + "RelativePath": "..\\..\\..\\..\\..\\..\\Windows\\Installer\\{91150000-00BA-0000-1000-0000000FF1CE}\\grv_icons.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemRoot%\\Installer\\{91150000-00BA-0000-1000-0000000FF1CE}\\grv_icons.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\8092.Windows.Browser Choice.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": "@{BrowserChoice_6.2.0.0_neutral_neutral_cw5n1h2txyewy|ms-resource://BrowserChoice/Resources/TileDescription}", + "RelativePath": 
null, + "Codepage": "cp1252", + "IconLoc": "%windir%\\BrowserChoice\\BrowserChoice.exe", + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": "%windir%\\BrowserChoice\\html\\default.html" + }, + { + "VolumeLabel": null, + "BaseName": "guided-cash-flow-statement.xls", + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "10/21/2013 19:47:28.642041", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\8415.Donald.guided-cash-flow-statement.LNK", + "Flags": "Archive;", + "DriveType": "DRIVE_UNKNOWN;", + "AccessDateTime": "10/21/2013 19:47:28.555417", + "DriveSerialNumber": "0000-0000", + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "xls", + "NetworkPath": "\\\\VALHALLA\\USERS\\Public\\Documents\\Templates\\guided-cash-flow-statement.xls", + "FileSize": 45056, + "CreationDateTime": "10/21/2013 19:47:28.555417", + "EnvVarLoc": "\\\\VALHALLA\\Users\\Public\\Documents\\Templates\\guided-cash-flow-statement.xls" + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "ONENOTEM.EXE", + "WorkingDir": null, + "LocalPath": "C:\\Program Files\\Microsoft Office 15\\root\\office15\\ONENOTEM.EXE", + "ModificationDateTime": "09/23/2013 20:27:39.630588", + "CmdArgs": "/tsr", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\91185.Donald.Send to OneNote.lnk", + "Flags": "Sparse File;Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 20:24:21.305918", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 6, + "ParentRefStr": "5225-6", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": 
"PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/18/2013 00:28:36.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 116, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 6, + "EntryNum": 197634, + "FileReferenceInt": 1688849860461570, + "AccessTime": "10/18/2013 00:28:36.000000", + "CreationTime": "08/22/2013 13:36:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "197634-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "MICROS~1", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Microsoft Office 15", + "ExtentionBlockSize": 88, + "LocalizedName": null, + "SeqNum": 15, + "EntryNum": 4229, + "FileReferenceInt": 4222124650664069, + "AccessTime": "09/23/2013 20:24:20.000000", + "CreationTime": "09/23/2013 20:23:56.000000", + "Signature": "0xbeef0004L", + "RefNum": "4229-15" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "root", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:24:22.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "root", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 5190, + "FileReferenceInt": 2533274790401094, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "5190-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "office15", + "Location": null, + "Comments": 
null, + "ModificationTime": "09/23/2013 20:40:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "office15", + "ExtentionBlockSize": 66, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 5225, + "FileReferenceInt": 1688849860269161, + "AccessTime": "09/23/2013 20:40:10.000000", + "CreationTime": "09/23/2013 20:24:16.000000", + "Signature": "0xbeef0004L", + "RefNum": "5225-6" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "ONENOTEM.EXE", + "Location": null, + "Comments": null, + "ModificationTime": "09/23/2013 20:27:40.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 186544, + "ExtentionBlocks": [ + { + "LongName": "ONENOTEM.EXE", + "ExtentionBlockSize": 74, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 29241, + "FileReferenceInt": 562949953450553, + "AccessTime": "09/23/2013 20:24:22.000000", + "CreationTime": "09/23/2013 20:24:22.000000", + "Signature": "0xbeef0004L", + "RefNum": "29241-2" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "office15", + "ParentEntryNum": 5225, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": 
"root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Send to OneNote", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\..\\..\\Program Files\\Microsoft Office 15\\root\\office15\\ONENOTEM.EXE", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "EXE", + "NetworkPath": null, + "FileSize": 186544, + "CreationDateTime": "09/23/2013 20:24:21.305918", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\91228.Donald.RecentPlaces.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + "DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x1fL", + "ParentSeqNum": null, + "ParentLongName": null, + "ParentEntryNum": null, + "DistinctTypesStr": "root_folder", + "ExtentionListing": "", + "ItemCount": 2, + "RootFolder": [ + { + "ShellFolderId": "22877a6d-37a1-461a-91b0-dbda5aaebc99", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Desktop", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Desktop", + "ModificationDateTime": "10/19/2013 01:51:57.520517", + "CmdArgs": null, + "Source": 
"F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\91229.Donald.Desktop.lnk", + "Flags": "Read-Only;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 19:24:07.425181", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "", + "ParentSeqNum": null, + "DistinctTypesStr": "", + "ExtentionListing": "", + "ItemCount": 1, + "ParentEntryNum": null + }, + "Description": null, + "RelativePath": "..\\Desktop", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Desktop", + "FileSize": 0, + "CreationDateTime": "09/23/2013 19:17:31.382798", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "Downloads", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Downloads", + "ModificationDateTime": "10/19/2013 01:51:57.848660", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\91230.Donald.Downloads.lnk", + "Flags": "Read-Only;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/18/2013 00:30:03.037727", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2eL", + "Identifier": "374de290-123f-4565-9164-39c4925e467b", + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ], + "ParentLongName": null, + "DistinctTypesHex": "0x2eL;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "volume;root_folder", + "ExtentionListing": "0xbeef0025L", + "ItemCount": 3, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": 
"20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\Downloads", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": "\\\\BIFROST\\Users\\Donald\\Downloads", + "FileSize": 4096, + "CreationDateTime": "08/10/2013 03:03:23.667207", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "iexplore.exe", + "WorkingDir": "%HOMEDRIVE%%HOMEPATH%", + "LocalPath": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "ModificationDateTime": "11/08/2012 06:58:26.531047", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\91788.Donald.Launch Internet Explorer Browser.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "06/02/2013 03:28:23.026210", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 1, + "ParentRefStr": "146-1", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~1", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:57:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files", + "ExtentionBlockSize": 112, + "LocalizedName": "@shell32.dll,-21781", + "SeqNum": 1, + "EntryNum": 76, + "FileReferenceInt": 281474976710732, + "AccessTime": "06/02/2013 03:57:10.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "76-1" + } + ] + }, + { + "ShellFolderId": null, + 
"ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTERN~1", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:31:16.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Internet Explorer", + "ExtentionBlockSize": 80, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 146, + "FileReferenceInt": 281474976710802, + "AccessTime": "06/02/2013 03:31:16.000000", + "CreationTime": "07/26/2012 08:13:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "146-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "iexplore.exe", + "Location": null, + "Comments": null, + "ModificationTime": "11/08/2012 06:58:28.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 775152, + "ExtentionBlocks": [ + { + "LongName": "iexplore.exe", + "ExtentionBlockSize": 70, + "LocalizedName": null, + "SeqNum": 6, + "EntryNum": 139688, + "FileReferenceInt": 1688849860403624, + "AccessTime": "06/02/2013 03:28:24.000000", + "CreationTime": "06/02/2013 03:28:24.000000", + "Signature": "0xbeef0004L", + "RefNum": "139688-6" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Internet Explorer", + "ParentEntryNum": 146, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 6, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + 
"Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "@\"%windir%\\System32\\ie4uinit.exe\",-732", + "RelativePath": "..\\..\\..\\..\\..\\..\\..\\Program Files\\Internet Explorer\\iexplore.exe", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 775152, + "CreationDateTime": "06/02/2013 03:28:23.026210", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "AppUp.exe", + "WorkingDir": "C:\\Program Files (x86)\\Intel\\IntelAppStore\\bin", + "LocalPath": "C:\\Program Files (x86)\\Intel\\IntelAppStore\\bin\\AppUp.exe", + "ModificationDateTime": "06/19/2013 18:10:45.000000", + "CmdArgs": "--domain F0399437-FD0C-4A48-B101-F0314A6172E4", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\93020..Lenovo App Shop.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "06/19/2013 18:11:10.000000", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 1, + "ParentRefStr": "159087-1", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 01:02:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "08/12/2013 01:02:20.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": 
"3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Intel", + "Location": null, + "Comments": null, + "ModificationTime": "06/02/2013 03:55:42.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Intel", + "ExtentionBlockSize": 56, + "LocalizedName": null, + "SeqNum": 2, + "EntryNum": 103656, + "FileReferenceInt": 562949953524968, + "AccessTime": "06/02/2013 03:55:42.000000", + "CreationTime": "06/02/2013 03:30:54.000000", + "Signature": "0xbeef0004L", + "RefNum": "103656-2" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "INTELA~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 03:38:12.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "IntelAppStore", + "ExtentionBlockSize": 72, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 159077, + "FileReferenceInt": 281474976869733, + "AccessTime": "08/12/2013 03:38:12.000000", + "CreationTime": "06/02/2013 03:55:42.000000", + "Signature": "0xbeef0004L", + "RefNum": "159077-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "bin", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 03:38:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "bin", + "ExtentionBlockSize": 52, + "LocalizedName": null, + "SeqNum": 1, + "EntryNum": 159087, + "FileReferenceInt": 281474976869743, + "AccessTime": "08/12/2013 03:38:20.000000", + "CreationTime": "06/02/2013 03:55:42.000000", + "Signature": "0xbeef0004L", + "RefNum": "159087-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + 
"Identifier": null, + "Name": "AppUp.exe", + "Location": null, + "Comments": null, + "ModificationTime": "06/19/2013 18:10:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 921808, + "ExtentionBlocks": [ + { + "LongName": "AppUp.exe", + "ExtentionBlockSize": 64, + "LocalizedName": null, + "SeqNum": 5, + "EntryNum": 93082, + "FileReferenceInt": 1407374883646362, + "AccessTime": "06/19/2013 18:11:10.000000", + "CreationTime": "06/02/2013 03:55:44.000000", + "Signature": "0xbeef0004L", + "RefNum": "93082-5" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "bin", + "ParentEntryNum": 159087, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\Program Files (x86)\\Intel\\IntelAppStore\\bin\\AppUp.exe", + "Codepage": "cp1252", + "IconLoc": "%SystemDrive%/PROGRA~2/Intel/INTELA~1/bin/appup.ico", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 921808, + "CreationDateTime": "06/02/2013 03:55:42.453973", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "01 Red Solo Cup (Hip Hop 
Re-Mix).m4a", + "WorkingDir": "C:\\Users\\Donald\\Music\\iTunes\\iTunes Media\\Music\\Hip Hop Rednex\\Red Solo Cup (Hip Hop Re-Mix) - Single", + "LocalPath": "C:\\Users\\Donald\\Music\\iTunes\\iTunes Media\\Music\\Hip Hop Rednex\\Red Solo Cup (Hip Hop Re-Mix) - Single\\01 Red Solo Cup (Hip Hop Re-Mix).m4a", + "ModificationDateTime": "10/01/2013 02:04:32.118535", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\932.Donald.01 Red Solo Cup (Hip Hop Re-Mix).lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "10/01/2013 02:04:21.012504", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + 
"FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 10, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Music\\iTunes\\iTunes Media\\Music\\Hip Hop Rednex\\Red Solo Cup (Hip Hop Re-Mix) - Single\\01 Red Solo Cup (Hip Hop Re-Mix).m4a", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "m4a", + "NetworkPath": 
"\\\\BIFROST\\Users\\Donald\\Music\\iTunes\\iTunes Media\\Music\\Hip Hop Rednex\\Red Solo Cup (Hip Hop Re-Mix) - Single\\01 Red Solo Cup (Hip Hop Re-Mix).m4a", + "FileSize": 8283501, + "CreationDateTime": "10/01/2013 02:04:21.012504", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "chrome.exe", + "WorkingDir": "C:\\Program Files (x86)\\Google\\Chrome\\Application", + "LocalPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ModificationDateTime": "07/25/2013 00:49:49.016392", + "CmdArgs": "--show-app-list", + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\97349.Donald.Chrome App Launcher.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "08/12/2013 00:53:19.096107", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "DistinctTypesHex": "0x32L;0x2fL;0x1fL;0x31L", + "ParentSeqNum": 4, + "ParentRefStr": "116035-4", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "PROGRA~2", + "Location": null, + "Comments": null, + "ModificationTime": "09/03/2013 02:19:26.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Program Files (x86)", + "ExtentionBlockSize": 124, + "LocalizedName": "@shell32.dll,-21817", + "SeqNum": 1, + "EntryNum": 3725, + "FileReferenceInt": 281474976714381, + "AccessTime": "09/03/2013 02:19:26.000000", + "CreationTime": "07/26/2012 05:38:00.000000", + "Signature": "0xbeef0004L", + "RefNum": "3725-1" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Google", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:08.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + 
"LongName": "Google", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 9, + "EntryNum": 115147, + "FileReferenceInt": 2533274790511051, + "AccessTime": "08/12/2013 00:53:08.000000", + "CreationTime": "08/12/2013 00:52:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "115147-9" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "Chrome", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Chrome", + "ExtentionBlockSize": 58, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 115732, + "FileReferenceInt": 1125899906958356, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:08.000000", + "Signature": "0xbeef0004L", + "RefNum": "115732-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "APPLIC~1", + "Location": null, + "Comments": null, + "ModificationTime": "08/12/2013 00:53:20.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Application", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116035, + "FileReferenceInt": 1125899906958659, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116035-4" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "chrome.exe", + "Location": null, + "Comments": null, + "ModificationTime": "07/25/2013 00:49:50.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 846288, + "ExtentionBlocks": [ + { + "LongName": "chrome.exe", + "ExtentionBlockSize": 66, + 
"LocalizedName": null, + "SeqNum": 4, + "EntryNum": 116036, + "FileReferenceInt": 1125899906958660, + "AccessTime": "08/12/2013 00:53:20.000000", + "CreationTime": "08/12/2013 00:53:20.000000", + "Signature": "0xbeef0004L", + "RefNum": "116036-4" + } + ] + } + ], + "Volume": [ + { + "ShellFolderId": "00000000-0000-0000-0000-000000000000", + "ShellItemTypeHex": "0x2fL", + "Identifier": "00000000-0000-0000-0000-000000000000", + "Name": "C:\\", + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "volume", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ParentLongName": "Application", + "ParentEntryNum": 116035, + "DistinctTypesStr": "volume;root_folder;file_entry", + "ExtentionListing": "0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L;0xbeef0004L", + "ItemCount": 8, + "RootFolder": [ + { + "ShellFolderId": "20d04fe0-3aea-1069-a2d8-08002b30309d", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": "Chrome App Launcher", + "RelativePath": "..\\..\\..\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "Codepage": "cp1252", + "IconLoc": "%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe", + "AppIdName": null, + "FileExt": "exe", + "NetworkPath": null, + "FileSize": 846288, + "CreationDateTime": "08/12/2013 00:53:19.096107", + "EnvVarLoc": null + }, + { + "VolumeLabel": null, + "BaseName": null, + "WorkingDir": null, + "LocalPath": null, + "ModificationDateTime": "1601-01-01 00:00:00", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\980.Donald.App.lnk", + "Flags": "", + "DriveType": null, + "AccessDateTime": "1601-01-01 00:00:00", + 
"DriveSerialNumber": null, + "AppIdCode": null, + "LnkTrgData": null, + "Description": null, + "RelativePath": null, + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": null, + "NetworkPath": null, + "FileSize": 0, + "CreationDateTime": "1601-01-01 00:00:00", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "WACC Calc Spreadsheet.xls", + "WorkingDir": "C:\\Users\\Donald\\SkyDrive\\Documents", + "LocalPath": "C:\\Users\\Donald\\SkyDrive\\Documents\\WACC Calc Spreadsheet.xls", + "ModificationDateTime": "08/08/2013 03:59:09.343000", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\987.Donald.WACC Calc Spreadsheet.lnk", + "Flags": "Archive;", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/23/2013 19:48:50.000000", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": "Documents", + "DistinctTypesHex": "0x32L;0x31L;0x1fL", + "ParentSeqNum": 3, + "DistinctTypesStr": "root_folder;file_entry", + "FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x31L", + "Identifier": null, + "Name": "DOCUME~1", + "Location": null, + "Comments": null, + "ModificationTime": "10/21/2013 18:50:46.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": 0, + "ExtentionBlocks": [ + { + "LongName": "Documents", + "ExtentionBlockSize": 68, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127282, + "FileReferenceInt": 844424930259250, + "AccessTime": "10/21/2013 18:50:46.000000", + "CreationTime": "08/12/2013 01:11:04.000000", + "Signature": "0xbeef0004L", + "RefNum": "127282-3" + } + ] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x32L", + "Identifier": null, + "Name": "WACCCA~2.XLS", + "Location": null, + "Comments": null, + "ModificationTime": "08/08/2013 03:59:10.000000", + "ShellItemTypeStr": "file_entry", + "ExtentionBlockCount": 1, + 
"Description": null, + "FileSize": 16384, + "ExtentionBlocks": [ + { + "LongName": "WACC Calc Spreadsheet.xls", + "ExtentionBlockSize": 100, + "LocalizedName": null, + "SeqNum": 3, + "EntryNum": 127314, + "FileReferenceInt": 844424930259282, + "AccessTime": "09/23/2013 19:48:50.000000", + "CreationTime": "08/08/2013 03:57:36.000000", + "Signature": "0xbeef0004L", + "RefNum": "127314-3" + } + ] + } + ], + "ExtentionListing": "0xbeef0025L;0xbeef0004L;0xbeef0004L", + "ItemCount": 4, + "ParentRefStr": "127282-3", + "ParentEntryNum": 127282, + "RootFolder": [ + { + "ShellFolderId": "8e74d236-7f35-4720-b138-1fed0b85ea75", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 1, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [ + { + "ExtentionBlockSize": 30, + "Signature": "0xbeef0025L" + } + ] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\SkyDrive\\Documents\\WACC Calc Spreadsheet.xls", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "xls", + "NetworkPath": "\\\\BIFROST\\SkyDrive\\Documents\\WACC Calc Spreadsheet.xls", + "FileSize": 16384, + "CreationDateTime": "08/08/2013 03:57:34.463000", + "EnvVarLoc": null + }, + { + "VolumeLabel": "Windows8_OS", + "BaseName": "VC Files", + "WorkingDir": null, + "LocalPath": "C:\\Users\\Donald\\Documents\\VC Files", + "ModificationDateTime": "09/27/2013 02:57:51.136572", + "CmdArgs": null, + "Source": "F:\\SANS408\\Donald_Blake_Evidence\\C-Drive\\Extracts\\SANS408\\p1-sys\\link-files\\988.Donald.VC Files.lnk", + "Flags": "", + "DriveType": "DRIVE_FIXED;", + "AccessDateTime": "09/27/2013 02:57:51.136572", + "DriveSerialNumber": "7e58-aab0", + "AppIdCode": null, + "LnkTrgData": { + "ParentLongName": null, + "DistinctTypesHex": "0x0L;0x1fL", + "ParentSeqNum": null, + "DistinctTypesStr": "item;root_folder", + 
"FileEntries": [ + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + }, + { + "ShellFolderId": null, + "ShellItemTypeHex": "0x0L", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "item", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ], + "ExtentionListing": "", + "ItemCount": 5, + "ParentRefStr": null, + "ParentEntryNum": null, + "RootFolder": [ + { + "ShellFolderId": "031e4825-7b94-4dc3-b131-e946b44c8dd5", + "ShellItemTypeHex": "0x1fL", + "Identifier": null, + "Name": null, + "Location": null, + "Comments": null, + "ModificationTime": null, + "ShellItemTypeStr": "root_folder", + "ExtentionBlockCount": 0, + "Description": null, + "FileSize": null, + "ExtentionBlocks": [] + } + ] + }, + "Description": null, + "RelativePath": "..\\..\\..\\..\\..\\Documents\\VC Files", + "Codepage": "cp1252", + "IconLoc": null, + "AppIdName": null, + "FileExt": "", + "NetworkPath": null, + "FileSize": 4096, + "CreationDateTime": "08/31/2013 03:53:21.305843", + "EnvVarLoc": null + } + ] +}