Archive for June, 2011

UserInfo (Windows)


Author Name
Corey Harrell

Artifact Name

Artifact/Program Version
Windows Registry

Microsoft Office documents contain metadata that shows when a file was
created and modified, along with user names. The user names in Microsoft
Office documents' metadata are pulled from the UserInfo registry key in
the registry hive of the user account performing the actions. The values
responsible in the UserInfo registry are the UserName and Company

The population of the data in the UserName and Company registry values
varies. The values are populated in the user account that installed
Microsoft Office with the user name and company entered during
installation. For the user accounts that are using Microsoft Office
but didn’t install it, the values are populated a little differently.
The first time the user launches an Office application a dialog box
appears asking for the user name and initials. The information entered
in the dialog box is what results in the UserName value in the user’s
UserInfo registry key. The location of the UserInfo registry key
varies depending on the version of Microsoft Office installed on the

Registry Keys
Microsoft Office 2007: HKCU\Software\Microsoft\Office\Common\UserInfo
Microsoft Office 2003:

Research Links

Forensic Programs of Use
Registry viewer such as the free MiTeC Windows Registry Recovery

NetworkList (Vista/Windows 7)


Author Name
H. Carvey

Artifact Name

Artifact/Program Version
RegRipper w/ plugin v.20090812

Vista and Windows 7 maintain a Registry key named
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList

This key appears to contain profiles regarding managed and
unmanaged networks, such as wireless networks that the system has
connected to, with details including the SSID, the date the profile was
created, the date last connected, the MAC address of the WAP, etc. This
MAC can be looked up in the SkyHook database, and possibly converted to a Google
Registry Keys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList (Updated 6/3- Thanks to Troy)

File Locations
Software Hive

Forensic Programs of Use
RegRipper w/ plugin

Evernote note storage


Author Name
Joseph W Shaw II

Artifact Name
Evernote note storage

Program Version

Evernote is a tool used to capture, store, and share ideas and
information in the form of multimedia notes mixing text, images, PDFs,
and other document types into searchable “notes.” These notes are
stored in an SQLite database format. Records are appended to the end
of the database. As records are deleted, they are overwritten by new
records. However, data records can be retained inside the database
and seen when the SQLite database is viewed in Text or Hex view.

File Locations
On Windows 7: C:\Users\\AppData\Local\Evernote\Evernote\Database\.exb

Forensic Programs of Use
SQLite Database Browser
EnCase 64bit

Old Record Search Hit

System Version (Mac)


Author Name
Douglas Brush

Artifact Name

Artifact/Program Version
OS X 10.x (Client)

When you start your Macintosh investigation it is important to know
what version of the operating system is installed on the computer. The
version of OS X (10.4, 10.5, 10.6) can shape and direct the analysis
as each version has certain unique characteristics for other artifacts
as well as their locations on the disk.

Macintosh operating systems use plist files (.plist) as repositories
for system and program settings/information. Plist files can either be
in a binary-encoded format (bplist file header) or as XML.

To get the operating system version, the first plist file you will
want to examine is “SystemVersion.plist”, located in the
“/System/Library/CoreServices/” folder. With this knowledge you
can be aware of other plists and system artifacts that are unique to
the OS under inspection.
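
An added example (not from the original post): a Python sketch that checks whether an exported SystemVersion.plist is binary or XML by its header and extracts the OS version. The sample plist is constructed for illustration; ProductName, ProductVersion and ProductBuildVersion are the standard keys in that file, and the function names are hypothetical.

```python
import plistlib

# Constructed sample of an XML SystemVersion.plist (not taken from a real case).
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>ProductBuildVersion</key><string>10K549</string>
<key>ProductName</key><string>Mac OS X</string>
<key>ProductVersion</key><string>10.6.8</string>
</dict></plist>"""
# The same content re-encoded as a binary plist, to exercise both formats.
SAMPLE_BINARY = plistlib.dumps(plistlib.loads(SAMPLE_XML), fmt=plistlib.FMT_BINARY)


def plist_format(data: bytes) -> str:
    """Classify raw plist bytes by header: 'binary', 'xml' or 'unknown'."""
    if data.startswith(b"bplist"):          # binary plists begin "bplist" + version
        return "binary"
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:256]   # skip BOM and whitespace
    if head.startswith(b"<?xml") or b"<plist" in head:
        return "xml"
    return "unknown"


def read_system_version(data: bytes) -> dict:
    """Parse SystemVersion.plist bytes exported from an image."""
    fmt = plist_format(data)
    if fmt == "unknown":
        raise ValueError("no bplist or XML plist header found")
    try:
        plist = plistlib.loads(data)        # auto-detects binary vs XML
    except Exception as exc:                # truncated or damaged file
        raise ValueError(f"damaged {fmt} plist: {exc}") from exc
    version = plist.get("ProductVersion") if isinstance(plist, dict) else None
    if not isinstance(version, str):
        raise ValueError("ProductVersion key missing or not a string")
    return {
        "format": fmt,
        "name": plist.get("ProductName"),
        "version": version,                              # e.g. 10.6.8
        "release": ".".join(version.split(".")[:2]),     # e.g. 10.6
        "build": plist.get("ProductBuildVersion"),
    }


if __name__ == "__main__":
    for blob in (SAMPLE_XML, SAMPLE_BINARY):
        print(read_system_version(blob))
```

The `release` field gives the 10.x level that determines which other artifacts and locations apply.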

File Locations

Research Links

Forensic Programs of Use
plist Edit Pro (Mac):

plist Editor Pro (Win):