0.000s - DEBUG: Starting...
0.032s - DEBUG: 2017/10/30, 16:9:27
0.063s - DEBUG: OSForensics 5.1 build 1002 64-bit
0.078s - DEBUG OS: Windows 10 build 15063 (64-bit)
0.094s - DEBUG Path: C:\Program Files\OSForensics
0.141s - Main: Set security OK
0.157s - Main: Creating temp folder C:\ProgramData\PassMark\OSForensics\Temp\10756
0.188s - Main: Regproc check
0.344s - Main: Available phys mem: 26370195456
0.360s - Main: Load OSF config
0.391s - Main: Init OSFMount interface OK
0.453s - Main: Init direct access OK
0.469s - Main: Register disk events
0.500s - Main: init dialog
0.578s - CfgMain: Creating start window
0.657s - CfgMain: Creating hash set window
0.688s - CfgMain: Creating create sig window
0.735s - CfgMain: Creating compare sig window
0.797s - CfgMain: Creating hash window
0.875s - CfgMain: Creating file name search window
1.032s - CfgMain: Creating mismatch search window
1.125s - CfgMain: Creating create index window
1.188s - CfgMain: Creating search index window
1.266s - CfgMain: Creating recent activity window
1.375s - CfgMain: Creating deleted file search window
1.485s - DEBUG: FileCarving: Parsing File Formats (File: C:\ProgramData\PassMark\OSForensics\osf_filecarve.conf)
1.516s - CfgMain: Creating mem viewer window
1.657s - CfgMain: Creating prefetch viewer window
1.719s - CfgMain: Creating raw disk viewer window
1.735s - DEBUG: FileCarving: Parsing File Formats (File: C:\ProgramData\PassMark\OSForensics\osf_filecarve.conf)
1.875s - CfgMain: Creating sys info window
1.969s - CfgMain: Creating drive prep window
2.016s - CfgMain: Creating password window
2.032s - Pswd: Creating Passwords & keys tab
2.094s - Pswd: Creating Windows Login tab
2.125s - Pswd: Initializing rainbow
2.157s - Rainbow: Loading charsets from C:\ProgramData\PassMark\OSForensics\RainbowTables\charset.txt
2.172s - Rainbow: Initializing SSL
2.203s - Rainbow: Initializing SSL
2.219s - Rainbow: Initializing Rainbow Table
2.235s - Rainbow: Initializing RainbowTable
2.297s - Pswd: Creating Rainbow Generate tab
2.422s - Pswd: Creating Rainbow Retrieval tab
2.500s - Pswd: Creating Decryption tab
2.563s - CfgMain: Creating forensic imaging window
2.860s - CfgMain: Creating SQLite browser window
2.891s - CfgMain: Creating manage case window
2.938s - CaseManagementInitWindow: start
2.985s - initCaseSelectionListWnd: start
3.000s - initCaseSelectionListWnd: add mydocs
3.032s - initCaseSelectionListWnd: add cases
3.047s - initCaseSelectionListWnd: end
3.078s - initCaseManagementListWnd: start
3.094s - initCaseManagementListWnd: end
3.125s - CaseManagementInitWindow: end
19.985s - GetLocalFolderNames: DocumentsAndSettingsLocalName: Registry Info drive: C
20.016s - CreateTempRegFileIfNeeded: A
20.032s - CreateTempRegFileIfNeeded: B
20.047s - CreateTempRegFileIfNeeded: C
20.078s - CreateTempRegFileIfNeeded: DA
20.094s - CreateTempRegFileIfNeeded: DB
20.110s - CreateTempRegFileIfNeeded: DC
20.141s - ShadowCopyFiles entry
20.157s - ShadowCopyFiles: Trying to create shadow volume
20.172s - CreateShadowVolumeForFC entry
20.203s - CreateShadowVolumeForFC Initialize VSS client
20.266s - CreateShadowVolumeForFC Get unique vol name for: C:\
20.282s - unique vol name: \\?\Volume{38d9f3bf-7727-40fa-b5d0-3504ca271250}\
20.313s - CreateShadowVolumeForFC create snapshot set
29.157s - CreateShadowVolumeForFC getLatestSnapshotIdListt
29.266s - CreateShadowVolumeForFC GetSnapshotDeviceName
29.297s - CreateShadowVolumeForFC exit
29.344s - ShadowCopyFiles: created shadow volume
29.391s - ShadowCopyFiles: 1 files to copy
29.438s - ShadowCopyFiles: curent file: C:\Windows\System32\Config\SOFTWARE
29.500s - ShadowCopyFiles: SourceFile: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\Windows\System32\Config\SOFTWARE
29.532s - ShadowCopyFiles: DestFile: C:\ProgramData\PassMark\OSForensics\Temp\10756\C5C5DF0374B591538BDD691D36926784
30.610s - ShadowCopyFiles done
30.860s - Classes BlockType invalid: \x72\x69
31.250s - Microsoft\Office\15.0\ClickToRun\appvMachineRegistryStore\Integration\Ownership\SOFTWARE\Classes\Interface BlockType invalid: \x72\x69
31.516s - Microsoft\Office\15.0\ClickToRun\appvMachineRegistryStore\Integration\Ownership\SOFTWARE\Classes\Wow6432Node\Interface BlockType invalid: \x72\x69
31.578s - Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\Software\Classes BlockType invalid: \x72\x69
31.657s - Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components BlockType invalid: \x72\x69
31.766s - Microsoft\SystemSettings\SettingId BlockType invalid: \x72\x69
31.860s - Microsoft\Windows\CurrentVersion\Component Based Servicing\ComponentDetect BlockType invalid: \x72\x69
31.922s - Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect BlockType invalid: \x72\x69
32.000s - Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageIndex BlockType invalid: \x72\x69
32.032s - Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages BlockType invalid: \x72\x69
32.157s - Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components BlockType invalid: \x72\x69
32.375s - Microsoft\Windows\CurrentVersion\SideBySide\Winners BlockType invalid: \x72\x69
32.469s - Microsoft\Windows\CurrentVersion\WINEVT\Channels BlockType invalid: \x72\x69
32.594s - Microsoft\WindowsRuntime\ActivatableClassId BlockType invalid: \x72\x69
32.641s - Microsoft\WindowsRuntime\CLSID BlockType invalid: \x72\x69
32.953s - WOW6432Node\Microsoft\WindowsRuntime\ActivatableClassId BlockType invalid: \x72\x69
33.078s - WOW6432Node\Microsoft\WindowsRuntime\CLSID BlockType invalid: \x72\x69
33.141s - GetLocalFolderNames: C:\Windows\System32\Config\SOFTWARE loaded successfully. Opening key: Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
33.172s - GetLocalFolderNames: Key Microsoft\Windows\CurrentVersion\Explorer\Shell Folders found. Number of values: 12
33.235s - GetLocalFolderNames: Found value: "Common Administrative Tools"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools"
33.266s - GetLocalFolderNames: Found value: "Common AppData"="C:\ProgramData"
33.297s - GetLocaFolderNames: Common AppData C:\ProgramData
33.313s - GetLocaFolderNames: CommonAppDataLocalName ProgramData
33.328s - GetLocalFolderNames: Found value: "Common Desktop"="C:\Users\Public\Desktop"
33.360s - GetLocalFolderNames: Found value: "Common Documents"="C:\Users\Public\Documents"
33.375s - GetLocaFolderNames: Common Documents C:\Users\Public\Documents
33.438s - GetLocaFolderNames: DocumentsAndSettingsLocalName Users
33.469s - GetLocalFolderNames: Found value: "Common Programs"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
33.500s - GetLocalFolderNames: Found value: "Common Start Menu"="C:\ProgramData\Microsoft\Windows\Start Menu"
33.532s - GetLocalFolderNames: Found value: "Common Startup"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
33.610s - GetLocalFolderNames: Found value: "Common Templates"="C:\ProgramData\Microsoft\Windows\Templates"
33.688s - GetLocalFolderNames: Found value: "CommonMusic"="C:\Users\Public\Music"
33.750s - GetLocalFolderNames: Found value: "CommonPictures"="C:\Users\Public\Pictures"
33.844s - GetLocalFolderNames: Found value: "CommonVideo"="C:\Users\Public\Videos"
33.875s - GetLocalFolderNames: Found value: "OEM Links"="C:\ProgramData\OEM\Links"
33.907s - GetLocalFolderNames: Registry Info drive: C
33.922s - LocalOSEnv::GetNextUser start
33.953s - LocalOSEnv::GetNextUser xp check
33.969s - LocalOSEnv::GetNextUser cleanup profile path
33.985s - LocalOSEnv::GetNextUser win7/mac check
34.016s - LocalOSEnv::GetNextUser cleanup profile path
34.032s - .
34.047s - ..
34.078s - All Users
34.094s - LocalOSEnv::GetNextUser finish
34.125s - GetLocalFolderNames: registryFile: C:\Users\All Users\NTUSER.DAT
34.141s - CreateTempRegFileIfNeeded: A
34.172s - CreateTempRegFileIfNeeded: B
34.188s - CreateTempRegFileIfNeeded: E
34.328s - GetLocaFolderNames: Registry Info: Could not load C:\Users\All Users\NTUSER.DAT
34.360s - Could not open file, error: 2
34.375s - LocalOSEnv::GetNextUser start
34.407s - Default
34.422s - LocalOSEnv::GetNextUser finish
34.438s - GetLocalFolderNames: registryFile: C:\Users\Default\NTUSER.DAT
34.469s - CreateTempRegFileIfNeeded: A
34.516s - CreateTempRegFileIfNeeded: B
34.563s - CreateTempRegFileIfNeeded: E
34.610s - LocalOSEnv::GetNextUser start
34.657s - Default User
34.672s - LocalOSEnv::GetNextUser finish
34.688s - GetLocalFolderNames: registryFile: C:\Users\Default User\NTUSER.DAT
34.750s - CreateTempRegFileIfNeeded: A
34.766s - CreateTempRegFileIfNeeded: B
34.797s - CreateTempRegFileIfNeeded: E
34.813s - LocalOSEnv::GetNextUser start
34.828s - Default.migrated
34.844s - LocalOSEnv::GetNextUser finish
34.891s - GetLocalFolderNames: registryFile: C:\Users\Default.migrated\NTUSER.DAT
34.969s - CreateTempRegFileIfNeeded: A
35.047s - CreateTempRegFileIfNeeded: B
35.125s - CreateTempRegFileIfNeeded: E
35.172s - GetLocaFolderNames: Registry Info: Could not load C:\Users\Default.migrated\NTUSER.DAT
35.188s - Could not open file, error: 2
35.203s - LocalOSEnv::GetNextUser start
35.235s - desktop.ini
35.250s - Lew
35.282s - LocalOSEnv::GetNextUser finish
35.313s - GetLocalFolderNames: registryFile: C:\Users\Lew\NTUSER.DAT
35.328s - CreateTempRegFileIfNeeded: A
35.360s - CreateTempRegFileIfNeeded: B
35.375s - CreateTempRegFileIfNeeded: C
35.407s - CreateTempRegFileIfNeeded: DA
35.422s - CreateTempRegFileIfNeeded: DB
35.438s - CreateTempRegFileIfNeeded: DC
35.469s - ShadowCopyFiles entry
35.485s - ShadowCopyFiles: Trying to create shadow volume
35.500s - CreateShadowVolumeForFC entry
35.532s - CreateShadowVolumeForFC Initialize VSS client
35.578s - CreateShadowVolumeForFC Get unique vol name for: C:\
35.594s - unique vol name: \\?\Volume{38d9f3bf-7727-40fa-b5d0-3504ca271250}\
35.610s - CreateShadowVolumeForFC create snapshot set
42.750s - CreateShadowVolumeForFC getLatestSnapshotIdListt
42.844s - CreateShadowVolumeForFC GetSnapshotDeviceName
42.875s - CreateShadowVolumeForFC exit
42.891s - ShadowCopyFiles: created shadow volume
42.922s - ShadowCopyFiles: 1 files to copy
42.938s - ShadowCopyFiles: curent file: C:\Users\Lew\NTUSER.DAT
42.953s - ShadowCopyFiles: SourceFile: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy9\Users\Lew\NTUSER.DAT
42.985s - ShadowCopyFiles: DestFile: C:\ProgramData\PassMark\OSForensics\Temp\10756\4B1AA9AD2A09EF66D7CD301855A32979
43.500s - ShadowCopyFiles done
43.782s - GetLocaFolderNames: AppDataLocalName
43.938s - GetLocaFolderNames: HistoryLocalName
43.953s - GetLocaFolderNames: LocalAppDataLocalName
44.063s - GetLocaFolderNames: RecentLocalName
44.110s - LocalOSEnv::GetNextUser start
44.157s - Public
44.203s - LocalOSEnv::GetNextUser finish
44.282s - LocalOSEnv::GetNextUser start
44.344s - LocalOSEnv::GetNextUser xp check
44.391s - LocalOSEnv::GetNextUser cleanup profile path
44.422s - LocalOSEnv::GetNextUser win7/mac check
44.453s - LocalOSEnv::GetNextUser cleanup profile path
44.563s - .
44.594s - ..
44.641s - All Users
44.688s - LocalOSEnv::GetNextUser finish
44.735s - LocalOSEnv::GetNextUser start
44.813s - Default
44.953s - LocalOSEnv::GetNextUser finish
45.063s - LocalOSEnv::GetNextUser start
45.125s - Default User
45.235s - LocalOSEnv::GetNextUser finish
45.313s - LocalOSEnv::GetNextUser start
45.344s - Default.migrated
45.407s - LocalOSEnv::GetNextUser finish
45.438s - LocalOSEnv::GetNextUser start
45.485s - desktop.ini
45.547s - Lew
45.610s - LocalOSEnv::GetNextUser finish
45.750s - LocalOSEnv::GetNextUser start
45.797s - Public
45.891s - LocalOSEnv::GetNextUser finish
45.953s - LocalOSEnv::GetNextUser start
46.032s - Will
46.078s - LocalOSEnv::GetNextUser finish
46.125s - LocalOSEnv::GetNextUser start
46.157s - LocalOSEnv::GetNextUser ubununtu check
46.188s - LocalOSEnv::GetNextUser cleanup profile path
46.282s - LocalOSEnv::GetNextUser cleanup profile path
46.344s - LocalOSEnv::GetNextUser end