Information specific to individual users is maintained in the NTUSER.DAT hive file that is located in the user profile. As such, this file will be discussed in greater detail in chapter Analyzing the System Hives. This file is not part of what we refer to as the Windows Registry, but it does seem to contain data pertinent to forensic analysts and follows the same structure as the Registry hive files.
#ENCASE FREE FILE VIEWER UPDATE#
Then, in January 2015, I noticed that at some point near the end of 2014, update installed on my Windows 7 systems (host systems, as well as testing VMs) had resulted in the AmCache.hve file being created on those systems, as well.
#ENCASE FREE FILE VIEWER WINDOWS 10#
After I created a Windows 10 Technical Preview virtual machine (VM) in VirtualBox, I saw that the Windows 10 system also had this file.
![encase free file viewer encase free file viewer](https://www.oreilly.com/library/view/ence-encase-computer/9781118058985/image_fi/901069bapp02/bapp02f001.png)
I then opened the file in a Registry viewer application (several viewers are discussed in chapter Processes and Tools) and saw that the viewer application did, indeed, parse and display the contents of the file. I initially opened this file in a hex editor and almost immediately noticed that it appeared to have a structure similar to a Registry hive file. When I first began working with a Windows 8 (and later Windows 8.1) system, one of the items about this system was “new,” was the existence of a file named “AmCache.hve” in the C:\Windows\AppCompat\Programs folder. References were also found within the UsrClass.dat registry files when the Dropbox client software was used, but not when a browser was used to access Dropbox. Dropbox software file references were located in the SOFTWARE and SYSTEM registry hives when the Dropbox client software was installed, but not when a browser was used to access or download data from Dropbox.
![encase free file viewer encase free file viewer](https://i.ytimg.com/vi/bw0OsZ0ASsM/maxresdefault.jpg)
Deleted Dropbox information was located within the NTUSER.dat registry files in the Chrome and IE CCleaner-VMs, such as filenames and URL references, but not in the Firefox CCleaner-VM. There were no references to the Dropbox username within the registry files in any of the VMs. Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs **All values printed in MRUList\MRUListEx order. For example, the “RecentDocs” key in the NTUSER.dat registry file provided a list of Dropbox and Enron related files and folders, and a sample RegRipper output is listed as follows:
![encase free file viewer encase free file viewer](https://apprize.best/security/encase/encase.files/image455.png)
In the Upload-VM, Access-VM, and Download-VM registry files, there were references to the Dropbox URL, Dropbox software files and folders, the Dropbox sample files, and the Enron test files. Analysis revealed there were no references to Dropbox or the Enron sample files in the four control Base-VM hard drives. Registry files were analyzed using AccessData Registry Viewer 1.6.3.34 and RegRipper version 20080909.