Hi guys,
Come across a few issues with recent versions of IEF, specifically versions 6.52.0766 and 6.70.0447.
One particular concern is that it does not appear to pull out Shareaza search terms from NTUSER.dat, the Shareaza version running on the suspects machine is V2.6.0.0 which isn't exactly new.
The most recent version of IEF (v6.70.0447) fails to acknowledge any Shareaza artefacts at all despite previous IEF versions managing to locate items in Pagesys or unallocated clusters.
Main reason of this post is to alert others that they may be missing important information and to ask if others have experienced similar problems in other areas that should be noted.
It's worth logging this with IEF Support (if you've not already done so) as they're pretty good at getting back to you in a timely fashion.
They have been notified, albeit that the issue was with V2.7 of Shareaza.
They acknowledged that Shareaza had been updated to V2.7.7.0 last month and recommended updating to IEF V6.6.3.0744. But the issue is still there even with an older Shareaza version and an updated IEF.
I've received a further reply, they say that current keyword results are limited to the Searches.dat file and Unallocated clusters, they are looking into adding back NTUSER.dat results soon.
Have you looked at writing a regripper plugin to pull out the search results from the ntuser.dat?
Hopefully IEF support will return soon so I won't have to, currently using AD's Reg Viewer.