I'm trying to tie the VSN which is parsed from JumpLists and .LNK files (I used TZWorks LP64/JMP64) to the VSN which is parsed from the EMDMGMT key (Harlan's EMDMGMT plugin); I am aware that this doesn't always work as VSNs can change on devices. I have already determined using the TZWorks product (and backed up with others) that the user (who has handed in his notice and is moving to a competitor) had accessed some files which wouldn't normally be within his remit on external media, now I've been asked to identify the specific media if I can.
But none of the VSNs from TZWorks output appears in the EMDMGMT key (I have checked manually). In fact, there are only 4 keys under the EMDMGMT key, compared to 72 records extracted by a couple of different USB analysis products. The software hive is approx 60MB and apparently has a creation date of 14th July 2009 and modification date of 21st July 2015, both of which make sense.
So I have two questions (a) is there another method of identifying specifically which media files were accessed on, and (b) what could have happened to the Software hive file that there are so few EMDMGMT keys? I'm pretty sure that the answer to (a) is 'no' but would feel a whole heap better with confirmation.
I'm working from a single-segment DD image made off-line using FTK Imager Lite from a WinFE USB stick
System is Win7 Enterprise SP1
Cheers
Is a possible answer that ReadyBoost was disabled as the internal drive is SSD?
I'm not in a position to tell if the drive was SSD as I wasn't able to remove it from the host (lifting tab was ripped and I was pushed for time as well) - but from the Dell manual it looked more like a SATA drive than SSD (
Also, there are a couple of EMDMGMT records with last write times of around the date/time of when the system was installed - surely if ReadyBoost was disabled then it was disabled and wouldn't be Enabled then Disabled?
Comments welcome
Cheers