Wrong inode number used for muicache from usrclass.dat on slide NIST_Data...01_...pptx #11
Description
Hi,
I've observed, that the muicache sample on slide NIST_Data_Leakage_01_Registry_Correction.pptx uses the wrong inode number. (Slide 52, last page).
Would it be correct like the following?
`┌──(root㉿forensiclinux)-[/FORENSIC/lab_data_leaks_Win]
└─# fls -rF -o 206848 cfreds_2015_data_leakage_pc.dd|grep -i usrclass.dat$
r/r 63765-128-3: Users/admin11/AppData/Local/Microsoft/Windows/UsrClass.dat
r/r 13929-128-3: Users/informant/AppData/Local/Microsoft/Windows/UsrClass.dat
r/r 70107-128-3: Users/temporary/AppData/Local/Microsoft/Windows/UsrClass.dat
┌──(root㉿forensiclinux)-[/FORENSIC/lab_data_leaks_Win]
└─# icat -o 206848 cfreds_2015_data_leakage_pc.dd 13929 > usrclass_informant.dat
┌──(root㉿forensiclinux)-[/FORENSIC/lab_data_leaks_Win]
└─# rip.pl -r usrclass_informant.dat -p muicache
Launching muicache v.20200525
muicache v.20200525
(NTUSER.DAT,USRCLASS.DAT) Gets EXEs from user's MUICache key
Software\Microsoft\Windows\ShellNoRoam\MUICache not found.
Local Settings\Software\Microsoft\Windows\Shell\MUICache
LastWrite Time 2015-03-25 15:29:12Z
C:\Windows\system32\WFS.exe (Microsoft Windows Fax and Scan)
C:\Program Files\Internet Explorer\iexplore.exe (Internet Explorer)
C:\Users\informant\Desktop\Download\IE11-Windows6.1-x64-en-us.exe (Internet Explorer 11 Setup utility)
C:\Windows\System32\xpsrchvw.exe (XPS Viewer)
`