===========================================================================
----------------- SYSTEM INFORMATION ----------------------
Operating System:Windows XP Service Pack 1
Operating System Version: 5.1.2600
User Information:
Owner:
Organization:
Admin: No
Admin Rights: Yes
Network Information:
Host: TEST
User: aaa
IP: 192.168.192.133
NIC: 000c29e2a738
Domain:
Detected Drives:
A:\ (Removable drive)
C:\ (Logical drive)
D:\ (CD/DVD-ROM drive)
E:\ (Logical drive)
F:\ (Logical drive)
-----------------------------------------------------------
10:46:20 - Helix displayed the System Information page.
10:46:30 - Helix displayed the Live Acquisition page.
10:57:51 - The Acquire button was executed.
10:57:54 - A live Acquisition was made with the following options:
dd.exe if=\\.\PhysicalMemory of="h:\suspect_memory_image.dd" conv=noerror --md5sum --verifymd5 --md5out="h:\suspect_memory_image.dd.md5" --log="h:\suspect_memory_image.dd_audit.log"
11:19:41 - Helix displayed the Live Acquisition page 2.
11:19:54 - Helix displayed the Incident Response page 1.
11:20:01 - Helix displayed the Incident Response page 2.
11:21:39 - The WinAudit utility was executed successfully.
11:26:04 - The PC On/Off Time checker program was executed successfully.
11:27:06 - Helix displayed the Incident Response page 3.
11:27:23 - The Protected Storage viewer program was executed.
11:27:49 - Helix displayed the Incident Response page 2.
11:27:52 - Helix displayed the Incident Response page 1.
###################### INVESTIGATIVE NOTES ################################
###########################################################################
===========================================================================
Helix Stopped on: 07/18/2008 at 11:28:55