reg query "HKLM\SYSTEM\ControlSet001\Services\DOLLARS ON THE NET"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DOLLARS ON THE NET
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \??\C:\Shift4\UTIL\dotn_pa.exe
    DisplayName    REG_SZ    DOLLARS ON THE NET PA-DSS Module
    ObjectName    REG_SZ    LocalSystem
    Description    REG_SZ    Provides PA-DSS validated payment application processing and web service communications.
    WOW64    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DOLLARS ON THE NET\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DOLLARS ON THE NET\Security

reg query "HKLM\SYSTEM\ControlSet002\Services\DOLLARS ON THE NET"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DOLLARS ON THE NET
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \??\C:\Shift4\UTIL\dotn_pa.exe
    DisplayName    REG_SZ    DOLLARS ON THE NET PA-DSS Module
    ObjectName    REG_SZ    LocalSystem
    Description    REG_SZ    Provides PA-DSS validated payment application processing and web service communications.
    WOW64    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DOLLARS ON THE NET\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DOLLARS ON THE NET\Security

reg query "HKLM\SYSTEM\CurrentControlSet\Services\DOLLARS ON THE NET"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DOLLARS ON THE NET
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \??\C:\Shift4\UTIL\dotn_pa.exe
    DisplayName    REG_SZ    DOLLARS ON THE NET PA-DSS Module
    ObjectName    REG_SZ    LocalSystem
    Description    REG_SZ    Provides PA-DSS validated payment application processing and web service communications.
    WOW64    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DOLLARS ON THE NET\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DOLLARS ON THE NET\Security

reg query "HKLM\SYSTEM\ControlSet001\Services\DOLLARS ON THE NET"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DOLLARS ON THE NET
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \??\C:\Shift4\UTIL\dotn_pa.exe
    DisplayName    REG_SZ    DOLLARS ON THE NET PA-DSS Module
    ObjectName    REG_SZ    LocalSystem
    Description    REG_SZ    Provides PA-DSS validated payment application processing and web service communications.
    WOW64    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DOLLARS ON THE NET\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DOLLARS ON THE NET\Security

reg query "HKLM\SYSTEM\ControlSet002\Services\DOLLARS ON THE NET"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DOLLARS ON THE NET
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \??\C:\Shift4\UTIL\dotn_pa.exe
    DisplayName    REG_SZ    DOLLARS ON THE NET PA-DSS Module
    ObjectName    REG_SZ    LocalSystem
    Description    REG_SZ    Provides PA-DSS validated payment application processing and web service communications.
    WOW64    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DOLLARS ON THE NET\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DOLLARS ON THE NET\Security

reg query "HKLM\SYSTEM\CurrentControlSet\Services\DOLLARS ON THE NET"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DOLLARS ON THE NET
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \??\C:\Shift4\UTIL\dotn_pa.exe
    DisplayName    REG_SZ    DOLLARS ON THE NET PA-DSS Module
    ObjectName    REG_SZ    LocalSystem
    Description    REG_SZ    Provides PA-DSS validated payment application processing and web service communications.
    WOW64    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DOLLARS ON THE NET\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DOLLARS ON THE NET\Security

From: J.D. Oder II
To: Taylor Oder
Sent: 1/18/2019 9:15:15 AM EST
Subject:

You are going to be the best man at my wedding

From: Taylor Oder
To: J.D. Oder II
Sent: 1/18/2019 9:15:28 AM EST
Subject:

Dude..........

From: J.D. Oder II
To: Taylor Oder
Sent: 1/18/2019 9:15:50 AM EST
Subject:

You always have been and always will be the best man i know

From: Taylor Oder
To: J.D. Oder II
Sent: 1/18/2019 9:16:01 AM EST
Subject:

I love you man. I am honored

From: J.D. Oder II
To: Taylor Oder
Sent: 1/18/2019 9:16:45 AM EST
Subject:

Now let's go kick some ass. The offer letter went out for signature this morning. I also gave him equity in the parent so he is fully aligned

From: Taylor Oder
To: J.D. Oder II
Sent: 1/18/2019 9:20:17 AM EST
Subject:

I think that's great. You are building a fucking army.

From: J.D. Oder II
To: Taylor Oder
Sent: 1/18/2019 12:31:37 PM EST
Subject:

So I just got off the phone with [REDACTED] and at first he was pissed about the comp and I explained to him that the equity covers that and that once this thing turns into a rocket ship he is going to make so much fucking money and the equity is just an added bonus. He now sounds happy and will sign the offer letter today. I just can't believe that  [REDACTED] ,  [REDACTED] And [REDACTED] Have all agree to offers for compensation packages that are far less than their current pay. The vision is compelling and they are seeing through the short term pain.

From: Taylor Oder
To: J.D. Oder II
Sent: 1/18/2019 12:33:29 PM EST
Subject:

You should do a conf call and tell them how excited you are to have them all.

From: J.D. Oder II
To: Nate Hirshberg
Sent: 1/18/2019 3:44:06 PM EST
Subject: Re:

Hell yeah!

From: Nate Hirshberg
To: J.D. Oder II
Sent: 1/18/2019 3:43:29 PM EST
Subject: Re:

We got ourselves a squad! Welcome [REDACTED]!

From: J.D. Oder II
To: Dan Charron
Sent: 5/8/2019 10:38:24 PM EST
Subject:

Hey quick question... when you ran global payments at first data did you run that whole division or were their other
people above you

From: Dan Charron
To: J.D. Oder II
Sent: 5/8/2019 10:38:45 PM EST
Subject:

Above and below

From: J.D. Oder II
To: Taylor Oder
Sent: 6/10/2019 10:16:59 PM EST
Subject:

So for the next few days I have back to back 15 minute meetings scheduled with the people I want to get offers out to

From: Taylor Oder
To: J.D. Oder II
Sent: 6/10/2019 10:17:13 PM EST
Subject:

Perfect.

From: J.D. Oder II
To: Taylor Oder
Sent: 6/10/2019 10:17:23 PM EST
Subject:

The goal is to do 3 this week

From: J.D. Oder II
To: Taylor Oder
Sent: 6/10/2019 10:17:44 PM EST
Subject:

And then gauge each week from there depending on how the first 3 accept

From: Taylor Oder
To: J.D. Oder II
Sent: 6/11/2019 9:19:47 AM EST
Subject:

How did Don take the news?

From: J.D. Oder II
To: Taylor Oder
Sent: 6/11/2019 9:20:03 AM EST
Subject:

He acted weird.

From: J.D. Oder II
To: Taylor Oder
Sent: 6/11/2019 9:20:39 AM EST
Subject:

Said he loves working here and the team but this is a once in a lifetime opportunity

From: J.D. Oder II
To: Taylor Oder
Sent: 6/11/2019 9:21:11 AM EST
Subject:

Said he is rooting for me from a far and is going to miss me a ton and that I "built a rockstar team"

From: Taylor Oder
To: J.D. Oder II
Sent: 6/11/2019 9:21:34 AM EST
Subject:

That's good man. I'm glad he didn't threaten you.

From: Taylor Oder
To: J.D. Oder II
Sent: 7/14/2019 5:42:41 AM EST
Subject:

I should have clarified. I'm going to send a summary of payments news, not shift4 capabilities.

From: J.D. Oder II
To: Taylor Oder
Sent: 7/14/2019 5:43:10 AM EST
Subject:

Ok

From: R[REDACTED]
To: J.D. Oder II
Sent: 7/26/2019 12:02:12 PM EST
Subject:

Got It! I'll let you know if anything comes back.

From: J.D. Oder II
To: [REDACTED]
Sent: 7/26/2019 12:01:48 PM EST
Subject:

Perfect. I'm going to recirculate it in a few days too.

From: [REDACTED]
To: J.D. Oder II
Sent: 7/26/2019 12:01:28 PM EST
Subject:

Resend it to me

From: J.D. Oder II
To: [REDACTED]
Sent: 7/26/2019 12:01:15 PM EST
Subject:

It will get flagged

From: [REDACTED]
To: J.D. Oder II
Sent: 7/26/2019 12:01:11 PM EST
Subject:

Yeah

From: J.D. Oder II
To: [REDACTED]
Sent: 7/26/2019 12:01:01 PM EST
Subject:

If you reply all they can track that

From: [REDACTED]
To: J.D. Oder II
Sent: 7/26/2019 12:00:47 PM EST
Subject:

Just don't include me I. The email

From: J.D. Oder II
To: [REDACTED]
Sent: 7/26/2019 12:00:36 PM EST
Subject:

I'm on it.

From: J.D. Oder II
To: [REDACTED]
Sent: 7/26/2019 12:00:33 PM EST
Subject:

I have their personal emails

From: [REDACTED]
To: J.D. Oder II
Sent: 7/26/2019 12:00:23 PM EST
Subject:

Ok. Do u have all of their personal emails?

From: J.D. Oder II
To: [REDACTED]
Sent: 7/26/2019 12:00:19 PM EST
Subject:

I need you on this

From: J.D. Oder II
To: [REDACTED]
Sent: 7/26/2019 12:00:14 PM EST
Subject:

I'm using a shift4 email

    REPORT
    Forensic Report of J.D. Oder II's Windows Registry
    Prepared For:
    Shift4 Payments, LLC
    Prepared By:
    4Discovery
    May 13, 2022
    4Discovery Project Number: 21-088-003

INTRODUCTION
4Discovery was engaged by Shift4 Payments, LLC ("Shift4") to perform a forensic
analysis of the Windows Registry extracted from the following computer system (collectively,
the "Subject Computer"):
• Dell laptop, model Latitude 5400, assigned to J.D. Oder, service tag 9FF413 (the "Oder
Laptop").1
4Discovery understands that, during the relevant time period, J.D. Oder II ("Oder") was
employed by Card Connect, LLC ("CardConnect"), a subsidiary of First Data Corporation and
Fiserv, Inc. (collectively, "Fiserv"). 4Discovery further understands that Oder resigned from
CardConnect on or around June 10, 2019 and subsequently began working for Shift4.
1 The Oder Laptop was imaged by D4 LLC on or about August 19, 2021. That image was subsequently provided to
4Discovery for purposes of this analysis.
21-088-003
Page 1 of 17

At the request of Shift4, this report summarizes 4Discovery's analysis of the Windows
Registry related to the following:
• Evidence of USB storage devices connected to the Oder Laptop;
• Evidence of Oder mounting the image of a laptop assigned to Nicole Ward
("Ward")2 connected to the Oder Laptop;
• Evidence of anti-forensic and/or wiping tools installed or executed on the Oder
Laptop, including CCleaner, Eraser, and BleachBit; and
• Evidence regarding the execution, deletion, and/or existence of files identified
on the Oder Laptop and determined to be responsive to certain requests for
production propounded by Fiserv in the above-referenced matter.
2 D4 LLC extracted and provided a forensic image of the computer assigned to Nicole Ward. The forensic image file
had a name of "LWG3MP3-Nicole-Ward-E01-20210820-105407.E01." D4 LLC indicated that the original computer
was a Dell Latitude 5490 assigned to Nicole Ward.
21-088-003
Page 2 of 17

SUMMARY OF FINDINGS
USB Storage Devices
•    At least 20 unique USB storage devices were connected to the Oder Laptop during
the relevant time. See Appendix A for a list of USB storage devices identified by
4Discovery.
Nicole Ward Image
•    On June 10, 2019, at 9:26:25 PM UTC, the image of Nicole Ward's computer was
mounted to the Oder Laptop via a USB connection of a storage device containing
that image.
Anti-Forensic and/or Wiping Tools
•    Registry artifacts indicate that CCleaner was installed and run on the Oder Laptop.
Specifically, CCleaner.exe had a file path of "C:\Program Files\CCleaner\CCleaner.exe"
and was installed on March 7, 2019, at 8:24:40 PM UTC. The last recorded execution of
CCleaner was June 10, 2019, at 9:40:01 PM UTC.
Production Files
•    The Windows Registry contained evidence regarding the existence, execution,
and/or deletion of certain files responsive to Fiserv's production requests, as
identified to 4Discovery by counsel for Shift4. A more detailed description of this
evidence is outlined in Appendix B.
21-088-003

Page 3 of 17

METHODOLOGY
4Discovery utilized EnCase Forensic v8.12 ("Encase") to analyze the Windows Registry
extracted from the Oder Laptop. Below is a description of the artifacts reviewed to complete
this report. Consistent with digital forensic best practices, 4Discovery verified its findings using
the Windows Registry navigation tool, RegRipper.
USB Storage Devices
To identify evidence of USB storage devices connected to the Oder Laptop, 4Discovery
reviewed the following Windows Registry artifacts.
USBSTOR
The USBSTOR key is created by the system upon the enumeration of a USB device, which
generally occurs when a USB device is connected to the system. The USBSTOR key contains
information about USB storage devices that have been connected to the computer.
The USBSTOR key is located in the following location in the SYSTEM hive:
•    SYSTEM\ControlSet00x\Enum\USBSTOR3
The USBSTOR key contains subkeys that are typically formatted as follows:
Disk&Ven_[VENDOR]&Prod_[PRODUCT]&Rev_[REVISION]
[SERIAL_NUMBER]
The [SERIAL_NUMBER] subkey is unique to each USB storage device. If a USB
storage device does not have a serial number, Windows will automatically create a unique
serial number.
3 "ControlSet00x" refers to the multiple Control Sets that exist within the Windows Registry, where "x" is a numeral.
Forensic tools often examine multiple Control Sets (e.g., ControlSet001, ControlSet002) to ensure comprehensive
analysis, as the active control set can vary.
21-088-003

Page 4 of 17

Mounted Devices
The MountedDevices key is a registry key that contains information about all mounted
devices, such as USB drives, CD/DVD drives, and network shares. It is located under the
following registry path:
•    SYSTEM\MountedDevices
The MountedDevices key contains a list of all mounted devices, along with their associated
drive letters and volume GUIDs. Each entry in the key has a value name that represents the
drive letter or volume GUID, and a value data that contains a binary structure with device
information.
When a USB storage device is connected, the operating system creates an entry in the
MountedDevices key. This entry is used to track volume information and the assigned drive
letter for future use.
DeviceClasses
The DeviceClasses key is a registry key that stores information about all device classes
installed on the computer. It is located under the following registry path:
•    SYSTEM\CurrentControlSet\Control\DeviceClasses
Each device class is represented by a GUID-named subkey. The subkeys contain information
about each device that belongs to that class.
When a USB storage device is connected to the system, a new entry is created under the
corresponding device class subkey. One of the tracked device classes is portable devices, which
is listed under the GUID of {884b96c3-56ef-11d1-bc8c-00a0c91405dd}. When a new USB
storage device is connected, subkeys are created relating to the specific USB device and
tracking when the device was connected.
21-088-003

Page 5 of 17

Nicole Ward Image
To identify whether the image file of Nicole Ward's computer was mounted to the Oder
Laptop, 4Discovery reviewed the USBSTOR and MountedDevices keys in the SYSTEM hive
(described above).
Anti-Forensic and/or Wiping Tools
To locate evidence of anti-forensic and/or wiping tools, 4Discovery analyzed the following
the Windows Registry artifacts.
ShimCache
The ShimCache, also known as Application Compatibility Cache, is a component of the
Windows operating system designed to identify application compatibility issues. ShimCache
stores various metadata about files, including the full file path, file size, last modified time, and
last execution time.
The ShimCache entries are located in the following locations in the SYSTEM hive:
•    SYSTEM\ControlSet00x\Control\Session Manager\AppCompatCache
4Discovery reviewed the ShimCache entries to determine whether there was
evidence of the execution of wiping and/or anti-forensic tools, such as CCleaner, Eraser,
and BleachBit.
21-088-003

Page 6 of 17

UserAssist
The UserAssist key is a registry key that records information about programs executed by a
specific user through the Windows graphical user interface (GUI). It tracks data such as the
name of the executable, the full file path, the number of times the program was run, and the
last execution time. The UserAssist key is located under the following registry path:
•    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
The UserAssist key contains subkeys, each identified by a GUID. Within each GUID subkey,
there are further subkeys, including a "Count" subkey. This "Count" subkey stores the execution
information.
4Discovery reviewed the UserAssist key entries to determine whether there was
evidence of the execution of wiping and/or anti-forensic tools, such as CCleaner, Eraser, and
BleachBit.
MUICache
The MUICache (Multilingual User Interface Cache) is a registry key that stores a list of
applications executed on the system. The MUICache entry contains information about executable
names, which may include the file path. The MUICache key is located under the following
registry path:
•    SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
4Discovery reviewed the MUICache key entries to determine whether there was
evidence of the execution of wiping and/or anti-forensic tools, such as CCleaner, Eraser, and
BleachBit.
21-088-003
Page 7 of 17

Installed Programs
To determine evidence of the installation of anti-forensic and/or wiping tools, 4Discovery
analyzed the Uninstall key. The Uninstall key keeps a record of programs that have been
installed on a Windows system and includes information, including the name of the program
and its installation location.
The Uninstall key is in the following locations in the SOFTWARE hive:
•    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
•    SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Production Files
To locate evidence of files Fiserv requested for production (the "Production Files"),
4Discovery analyzed UserAssist, ShimCache, and MUICache entries, described above.
Additionally, 4Discovery analyzed the following Windows Registry artifacts.
OpenSavePidlMRU
The OpenSavePidlMRU (Most Recently Used) key is a registry key that stores a list of files
that have been opened or saved using the common file dialog box. This key tracks the
filenames, paths, and extensions of the files accessed through this dialog. The
OpenSavePidlMRU key is located under the following registry path:
•    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
Within the OpenSavePidlMRU key, subkeys are organized by file type, such as "docx" or
"pdf," and each subkey contains a list of recently opened or saved files of that type ordered
by a numerical value. 4Discovery reviewed the OpenSavePidlMRU to determine whether
there was evidence of the Production Files.
21-088-003

Page 8 of 17

LastVisitedPidlMRU
Similar to the OpenSavePidlMRU, the LastVisitedPidlMRU key is a registry key that stores
a list of the last locations accessed by the user through the common file dialog box. However,
the LastVisitedPidlMRU key keeps a record of the locations used to open files and the
locations used to save files. The LastVisitedPidlMRU key is located under the following
registry path:
•    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
4Discovery reviewed the LastVisitedPidlMRU to determine whether there was
evidence of the Production Files being opened or saved.
RunMRU
The RunMRU key is a registry key that maintains a list of commands executed via the "Run"
dialog box. This key tracks the commands entered by the user, which could include executable
files, scripts, or system commands. The RunMRU key is located under the following registry path:
•    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Each command is stored as a string value with an associated letter, and an additional
"MRUList" value specifies the order in which the commands were executed. 4Discovery
reviewed the RunMRU to determine whether there was evidence of the Production Files.
RecentDocs
The RecentDocs key is a registry key that keeps track of recently opened documents. The
RecentDocs key is organized by file extension and contains MRU entries, keeping a record of
the files that have been opened by a particular user. The RecentDocs key is located under the
following registry path:
•    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
4Discovery reviewed the RecentDocs to determine whether there was evidence of the
Production Files.
21-088-003

Page 9 of 17

ShellBags
The ShellBags keys are a set of registry keys that store information about the views and
settings of folders. These keys record details such as folder display settings, icon sizes, window
positions, and sort order. ShellBags keys are located under the following registry paths:
•    USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
•    USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
•    SOFTWARE\Microsoft\Windows\Shell\Bags
•    SOFTWARE\Microsoft\Windows\Shell\BagMRU
When a user opens and interacts with a folder, the operating system creates or updates entries
within the ShellBags keys. These entries store the folder's unique identifier, known as its
Shell ID, along with its configuration. 4Discovery reviewed the ShellBags to determine whether
there was evidence of the Production Files.
WordWheelQuery
The WordWheelQuery key is a registry key that stores a history of searches made through
Windows Explorer. The WordWheelQuery key is located in the following locations in the
SOFTWARE hive:
•    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
4Discovery reviewed the WordWheelQuery entries to determine whether there was
evidence of searches relating to the Production Files.
21-088-003

Page 10 of 17

FINDINGS
USB Storage Devices
4Discovery identified the following artifacts regarding USB storage devices connected to
the Oder Laptop.
USBSTOR
4Discovery identified at least 20 unique USB storage devices that were connected to the
Oder Laptop between March 29, 2019, and June 10, 2019. The last write time of [SERIAL_NUMBER]
subkey from the USBSTOR key reflects the last time a particular USB storage device
connected to the-computer.
The table in Appendix A identifies each of those USB devices and includes information
such as the vendor, product, serial number, and the last time the [SERIAL_NUMBER] subkey
was written.
Mounted Devices
4Discovery observed that the following registry value name had a last write time of June
10, 2019, at 9:26:25 PM UTC and a registry value data that referenced a device consistent
with a SanDisk Cruzer Glide:
•    \DosDevices\E:
The registry data associated with the "\DosDevices\E:" value name contained the following:
•    ??\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.27#4C532
007011015103471&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
As shown in the table in Appendix A, there was a SanDisk Cruzer Glide device with a serial
number of "4C532007011015103471." The last written time of registry subkey for that device
was also June 10, 2019, at 9:26:25 PM UTC.
21-088-003

Page 11 of 17

Additionally, 4Discovery observed that the following registry value name had a last write
time of June 10, 2019, at 9:26:25 PM UTC and a registry value data that referenced a
removable device:
•    \??\Volume{14d71265-0000-0000-0000-100000000000}
The registry data associated with the above value name contained the following:
•    ??\STORAGE#RemovableMedia#7&3685046&0&RM#{53f5630d-b6bf-11d0-
94f2-00a0c91efb8b}
Nicole Ward Image
Based on 4Discovery's review of the above-referenced registry keys, 4Discovery identified
evidence that a SanDisk Cruzer Glide USB storage device containing the image file of Nicole
Ward's computer was connected to the Oder Laptop on June 10, 2019, at 9:26:25 PM UTC.
The evidence demonstrated that the image was enumerated and mounted as a removable device
assigned to drive letter "E:".
Anti-Forensic and/or Wiping Tools
4Discovery identified the following artifacts regarding the installation and execution of
anti-forensic and/or wiping tools, specifically CCleaner, Eraser, and BleachBit.
ShimCache
The ShimCache contained one entry for "CCleaner.exe" located at "C:\Program
Files\CCleaner\CCleaner.exe." This entry had a last modified date of March 7, 2019, at 8:24:40
PM UTC and a last execution time of June 10, 2019, at 9:36:23 PM UTC.
4Discovery did not identify any ShimCache entries for Eraser or BleachBit.
21-088-003

Page 12 of 17

UserAssist
The UserAssist key contained entries for "CCleaner.exe" with a file path of "C:\Program
Files\CCleaner\CCleaner.exe." The last execution time recorded in the UserAssist key for
CCleaner was June 10, 2019, at 9:40:01 PM UTC.
The UserAssist key also contained one entry for "CCleaner64.exe" with a file path of
"C:\Program Files\CCleaner\CCleaner64.exe." The last execution time recorded in the
UserAssist key for CCleaner64 was May 16, 2019, at 10:14:45 AM UTC.
4Discovery did not identify any UserAssist key entries for Eraser or BleachBit.
MUICache
The MUICache key contained two entries for "CCleaner.exe" with a file path of "C:\Program
Files\CCleaner\CCleaner.exe."
The MUICache key contained one entry for "CCleaner64.exe" with a file path of
"C:\Program Files\CCleaner\CCleaner64.exe."
4Discovery did not identify any MUICache key entries for Eraser or BleachBit.
Installed Programs
The Uninstall key contained one entry for CCleaner, which also contained the following
information:
•    Display Name: CCleaner
•    Install Location: C:\Program Files\CCleaner
•    Publisher: Piriform Software Ltd
•    Install Date: 20190307 (March 7, 2019)
4Discovery did not identify any installed programs relating to Eraser or BleachBit.
21-088-003

Page 13 of 17