Find3M Report Specification:

* Enumerate the directories:
  * Program Files
  * Common Program Files
* Enumerate files modified more recently than 3 months ago in:
  * AppData
  * Common App Data
  * Systemdrive
  * Systemroot
  * Systemroot\System32
  * Userprofile
* If the OS is Vista or later, enumerate files modified more than 3 months ago in these directories:
  * All Users' Profile
* The above comprise list 1. Discard entries which neither have one of the extensions bat|cmd|reg|vbs|wsf|vbe|msi|msp|com|pif|ren|vir|tmp|dll|scr|sys|exe|bin|drv nor begin with 'MZ'.
* Enumerate files modified more recently than 3 months ago, recursively, in:
  * Systemroot\System
  * Systemroot\System32\Wbem
  * Systemroot\System32\GroupPolicy\Machine\Scripts\Shutdown
  * Systemroot\System32\GroupPolicy\User\Scripts\Logoff
* This comprises list 2. Discard entries which are not PE executables and have extension com|pif|ren|vir|tmp|dll|scr|sys|exe|bin|dat|drv, and entries which are files and have extension bat|cmd|reg|vbs|wsf|vbe|msi|msp.
* Enumerate files beginning with 'MZ' in the following directory:
  * Systemroot\System32\Spool\prtprocs\w32x86
* If this is a 64-bit machine:
  * Enumerate the following directories:
    * Program Files (x86)
    * Common Program Files (x86)
  * Enumerate files modified more recently than three months ago in:
    * Systemroot\Syswow64
  * Enumerate files modified more recently than three months ago, recursively, in:
    * Systemroot\Syswow64\Drivers
    * Systemroot\Syswow64\wbem
  * This forms list 3. Follow the same rules as for list 1 when throwing out entries.
* Enumerate files modified in the last 3 months in the following directories, recursively:
  * %Systemroot%\java
  * %Systemroot%\msapps
  * %Systemroot%\pif
  * %Systemroot%\Registration
  * %Systemroot%\help
  * %Systemroot%\web
  * %Systemroot%\pchealth
  * %Systemroot%\srchasst
  * %Systemroot%\tasks
  * %Systemroot%\apppatch
  * %Systemroot%\Internet Logs
  * %Systemroot%\Media
  * %Systemroot%\prefetch
  * %Systemroot%\cursors
  * %Systemroot%\inf
* This forms list 4. Follow the same rules as for list 1 when throwing out entries.
* Enumerate files in Systemroot\fonts recursively which either are larger than 1500 bytes, are MZ executables and have extension com|pif|ren|vir|tmp|dll|scr|sys|exe|bin|dat|drv, or are files between 1500 and 2000 bytes in size. This forms list 5.
* Combine lists 1-5.
* Sort according to creation date.
* A run is defined as a set of files where, for each file N, the time difference between file N and file N + 1 is less than one second.
* Remove runs which contain more than 12 files.
* Remove files/directories in the whitelist.
* Remove files/directories already enumerated as part of Find1M.
* Chop to a maximum of 100 lines (and report if the chop occurred).
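As an added example (not the report generator's own code), the post-enumeration stages of the spec in Python: the list-1 extension/'MZ' filter, sorting by creation date, the one-second run grouping, the 12-file run cutoff, whitelist/Find1M removal, and the 100-line chop with its flag, run over constructed in-memory records rather than a live filesystem. The record layout (`path`, `ctime`, `head`) and the sample paths are assumptions.

```python
import ntpath
from datetime import datetime, timedelta

# Extensions the spec keeps for list 1; anything else must start with 'MZ'.
LIST1_EXTS = set("bat cmd reg vbs wsf vbe msi msp com pif ren vir tmp dll scr sys exe bin drv".split())

def keep_list1(path, head):
    """List-1 discard rule: keep if the extension is listed or the file header begins with 'MZ'."""
    ext = ntpath.splitext(path)[1].lstrip(".").lower()
    return ext in LIST1_EXTS or head.startswith(b"MZ")

def split_runs(entries):
    """Group entries already sorted by creation time into runs: consecutive files < 1 s apart."""
    runs = []
    for e in entries:
        if runs and (e["ctime"] - runs[-1][-1]["ctime"]) < timedelta(seconds=1):
            runs[-1].append(e)
        else:
            runs.append([e])
    return runs

def build_report(entries, whitelist, find1m, max_run=12, max_lines=100):
    """Sort, drop runs longer than max_run, drop whitelisted/Find1M paths, chop to max_lines."""
    ordered = sorted(entries, key=lambda e: e["ctime"])
    kept = [e for run in split_runs(ordered) if len(run) <= max_run for e in run]
    skip = {p.lower() for p in whitelist} | {p.lower() for p in find1m}
    lines = [f'{e["ctime"]:%Y-%m-%d %H:%M:%S}  {e["path"]}' for e in kept if e["path"].lower() not in skip]
    return lines[:max_lines], len(lines) > max_lines   # (report lines, chop occurred?)

def sample_entries():
    """Constructed sample: a 15-file burst 200 ms apart (an update-style run) plus three isolated files."""
    t0 = datetime(2024, 3, 1, 12, 0, 0)
    burst = [{"path": f"C:\\Windows\\System32\\upd{i}.dll", "ctime": t0 + timedelta(milliseconds=200 * i),
              "head": b"MZ\x90"} for i in range(15)]
    singles = [
        {"path": "C:\\Windows\\System32\\foo.exe", "ctime": t0 + timedelta(hours=1), "head": b"MZ\x90"},
        {"path": "C:\\Windows\\System32\\legit.sys", "ctime": t0 + timedelta(hours=2), "head": b"MZ\x90"},
        {"path": "C:\\Users\\Public\\notes.txt", "ctime": t0 + timedelta(hours=3), "head": b"hello"},
    ]
    return burst + singles

if __name__ == "__main__":
    entries = [e for e in sample_entries() if keep_list1(e["path"], e["head"])]
    lines, chopped = build_report(entries, whitelist=["C:\\Windows\\System32\\legit.sys"], find1m=[])
    print("\n".join(lines) + ("\n(report chopped)" if chopped else ""))
```

With the constructed sample, the 15-file burst is discarded as a run, notes.txt fails the list-1 filter, legit.sys is whitelisted, and only foo.exe reaches the report.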