[Vol-dev] probably a really dump question RE: the new dumpfiles plugin

Hi, I'd been looking forward to the new dumpfiles plugin for a while, so I immediately downloaded it and tried it out as soon as possible after I saw it had finally been committed to the source tree the other day. (I'm freely admitting I'm using the thing without any documentation, since that still hasn't been committed, and probably have no idea what I'm really doing.) Now, I have a dumb question. The names of the dumped files are all of the format: file.<number>.<hex number>.< dat |img |vacb> In addition, the dumping process produces a bunch of output, of the form: <DataSectionObject|ImageSectionObject|SharedCacheMap> <hex number> <number> <file path> with no column header or other indication of what exactly these values refer to. (If I had to guess, maybe the hex value is the data offset within the image?) Looking at this format (without knowing for sure exactly what the numbers are referring to) would lead me to expect that the <number> and <hex number> fields from the output should correspond to the ones in the dumped filenames, and thus the file paths should have some correspondence to the dumped file data, if the values match up. Not necessarily being the contents of exact file to which the path corresponds, but being related in some way. But I'm not seeing the same hex value show up anywhere in the output and in ANY filename... Trying for a specific correspondence, I went looking through the dumped files, and was able to positively identify the Software registry hive. The associated filename was file.4.0x8697a2b8.vacb. Looking through the output for entries associated with this file identified the following two entries: DataSectionObject 0x89291f90 4 \Device\HarddiskVolume1\WINDOWS\system32\config\software SharedCacheMap 0x89291f90 4 \Device\HarddiskVolume1\WINDOWS\system32\config\software I'm probably just completely misinterpreting the output, but could somebody throw me a bone? Thanks much John