Tuesday, November 20, 2018

Daily Blog #544: Forensic Lunch Test Kitchen 11/20/18

Hello Reader,
          Tonight we continued our journey into the shimcache and amcache. Here is what we learned:

  • The extracted executable file from the command line that was not executed was still not present in the shimcache
  • Simply viewing the directory in the GUI that the extracted but not executed executable was in was enough to get it added to the shimcache
  • No new entries from the downloads directories were present in the Amcache

Tomorrow night we will see if the Amcache needed even more time, suggesting its a schedule task

You can watch the video here:

Monday, November 19, 2018

Daily Blog #543: Forensic Lunch Test Kitchen 11/19/18

Hello Reader,
     Tonight we continue to go down further into the application compatibility cache and its associated artifacts. Thanks to tonight's BFFs (Best forensic friends) Phill Moore, Jessica Hyde and Mike Cary for participating in the testing! Here is what we learned:

  • Approximately 6 hours or so after the tests were done on 11/16/18 in the prior video (https://www.hecfblog.com/2018/11/daily-blog-540-forensic-lunch-test.html) the entries we expected to show up in the Amcache were written to the registry 
  • In addition to the programs we executed being delayed in their writes, we also had more programs we extracted in the GUI but did not execute show up in Amcache
  • The timestamp of the key here did not reflect when the program executed but rather when it was added to the Amcache hive! We are setting up more testing to determine what the triggers are for Amcache updating
  • Extracting an executable from a zip file in the command line did not result in a Shimcache or Amcache entry being made, as suggested by Mike Cary on twitter. 
  • Executing an executable from the command line did get an entry in the shimcache on shutdown and reboot
  • We had an inconsistent result in the amcache on execution where once it appeared after shutdown and another time it didn't
  • We have enabled process creation event logging and the VM will run overnight to see when and what hopefully is updating the Amcache

You can watch the video here:

Sunday, November 18, 2018

Daily Blog #542: Sunday Funday 11/18/18

Hello Reader,
         We've had some great submissions the last couple of weeks and hoping to get that trend up this week! Following on from this weeks topics lets see how well you can work your forensic tool for registry analysis.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 11/23/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
What keys and or files are created/modified when you:
1. First plug in a USB 3.0 drive using the storport driver
2. The last time you plug in a USB 3.0 drive using the storport driver

Saturday, November 17, 2018

Daily Blog #541: Solution Saturday 11/17/18

Hello Reader,
          This week a new champion emerges and enters the winners circle. Congratulations to Oleg Skulkin who grabbed a win this week with his testing! Make sure to come back tomorrow to see next weeks' challenge for your chance at $100!

The Challenge:
We've tested what happens for copies to NTFS drives. Now let's change it up. What changes occur to files when you copy and paste as well as cut and paste to a FAT32 drive

The Winning Answer:
Olegl Skulkin

I created 6 files, 1 DOCX, 1 TXT, 1 JPG on an NTFS volume for copying, and 1 DOCX, 1 TXT, 1 JPG for cutting and pasting. I used Windows 10 both for copying and cutting, and a freshly formatted FAT32 flash drive.

I created two folders on the flash drive – “copy - paste” and “cut - paste”. I copied and pasted first three files to “copy - paste”, and next three files to “cut - paste”. Then I imaged the flash drive with FTK Imager ( and used Autopsy (4.9.0) to examine the image.

Here are the results:

The DOCX file saved its Modified timestamp, lost time for Accessed, and its Created timestamp changed. Despite the fact I used UTC as the timezone in Autopsy, the timestamps were shown in UTC +3. 

The same results were observed for the TXT file: 

And for the JPG file:

As for cutting and pasting, the DOCX file saved its Modified and Created timestamps, but lost time for Accessed timestamp (again, timestamps are in UTC +3):

The same happened with the TXT file:

And with the JPG file:

Copy – paste: 

Cut – paste