Hello Reader,
I've had the pleasure of teaching the SANS FOR500 Windows Forensics around the world the last couple of years. In that time I've been doing a bit of an experiment in each country and keeping track of where the students were from.
For every class in every country I bring up a spreadsheet of parsed shimcache records, with the header row shown. Each time I always ask the same question without providing any information. I ask:
"What do the dates in the first column mean?"
I say with the header row that says 'Last Modified' shown and they have their books open with the description of the artifact. Every class in every country has always replied with the same assumption first.
"It's the time of execution"
Then I have to explain to them that it's the time of modification for the executable. Then I explain that every other class has said the same thing because our brains and built in bias want that to be the time of execution.
So if there is one things humanity can unite with, it's that we are all wanting shimcache records to indicate when an executable ran. Do me a favor, be a force change and tell your friends that friends don't let friends be wrong about shimcache timestamps. It can drastically skew your analysis and make breaches appear to be worse than they really are.
I've had the pleasure of teaching the SANS FOR500 Windows Forensics around the world the last couple of years. In that time I've been doing a bit of an experiment in each country and keeping track of where the students were from.
For every class in every country I bring up a spreadsheet of parsed shimcache records, with the header row shown. Each time I always ask the same question without providing any information. I ask:
"What do the dates in the first column mean?"
I say with the header row that says 'Last Modified' shown and they have their books open with the description of the artifact. Every class in every country has always replied with the same assumption first.
"It's the time of execution"
Then I have to explain to them that it's the time of modification for the executable. Then I explain that every other class has said the same thing because our brains and built in bias want that to be the time of execution.
So if there is one things humanity can unite with, it's that we are all wanting shimcache records to indicate when an executable ran. Do me a favor, be a force change and tell your friends that friends don't let friends be wrong about shimcache timestamps. It can drastically skew your analysis and make breaches appear to be worse than they really are.
Also Read: Teaching SANS Windows Forensics in the USA
Post a Comment