Daily Blog #540: Forensic Lunch Test Kitchen 11/16/18

Hello Reader,
    Tonight I'm back in my home lab with access to all my handy testing VMs! I decided to start up a series of tests on the Application Compatibility Cache artifacts (including Shimcache and Amcache amongst others to be tested). The tests have already shown more than I expected and here is what we learned tonight:


  • Extracting an executable from a zip into the Desktop directory on Windows 10 is enough to get a shimcache entry
  • There was no corresponding Amcache entry
  • Extracting an executable from a zip into the root of another file system altogether on Windows 10 also created a shimcache entry
  • There was no corresponding Amcache entry
  • We also didn't get Amcache entries for the programs we did in fact execute
  • We did have Amcache entries for programs we never executed!
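
A triage sketch built on the results above, added here as an example and not taken from the post or the video: it cross-references Shimcache and Amcache paths and labels each by where it appears, without treating either artifact as proof of execution. The record layout, field names, sample paths and the `norm`/`correlate` helpers are constructed assumptions, not the output format of any real parser.

```python
from ntpath import normcase, normpath

# Constructed sample records; field names are assumptions, not a real tool's schema.
SHIMCACHE = [
    {"path": r"C:\Users\lab\Desktop\tool_a.exe"},      # extracted from a zip only
    {"path": r"\??\E:\tool_b.exe"},                    # extracted to another volume
    {"path": r"C:\Windows\System32\notepad.exe"},
]
AMCACHE = [
    {"path": r"c:\windows\system32\notepad.exe"},
    {"path": r"C:\Program Files\Vendor\never_run.exe"},  # present, never executed
]


def norm(path):
    """Normalize a Windows path so the two artifacts can be compared."""
    for prefix in ("\\\\?\\", "\\??\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    # ntpath works on any OS: collapses '..', unifies slashes, lowercases.
    return normcase(normpath(path))


def correlate(shimcache, amcache):
    """Map each normalized path to 'both', 'shimcache-only' or 'amcache-only'.

    Per the tests above, none of these labels means the file was executed;
    they only tell the examiner which artifacts need corroboration elsewhere.
    """
    shim = {norm(r["path"]) for r in shimcache}
    am = {norm(r["path"]) for r in amcache}
    result = {}
    for p in sorted(shim | am):
        if p in shim and p in am:
            result[p] = "both"
        elif p in shim:
            result[p] = "shimcache-only"
        else:
            result[p] = "amcache-only"
    return result


if __name__ == "__main__":
    for path, label in correlate(SHIMCACHE, AMCACHE).items():
        print(f"{label:15} {path}")
```
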
You can watch the video here:

Daily Blog #540: Forensic Lunch Test Kitchen 11/16/18 Reviewed by David Cowen on November 16, 2018 Rating: 5
