Friday, November 16, 2018

Daily Blog #540: Forensic Lunch Test Kitchen 11/16/18

Hello Reader,
    Tonight I'm back in my home lab with access to all my handy testing VMs! I decided to start up a series of tests on the Application Compatibility Cache artifacts (including Shimcache and Amcache amongst others to be tested). The tests have already shown more than I expected and here is what we learned tonight:


  • Extracting an executable from a zip into the Desktop directory on Windows 10 is enough to get a shimcache entry
  • There was no corresponding Amcache entry
  • Extracting an executable from a zip into the root of another file system all together on Windows 10 also created a shimcache entry
  • There was no corresponding Amcache entry
  • We also didn't get Amcache entries for the programs we did in fact execute
  • We did have Amcache entries for programs we never executed!
You can watch the video here:

No comments:

Post a Comment