Daily Blog #544: Forensic Lunch Test Kitchen 11/20/18 - Discussion on Shimcache, Amcache, and More

Discussion on Shimcache, Amcache, and More  by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
          Tonight we continued our journey into the shimcache and amcache. Here is what we learned:

  • The extracted executable file from the command line that was not executed was still not present in the shimcache
  • Simply viewing the directory in the GUI that the extracted but not executed executable was in was enough to get it added to the shimcache
  • No new entries from the downloads directories were present in the Amcache

Tomorrow night we will see if the Amcache needed even more time, suggesting its a schedule task

You can watch the video here:

Also Read: Daily Blog #543

Post a Comment