Daily Blog #545: Forensic Lunch Test Kitchen 11/21/18

Hello Reader,
         Tonight we continued looking into Amcache and Shimcache and their roles in the application compatibility cache system. Here is what we learned:

  • Command line executions without GUIs are not immediately tracked in Amcache, but they are in Shimcache after two days
  • Command line executions with GUIs are tracked in Amcache after a shutdown; need to check the transaction logs next time to see if we can get them without a reboot/shutdown
  • Command line programs executed from the GUI are tracked in the Amcache
  • The process creation events I turned on in the local security policy are not catching user processes; need to check on why
  • Amcache does contain command line programs I never executed, but the dates are 3 days after the extraction

So we need to let the system keep running and see whether some automatic sweep will cause the other command line executables to be tracked.

You can watch the video here:

