Daily Blog #545: Forensic Lunch Test Kitchen 11/21/18

Hello Reader,
Tonight we continued looking into Amcache and Shimcache and their respective roles in the application compatibility cache system. Here is what we learned:

  • Command line executions, without GUIs, are not immediately tracked in Amcache but are in Shimcache after two days
  • Command line executions, with GUIs, are tracked in Amcache after a shutdown; we need to check the transaction logs next time to see if we can get them without a reboot/shutdown
  • Command line programs executed from the GUI are tracked in the Amcache
  • The process creation events I turned on in the local security policy are not catching user processes; need to check on why
  • Amcache does contain command line programs I never executed, but the dates are 3 days after the extraction

So we need to let the system keep running and see if some automatic sweep will cause the other command line executables to be tracked. 
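The test kitchen method above boils down to one comparison: a log of what was deliberately executed against what each artifact claims. The script below is an added example (not code from the blog or from any parser project) that does that reconciliation over constructed sample rows; the `Execution` and `ArtifactEntry` records, the `SOURCES` names and every path and timestamp in it are assumptions standing in for what your Amcache, Shimcache and 4688 parsers would produce. It reports which sources recorded each test execution, flags artifact rows for programs that were never run (the "present in Amcache but never executed" case), and flags rows dated after the collection time, since such a value cannot be an execution time on the test box.

```python
"""Reconcile a test-kitchen run log against parsed execution artifacts.

Added example with constructed sample data; in practice ArtifactEntry rows
would come from your Amcache / Shimcache / event log parser of choice.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Evidence sources compared in this example (assumed names, not a standard).
SOURCES = ("amcache", "shimcache", "evtx_4688")


@dataclass(frozen=True)
class Execution:
    """One program the analyst deliberately ran during the test."""
    path: str
    started: datetime
    has_gui: bool


@dataclass(frozen=True)
class ArtifactEntry:
    """One row from an evidence source. The timestamp means different things
    per source: Shimcache stores the file's last-modified time, not when it
    ran, while a 4688 event carries the actual process start time."""
    source: str
    path: str
    timestamp: Optional[datetime]


def normalize(path: str) -> str:
    """Case-insensitive, backslash-only form so paths compare reliably."""
    return path.strip().lower().replace("/", "\\")


def coverage(executions, entries):
    """For each executed program, which sources recorded it (True/False)."""
    seen = {(e.source, normalize(e.path)) for e in entries}
    return {
        normalize(x.path): {s: (s, normalize(x.path)) in seen for s in SOURCES}
        for x in executions
    }


def unexplained(executions, entries):
    """Artifact rows for programs the analyst never ran. Presence in Amcache
    alone is not proof of execution; these rows need corroboration."""
    ran = {normalize(x.path) for x in executions}
    return sorted({(e.source, normalize(e.path))
                   for e in entries if normalize(e.path) not in ran})


def post_collection(entries, collected_at):
    """Rows dated after the artifacts were collected. Such a value cannot be
    an execution time on the test box, so the field holds something else."""
    return sorted((e.source, normalize(e.path)) for e in entries
                  if e.timestamp is not None and e.timestamp > collected_at)


def corroborated(cov, minimum=2):
    """Programs recorded by at least `minimum` independent sources."""
    return sorted(p for p, by in cov.items() if sum(by.values()) >= minimum)


# Constructed sample data (assumed, not from the blog's test system).
T0 = datetime(2018, 11, 21, 12, 0)
COLLECTED_AT = T0 + timedelta(hours=1)

EXECUTIONS = [
    Execution(r"C:\Windows\System32\whoami.exe", T0, has_gui=False),
    Execution(r"C:\Windows\System32\notepad.exe", T0 + timedelta(minutes=5), has_gui=True),
]

ENTRIES = [
    # Shimcache timestamps are the binaries' last-modified times, not run times.
    ArtifactEntry("shimcache", r"C:\Windows\System32\whoami.exe", datetime(2018, 9, 15, 3, 0)),
    ArtifactEntry("shimcache", r"C:\Windows\System32\notepad.exe", datetime(2018, 9, 15, 3, 0)),
    ArtifactEntry("amcache", r"C:\Windows\System32\notepad.exe", T0 + timedelta(minutes=5)),
    # Never executed in the test, and dated three days after collection.
    ArtifactEntry("amcache", r"C:\Windows\System32\where.exe", COLLECTED_AT + timedelta(days=3)),
]

if __name__ == "__main__":
    cov = coverage(EXECUTIONS, ENTRIES)
    kind = {normalize(x.path): ("gui" if x.has_gui else "cli") for x in EXECUTIONS}
    for path, by in cov.items():
        print(kind[path], path, {s: ("yes" if v else "no") for s, v in by.items()})
    print("unexplained:", unexplained(EXECUTIONS, ENTRIES))
    print("post-collection:", post_collection(ENTRIES, COLLECTED_AT))
    print("corroborated:", corroborated(cov))
```

Run it as-is to see the coverage table for the sample; swap `ENTRIES` for your parser's output and `EXECUTIONS` for the run log kept during the test. The `corroborated` check is the practical takeaway: treat an Amcache-only hit as a lead, and treat a row dated after collection as a reason to find out what that timestamp field really represents before citing it.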

You can watch the video here:

Daily Blog #545: Forensic Lunch Test Kitchen 11/21/18, by David Cowen, November 21, 2018
