Daily Blog #547: Forensic Lunch Test Kitchen 11/23/18 - Discussion on GUI, Amcache Hive, and More

by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
Tonight we had a short late-night broadcast, as I am enjoying the four-day weekend that is Thanksgiving here in the United States. However, just because it was short doesn't mean we didn't find out a lot of interesting things! Here is what we learned:

  • The desktop executable rbcmd.exe, which I extracted but never executed, was added to the Amcache 24 hours after the last video aired
  • The Amcache hive transaction logs do contain all of the most recently executed GUI executables, with a 10-second delay: for about 10 seconds after execution the changes appear to be pending in a buffer, likely in memory, before they reach the logs
  • If you parse the Amcache hive without its transaction logs, you will miss the most recently executed GUI programs
  • Programs run from the command line are not found in the transaction logs immediately after execution
  • Programs that were not executed from the GUI but were executed from the command line, in directories other than the desktop, have not shown up in the Amcache
You can watch the video here:
