Daily Blog #547: Forensic Lunch Test Kitchen 11/23/18
Hello Reader,
Tonight we had a short late night broadcast as I am enjoying the four day weekend that is Thanksgiving here in the United States. However just because it was short doesn't mean we didn't find out a lot of interesting things! Here is what we learned:
Tonight we had a short late night broadcast as I am enjoying the four day weekend that is Thanksgiving here in the United States. However just because it was short doesn't mean we didn't find out a lot of interesting things! Here is what we learned:
- The desktop executable rbcmd.exe that I didn't execute but did extract was added to the Amcache 24 hours later after the last video aired
- The Amcache hive transaction logs do contain all of the most recent GUI executables executed, with a 10 second delay. For 10 seconds after execution there is a buffer likely in memory where the changes are pending
- If you parse the Amcache hive without the transaction logs you will miss the most recently executed GUI programs
- Running programs from the command line are not found in the transaction logs immediately after execution
- Programs not executed in the GUI but executed from the command line in directories other than the desktop have not shown up in the Amcache
You can watch the video here:
Daily Blog #547: Forensic Lunch Test Kitchen 11/23/18
Reviewed by David Cowen
on
November 23, 2018
Rating:
Reviewed by David Cowen
on
November 23, 2018
Rating:
No comments: