Daily Blog #547: Forensic Lunch Test Kitchen 11/23/18

Hello Reader,
Tonight we had a short late-night broadcast, as I am enjoying the four-day weekend that is Thanksgiving here in the United States. However, just because it was short doesn't mean we didn't find out a lot of interesting things! Here is what we learned:

  • The desktop executable rbcmd.exe, which I extracted but did not execute, was added to the Amcache 24 hours after the last video aired
  • The Amcache hive transaction logs do contain all of the most recently executed GUI executables, with a 10-second delay. For 10 seconds after execution there is a buffer, likely in memory, where the changes are pending
  • If you parse the Amcache hive without the transaction logs, you will miss the most recently executed GUI programs
  • Programs run from the command line are not found in the transaction logs immediately after execution
  • Programs executed from the command line rather than the GUI, in directories other than the desktop, have not shown up in the Amcache
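The third and fourth findings above come down to one practical check: an Amcache.hve copied off a live system is usually "dirty", meaning its base block sequence numbers disagree because the newest changes still sit in Amcache.hve.LOG1 and Amcache.hve.LOG2 and have not been written into the primary file. A parser that ignores the logs therefore silently drops the most recent executions. The script below is an added example, not code from the post or from the Forensic Lunch; it reads the public REGF base-block layout (signature at offset 0x0, primary and secondary sequence numbers at 0x4 and 0x8, XOR-of-dwords checksum at 0x1FC) to flag a dirty hive and to look for the transaction logs beside it. The synthetic headers built by `build_header` are constructed for offline testing and are not real hive data.

```python
"""Detect whether a REGF hive (Amcache.hve or any other) carries changes that
exist only in its .LOG1/.LOG2 transaction logs.

Added example, not part of the original post. Offsets follow the documented
REGF base block: "regf" signature at 0x0, primary sequence number at 0x4,
secondary sequence number at 0x8, checksum at 0x1FC (XOR of the 127 little-endian
dwords before it). A primary/secondary mismatch means the hive is dirty: the
latest writes are pending in the transaction logs and must be replayed.
"""
import struct
from pathlib import Path

REGF_HEADER_LEN = 512
CHECKSUM_OFFSET = 0x1FC


def regf_checksum(header: bytes) -> int:
    """XOR-32 over the 508 bytes that precede the checksum field."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", header[:CHECKSUM_OFFSET]):
        x ^= dword
    # The format reserves the two degenerate results: 0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE.
    if x == 0:
        return 1
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x


def inspect_hive_header(header: bytes) -> dict:
    """Parse the fields that tell us whether transaction logs matter for this hive."""
    if len(header) < REGF_HEADER_LEN or header[:4] != b"regf":
        raise ValueError("not a REGF hive: bad signature or truncated header")
    primary_seq, secondary_seq = struct.unpack_from("<II", header, 4)
    stored_checksum = struct.unpack_from("<I", header, CHECKSUM_OFFSET)[0]
    return {
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # Windows bumps the primary sequence number before a write and the
        # secondary after it lands; inequality means un-flushed log data exists.
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": stored_checksum == regf_checksum(header),
    }


def transaction_logs_for(hive_path: Path) -> list:
    """Return the .LOG1/.LOG2 files sitting beside the hive (Amcache.hve.LOG1 etc.)."""
    candidates = (
        hive_path.with_name(hive_path.name + ".LOG1"),
        hive_path.with_name(hive_path.name + ".LOG2"),
    )
    return [p for p in candidates if p.exists()]


def assess(header: bytes, logs_present: bool) -> str:
    """Turn the header fields into the decision an examiner needs to make."""
    info = inspect_hive_header(header)
    if not info["checksum_ok"]:
        return "header checksum mismatch: hive copy may be corrupt or captured mid-write"
    if info["dirty"] and not logs_present:
        return "dirty hive and no .LOG1/.LOG2 found: recent entries are unrecoverable from this copy"
    if info["dirty"]:
        return "dirty hive: replay .LOG1/.LOG2 or the most recent executions will be missed"
    return "clean hive: no pending transaction log data"


def build_header(primary_seq: int, secondary_seq: int) -> bytes:
    """Construct a minimal synthetic base block (test data, not a real hive)."""
    hdr = bytearray(REGF_HEADER_LEN)
    hdr[:4] = b"regf"
    struct.pack_into("<II", hdr, 4, primary_seq, secondary_seq)
    struct.pack_into("<II", hdr, 20, 1, 5)  # major/minor version (illustrative)
    struct.pack_into("<I", hdr, 28, 0)      # file type 0 = primary hive
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, regf_checksum(bytes(hdr)))
    return bytes(hdr)


def check_hive_file(hive_path: Path) -> str:
    """Read a real hive from disk and report whether its logs must be replayed."""
    with open(hive_path, "rb") as fh:
        header = fh.read(REGF_HEADER_LEN)
    return assess(header, logs_present=bool(transaction_logs_for(hive_path)))


if __name__ == "__main__":
    print(assess(build_header(7, 7), logs_present=False))  # clean
    print(assess(build_header(8, 7), logs_present=True))   # dirty, logs available
```

Run `check_hive_file(Path("Amcache.hve"))` against a collected hive and its neighbouring .LOG1/.LOG2 files; if it reports a dirty hive, make sure the parser you hand the hive to actually applies those logs, since the post's observations show the newest GUI executions live only there for a window after execution.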
You can watch the video here:

Posted by David Cowen on November 23, 2018
