Monday, November 26, 2018

Daily Blog #550: Forensic Lunch Test Kitchen 11/26/18

Hello Reader,
Tonight we continued our shimcache testing, and here is what we found out:

  • Confirmed again that shimcache will record any executable viewable within the GUI
  • Shimcache will update the record if the executable is modified and then executed
  • Amcache does not immediately update an entry if an executable is modified and executed
  • Sysmon was not added to Amcache even though it displays some kind of GUI window (a message box appears); this was not the standard Win32 GUI message box, however
  • Amcache added an entry for the executable we left on the desktop on Friday without executing it; the entry was added at 5am UTC Saturday, and the process event log showed the process responsible was a background task manager
  • Sysmon was installed to see if we can get more detail on the process that is updating Amcache

We are now going to let the system update the registry overnight and see what changes it makes for the executables we left on the desktop and in the downloads directory.

You can watch the video here:
