Daily Blog #550: Forensic Lunch Test Kitchen 11/26/18

Hello Reader,
Tonight we continued our shimcache testing, and here is what we found:

  • Confirmed again that shimcache will record any executable that is viewable within the GUI.
  • Shimcache will update its record if the executable is modified and then executed again.
  • Amcache does not immediately update an entry if an executable is modified and then executed.
  • Sysmon was not added to Amcache even though it displays some type of GUI window (a message box), but that window was not the standard Win32 GUI message box.
  • Amcache added the executable we left on the desktop on Friday, which was never executed, at 5am UTC Saturday; the process event log showed the entry was created by a background task manager.
  • Sysmon was installed to see if we can get more detail on the process that is updating Amcache.

We are now going to let the system update the registry overnight and see what changes it makes for the executables we left on the desktop and in the downloads directory.
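As an added example (not the post's own code or test data), here is a small Python triage check that applies tonight's findings: a shimcache or Amcache entry by itself is evidence of presence, not execution, and an Amcache hash can lag behind a file that was modified after the entry was created. Sysmon Event ID 1 is the real process-creation event; the paths, hashes and timestamps below are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample data (not from the post's test machine); paths and hashes are illustrative.
SHIMCACHE = {  # path -> file last-modified time carried in the cache entry
    r"C:\Users\lab\Desktop\tool.exe": "2018-11-26T18:10:00Z",
    r"C:\Users\lab\Downloads\viewer.exe": "2018-11-23T09:00:00Z",
}
AMCACHE = {  # path -> SHA-1 recorded when the Amcache entry was created
    r"C:\Users\lab\Desktop\tool.exe": "sha1_of_original_build",
    r"C:\Users\lab\Downloads\viewer.exe": "sha1_of_viewer",
    r"C:\Users\lab\Desktop\never_run.exe": "sha1_of_never_run",
}
ON_DISK_SHA1 = {  # hash of each file as collected from disk now
    r"C:\Users\lab\Desktop\tool.exe": "sha1_of_rebuilt_binary",  # rebuilt after Amcache saw it
    r"C:\Users\lab\Downloads\viewer.exe": "sha1_of_viewer",
    r"C:\Users\lab\Desktop\never_run.exe": "sha1_of_never_run",
}
# Image paths from Sysmon Event ID 1 (process creation); only tool.exe was actually run.
PROCESS_CREATIONS = [r"C:\Users\lab\Desktop\tool.exe", r"C:\Windows\System32\svchost.exe"]

def norm(path: str) -> str:
    # Case-fold so cache, hash and event paths compare equal.
    return path.strip().lower()

@dataclass
class Verdict:
    path: str
    in_shimcache: bool
    in_amcache: bool
    execution_corroborated: bool
    notes: List[str] = field(default_factory=list)

def assess(shimcache, amcache, on_disk, creations) -> Dict[str, Verdict]:
    executed: Set[str] = {norm(p) for p in creations}
    shim = {norm(p) for p in shimcache}
    am = {norm(p): h for p, h in amcache.items()}
    disk = {norm(p): h for p, h in on_disk.items()}
    verdicts: Dict[str, Verdict] = {}
    for p in sorted(shim | set(am)):
        v = Verdict(p, p in shim, p in am, p in executed)
        if not v.execution_corroborated:  # a cache entry alone shows presence, not execution
            v.notes.append("in cache(s) but no process-creation event: do not assert execution")
        if v.in_amcache and p in disk and am[p] != disk[p]:  # Amcache lags behind a modification
            v.notes.append("Amcache SHA-1 differs from on-disk file: entry predates a modification")
        verdicts[p] = v
    return verdicts

def verdict_for(path: str) -> Verdict:
    # Convenience lookup over the constructed sample data above.
    return assess(SHIMCACHE, AMCACHE, ON_DISK_SHA1, PROCESS_CREATIONS)[norm(path)]
```

On a real case the three dictionaries would be filled from a shimcache parser, an Amcache.hve parser and the Sysmon log rather than typed in.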

You can watch the video here:

Daily Blog #550: Forensic Lunch Test Kitchen 11/26/18, by David Cowen, November 26, 2018

All Rights Reserved by Hacking Exposed Computer Forensics Blog © 2014 - 2020