Daily Blog #558: Forensic Lunch Test Kitchen 12/5/18

Hello Reader,
     Tonight we were testing the Syscache.hve that Maxim Suhanov found in his testing of the Amcache and Recentcache.bcf files, you can read his write up here: https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/

From our testing tonight here is what we learned:

• The syscache hive has three indexes
• The ObjectID key (no relation to $objid) which is inserted into the hive sequentially as new executables are run (we haven't tested executables being prechecked before running)
• The FileID key which is indexed off of the sequence and entry number of the file being executed
• The Objectlru which appears to connect the two
• The ObjectID keys contain the SHA1 hash of the contents of the executable being checked
• The ObjectID keys contain the MFT reference number of the executable being checked
• The ObjectID key does not contain the name of the executable, but you can find it by looking up the MFT reference number
• The Syscache hive appears to be updated quite quickly and is not using the transaction logs to do so 
• The syscache hive is a Windows 7 feature (haven't tested windows vista) and does not exist in the same location at least in Windows 10
• The key write time appears to be the time of first check for the current hash, we will change the hash of a known executable to test this behavior tomorrow night

You can watch the video here: