Hello Reader,
Tonight we were testing the Syscache.hve that Maxim Suhanov found in his testing of the Amcache and RecentFileCache.bcf files; you can read his write-up here: https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/
From our testing tonight, here is what we learned:
- The syscache hive has three indexes:
  - The ObjectID key (no relation to $objid), which is inserted into the hive sequentially as new executables are run (we haven't tested executables being prechecked before running)
  - The FileID key, which is indexed off of the sequence and entry number of the file being executed
  - The Objectlru, which appears to connect the two
- The ObjectID keys contain the SHA1 hash of the contents of the executable being checked
- The ObjectID keys contain the MFT reference number of the executable being checked
- The ObjectID key does not contain the name of the executable, but you can find it by looking up the MFT reference number
- The Syscache hive appears to be updated quite quickly and is not using the transaction logs to do so
- The syscache hive is a Windows 7 feature (we haven't tested Windows Vista) and does not exist in the same location, at least in Windows 10
- The key write time appears to be the time of first check for the current hash; we will change the hash of a known executable to test this behavior tomorrow night
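The findings above say the ObjectID keys store a SHA1 of the executable's contents plus its MFT reference number, and that the name has to be recovered by looking that reference up in the MFT. The following is an added worked example (not code from the post or from Maxim's tooling) showing how that lookup and hash check would be done. It relies on the NTFS file reference layout (low 48 bits = MFT entry number, high 16 bits = sequence number); the `SAMPLE_MFT` table and the sample contents are constructed stand-ins for a parsed $MFT and a file on disk, and the function names are our own.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# NTFS 64-bit file reference: low 48 bits are the MFT entry number,
# high 16 bits are the sequence number (incremented each time the entry is reused).
ENTRY_MASK = (1 << 48) - 1


@dataclass(frozen=True)
class FileReference:
    entry: int      # MFT record number
    sequence: int   # sequence number at the time the reference was recorded


def split_file_reference(ref: int) -> FileReference:
    """Decode a 64-bit MFT reference number into (entry, sequence)."""
    return FileReference(entry=ref & ENTRY_MASK, sequence=(ref >> 48) & 0xFFFF)


def join_file_reference(entry: int, sequence: int) -> int:
    """Inverse of split_file_reference; handy for building lookup keys."""
    return ((sequence & 0xFFFF) << 48) | (entry & ENTRY_MASK)


# Constructed stand-in for a parsed $MFT: entry number -> (current sequence, file name).
# A real investigation would populate this from the volume's $MFT.
SAMPLE_MFT: Dict[int, Tuple[int, str]] = {
    1234: (5, r"C:\Users\test\Desktop\tool.exe"),
    1235: (9, r"C:\Windows\Temp\dropper.exe"),   # entry reused: sequence has moved on
}


def resolve_name(ref: int, mft: Dict[int, Tuple[int, str]]) -> Optional[str]:
    """Map an MFT reference number from a Syscache ObjectID key back to a file name.

    Returns None when the entry is missing or when the sequence number no longer
    matches, i.e. the original file was deleted and the MFT slot was reused by
    another file, so the current name would be wrong for this hash.
    """
    fr = split_file_reference(ref)
    record = mft.get(fr.entry)
    if record is None:
        return None
    current_sequence, name = record
    if current_sequence != fr.sequence:
        return None
    return name


def sha1_hex(contents: bytes) -> str:
    """SHA1 of the file contents, lower-case hex, as we would compute it from disk."""
    return hashlib.sha1(contents).hexdigest()


def matches_recorded_hash(contents: bytes, recorded_hash: str) -> bool:
    """Compare a file's current contents with the hash recorded in the hive.

    A mismatch means the executable changed after Syscache last checked it, so the
    key write time describes the earlier version, not the one now on disk.
    """
    return sha1_hex(contents) == recorded_hash.strip().lower()


if __name__ == "__main__":
    ref = join_file_reference(1234, 5)
    print(split_file_reference(ref), "->", resolve_name(ref, SAMPLE_MFT))
    stale = join_file_reference(1235, 3)   # recorded before the entry was reused
    print(split_file_reference(stale), "->", resolve_name(stale, SAMPLE_MFT))
    print(matches_recorded_hash(b"abc", "A9993E364706816ABA3E25717850C26C9CD0D89D"))
```

The sequence-number check is the caveat to keep in mind when correlating Syscache entries with the MFT: an entry number alone will happily resolve to whatever file currently occupies that slot.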
You can watch the video here: