Daily Blog #558: Forensic Lunch Test Kitchen 12/5/18 - Testing Syscache.hve of Amcache and Recentcache.bcf Files

Hello Reader,
     Tonight we were testing the Syscache.hve that Maxim Suhanov found in his testing of the Amcache and Recentcache.bcf files; you can read his write-up here: https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/

From our testing tonight here is what we learned:

  • The syscache hive has three indexes
    • The ObjectID key (no relation to $objid) which is inserted into the hive sequentially as new executables are run (we haven't tested executables being prechecked before running)
    • The FileID key, which is indexed by the sequence number and entry number (the MFT file reference) of the file being executed
    • The Objectlru which appears to connect the two
  • The ObjectID keys contain the SHA1 hash of the contents of the executable being checked
  • The ObjectID keys contain the MFT reference number of the executable being checked
  • The ObjectID key does not contain the name of the executable, but you can find it by looking up the MFT reference number
  • The Syscache hive appears to be updated quite quickly and is not using the transaction logs to do so
  • The Syscache hive is a Windows 7 feature (we haven't tested Windows Vista); at least in Windows 10 it does not exist in the same location
  • The key write time appears to be the time of the first check for the current hash; we will change the hash of a known executable to test this behavior tomorrow night
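To make the two ObjectID facts above concrete (the key holds a SHA1 of the executable's contents plus its MFT reference, but not its name), here is an added example of the cross-referencing an analyst does with them. It is my own illustration, not code from this post or from Maxim's write-up. The 48-bit entry / 16-bit sequence split of an NTFS file reference is standard NTFS; the record field names (`sha1`, `mft_reference`, `object_id`), the tiny MFT listing and the executable bytes are all constructed for the example and are not the hive's actual value names or real data.

```python
import hashlib

# Low 48 bits of an NTFS 64-bit file reference hold the MFT entry number;
# the high 16 bits hold the sequence number, which is incremented each time
# that MFT entry is reused. This layout is standard NTFS, not something
# specific to the Syscache hive.
ENTRY_MASK = (1 << 48) - 1


def split_file_reference(reference):
    """Split a 64-bit NTFS file reference into (entry number, sequence number)."""
    return reference & ENTRY_MASK, reference >> 48


def make_file_reference(entry, sequence):
    """Inverse of split_file_reference, used here to build constructed sample data."""
    return (sequence << 48) | (entry & ENTRY_MASK)


def sha1_hex(data):
    """SHA1 of file contents, hex encoded, matching what the post reports the key stores."""
    return hashlib.sha1(data).hexdigest()


# Constructed sample data (not real hive or MFT contents).
# A minimal MFT listing keyed by (entry, sequence) -> full path.
SAMPLE_MFT = {
    (41234, 7): r"C:\Windows\System32\notepad.exe",
    (41235, 2): r"C:\Users\test\Downloads\tool.exe",
}

# Constructed "executable" contents so the SHA1 values are reproducible.
NOTEPAD_BYTES = b"MZ" + b"notepad-original-contents"
TOOL_BYTES = b"MZ" + b"tool-original-contents"

# Constructed ObjectID-style records. The field names are assumptions chosen to
# mirror the two facts the post reports per key: SHA1 of contents and MFT reference.
SAMPLE_OBJECTID_RECORDS = [
    {"object_id": 1, "sha1": sha1_hex(NOTEPAD_BYTES), "mft_reference": make_file_reference(41234, 7)},
    {"object_id": 2, "sha1": sha1_hex(TOOL_BYTES), "mft_reference": make_file_reference(41235, 2)},
    # Same entry number as tool.exe but an older sequence number: the MFT entry
    # was reused, so this reference must not be resolved to the current file.
    {"object_id": 3, "sha1": "0" * 40, "mft_reference": make_file_reference(41235, 1)},
]


def resolve_record(record, mft_index, on_disk_contents=None):
    """Resolve one ObjectID-style record to a path and, optionally, verify its hash.

    Returns a dict with the decoded entry/sequence, the resolved path (None when
    the reference is stale), and whether the stored SHA1 still matches the file
    currently on disk (None when no contents were supplied for that path).
    """
    entry, sequence = split_file_reference(record["mft_reference"])
    path = mft_index.get((entry, sequence))
    result = {
        "object_id": record["object_id"],
        "entry": entry,
        "sequence": sequence,
        "path": path,
        "stale_reference": path is None,
        "hash_matches_disk": None,
    }
    if path is not None and on_disk_contents is not None and path in on_disk_contents:
        result["hash_matches_disk"] = sha1_hex(on_disk_contents[path]) == record["sha1"]
    return result


def resolve_all(records, mft_index, on_disk_contents=None):
    return [resolve_record(r, mft_index, on_disk_contents) for r in records]


if __name__ == "__main__":
    # Constructed "current disk state": notepad.exe unchanged, tool.exe modified
    # after it was checked, so its stored hash no longer matches.
    disk = {
        SAMPLE_MFT[(41234, 7)]: NOTEPAD_BYTES,
        SAMPLE_MFT[(41235, 2)]: TOOL_BYTES + b"-modified",
    }
    for row in resolve_all(SAMPLE_OBJECTID_RECORDS, SAMPLE_MFT, disk):
        print(row)
```

The sequence number is what keeps a lookup honest: an ObjectID record whose entry number matches a current file but whose sequence number does not refers to a file that once occupied that MFT slot, and a hash mismatch on a resolved path tells you the executable on disk now differs from the one that was checked.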
You can watch the video here:

