Monday, December 17, 2018

Daily Blog #570: Forensic Lunch Test Kitchen 12/17/18 Syscache.hve

Hello Reader,
       Tonight in the Test Kitchen we expanded our testing of the Syscache hive by adding more data from our python script that is matching MFT entries to the Syscache entries. Here is what we learned:
  • The Syscache hive appears to record at least exe, dll, bat and cmd files that were executed
  • Like the Amcache hive, the Syscache hive stores, by SHA1 hash, which program the executable is associated with
  • If there is no associated executable (no MSI installer) it uses the SHA1 hash 'da39a3ee5e6b4b0d3255bfef95601890afd80709', which is the hash of empty (zero-length) input. That means, like the Amcache, it is storing information about executables not associated with any MSI-installed program
  • It appears (this needs more testing) that it may record more related executables than the Amcache does when a program is installed or executed

Still much more testing to be done to really make sure we understand what we are seeing. To be tested:
  1. Installing a program but not executing it: will it appear?
  2. Adding full path support to the python script to understand where the associated files are being pulled from
  3. Checking to see if PowerShell scripts get logged
  4. Looking to see if deletions of programs/executables change the hive
  5. Testing again to see if programs run from the desktop are included
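As an added illustration of the matching step the findings above and to-do item 2 describe (this is example code written for this post, not the script used in the Test Kitchen), the snippet below resolves Syscache records to MFT paths and flags the empty-hash entries. It assumes each parsed Syscache record carries a 64-bit NTFS file reference and the associated program's SHA1 (hypothetical field names `file_ref` and `program_sha1`); the MFT table and records are constructed sample data.

```python
import hashlib

# SHA1 of zero-length input: the value the post reports for executables
# with no associated MSI-installed program.
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()

# File types the post observed being recorded.
LOGGED_EXTENSIONS = {".exe", ".dll", ".bat", ".cmd"}

# Constructed MFT table: (entry number, sequence number) -> full path.
MFT = {
    (1234, 3): r"C:\Program Files\Vendor\app.exe",
    (1234, 4): r"C:\Users\dev\Desktop\new.exe",   # entry reused after a deletion
    (5678, 1): r"C:\Windows\System32\helper.dll",
    (9012, 2): r"C:\Users\dev\Desktop\run.bat",
}

# Constructed Syscache records (assumed/hypothetical field names).
SYSCACHE = [
    {"file_ref": (3 << 48) | 1234, "program_sha1": "aa" * 20},
    {"file_ref": (1 << 48) | 5678, "program_sha1": "aa" * 20},
    {"file_ref": (2 << 48) | 9012, "program_sha1": EMPTY_SHA1},
    {"file_ref": (7 << 48) | 4444, "program_sha1": EMPTY_SHA1},  # no MFT match
]


def split_file_reference(ref):
    """NTFS file reference: low 48 bits = MFT entry number, high 16 bits = sequence."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def match_syscache_to_mft(records, mft):
    """Resolve each Syscache record to a path using entry AND sequence number,
    so a reused MFT entry is not matched to the wrong (newer) file, and flag
    records whose program hash is the empty SHA1 (no associated installer)."""
    results = []
    for rec in records:
        entry, seq = split_file_reference(rec["file_ref"])
        path = mft.get((entry, seq))
        ext = "." + path.rsplit(".", 1)[-1].lower() if path and "." in path else ""
        results.append({
            "entry": entry, "seq": seq, "path": path,
            "logged_type": ext in LOGGED_EXTENSIONS,
            "standalone": rec["program_sha1"] == EMPTY_SHA1,
        })
    return results


if __name__ == "__main__":
    for row in match_syscache_to_mft(SYSCACHE, MFT):
        print(row)
```

A record with no MFT match (path `None`) usually means the entry was reused or the file was deleted, which is exactly what to-do item 4 above is meant to probe.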

You can watch the video here:
