
Daily Blog #572: Forensic Lunch Test Kitchen 12/19/18 Syscache and Python

Hello Reader,
      Tonight we wrote some Python code to recover the full path of each file referenced in the Syscache hive, added the ProgramID, and then viewed the data in Timeline Explorer to see the relationships between the executables. We learned:

  • That pytsk does not expose an attribute for the parent reference number, so we had to extract it from the file name ($FILE_NAME) attribute ourselves
  • That analyzemft has a great set of example code to pull your unpacks from if you are looking to write your own attribute parser
  • That when I grouped my Syscache entries by ProgramID I only had 60+ entries, which looks more like just what has been executed on this lightly used VM
  • That there is no entry for any program run directly from my Desktop
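The first two points above are the core of the path-recovery step: the parent directory of an MFT entry is not exposed by pytsk, but it sits in the first eight bytes of the $FILE_NAME attribute, and you can walk those references up to the root to rebuild a full path. The code below is an added illustration written for this post, not the script from the video or part of pytsk or analyzemft. It parses the $FILE_NAME body with struct the way analyzemft's unpacks do, walks parent references (stopping at MFT entry 5, the root), handles orphaned and cyclic references, and groups results by ProgramID. The MFT map, entry numbers and ProgramID strings are constructed sample data, not values from a real volume.

```python
import struct
from collections import defaultdict

ROOT_ENTRY = 5  # MFT record number of the NTFS volume root directory


def parse_file_name_attribute(body: bytes):
    """Parse the resident body of an NTFS $FILE_NAME (0x30) attribute.

    Layout: bytes 0..7 parent file reference (48-bit MFT entry number in the
    low bits, 16-bit sequence number in the high bits), 8..39 four timestamps,
    40..55 allocated/real sizes, 56..59 flags, 60..63 reparse tag, byte 64 the
    name length in UTF-16 code units, byte 65 the namespace, then the name.
    """
    if len(body) < 66:
        raise ValueError("attribute body too short for a $FILE_NAME header")
    (parent_ref,) = struct.unpack_from("<Q", body, 0)
    parent_entry = parent_ref & 0x0000FFFFFFFFFFFF
    parent_seq = parent_ref >> 48
    name_len, namespace = struct.unpack_from("<BB", body, 64)
    name = body[66:66 + name_len * 2].decode("utf-16-le")
    return parent_entry, parent_seq, namespace, name


def build_file_name_attribute(parent_entry: int, parent_seq: int, name: str,
                              namespace: int = 3) -> bytes:
    """Constructed test data only: timestamps, sizes, flags and reparse tag
    are zeroed so the sample MFT below stays small."""
    parent_ref = (parent_seq << 48) | parent_entry
    header = struct.pack("<Q", parent_ref) + bytes(56)
    return header + struct.pack("<BB", len(name), namespace) + name.encode("utf-16-le")


def resolve_path(entry: int, mft: dict, max_depth: int = 256) -> str:
    """Rebuild the full path of an MFT entry by following parent references.

    `mft` maps an MFT entry number to the body of its $FILE_NAME attribute.
    A missing parent record (reused or unallocated entry) yields a partial
    path prefixed with an orphan marker; a cycle or runaway chain raises.
    """
    parts, seen, current = [], set(), entry
    while current != ROOT_ENTRY:
        if current in seen or len(parts) >= max_depth:
            raise ValueError(f"cycle or overly deep parent chain at entry {current}")
        seen.add(current)
        body = mft.get(current)
        if body is None:
            return "\\".join([f"<orphan entry {current}>"] + list(reversed(parts)))
        parent_entry, _seq, _namespace, name = parse_file_name_attribute(body)
        parts.append(name)
        current = parent_entry
    return "\\" + "\\".join(reversed(parts))


def group_by_program_id(syscache_rows, mft: dict) -> dict:
    """syscache_rows: iterable of (mft_entry, program_id) pairs, as pulled from
    the Syscache hive. Returns {program_id: [full paths]}."""
    groups = defaultdict(list)
    for entry, program_id in syscache_rows:
        groups[program_id].append(resolve_path(entry, mft))
    return dict(groups)


# Constructed sample MFT: entry -> $FILE_NAME body. Entry 5 references itself.
SAMPLE_MFT = {
    5: build_file_name_attribute(5, 5, "."),
    64: build_file_name_attribute(5, 5, "Windows"),
    65: build_file_name_attribute(64, 1, "System32"),
    66: build_file_name_attribute(65, 1, "cmd.exe"),
    67: build_file_name_attribute(65, 1, "notepad.exe"),
    70: build_file_name_attribute(5, 5, "Users"),
    71: build_file_name_attribute(70, 1, "analyst"),
    72: build_file_name_attribute(71, 1, "Downloads"),
    73: build_file_name_attribute(72, 1, "setup.exe"),
}

# Constructed Syscache rows: (MFT entry, ProgramID). ProgramIDs are placeholders.
SAMPLE_SYSCACHE = [(66, "PROGRAMID-A"), (67, "PROGRAMID-A"), (73, "PROGRAMID-B")]

if __name__ == "__main__":
    for program_id, paths in group_by_program_id(SAMPLE_SYSCACHE, SAMPLE_MFT).items():
        print(program_id)
        for path in paths:
            print("   ", path)
```

On a real image an entry can carry several $FILE_NAME attributes (a DOS 8.3 name alongside the Win32 name); prefer the Win32 or Win32&DOS namespace when choosing which one to feed into the map, and compare the parent sequence number against the parent record's own sequence to spot references into reused entries.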

You can watch the video here:

Daily Blog #572: Forensic Lunch Test Kitchen 12/19/18 Syscache and Python Reviewed by David Cowen on December 19, 2018 Rating: 5

All Rights Reserved by Hacking Exposed Computer Forensics Blog © 2014 - 2020