Hello Reader,
Tonight we wrote some Python code to recover the full path of the files referenced in the Syscache hive, added the ProgramID, and then viewed the data in Timeline Explorer to see the relation between the executables. We learned:
- That pytsk does not expose an attribute for the parent reference number, so we had to extract it from the file name ($FILE_NAME) attribute
- That analyzemft has a great set of example code to pull your unpack calls from if you are looking to write your own attribute parser
- That when I grouped my Syscache entries by ProgramID I only had 60+ entries, which seems more like just what has been executed on this lightly used VM
- That there is no entry for any program run directly from my Desktop
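To show the two steps behind the first bullet, here is an added example of my own (it is not the PrintFileNamesByEntry.py script the post links to, and it does not use pytsk): it unpacks the parent directory reference out of a raw $FILE_NAME attribute body, then walks parent references up to the root directory (MFT entry 5) to rebuild the full path. The MFT records it runs against are constructed sample data, not from a real image, and the entry numbers, names and the `SAMPLE_MFT`/`resolve_path` helpers are all assumptions made for the example.

```python
"""Rebuild full paths from $FILE_NAME parent references (added example).

Not the blog's PrintFileNamesByEntry.py and not pytsk: the MFT below is
constructed sample data so the script runs offline.
"""
import struct

ROOT_ENTRY = 5  # MFT entry number of the volume root directory "."


def parse_file_name_attr(body: bytes):
    """Parse the resident body of an NTFS $FILE_NAME attribute.

    Offsets relative to the attribute body:
      0x00  8 bytes  parent directory reference: 48-bit entry + 16-bit sequence
      0x08  32 bytes four FILETIME timestamps (skipped here)
      0x28  16 bytes allocated / real size (skipped here)
      0x38  8 bytes  flags and reparse value (skipped here)
      0x40  1 byte   name length in UTF-16 characters
      0x41  1 byte   namespace (0=POSIX, 1=Win32, 2=DOS, 3=Win32&DOS)
      0x42  name, UTF-16LE
    Returns (parent_entry, parent_seq, namespace, name).
    """
    (parent_ref,) = struct.unpack_from("<Q", body, 0)
    parent_entry = parent_ref & 0x0000FFFFFFFFFFFF  # low 48 bits
    parent_seq = parent_ref >> 48                    # high 16 bits
    name_len, namespace = struct.unpack_from("<BB", body, 0x40)
    name = body[0x42:0x42 + name_len * 2].decode("utf-16-le")
    return parent_entry, parent_seq, namespace, name


def build_file_name_attr(parent_entry, parent_seq, name, namespace=1):
    """Construct a $FILE_NAME body for the sample MFT (test data only)."""
    body = bytearray(0x42)
    struct.pack_into("<Q", body, 0, (parent_seq << 48) | parent_entry)
    struct.pack_into("<BB", body, 0x40, len(name), namespace)
    return bytes(body) + name.encode("utf-16-le")


# Constructed sample MFT: entry number -> list of raw $FILE_NAME bodies.
SAMPLE_MFT = {
    5:   [build_file_name_attr(5, 5, ".")],
    100: [build_file_name_attr(5, 5, "Windows")],
    101: [build_file_name_attr(100, 1, "System32")],
    200: [build_file_name_attr(101, 1, "cmd.exe")],
    300: [build_file_name_attr(5, 5, "Users")],
    301: [build_file_name_attr(300, 1, "dave")],
    302: [build_file_name_attr(301, 1, "Desktop")],
    # NTFS stores both the 8.3 short name and the long name as separate attributes.
    303: [build_file_name_attr(302, 1, "TOOLKI~1.EXE", namespace=2),
          build_file_name_attr(302, 1, "toolkit-installer.exe", namespace=1)],
    400: [build_file_name_attr(9999, 1, "orphan.exe")],  # parent not in the MFT
}


def best_name(bodies):
    """Prefer a Win32/POSIX long name over a DOS 8.3 name when both exist."""
    parsed = [parse_file_name_attr(b) for b in bodies]
    parsed.sort(key=lambda p: p[2] == 2)  # DOS namespace (2) sorts last
    return parsed[0]


def resolve_path(entry, mft=SAMPLE_MFT, max_depth=64):
    """Walk parent references from entry up to the root.

    Returns a backslash path, or None for an orphaned record (parent missing
    from the MFT), a reference cycle, or an implausibly deep chain.
    """
    parts, seen, current = [], set(), entry
    while current != ROOT_ENTRY:
        if current in seen or current not in mft or len(parts) >= max_depth:
            return None
        seen.add(current)
        parent_entry, _seq, _ns, name = best_name(mft[current])
        parts.append(name)
        current = parent_entry
    return "\\" + "\\".join(reversed(parts))


if __name__ == "__main__":
    for e in (200, 303, 400):
        print(e, resolve_path(e))
```

Two points worth keeping in mind when doing this against a real image: the sequence number packed into the high 16 bits of the reference should match the sequence number of the parent record you land on, otherwise the parent entry has been reused since the child was written and the rebuilt path is stale; and a Syscache entry that points at an entry number no longer in the MFT simply cannot be resolved, which is why `resolve_path` returns None rather than guessing.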
You can get the code here: https://github.com/dlcowen/TestKitchen/blob/master/PrintFileNamesByEntry.py
You can watch the video here: