Hello Reader,
Tonight, after finding out from you that Syscache.hve exists on Server 2008 R2, we switched OSes in our testing and focused on Syscache on Server 2008 R2, setting Windows 7 aside for now. Here is what we learned:
- The Syscache hive exists on an unpatched Server 2008 R2 SP1 system
- The Syscache hive exists even without Amcache coming into existence
- The Syscache hive on Server 2008 R2 is catching executables just like Windows 7
- The Syscache hive on Server 2008 R2 is committing changes to the registry hive within seconds of the execution
- The Syscache hive on Server 2008 R2 includes executions from the Desktop, unlike Windows 7
- The Syscache hive on Server 2008 R2 does not appear to be catching bat files like Windows 7, but it does catch any executables the bat file calls
More testing to be done! Tune in tomorrow for the Forensic Lunch and next week for more testing!
You can watch the video here: