Daily Blog #579: The meaning of Syscache.hve

The meaning of Syscache.hve by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
     One question I've repeated over the last couple of test kitchens on the Syscache hive is why it exists at all. From earlier googling, and based on where the hive turned up in slide presentations, I thought it might be involved in the Volume Shadow Copy system, something Maxim Suhanov does not agree with. That left the question open: what does it actually relate to?

Well reader, long-time BFF (Best Forensic Friend) Dr. Vico Marziale at BlackBag may have found a pretty huge clue. His googling, which I must say found things mine did not even when I searched for keywords that exist in the document, turned up a PDF of the Legato/EMC NetWorker release notes from July 2010.

Within these release notes the backup software states:

"The files syscache.hve, syscache.hve.LOG1, and syscache.hve.LOG2 are skipped during backup

The files syscache.hve, syscache.hve.LOG1, and syscache.hve.LOG2, located in the %systemdrive%\system volume information folder, will be skipped during backup. These hive files are used for maintaining extended data for executable files on the system, such as SRP (Software Restriction Policies) and AppLocker. Microsoft recommends not restoring these files. These files are created from derived data and will be rebuilt over time"

Source: https://nsrd.info/blog/wp-content/uploads/2010/07/NW753_Release.pdf

So the reason this registry hive was placed in the System Volume Information folder could be that the contents of this special folder are not included in shadow copies. Also, Windows AppLocker was introduced in Windows 7 (https://en.wikipedia.org/wiki/AppLocker), which coincides with the creation of the Syscache hive, and was also available in Windows Server 2008 R2 (https://blogs.technet.microsoft.com/askperf/2009/10/19/windows-7-windows-server-2008-r2-applocker/).

The scope of AppLocker covers executables, DLLs and scripts:

"AppLocker currently supports the following file extensions:
  • Executables (.exe, .com)
  • Dlls (.ocx, .dll)
  • Scripts (.vbs, .js, .ps1, .cmd, .bat)
  • Windows Installers (.msi, .mst, .msp)
  • Packaged app installers (.appx)"

Note that the above list is for Windows 10; in Windows 7 we have not yet seen PowerShell scripts get logged in Syscache.

So this does appear to be the closest thing we've found to an explanation of why Syscache contains the data that it does. Now we need to find out what happened to the hive in later versions of Windows and what else we can infer from its association with SRP and AppLocker.

Tomorrow I plan to return to the test kitchen; I was just having too much fun over the holidays to do one in time tonight.

