Hello Reader,
Tomorrow on the Forensic Lunch I've asked Oleg Skulkin to join. I mainly asked Oleg to join because he won last week's Sunday Funday contest and this is a new thing I'm trying to start, having the prior winner to come on and talk about what they did in their research. Well in the mean time Oleg went ahead and posted up some entirely new research unrelated to any Sunday Funday. Oleg found a new registry artifact called FeatureUsage which appears to track programs that you launch through the task bar.
Now this is not the only source of this data conceivably, it could overlap artifacts like AmCache, UserAssist, Shimcache and Prefetch. But what's interesting about this is that its tracking a specific time of GUI execution, that being from the taskbar. Which means you could potentially get additional times of execution. Maybe I'm missing something and I'll find out tomorrow when Oleg is on the lunch at Noon CDT (UTC -5)!
You can read Oleg's research here: https://www.group-ib.com/blog/featureusage
Tomorrow on the Forensic Lunch I've asked Oleg Skulkin to join. I mainly asked Oleg to join because he won last week's Sunday Funday contest and this is a new thing I'm trying to start, having the prior winner to come on and talk about what they did in their research. Well in the mean time Oleg went ahead and posted up some entirely new research unrelated to any Sunday Funday. Oleg found a new registry artifact called FeatureUsage which appears to track programs that you launch through the task bar.
Now this is not the only source of this data conceivably, it could overlap artifacts like AmCache, UserAssist, Shimcache and Prefetch. But what's interesting about this is that its tracking a specific time of GUI execution, that being from the taskbar. Which means you could potentially get additional times of execution. Maybe I'm missing something and I'll find out tomorrow when Oleg is on the lunch at Noon CDT (UTC -5)!
You can read Oleg's research here: https://www.group-ib.com/blog/featureusage
Post a Comment