Did It Execute?

I have been looking into the execution artifacts on windows systems over the past few weeks to see not only what artifacts a system may create which may indicate execution, but what the original purpose of these artifacts to get a better understanding of why they exist in the first place and how reliable that makes them.

There are a lot of documented artifacts which are useful in forensic investigation:


  • AppCompactCache (ShimCache)
  • amcache
  • prefetch
  • MUICache
  • UserAssist
  • prefetch and superfetch
  • IconCache
  • SRUDB
  • Windows Event Logs

The way I like to get to know artifacts and methodology on collecting and interrogating them is through experimentation.

I will look into the above and provide some future posts on what they are and how you can use them in forensic investigations. 

Comments

Post a Comment

Popular posts from this blog

Did It Execute? AppCompatCache

Image
Application Compatability(or Shim) Cache The Application Compatibility Cache, which appears to be more commonly referred to as the ShimCache, is used by an element of windows dedicated to, yes you guessed it Application Compatibility. The basics concept of this feature is; when programs are written, they are usually compiled to work with the OS of the day. So as long as everything is as expected, the program runs, calls API's and the OS plays nice (round pegs in round holes). As you can imagine only a clairvoyant would know what changes were to be made in the future, and thus makes the likelihood of any programs being able to future proof themselves highly unlikely. The other problem that exists; is that current programs would be created with excess code to ensure they work on all other previous version. These both lead to the problem of the square peg to a round hole. Microsoft solved this problem for us, as they know what an API is calling and the differences be
Read more

PowerShell FILETIME conversion

I intend to write about the uses of PowerShell on live systems investigations at a later date, for now thought I thought it worth sharing a useful time conversion. If you come across a windows FILETIME and would like it in a human readable format, you can use the following via PowerShell: [DateTime]::FromFileTime(<FILETIME>) The Windows FILETIME is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). e.g. PS C:\> [DateTime]::FromFileTime(130689408926752346) 20 February 2015 21:21:32
Read more

Did It Execute? amcahce.hve

amcache.hve? I first came across this when looking into the AppCompatCache, as this file is located in a directory which you would think stores the AppCompatCache Data: <DRIVE>\Windows\AppCompat\Programs\Amcache.hve When researching the Windows Application Comparability however, I found no reference of this hive. Further research indicates it is part of Windows Application Experience and Compatibility features and replaced the RecentFilceCache.bcf file from Windows 8 onwards. Tools: https://github.com/EricZimmerman/AmcacheParser Reference: https://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html
Read more