Did It Execute?

I have been looking into the execution artifacts on windows systems over the past few weeks to see not only what artifacts a system may create which may indicate execution, but what the original purpose of these artifacts to get a better understanding of why they exist in the first place and how reliable that makes them.

There are a lot of documented artifacts which are useful in forensic investigation:


  • AppCompactCache (ShimCache)
  • amcache
  • prefetch
  • MUICache
  • UserAssist
  • prefetch and superfetch
  • IconCache
  • SRUDB
  • Windows Event Logs

The way I like to get to know artifacts and methodology on collecting and interrogating them is through experimentation.

I will look into the above and provide some future posts on what they are and how you can use them in forensic investigations. 

Comments

Post a Comment

Popular posts from this blog

Did It Execute? AppCompatCache

Image
Application Compatability(or Shim) Cache The Application Compatibility Cache, which appears to be more commonly referred to as the ShimCache, is used by an element of windows dedicated to, yes you guessed it Application Compatibility. The basics concept of this feature is; when programs are written, they are usually compiled to work with the OS of the day. So as long as everything is as expected, the program runs, calls API's and the OS plays nice (round pegs in round holes). As you can imagine only a clairvoyant would know what changes were to be made in the future, and thus makes the likelihood of any programs being able to future proof themselves highly unlikely. The other problem that exists; is that current programs would be created with excess code to ensure they work on all other previous version. These both lead to the problem of the square peg to a round hole. Microsoft solved this problem for us, as they know what an API is calling and the differences be...
Read more

PowerShell FILETIME conversion

I intend to write about the uses of PowerShell on live systems investigations at a later date, for now thought I thought it worth sharing a useful time conversion. If you come across a windows FILETIME and would like it in a human readable format, you can use the following via PowerShell: [DateTime]::FromFileTime(<FILETIME>) The Windows FILETIME is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). e.g. PS C:\> [DateTime]::FromFileTime(130689408926752346) 20 February 2015 21:21:32
Read more

Did It Execute? MUI Cache (Shellbag)

What is the MUI Cache.... What are Shellbags Have you noticed when you open an application GUI using Windows, Windows seems to remember where the windows were, well it stores a bit more than that for this purpose, all of which is useful in an investigation. Location of Data:  Shellbags may be found in a few locations, depending on operating system version and user profile. On a Windows XP system, shellbags may be found under: HKEY\_USERS\{USERID}\Software\Microsoft\Windows\Shell\ HKEY\_USERS\{USERID}\Software\Microsoft\Windows\ShellNoRoam\ The NTUser.dat hive file persists the Registry key HKEY\_USERS\{USERID}\. On a Windows 7 system, shellbags may be found under: HEKY\_USERS\{USERID}\Local Settings\Software\Microsoft\Windows\Shell\ The UsrClass.dat hive file persists the registry key HKEY\_USERS\{USERID}\. Reference: http://www.williballenthin.com/forensics/shellbags/
Read more