B51

Uploaded by

This document discusses advanced evidence of software execution that can be extracted from a system's memory and disk files. It describes several artifacts including prefetch files, the ShimCache application compatibility cache registry entries, the RecentFileCache database, and the Amcache hive file that can contain metadata on recently run executable files. It also mentions tools like PrefetchParser, ShimCacheParser, and Rfc.pl that can extract relevant execution evidence from these sources.

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

B51

Uploaded by

nobuyuki

0% found this document useful (0 votes)

77 views1 page

Original Description:

b51

Copyright

Available Formats

PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Download as pdf or txt

0% found this document useful (0 votes)

77 views1 page

B51

Uploaded by

nobuyuki

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Download as pdf or txt

Jump to Page

You are on page 1of 1

Search inside document

Book 5 Execution Evidence

Thursday, June 2, 2016

2:57 PM

Advanced Evidence of Execution

- Prefetchparser: volatility, comb memory address space for prefetch files not on disk.
Scan virtual memory for prefetch headers.
Strong validation reduce false positives.
Internal metadata.
- ShimCache: Application compatibility cache
AppCompatCache registry key for compatibility.
Track EXE last modification date, file path, file size.
Registry entries are created => notify system.
Most recent events are on top, new entries are written on shutdown
InsertFlag in AppCompatCache entry.
ShimCacheParser.py
Metadata in data structure, when shutdown, data str is serialized into registry
Find registry path, determine format, return data in CSV format or STDOUT.
Search ControlSet and return unique entries by default. ExecFlag true
Shimcache volatility: parse app com shim cache registry key.
RecentFileCache.bcf: Application Experience <-> App Com Cache.
Check DB for known problems using UA.
ProgramDataUpdater uses registry file during process creation.
Maintained by Program Data Updater scheduled service.
Collect MS customer experience improvement program.
Reference to program copied/downloaded/executed on sustem.
Information is cleared when ProgramDataUpdater runs. (12:30AM).
Rfc.pl to extract data
Amcache.hve: replacement of RecentFileCache.bcf
Numeric keys = different exe file run.
Volume GUID and SYSTEM hive's MountedDevice key
- Cafae.exe automate registry extraction
Ntusr.dat hive and usrclass.dat hive for Vista.

Steinberg Page 1

Top 10 Oracle Database Automation Scripts For Enhanced Performance and Security
Document35 pages
Top 10 Oracle Database Automation Scripts For Enhanced Performance and Security
Manuel Guerrero Rangel
No ratings yet
Halwani - Virtue Ethics, Casual Sex, and Objectification
Document7 pages
Halwani - Virtue Ethics, Casual Sex, and Objectification
nobuyuki
100% (1)
What's Really Wrong With Adultery - Michael J Wren
Document5 pages
What's Really Wrong With Adultery - Michael J Wren
nobuyuki
No ratings yet
Archiving Step by Step
Document22 pages
Archiving Step by Step
Mohammad Arif
100% (1)
TB CH 4
Document34 pages
TB CH 4
nobuyuki
100% (1)
Oracle DBA Checklist
Document17 pages
Oracle DBA Checklist
Dileep Eluri
No ratings yet
Creditone Bank
Document10 pages
Creditone Bank
syamson Bevara
No ratings yet
5-Hunting Web Shells Part 2
Document19 pages
5-Hunting Web Shells Part 2
beckbeck20177
No ratings yet
Day To Day Activities
Document7 pages
Day To Day Activities
Patti Prashanth
No ratings yet
STBC
Document4 pages
STBC
sravan.appsdba
No ratings yet
Oracle DBA Checklist
Document3 pages
Oracle DBA Checklist
mvineeta
No ratings yet
SAP System Copy 1721145835
Document9 pages
SAP System Copy 1721145835
yaki_007
No ratings yet
Caches BIG-IP TMOS Operations Guide
Document8 pages
Caches BIG-IP TMOS Operations Guide
AJAY KUMAR
No ratings yet
Cutover Plan
Document8 pages
Cutover Plan
Soorav Mlic
No ratings yet
How Do You Store Data With A Script in A File With WinCC (TIA Portal) PC Runtime
Document3 pages
How Do You Store Data With A Script in A File With WinCC (TIA Portal) PC Runtime
Ravi
100% (1)
Alter Database Backup Controlfile To Trace - PM-DB PDF
Document3 pages
Alter Database Backup Controlfile To Trace - PM-DB PDF
Chander Shekhar
No ratings yet
Network Administration Exam Cheat Sheet.
Document3 pages
Network Administration Exam Cheat Sheet.
Exodius
100% (2)
SQL
Document9 pages
SQL
Meron Vingio
No ratings yet
Recovery and Indexing
Document60 pages
Recovery and Indexing
Mrinaal Malhotra
No ratings yet
How To Set Up PostgreSQL For High Availability and Replication With Hot Standby
Document11 pages
How To Set Up PostgreSQL For High Availability and Replication With Hot Standby
goosie66
No ratings yet
Unit 4th
Document8 pages
Unit 4th
Devika Kachhawaha
No ratings yet
Backing Up and Restoring Progeny Databases
Document19 pages
Backing Up and Restoring Progeny Databases
victordrazon
No ratings yet
Oracle DBA Checklist
Document15 pages
Oracle DBA Checklist
magicmangesh
No ratings yet
Process States
Document20 pages
Process States
rockmrandomaccess
No ratings yet
Oracle DBA Checklist
Document7 pages
Oracle DBA Checklist
rrpawar2003
No ratings yet
Implementation of Simple Stack Allocation Scheme
Document4 pages
Implementation of Simple Stack Allocation Scheme
Samyak Varshney
100% (1)
Name of Solution:: Please Rate This Solution and Share Your Feedback On Website
Document5 pages
Name of Solution:: Please Rate This Solution and Share Your Feedback On Website
Akash Kumar
No ratings yet
Hana Notes
Document4 pages
Hana Notes
Adi Chilukuri
No ratings yet
TPC - Terminal Plugin Controller - FAQ (2024)
Document18 pages
TPC - Terminal Plugin Controller - FAQ (2024)
akshay Puthalath
No ratings yet
Slide 3 Record Layout Diagrams
Document19 pages
Slide 3 Record Layout Diagrams
cnajjemba
No ratings yet
Optimizing The Server Environment For TechSolutions Inc
Document7 pages
Optimizing The Server Environment For TechSolutions Inc
Shreya Ashoka
No ratings yet
Chapter 16 Random Access Files
Document35 pages
Chapter 16 Random Access Files
chakri278
No ratings yet
Welcome To The World of "Cache"
Document37 pages
Welcome To The World of "Cache"
Priya Jain
No ratings yet
Paper Review 1 - Google File System
Document2 pages
Paper Review 1 - Google File System
vicky.vetal
No ratings yet
Kafka
Document3 pages
Kafka
gogula sivannarayana
No ratings yet
Integrating Observeit With HP Arcsight Cef
Document12 pages
Integrating Observeit With HP Arcsight Cef
gabytgv
No ratings yet
DBAPostgre SQL
Document32 pages
DBAPostgre SQL
Stefano Araujo
No ratings yet
CD Unit 4
Document6 pages
CD Unit 4
Akshaya Akshaya
No ratings yet
AMP Update Server Configuration Steps: All Platforms
Document4 pages
AMP Update Server Configuration Steps: All Platforms
DhikaTriJaya
No ratings yet
Performance Bottlenecks
Document21 pages
Performance Bottlenecks
Sulbha Joshi
No ratings yet
Websense Backup Utility
Document3 pages
Websense Backup Utility
Fabrizio Rosina
No ratings yet
Cpphtp5 17 IM
Document34 pages
Cpphtp5 17 IM
Claudio De Conti
No ratings yet
Memory Management
Document66 pages
Memory Management
manmadareddi777
No ratings yet
Address: Number Given To A Memory Location For Identification
Document8 pages
Address: Number Given To A Memory Location For Identification
Ramesh Rayala
No ratings yet
Informatica Repository Backup Script
Document2 pages
Informatica Repository Backup Script
smereddy
No ratings yet
Oracle DBA Checklist
Document15 pages
Oracle DBA Checklist
Arun Ye
33% (3)
Backup Script Documentation
Document16 pages
Backup Script Documentation
menuselect
0% (1)
Custom Log Shipping
Document2 pages
Custom Log Shipping
Kiran Patil
No ratings yet
PostgreSQLInstallation RunBook
Document33 pages
PostgreSQLInstallation RunBook
Raj
100% (1)
PRM Backup Restore
Document10 pages
PRM Backup Restore
atif
No ratings yet
Processing Incremental Data - Databricks Certified Data Engineer Associate Study Guide
Document33 pages
Processing Incremental Data - Databricks Certified Data Engineer Associate Study Guide
Zlukian
No ratings yet
Backup
Document5 pages
Backup
Sanjay Pawar
No ratings yet
How To Determine The Appropriate Page File Size For 64
Document6 pages
How To Determine The Appropriate Page File Size For 64
amsavp
No ratings yet
Day 04 Example 03 FilePolling
Document1 page
Day 04 Example 03 FilePolling
Anil S
No ratings yet
Credential Hunting_OSCP
Document9 pages
Credential Hunting_OSCP
carmafia111
No ratings yet
Recovering An Essbase Application From A Corrupt Data File
Document2 pages
Recovering An Essbase Application From A Corrupt Data File
paliyoj568
No ratings yet
PostgreSQL 17 QuickStart Pro: Add expertise around WAL processing, JSON table, IO performance, logical replication and index vacuuming
From Everand
PostgreSQL 17 QuickStart Pro: Add expertise around WAL processing, JSON table, IO performance, logical replication and index vacuuming
Tessa Vorin
No ratings yet
PostgreSQL 17 QuickStart Pro
From Everand
PostgreSQL 17 QuickStart Pro
Tessa Vorin
No ratings yet
PostgreSQL 9.0 High Performance
From Everand
PostgreSQL 9.0 High Performance
Gregory Smith
Rating: 4 out of 5 stars
4/5 (1)
Red Hat Enterprise Linux Troubleshooting Guide
From Everand
Red Hat Enterprise Linux Troubleshooting Guide
Cane Benjamin
Rating: 4 out of 5 stars
4/5 (1)
Inspiring Powershell Articles
From Everand
Inspiring Powershell Articles
Murat Yildirimoglu
No ratings yet
PostgreSQL 16 Cookbook, Second Edition: Solve challenges across scalability, performance optimization, essential commands, cloud provisioning, backup, and recovery
From Everand
PostgreSQL 16 Cookbook, Second Edition: Solve challenges across scalability, performance optimization, essential commands, cloud provisioning, backup, and recovery
Peter G
No ratings yet
PostgreSQL 16 Cookbook, Second Edition
From Everand
PostgreSQL 16 Cookbook, Second Edition
Peter G
No ratings yet
Offsec Lab Connectivity Guide
Document7 pages
Offsec Lab Connectivity Guide
nobuyuki
No ratings yet
Kant - Duties Toward The Body
Document4 pages
Kant - Duties Toward The Body
nobuyuki
No ratings yet
Educati On-Responsi Ve HTML 5 Busi Ness Templ Ate: Thanks F or Downl Oad
Document1 page
Educati On-Responsi Ve HTML 5 Busi Ness Templ Ate: Thanks F or Downl Oad
nobuyuki
No ratings yet
Offensive Security: Penetration Test Report For Internal Lab and Exam
Document12 pages
Offensive Security: Penetration Test Report For Internal Lab and Exam
nobuyuki
100% (1)
David Weinstein: Advanced x86: Virtualization With VT-X
Document69 pages
David Weinstein: Advanced x86: Virtualization With VT-X
nobuyuki
No ratings yet
Engineering Risk Benefit Analysis
Document18 pages
Engineering Risk Benefit Analysis
nobuyuki
No ratings yet
Tangled Tapes: Infinity, Interaction and Turing Machines: Paul Cockshott (1), Greg Michaelson
Document10 pages
Tangled Tapes: Infinity, Interaction and Turing Machines: Paul Cockshott (1), Greg Michaelson
nobuyuki
No ratings yet
HW1 FRL383
Document2 pages
HW1 FRL383
nobuyuki
No ratings yet
Ipfs p2p File System
Document11 pages
Ipfs p2p File System
dman00001
No ratings yet
Hw1 Bus424 Sol
Document17 pages
Hw1 Bus424 Sol
nobuyuki
No ratings yet
117 303
Document34 pages
117 303
nobuyuki
No ratings yet
15-16 CalPolyPomonaIntlELI SuppBro
Document54 pages
15-16 CalPolyPomonaIntlELI SuppBro
nobuyuki
No ratings yet
Endeavour Energy Price Fact Sheet
Document2 pages
Endeavour Energy Price Fact Sheet
nobuyuki
No ratings yet
FRL440 Fall 2015
Document9 pages
FRL440 Fall 2015
nobuyuki
No ratings yet
For A Group of Sample Data: 1, 2, 2, 3, 5, 6 A. Find The Mean
Document9 pages
For A Group of Sample Data: 1, 2, 2, 3, 5, 6 A. Find The Mean
nobuyuki
No ratings yet
California State Polytechnic University, Pomona Statistics Quiz 3
Document1 page
California State Polytechnic University, Pomona Statistics Quiz 3
nobuyuki
No ratings yet
California State Polytechnic University, Pomona Statistics Quiz 3
Document1 page
California State Polytechnic University, Pomona Statistics Quiz 3
nobuyuki
No ratings yet