Windows forensic - process running

21 June 2015

Możliwości inwestygacji:

  • Prefetch
  • Shimcache (https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf)
    • projekty:
      • python: https://github.com/mandiant/ShimCacheParser   (https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf)
      • C#: https://github.com/woanware/shimcacheparser
  • MUICache
  • UserAssist

 

Ciekawa prezentacja: https://digital-forensics.sans.org/summit-archives/DFIR_Summit/Johnny-AppCompatCache-the-Ring-of-Malware-Brice-Daniels-and-Mary-Singh.pdf