@port139 Blog

基本的にはデジタル・フォレンジックの技術について取り扱っていますが、記載内容には高確率で誤りが含まれる可能性があります。

USB and Amcache

Note:I translated Japanese into English using Google Translate.
Thank you, Google.  

Have you seen the Amcache season of Forensic Lunch Test Kitchen?

Unfortunately, I have not seen everything yet. I am planning to enjoy them at the weekend.

and I saw @errno_fail tweet. They are very interesting comments.

 

Either way, I have done quite limited tests on USB memory and Amcache.hve.
Since it is not a sufficient test, it may be overlooking something.

First of all, I ran several programs from the USB memory(F:).

Run autorunsc64.exe as CLI program. The following is Sysmon event log.

f:id:hideakii:20181202104636p:plain

And as a GUI program, I executed Dcode.exe.

f:id:hideakii:20181202104831p:plain

The USB memory is still connected to the system.

I waited for the Application Experience task to be executed.(The execution date and time of the task is Japan time.)

f:id:hideakii:20181202104944p:plain

Parse Amcache.hve with AmcacheParser and filter by F:.
Dcode.exe is recorded, but Autorunsc64.exe does not exist.

f:id:hideakii:20181202105306p:plain

FileKeyLastWriteTimestamp(UTC) does not exactly match the date and time of the Sysmon event.(I checked the Sysmon event log that there is no record at 05:54)

 

I removed the USB memory from the system and waited one day. 
There was no change in the parse result of Amcache.hve. I do not know how long F: drive information will be maintained.

 

Next test.
I ran the program from the USB memory and removed the USB memory from the system.

f:id:hideakii:20181202110531p:plain

I waited for the Application Experience task to be executed. At the time when the task is executed, the USB memory is not connected.

As already mentioned by @ errno_fail, records are not recorded if USB is not connected.

f:id:hideakii:20181202110902p:plain

I felt strange about FileKeyLastWriteTimestamp.(The key is being updated before the task is executed.)
Do keys generate according to task execution? When is this key created?

Interestingly, the timestamp of Amcache.hve and LOG file is old. The contents of the file have been updated, but Date modified has not been updated. (This is also seen in the thumbcache_ * file.)

f:id:hideakii:20181202111634p:plain

I tried Shift + Shutdown.

f:id:hideakii:20181202112548p:plain

Muuu...Is it updated when a complete shutdown is performed?(In this system, fast startup is enabled.)

 

I have not tried running the LNK file on the USB memory yet.
I will continue testing.

 

Verification environment: Windows 10 1083

Reference URL:

 

www.hecfblog.com

dfir.ru

 

f:id:hideakii:20181202103010j:plain