Note:I translated Japanese into English using Google Translate.
Thank you, Google.
Have you seen the Amcache season of Forensic Lunch Test Kitchen?
Unfortunately, I have not seen everything yet. I am planning to enjoy them at the weekend.
and I saw @errno_fail tweet. They are very interesting comments.
@HECFBlog Sunday Funday. 1/4— Maxim Suhanov (@errno_fail) November 27, 2018
Windows 7 SP1 (Home Basic, 32-bit): the Amcache hive gets updated when the Microsoft Compatibility Appraiser task is executed. It's scheduled to run at 03:00 every day (it can be executed later if a computer was powered off at that time). #DFIR
Either way, I have done quite limited tests on USB memory and Amcache.hve.
Since it is not a sufficient test, it may be overlooking something.
First of all, I ran several programs from the USB memory(F:).
Run autorunsc64.exe as CLI program. The following is Sysmon event log.
And as a GUI program, I executed Dcode.exe.
The USB memory is still connected to the system.
I waited for the Application Experience task to be executed.(The execution date and time of the task is Japan time.)
Parse Amcache.hve with AmcacheParser and filter by F:.
Dcode.exe is recorded, but Autorunsc64.exe does not exist.
FileKeyLastWriteTimestamp(UTC) does not exactly match the date and time of the Sysmon event.（I checked the Sysmon event log that there is no record at 05:54）
I removed the USB memory from the system and waited one day.
There was no change in the parse result of Amcache.hve. I do not know how long F: drive information will be maintained.
I ran the program from the USB memory and removed the USB memory from the system.
I waited for the Application Experience task to be executed. At the time when the task is executed, the USB memory is not connected.
As already mentioned by @ errno_fail, records are not recorded if USB is not connected.
I felt strange about FileKeyLastWriteTimestamp.(The key is being updated before the task is executed.)
Do keys generate according to task execution? When is this key created?
Interestingly, the timestamp of Amcache.hve and LOG file is old. The contents of the file have been updated, but Date modified has not been updated. (This is also seen in the thumbcache_ * file.)
I tried Shift + Shutdown.
Muuu...Is it updated when a complete shutdown is performed?(In this system, fast startup is enabled.)
I have not tried running the LNK file on the USB memory yet.
I will continue testing.
Verification environment: Windows 10 1083