Note:I translated Japanese into English using Google Translate.
Thank you, Google.  

This is the continuation of the Amcache test.

I connected a USB memory and created an LNK file.
Each LNK file targets the CLI and the GUI program that exist on the USB memory.

Run each LNK file and check the timestamp in the Sysmon event log.

I will wait until it is reflected in Amcahce. (The USB memory is still connected.)

Confirm the parse result.

There was no entry for F: drive in "20181203071331_Amcache_ShortCuts.csv".

Result of 20181203071313_Amcache_UnassociatedFileEntries.csv.

???, There is a record of the CLI program, Autorunsc.exe. (I want to test what happens when PowerShell etc. are embedded in LNK file.)

And the record of the program deleted from F: drive has disappeared.(Record such as fte.exe does not exist.)

Result of 2018120307131331_Amcache_DevicePnps.csv.

Verification environment: Windows 10 1803

Reference URL:

df-stream.com