
Forensics


Amcache.hve in Windows 8. Corey Harrell has uploaded an excellent writeup on the workings of the Windows Application Experience and Compatibility features. There he explains how process entries/traces show up in locations such as the ShimCache and RecentFileCache.bcf. For forensic/malware analysts, this is a great place to search for recently run processes. This post is a logical continuation of Corey's post. In Windows 8, the 'RecentFileCache.bcf' file has been replaced by a registry hive named 'Amcache.hve'. The location of this file is the same as its predecessor's:

<DRIVE>\Windows\AppCompat\Programs\Amcache.hve

This file stores information about recently run applications/programs.

The Hive. Amcache is a small hive.

File References. Under each volume GUID are File Reference keys, each representing a single unique file.

The Last Modified date on this key may be taken as the first time a particular application was run.

The Unexplained. There are two Last Modified timestamps (11 and 17).

Amcache.hve - Part 2. My last post about the Amcache.hve file concentrated only on the 'File' key, since that's where all of the good stuff is! This post describes the remaining contents of the Amcache.hve file, the other files in the AppCompat folder (where Amcache.hve is located), and the useful information contained therein. As noted in the earlier post, there are four sub-keys containing data: File, Generic, Orphan and Programs.

There is also one value called Sync, as shown below. The Sync value holds an 8-byte FILETIME timestamp.

Programs Key. The 'Programs' key contains data about installed programs, the same information you can find in Control Panel -> Programs & Features. Here is the description of the values that exist under Programs.

Orphan and Generic Keys. The Orphan key contains keys whose names have the format VolumeGuid@FileRef.

Other files in this folder: Device Information (new in Windows 8), RecentFileCache.bcf.

Exploring the Application Experience and Compatibility Feature. Microsoft further states why the Application Experience and Compatibility feature is needed: "Because of the nature of software, modifying the function again to resolve this compatibility issue could break additional applications or require Windows to remain the same regardless of the improvement that the alternative implementation could offer." The Shim Infrastructure allows those broken applications to be fixed and ensures they are compatible with newer versions of Windows. The Shim Infrastructure leverages API hooking to accomplish this. Alex Ionescu goes into more detail about what happens when the external binary calls get redirected to the Shim Infrastructure in his post Secrets of the Application Compatibility Database (SDB) – Part 1.

There is very little information available about which Windows process the loader calls to perform the compatibility database checks.

Exploring Process Creation on Windows.

Forensic tools. Software comparison. Code Suite. CodeSuite® is a collection of patented computer code analysis tools. With a little human help, CodeSuite® automates the process known as "abstraction-filtration-comparison." The main tools that comprise the suite are described below. BitMatch® BitMatch compares thousands of executable binary files in multiple directories and subdirectories to thousands of other executable binary files or source code files in order to determine which files are the most highly correlated.

BitMatch is particularly useful for finding programs that have been copied, but where you only have access to the program's executable binary files and not the source code. CodeCLOC® CodeCLOC calculates development progress across two different versions of software, measuring code changes, the amount of original code in your new code, and the amount of original code. CodeCross® CodeDiff® CodeMatch® SourceDetective® CodeSuite-MP® CodeGrid® CodeSuite or CodeSuite-LT? Which product is right for you? Pricing.

Carving tools. Recuva. Belkasoft. R-studio. Foremost. IEF. Internet forensics. Mail forensics. YouTube forensic. Aid4Mail. List of Tools.

Forensic Frameworks. SIFT Kit/Workstation. SANS Investigative Forensic Toolkit (SIFT) Workstation Version 3.0. Having trouble downloading?

If you are having trouble downloading the SIFT Kit, please contact sift-support@sans.org and include the URL you were given, your IP address, browser type, and whether you are using a proxy of any kind. Having trouble with SIFT 3? If you are experiencing errors in SIFT 3 itself, please submit errors, bugs, and recommended updates here. How To: Download the Ubuntu 14.04 ISO file and install Ubuntu 14.04 on any system. Once installed, open a terminal and run "wget --quiet -O - | sudo bash -s -- -i -s -y". Congrats -- you now have a SIFT workstation! SIFT Workstation 3.0 Overview "The SIFT Workstation has quickly become my "go to" tool when conducting an exam. Key new features of SIFT 3.0 include: Installation.

CAINE. X-Ways Forensics. ILookIX: Perlustro. Starting with the world's first Law Enforcement Windows forensics toolset, ILookIX now redefines the future of computer forensic investigations.

Unparalleled in its feature set, depth of analysis, and ease of use, ILookIX changes the playing field in more ways than any tool has done to date. XFR – Xtreme File Recovery, now available for NTFS, FAT, HFS, and the Linux ext4 and ext3 file systems, has no equal in any toolset that exists anywhere. It empowers any end user, from novice to expert, to conduct an investigation quickly, with a reliability unmatched by any other tool. At the center of over a decade of investment in the quality demanded by intelligence and military agencies, ILookIX now for the first time takes a position as a commercial product.

This integrated and advanced digital evidence toolset includes capabilities that exist in no other commercial forensics platform. Have you ever wondered why computer forensics interfaces have to be so complex?

EnCase. New with Version 7: EnCase Review Package, Faster Processor and More. The powerful and efficient features of EnCase Forensic have made it the trusted standard in corporate and criminal investigations, as well as in courts around the world. No other product offers the same degree of functionality, court acceptance, and performance. Intuitive User Interface: a redesign of the user experience has resulted in an easy-to-use tabbed interface that may remind you of your favorite web browser.

Share Your Findings with Ease: the EnCase Forensic Review Package lets you share findings with other people involved with your case, including detectives, district attorneys, field agents, and fellow investigators. Tablet and Smartphone Acquisition: acquire data from the most popular smartphones and tablets and easily integrate the results into cases. Simple E-Mail Review: understand the context of email-based potential evidence with threading and related conversations. Powerful Automation: New Evidence Processor.

FTK. FTK is a court-accepted digital investigations platform built for speed, stability and ease of use. It provides comprehensive processing and indexing up front, so filtering and searching is faster than with any other product. This means you can zero in on the relevant evidence quickly, dramatically increasing your analysis speed. The database-driven, enterprise-class architecture allows you to handle massive data sets, as it provides stability and processing speeds not possible with other tools.

Furthermore, because of this architecture, FTK can be upgraded easily to expand distributed processing and incorporate web-based case management and collaborative analysis. Data Visualization for Automated Graphical Timeline Construction and Social Analysis: automated graphical timeline construction and analysis of social relationships are two of the most essential but time-consuming tasks during an examination. Explicit Image Detection (EID): EID is NOT just detecting flesh tones.

Digital Forensics map.