Brad Garnett

Welcome to my Digital Forensics and Incident Response oasis!

Digital Forensics, Incident Response, and Information Security

2016 Blog Update: Reviving my DFIR Corner

Happy New Year.

I wanted to take a minute to update my blog. It has been a while since I've blogged and a lot of exciting going on in my DFIR corner. Reviving my blog and will post more often.

First, I am happy to report that beginning next week I will be teaching a Basic Cyber Crime and Computer Forensics evening course at a local university this semester. I am excited to begin teaching this undergraduate course to business, technology, and law enforcement majors. Perfect blend of student majors and backgrounds, which should create a good learning environment. During my law enforcement career, I taught recruits at the academy and it's one thing I miss. Nowadays, in my forensic consultancy and caseload, I do not have much free time for instructional development, as it'll be nice to get back into the classroom one evening per week. Speaking of caseload, the last 3 weeks of 2015 and into 2016 has kept me busy. Casework is great, but it leaves little much needed lab time and testing. If you understand the saying, "feast or famine" then you must be a forensic consultant. Friend and fellow forensicator, Hal Pomeranz wrote an excellent series several years ago about getting into the forensic consulting world. If you are looking into forensic consulting, make sure you checkout Hal's series.

Second, on a recent IR engagement I was conducting triage level analysis on a Windows 7 machine. If you new to DFIR you may not be familiar to ShimCache. While I will not go into a high-level of detail of this known artifact in this particular blog post, I wanted to highlight its importance in your intrusion and malware investigations. Corey Harrell has an excellent write-up on this artifact that you must read. According to Microsoft, Windows Application Compatibility Infrastructure, or ShimCache Infrastructure uses a form of API hooking for application compatibility from version to version of Windows.  On a Windows 7 machine, C:\Windows\AppCompat\Programs\ directory. 

 C:\Windows\AppCompat\Programs

C:\Windows\AppCompat\Programs

RecentFileCache.BCF stores full UNC paths of executables recently executed on the system. You can read the RecentFileCache.BCF file with a hex editor.

 RecentFileCache.BCF

RecentFileCache.BCF

 

Harlan released rfc.exe and other tools with his WFA4e book release. Using HC's tool and XWF, I quickly identified malware in VSCs.

 

Usage: 

C:\forensics\rfc.exe %Path%\RecentFilecache.bcf 

Links:

  1. RFC.exe by HC
  2. LRC: Brian Moran's Live Response Collection

 

References:

  1. ForensicsWiki: http://www.forensicswiki.org/wiki/Windows_Application_Compatibility
  2. Journey Into Incident Response: http://journeyintoir.blogspot.com/
  3. Windows Incident Response: http://windowsir.blogspot.com/

 

Well, that's all the time for now folks...

 

Faith. Family. Football. Forensics