System administrators and forensic investigators alike face a multitude of challenges when seeking to identify sources of pertinent data in the course of their work. The inconsistent identification and acquisition of significant registry keys is frustrating, second only to the common practice of overlooking unique data stored in system memory. Also challenging is the task of identifying suspect file signatures in the resulting data. Many tools are available for scanning and identifying suspect files, so it makes sense to use them where possible. In this paper, we present a PowerShell tool and the accompanying method to acquire, parse, and display significant registry data, and also to perform live memory acquisition of the application compatibility cache, where key registry attributes are held before being written to the registry. These in-memory entries are of particular interest because they can indicate executed processes that are not yet recorded in the registry, and are therefore potentially helpful to system administrators and investigators. The tool identifies the contents of the Application Compatibility Cache stored in volatile memory and compares them with the same dataset recorded to disk in the Windows Registry. Items that exist in memory but are absent from the registry on disk are hashed and submitted to the VirusTotal.com database, and the returned results are presented in the form of a report. The report contains not only positive VirusTotal.com results but also other significant registry data that may be of interest to the administrator and investigator.
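The comparison step the abstract describes (in-memory cache entries versus the on-disk registry copy, then hashing and a VirusTotal lookup for the difference) can be sketched as follows. This is an added example, not the paper's tool: it does not perform live memory acquisition, so `$memoryPaths` is a constructed stand-in for that output; the registry side is read from the real `AppCompatCache` value but paths are pulled out with a printable-ASCII string heuristic rather than a version-specific parser of the binary entry layout; and the VirusTotal v3 file-report endpoint is queried with an API key taken from an environment variable the reader must set.

```powershell
# Added example (not the paper's tool): diff memory-derived AppCompatCache paths against the
# registry copy, hash the paths missing from the registry, and look the hashes up on VirusTotal.

$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache'
$apiKey = $env:VT_API_KEY   # placeholder: supply your own VirusTotal API key via the environment

# 1. Registry side: read the raw REG_BINARY value and extract UTF-16LE path strings.
#    Heuristic: drive letter, colon, backslash, then printable ASCII. This is version
#    independent but not a structural parser; non-ASCII path characters truncate a match.
function Get-RegistryShimPaths {
    param([string]$Key = $regKey)
    $raw  = (Get-ItemProperty -Path $Key -Name AppCompatCache).AppCompatCache
    $text = [System.Text.Encoding]::Unicode.GetString($raw)
    @([regex]::Matches($text, '[A-Za-z]:\\[\x20-\x7E]+') |
        ForEach-Object { $_.Value } | Sort-Object -Unique)
}

# 2. Memory side: constructed sample standing in for a live-memory acquisition of the cache.
$memoryPaths = @(
    'C:\Windows\System32\cmd.exe',
    'C:\Users\Public\Downloads\updater.exe'   # constructed: an entry not yet flushed to disk
)

# 3. Entries present in memory but absent from the registry copy ('=>' = only in DifferenceObject).
#    Compare-Object is case-insensitive by default, which suits Windows paths.
function Get-UnflushedEntries {
    param([string[]]$Memory, [string[]]$Registry)
    Compare-Object -ReferenceObject @($Registry) -DifferenceObject @($Memory) |
        Where-Object SideIndicator -eq '=>' |
        Select-Object -ExpandProperty InputObject
}

# 4. VirusTotal v3 file report by SHA-256. A 404 means the hash is unknown to VirusTotal;
#    that and any other request failure are reported as Known = $false rather than thrown.
function Get-VirusTotalVerdict {
    param([string]$Sha256, [string]$ApiKey)
    $uri = "https://www.virustotal.com/api/v3/files/$Sha256"
    try {
        $r = Invoke-RestMethod -Uri $uri -Headers @{ 'x-apikey' = $ApiKey } -Method Get
        $s = $r.data.attributes.last_analysis_stats
        [pscustomobject]@{ Known = $true;  Malicious = $s.malicious; Harmless = $s.harmless }
    } catch {
        [pscustomobject]@{ Known = $false; Malicious = $null;       Harmless = $null }
    }
}

# 5. Build the report: hash what still exists on disk; record deleted binaries without a hash.
$registryPaths = Get-RegistryShimPaths
$report = foreach ($p in Get-UnflushedEntries -Memory $memoryPaths -Registry $registryPaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $v = Get-VirusTotalVerdict -Sha256 $h -ApiKey $apiKey
        [pscustomobject]@{ Path = $p; SHA256 = $h;    VTKnown = $v.Known; VTMalicious = $v.Malicious }
    } else {
        # Executed but since removed from disk: still an indicator worth keeping in the report.
        [pscustomobject]@{ Path = $p; SHA256 = $null; VTKnown = $null;    VTMalicious = $null }
    }
}
$report | Format-Table -AutoSize
```

Run from an elevated PowerShell session, since the `AppCompatCache` value under `HKLM\SYSTEM` is not readable by standard users. An entry that appears in the report with no hash is itself informative: the cache recorded an execution, but the binary is no longer on disk, which is exactly the kind of item the abstract says is easy to overlook when only the registry is examined.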
| Primary Language | English |
|---|---|
| Journal Section | Research Article |
| Authors | |
| Publication Date | June 1, 2018 |
| Published in Issue | Year 2018 Volume: 7 Issue: 2 |