Back in November, Mandiant released a new Volatility plugin that looks for the ShimCache registry keys in memory. The registry keys on disk are only updated when the system shuts down, which is not normally done in the case of an investigation (pulling the plug or shutting down would also destroy the volatile evidence). This means the most recent entries in the list of recently run executables are missed if you only look at the on-disk registry hives.
For anyone doing memory forensics, here is the link:
Shim Shady: Live Investigations of the Application Compatibility Cache « Threat Research | FireEye Inc
Follow on Twitter: ITSECSAM