The “Last Access” updates are almost back

The purpose of this post is to record the recent findings related to the NTFS “Last Access” updates in Windows 10.

According to ForensicsWiki:

In Windows Vista (presumably as of Windows XP SP3), NTFS no longer tracks the Last Access time of a file by default.

This is no longer the case in the recent versions of Windows 10.


The CIT database and the Syscache hive

The purpose of this post is to record the recent findings related to artifacts of execution and artifacts of executables present in a system. No major details beyond what was posted on Twitter.

David Cowen began his public testing of Amcache artifacts found in Windows 10 operating systems in Forensic Lunch Test Kitchen 11/16/18 (be sure to watch newer videos on this topic).

During these tests, it was found that the Amcache hive may have artifacts for executables that weren’t executed at all. There were other interesting findings outlined in the videos, but I will not focus on them now.
