When it comes to digital forensics, AmCache plays a vital role in identifying malicious activities in Windows systems. This artifact allows the identification of the execution of both benign and malicious software on a machine.
It is managed by the operating system, and at the time of writing this article, there is no known way to modify or remove AmCache data. Thus, in an incident response scenario, it could be the key to identifying lost artifacts (e.g., ransomware that auto-deletes itself), allowing analysts to search for patterns left by the attacker, such as file names and paths.
Read more…
Source: Kaspersky
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Antwerp cyber attacks: Mayor says city will not negotiate or pay
December 18, 2022
For over a week, the services of the city of Antwerp have been targeted by a nefarious hacking collective called Play, which alleges to have stolen sensitive data that it will publish if the city fails to pay a ransom by Monday. After a week of administrative services – including libraries, museum booking sites, and council ...
- REvil-hit Medibank to pull plug on IT, shore up defenses
December 8, 2022
Australian health insurance company Medibank will take all of its IT systems offline and close its branches over the weekend as part of its ongoing efforts to improve security and recover from a massive data security breach in October. The planned outage, dubbed Operation Safeguard, begins at 2030 Sydney time on Friday, December 9. The insurer ...
- Rackspace rocked by ‘security incident’ that has taken out hosted Exchange services
December 3, 2022
Some of Rackspace’s hosted Microsoft Exchange services have been taken down by what the company has described as a “security incident”. The company’s most recent incident report at the time of writing, time-stamped 01:57 Eastern Time on December 3rd, offers the following information. “On Friday, Dec 2, 2022, we became aware of an issue impacting our Hosted ...
- Protecting major events: an incident response blueprint
December 2, 2022
The cyber security of major events, whether they are related to sports, professional conferences, expos or other events can be a time-consuming, complex undertaking. It necessitates a multifaceted approach and the involvement of multiple entities, including but not limited to the vendors, hospitality teams and service providers to facilitate a uniform approach to cybersecurity across ...
- Indicators of compromise (IOCs): how to collect and use them
December 2, 2022
It would hardly be an exaggeration to say that the phrase “indicators of compromise” (or IOCs) can be found in every report published on the Securelist. Usually after the phrase there are MD5 hashes, IP addresses and other technical data that should help information security specialists to counter a specific threat. But how exactly can indicators ...
- All India Institute of Medical Sciences restores e-Hospital data after cyber attack
November 30, 2022
The server at the All India Institute of Medical Sciences (AIIMS) in Delhi has been down for the eighth day in a row, and according to reports, more analysts from Delhi are under consideration for suspension for cybersecurity violations after two of them were already suspended. According to the sources quoted by the report, “The sanitising ...