appcompatprocessor

Add Syscache.hve artifact

Open nwf9 opened this issue 7 years ago • 2 comments

Hi Matias,

Do you have a plan to add parsing and analysis for Syscache.hve? You can look into David Cowen's research below:

https://www.hecfblog.com/2018/12/daily-blog-573-forensic-lunch-test.html?m=1

nwf9, Dec 23 '18 00:12

That definitely sounds like it would be a good source of data for ACP. Looks like there's already some folks investigating the artefact and writing up some Python code, so will monitor and leverage that when available. Thanks!

mbevilacqua, Jan 11 '19 09:01

My pleasure; it will be very good to hunt with this artifact. You can also add SCCM telemetry.

nwf9, Jan 16 '19 22:01