Using Microsoft SCCM for Incident Response
James Habben wrote a post titled “Secret Archives of Execution Evidence: CCM_RecentlyUsedApps”. He observes that without a forensic examination of this artifact it becomes increasingly difficult to build a chronology of events across all the systems involved in an incident response.
Microsoft built software metering into SCCM to report application usage for statistical analysis. SCCM can collect inventory data from many sources, and tracking of executed files is one of them.
CCM_RecentlyUsedApps records are a valuable artifact for identifying the executables an attacker ran, including files that have since been deleted. Like all forensic artifacts, analysis of these software metering agent records should be only one part of a complete and well-balanced investigation strategy.
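As an added illustration (not code from James's post or from his tools), the routine below turns a set of CCM_RecentlyUsedApps records into a deduplicated, UTC-sorted execution timeline. It assumes the records carry the WMI class's FolderPath, ExplorerFileName, LastUserName, LastUsedTime and LaunchCount properties, with LastUsedTime in DMTF datetime form; the sample records are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like CCM_RecentlyUsedApps instances.
# Property names are an assumption about the WMI class, not from the post.
SAMPLE_RECORDS = [
    {"FolderPath": "C:\\Windows\\System32\\", "ExplorerFileName": "cmd.exe",
     "LastUserName": "CORP\\alice", "LastUsedTime": "20170301143000.000000+000",
     "LaunchCount": 3},
    # Exact duplicate of the record above, as seen when several exports overlap.
    {"FolderPath": "C:\\Windows\\System32\\", "ExplorerFileName": "cmd.exe",
     "LastUserName": "CORP\\alice", "LastUsedTime": "20170301143000.000000+000",
     "LaunchCount": 3},
    {"FolderPath": "C:\\Users\\alice\\AppData\\Local\\Temp\\",
     "ExplorerFileName": "update.exe", "LastUserName": "CORP\\alice",
     "LastUsedTime": "20170301150500.000000-300", "LaunchCount": 1},
    {"FolderPath": "C:\\Program Files\\7-Zip\\", "ExplorerFileName": "7z.exe",
     "LastUserName": "CORP\\bob", "LastUsedTime": "20170228090000.000000+060",
     "LaunchCount": 12},
]

# DMTF datetime: yyyymmddHHMMSS.ffffff followed by a UTC offset in minutes.
DMTF_RE = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$")


def dmtf_to_utc(value):
    """Convert a DMTF datetime string to a timezone-aware UTC datetime."""
    m = DMTF_RE.match(value)
    if not m:
        raise ValueError(f"not a DMTF datetime: {value!r}")
    fields = [int(x) for x in m.group(1, 2, 3, 4, 5, 6, 7)]
    offset_minutes = int(m.group(9)) * (1 if m.group(8) == "+" else -1)
    local = datetime(*fields, tzinfo=timezone(timedelta(minutes=offset_minutes)))
    return local.astimezone(timezone.utc)


def build_timeline(records):
    """Deduplicate on (path, file, last-used time) and sort by UTC time."""
    seen, timeline = set(), []
    for r in records:
        key = (r["FolderPath"].lower(), r["ExplorerFileName"].lower(),
               r["LastUsedTime"])
        if key in seen:
            continue
        seen.add(key)
        timeline.append({
            "when_utc": dmtf_to_utc(r["LastUsedTime"]),
            "path": r["FolderPath"] + r["ExplorerFileName"],
            "user": r["LastUserName"],
            "launch_count": r["LaunchCount"],
        })
    timeline.sort(key=lambda e: e["when_utc"])
    return timeline
```

Normalizing every timestamp to UTC before merging is what lets records from hosts in different time zones line up in one chronology.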
James describes a new Python tool and a new EnScript, shares his caveats, and recommends doing the data deduplication in Excel, “because I ran into a number of errors in EnCase trying to make this work in EnScript.”