Forum Discussion
Incident Response: Application Shimming
I'm working through the Incident Response: Application Shimming lab and I'm stuck on the final question (but have correctly answered all previous questions).
Without giving away any answers to those reading this, I'm hoping someone can tell me whether I'm following the correct investigation path or if I'm overlooking an artifact.
So far I've:
- Followed the registry keys mentioned in the briefing.
- Identified the affected application and the installed shim database.
- Examined the SDB file with the provided analysis tool.
- Followed the breadcrumb trail from the previous questions.
- Examined the DLL identified in the previous question for URLs, HTTP-related strings, and other obvious indicators.
- Searched the SDB and related files for URLs and network indicators.
- Checked the application's installation directory for additional relevant artifacts.
At this point I can't find anything that appears to answer the final question, and I'm wondering if I'm expected to analyze a different file or use a different tool than the ones provided in the VM.
Could someone give me a nudge in the right direction?
Specifically, I'd like to know:
- Am I investigating the correct artifact?
- Is there another file or artifact that should be analyzed?
- Or is there another technique/tool that the lab expects me to use?
Thanks!
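For readers following the same investigation path, here is an added PowerShell triage script (not part of the original post, and not the lab's answer) that enumerates the standard places Windows records custom application-compatibility shims: the InstalledSDB and Custom keys under AppCompatFlags, the on-disk AppPatch\Custom drop directory, and the Program-Telemetry event log. The lab's specific keys, file names and SDB are not named in the post, so this only shows the general check a responder would run before handing a suspicious .sdb to an analysis tool.

```powershell
# Added example: enumerate application-shim artifacts on a live Windows host.
# The locations below are the standard AppCompat locations; run from an
# elevated prompt so HKLM and the AppPatch directory are readable.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

# 1. InstalledSDB: one GUID-named subkey per installed shim database.
#    DatabasePath points at the .sdb; DatabaseInstallTimeStamp is a FILETIME.
Write-Host "== Installed shim databases =="
Get-ChildItem "$base\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    $onDisk = Test-Path -LiteralPath $p.DatabasePath
    [PSCustomObject]@{
        Guid        = $_.PSChildName
        Description = $p.DatabaseDescription
        Path        = $p.DatabasePath
        Installed   = if ($p.DatabaseInstallTimeStamp) {
                          [DateTime]::FromFileTime($p.DatabaseInstallTimeStamp)
                      } else { $null }
        OnDisk      = $onDisk
        # Hash the SDB so it can be correlated with the analysed copy later.
        Sha256      = if ($onDisk) {
                          (Get-FileHash -LiteralPath $p.DatabasePath -Algorithm SHA256).Hash
                      } else { $null }
    }
} | Format-List

# 2. Custom: one subkey per shimmed executable name; each value name is the
#    file name (GUID.sdb) of the database that applies to that executable.
Write-Host "== Executables with a custom shim applied =="
Get-ChildItem "$base\Custom" -ErrorAction SilentlyContinue | ForEach-Object {
    $exe = $_.PSChildName
    $_.GetValueNames() | ForEach-Object {
        [PSCustomObject]@{ Executable = $exe; SdbFile = $_ }
    }
} | Format-Table -AutoSize

# 3. On-disk databases. A .sdb here with no matching InstalledSDB entry
#    suggests the registration was removed after installation (or never made
#    through sdbinst.exe); note that an SDB can also be loaded from any path.
Write-Host "== .sdb files under AppPatch\Custom =="
Get-ChildItem "$env:SystemRoot\AppPatch\Custom" -Recurse -Include *.sdb -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 4. Event log: sdbinst.exe installs/uninstalls are logged to Program-Telemetry.
#    Event ID 500 is "Compatibility fix applied", which also names the .sdb.
Write-Host "== Recent shim-related telemetry events =="
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Application-Experience/Program-Telemetry'
    Id      = 500, 505
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Correlate the three views: a GUID that appears in Custom but not in InstalledSDB, an .sdb on disk that no registry key references, or an install timestamp that lines up with the incident window are each worth pulling into the timeline before, or alongside, examining the database contents with the analysis tool.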