Stay ahead of cyber threats with immersion-style training in Reston, VA! Save $150 thru 1/29.


To attend this webcast, login to your SANS Account or create your Account.

Cache Me If You Can!

  • Thursday, August 27th, 2015 at 11:00 AM EDT (15:00:00 UTC)
  • Matt Bromiley
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast.

You can now attend the webcast using your mobile device!


"Malware can hide, but it must run" are legendary words for any forensic investigator to live by. As we peek days, weeks, months, sometimes even years back in time, what artifacts are available to help us determine if malware did run? If only there was a native artifact that contained execution information...but wait, there is! In this talk, we will examine Windows execution artifacts including the ShimCache, RecentFileCache, and the newer Amcache hive found in Windows 8 and 10. We will examine the structures of these artifacts, as well as the different points of information recorded by each. Lastly, we will also discuss ways for the forensic investigator to include these artifacts in their investigation, including various parsing tools and analysis techniques.

Want to hear more from Matt?
Join him and other speakers at the Data Breach Investigation Summit & Training. The most effective way to improve your readiness and strategy in combating risk and the damage that results from even a minor compromise. The courses will provide you hands-on, immersion training on what it takes to identify, respond, investigate and defend against data breaches in your organization. And, you'll be able to collaborate with fellow attendees facing similar sets of challenges during the complimentary lunch and learns and @Night sessions. Hear from industry renowned speakers, providing you with actionable knowledge of new trends and best practices to help reduce your risk of advanced threats. Learn more and register.

Speaker Bio

Matt Bromiley

Matt Bromiley is a SANS Digital Forensics and Incident Response instructor, teaching FOR508 Advanced Incident Response, Threat Hunting and Digital Forensics and SANS FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. He is also an incident response consultant at a major incident response and forensic analysis company, combining experience in digital forensics, incident response/triage and log analytics. His skills include disk, database, memory and network forensics, as well as network security monitoring.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.