hadar0x

  1. Garth, really appreciate your efforts here, so first of all - thanks.

     Generally speaking, not all forensics investigations end up in court, and this could be useful even as a pivot point; maybe you can use it to find other evidence that does hold up in court. But that's a philosophical debate, let's not go into that now.

     In regard to deleted files - agreed. That's a conclusion one can make based on the evidence. Again - not my goal / focus.

     Can you elaborate on enabling the AI Class? I have one client setting policy, in which I enabled software metering, software inventory and hardware inventory.

     I also noticed that not all apps are tracked by the CCM_RUA, and I'm also investigating which applications do get tracked and which don't... Hope I'll find something meaningful.

     What log file are you referring to?

     In regard to the user - I also see similar things to what you see (and to be honest, he did write that he's not sure about this property). But again, that is not my focus. My focus is to understand which configuration of SCCM affects the CCM_RUA on endpoints to contain the FilePropertiesHash with values in it (as seen in here).

     Thanks again for your help. This is highly appreciated.
  2. Hi Garth, good questions.

     I care about it for digital forensics purposes. CCM_RecentlyUsedApps is being used as evidence of execution during forensics investigations. Here's an example blog written by FireEye research group. The finding I was referring to (that only some environments have this information) was specifically found by a guy named James Habben in a post here.

     In my lab environment the data is also unavailable, i.e. by running a WMI query on an endpoint -

     wmic /namespace:\\root\CCM\SoftwareMeteringAgent PATH CCM_RecentlyUsedApps get /format:csv

     I do get a list of processes that were executed, but none of them has a value in the FilePropertiesHash property.

     Since I do have access to the SCCM management server (in comparison to him) - I try to find the specific configuration that enables/disables the collection of this data.
  3. Inside the Software Metering Agent, there is a property named FilePropertiesHash. Someone found that either all systems in a given environment have a value in this property, or they all don't have it. Is there a specific configuration that should be done in order to include this property?
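
Added example, not part of the posts above and not code from any of the posters: a way to check, per endpoint, whether FilePropertiesHash is populated in CSV output collected with the wmic query quoted in the posts. The function name `summarize`, the host names, the column subset and all sample values are constructed for illustration.

```python
import csv
from collections import defaultdict

# Constructed sample of `wmic ... get /format:csv` output (not real data).
# The comma in "Example, Inc." shifts that row's columns, because wmic
# does not quote CSV fields.
SAMPLE = (
    "\r\n"
    "Node,CompanyName,ExplorerFileName,FilePropertiesHash,FolderPath,LastUsedTime\r\n"
    "LAB-PC01,Contoso,notepad.exe,,C:\\Windows\\System32\\,20240101100000.000000+000\r\n"
    "LAB-PC01,Contoso,calc.exe,,C:\\Windows\\System32\\,20240101101500.000000+000\r\n"
    "LAB-PC02,Contoso,notepad.exe,CONSTRUCTED-HASH-1,C:\\Windows\\System32\\,20240102090000.000000+000\r\n"
    "LAB-PC02,Contoso,tool.exe,CONSTRUCTED-HASH-2,C:\\Tools\\,20240102093000.000000+000\r\n"
    "LAB-PC02,Example, Inc.,app.exe,CONSTRUCTED-HASH-3,C:\\Apps\\,20240102100000.000000+000\r\n"
)


def summarize(text):
    """Per host: usable rows, rows with FilePropertiesHash set, malformed rows."""
    # wmic emits a leading blank line and stray carriage returns; drop empties.
    lines = [ln for ln in text.splitlines() if ln.strip()]
    reader = csv.DictReader(lines)
    if "FilePropertiesHash" not in (reader.fieldnames or []):
        raise ValueError("FilePropertiesHash column missing from wmic output")
    stats = defaultdict(lambda: {"rows": 0, "with_hash": 0, "malformed": 0})
    for row in reader:
        host = stats[row.get("Node") or "unknown"]
        # Extra fields land under the None key, missing ones get a None value.
        if None in row or None in row.values():
            host["malformed"] += 1
            continue
        host["rows"] += 1
        if row["FilePropertiesHash"].strip():
            host["with_hash"] += 1
    return dict(stats)


if __name__ == "__main__":
    for node, s in sorted(summarize(SAMPLE).items()):
        print(node, s)
```

Rows counted as malformed should be re-collected in a format that quotes fields before drawing conclusions about their hash values.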