hadar0x Posted August 27, 2017

Inside the Software Metering Agent, there is a property named FilePropertiesHash. Someone found that either all systems in a given environment have a value in this property, or none of them do. Is there a specific configuration that should be done in order to include this property?
GarthMJ Posted August 27, 2017

Who found this? Where exactly are you seeing this? Why do you care about it?
hadar0x Posted August 27, 2017

Hi Garth, good questions. I care about it for digital forensics purposes. CCM_RecentlyUsedApps is being used as evidence of execution during forensics investigations. Here's an example blog written by the FireEye research group. The finding I was referring to (that only some environments have this information) was specifically found by a guy named James Habben in a post here. In my lab environment the data is also unavailable, i.e. by running a WMI query on an endpoint:

wmic /namespace:\\root\CCM\SoftwareMeteringAgent PATH CCM_RecentlyUsedApps get /format:csv

I do get a list of processes that were executed, but none of them has a value in the FilePropertiesHash property. Since I do have access to the SCCM management server (in comparison to him), I am trying to find the specific configuration that enables/disables the collection of this data.
GarthMJ Posted August 27, 2017

First off, nothing within the CM database or WMI can ever be used for forensics investigations and have it hold up in any court. On a side note, there are assumptions within the first blog that are incorrect. CCM_RecentlyUsedApps will not tell you about deleted files. It will only tell you what was executed. But by doing a comparison you can determine what executables have been deleted or renamed, but nothing else. More than just SW metering needs to be enabled; the AI class also needs to be enabled too. AI data is collected based on the Hardware Inventory cycle; the default is 7 days, BUT most senior SCCM admins will recommend daily. Not all apps are tracked by CCM_RecentlyUsedApps; you can see this from the log file. In my quick tests, the execution user is incorrectly identified: only the logon user (I assume console user) is shown as having executed the app.
hadar0x Posted August 27, 2017

Garth, really appreciate your efforts here, so first of all - thanks. Generally speaking, not all forensics investigations end up in court, and this could be useful even as a pivot point; maybe with that you can find other evidence that does hold up in court. But that's a philosophical debate, let's not go into that now.

In regards to deleted files - agreed. That's a conclusion one can make based on the evidence. Again - not my goal / focus.

Can you elaborate on enabling the AI class? I have one client settings policy, in which I enabled software metering, software inventory & hardware inventory.

I also noticed that not all apps are tracked by the CCM_RUA, and I'm also investigating which applications do get tracked and which don't... Hope I'll find something meaningful. What log file are you referring to?

In regards to the user - I also see similar things to what you see (and to be honest, he did write that he's not sure about this property). But again, that is not my focus. My focus is to understand which configuration of SCCM affects the CCM_RUA on endpoints to contain the FilePropertiesHash with values in it (as seen here).

Thanks again for your help. This is highly appreciated.
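As an added example (not code from any poster in this thread), here is a PowerShell version of the WMI query hadar0x ran, extended to do the two checks the thread discusses: report how many CCM_RecentlyUsedApps records actually carry a FilePropertiesHash, and flag entries whose executable is no longer on disk, which Garth describes as the only way to infer deletion or renaming. It assumes an SCCM client with software metering enabled and that the class exposes the properties named below; the function names are my own.

```powershell
# Added example, not from the thread. Assumes the client exposes
# CCM_RecentlyUsedApps with FolderPath, ExplorerFileName, LastUserName,
# LastUsedTime, LaunchCount and FilePropertiesHash (hypothetical helper names).

function Get-CcmRuaTriage {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $cimParams = @{
        Namespace = 'root\CCM\SoftwareMeteringAgent'
        ClassName = 'CCM_RecentlyUsedApps'
    }
    $isLocal = ($ComputerName -eq $env:COMPUTERNAME)
    if (-not $isLocal) { $cimParams.ComputerName = $ComputerName }

    foreach ($app in (Get-CimInstance @cimParams -ErrorAction Stop)) {
        $path = Join-Path $app.FolderPath $app.ExplorerFileName
        [pscustomobject]@{
            Path               = $path
            LastUser           = $app.LastUserName      # per Garth: logon user, not necessarily the executing user
            LastUsedTime       = $app.LastUsedTime      # DMTF string; sorts chronologically as text
            LaunchCount        = $app.LaunchCount
            HasHash            = -not [string]::IsNullOrEmpty($app.FilePropertiesHash)
            FilePropertiesHash = $app.FilePropertiesHash
            # Only meaningful for a local query; a missing file is a pivot point, not proof.
            StillOnDisk        = if ($isLocal) { Test-Path -LiteralPath $path } else { $null }
        }
    }
}

# Per the thread, hash coverage on a client is typically all-or-nothing;
# this summary makes that visible in one line.
function Get-CcmRuaHashCoverage {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $rows = @(Get-CcmRuaTriage -ComputerName $ComputerName)
    [pscustomobject]@{
        Total         = $rows.Count
        WithHash      = @($rows | Where-Object HasHash).Count
        MissingOnDisk = @($rows | Where-Object { $_.StillOnDisk -eq $false }).Count
    }
}

Get-CcmRuaHashCoverage
Get-CcmRuaTriage |
    Where-Object { -not $_.HasHash -or $_.StillOnDisk -eq $false } |
    Sort-Object LastUsedTime -Descending |
    Format-Table Path, LastUser, LastUsedTime, LaunchCount, HasHash, StillOnDisk -AutoSize
```

Run it on the lab client before and after changing the client settings policy to see whether the WithHash count moves; the remote path needs WinRM/CIM access to the target.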