rowingdude / analyzeMFT

MIT License

Consider adding plugins to look for specific things #15

Open dkovar opened 10 years ago

dkovar commented 10 years ago

Consider implementing a mechanism to look for specific things, such as .exe files in ProgramData.

dkovar commented 10 years ago

From http://windowsir.blogspot.com/2013/07/howto-add-intelligence-to-analysis.html:

These should be resident and thus available for analysis.

Java .idx files

A while back, I posted about parsing Java deployment cache index (.idx) files, and incorporating the information into a timeline. One of the items I'd seen during analysis that might indicate something suspicious is the last modified time embedded in the server response being relatively close (in time) to when the file was actually sent to the client (indicated by the "date:" field). As such, I added a rule to my own code, and had the script generate an alert if the "last modified" field was within 5 days of the "date" field; this value was purely arbitrary, but it would've thrown an alert when parsing the files that Corey ran across and discussed in his blog.
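A sketch of the plugin mechanism proposed in this issue, added here as an example rather than code from analyzeMFT itself: rules register themselves and a scan loop runs them over parsed records. The `Record` fields, the `Rule` callable interface and the sample paths are assumptions; the 5-day .idx window is the arbitrary value quoted above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable, List, Optional

@dataclass
class Record:
    """Hypothetical, simplified MFT record; analyzeMFT's real layout differs."""
    path: str                                   # full path rebuilt from the MFT
    idx_last_modified: Optional[datetime] = None  # server 'last-modified' (.idx only)
    idx_date: Optional[datetime] = None           # server 'date' header (.idx only)

# A plugin is a callable that inspects one record and returns an alert or None.
Rule = Callable[[Record], Optional[str]]
RULES: List[Rule] = []

def rule(fn: Rule) -> Rule:
    """Decorator registering a rule so scan() picks it up."""
    RULES.append(fn)
    return fn

@rule
def exe_in_programdata(rec: Record) -> Optional[str]:
    """Flag .exe files anywhere under ProgramData, as the issue suggests."""
    parts = rec.path.replace("/", "\\").lower().split("\\")
    if "programdata" in parts[:-1] and parts[-1].endswith(".exe"):
        return f"exe under ProgramData: {rec.path}"
    return None

IDX_WINDOW = timedelta(days=5)  # arbitrary threshold from the quoted blog post

@rule
def idx_recently_modified(rec: Record) -> Optional[str]:
    """Flag Java .idx files whose 'last-modified' is within 5 days of 'date'."""
    if not rec.path.lower().endswith(".idx") or None in (rec.idx_last_modified, rec.idx_date):
        return None
    if abs(rec.idx_date - rec.idx_last_modified) <= IDX_WINDOW:
        return f"idx last-modified within {IDX_WINDOW.days} days of download: {rec.path}"
    return None

def scan(records: Iterable[Record]) -> List[str]:
    """Run every registered rule over every record and collect the alerts."""
    return [a for rec in records for r in RULES if (a := r(rec)) is not None]

SAMPLE = [  # constructed sample records, not real MFT data
    Record(r"C:\ProgramData\Updater\svchost.exe"),
    Record(r"C:\Program Files\App\app.exe"),
    Record(r"C:\Users\u\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1a2b3c.idx",
           datetime(2013, 7, 1), datetime(2013, 7, 3)),   # 2 days apart -> alert
    Record(r"C:\Users\u\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\old.idx",
           datetime(2012, 1, 1), datetime(2013, 7, 3)),   # stale cache entry -> quiet
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```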