Shimcache
Shimcache (AppCompatCache) Forensics Overview
Shimcache, also known as AppCompatCache, is a Windows application-compatibility mechanism that has become a valuable forensic artifact. It records metadata about executables the system has encountered, most often because they were run but also when Explorer or another process caused the compatibility check to look at them, giving insight into what software was present on a host and what a user or an attacker was likely doing.
Key Forensic Purposes of Shimcache
Evidence of Executable Execution
Shimcache records metadata for executables that have been run on the system, because launching a program triggers the compatibility lookup that creates the entry.
An entry alone does not prove execution: other activity creates entries too, and on Windows 10 and later the cache carries no execution flag at all. Corroborate with Amcache, Prefetch, or event logs. Note also that the cache is held in memory and written to the registry at shutdown or reboot, so a hive taken from a running machine lags behind what that machine has actually seen.
Evidence of File Existence
Shimcache also records executables that were merely listed in File Explorer (or otherwise enumerated in a way that triggers the compatibility check), even if they never ran.
Entries for files that have since been deleted persist, offering historical insight into what was once present on the system.
Key Characteristics of Shimcache
Execution and Viewing: Tracks files the system has seen, whether because they were executed or merely displayed in Explorer.
Persistence of Deleted Files: Metadata about files remains in Shimcache even if the files are deleted from the disk.
Broad File Coverage: Includes files from local drives, network shares, and removable media.
Timestamp Limitations: The timestamp stored with each entry is the file's last modified time (taken from the file's $STANDARD_INFORMATION attribute), not the time it was executed or seen. Relative recency comes only from entry order, since new entries are inserted at the top, and the cache holds a bounded number of entries (1024 on modern Windows), so the oldest are eventually evicted.
No Direct Proof of Execution: Requires other corroborative logs or artifacts to confirm file execution.
Registry Location of Shimcache
Registry Path:
If CurrentControlSet is unavailable, check ControlSet001 or similar paths.
Using AppCompatCacheParser for Shimcache Analysis
AppCompatCacheParser by Eric Zimmerman simplifies parsing Shimcache data for forensic investigations.
Steps for Analysis:
Download and Run AppCompatCacheParser:
Obtain the tool from Eric Zimmerman’s suite.
Run Command:
Example:
This generates a CSV file with parsed Shimcache data.
Load CSV in Timeline Explorer:
Use Timeline Explorer (another Zimmerman tool) for better visualization.
Provides a grid view with sortable, filterable columns for cache entry position, file path, last-modified timestamp and (on hives that carry it) the executed flag. A "deleted" status is not stored in Shimcache; it has to be inferred by checking each path against the file system of the image.
Key Fields in Shimcache Analysis
Executable Paths: Full paths of executables logged by Shimcache.
Timestamps: The file's last modified time, which tells you when the executable last changed on disk, not when it was last seen or run.
Cache Entry Position: Entries are ordered with the most recently inserted first, so position is the only indication of relative recency the artifact provides.
File Status: Shimcache stores no status field. A path that appears in the cache but is absent from the volume points to a file that was deleted or that lived on media no longer attached; that comparison has to be done by the analyst.
Practical Use Case: Incident Investigation
Scenario: A company reports a suspected data exfiltration incident. Investigators examine Shimcache to track suspicious executables.
Initial Analysis:
Shimcache reveals the presence of malware_exfil.exe; its last-modified timestamp falls shortly before the incident and its cache position places it among the most recently inserted entries.
Corroborating Evidence:
Cross-reference with Amcache and Prefetch to confirm execution.
Investigate network logs to identify connections made by malware_exfil.exe.
Outcome:
Timeline reconstruction points to the malicious executable as the exfiltration vector.
Provides actionable insights to contain and remediate the attack.
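The following Python script is an added example, not part of the original page or of Eric Zimmerman's tooling. It performs the triage that the analysis steps, the key fields and the scenario above describe: it reads a CSV in the layout AppCompatCacheParser writes (the column names are assumed from the tool's default output; a typical invocation is `AppCompatCacheParser.exe -f C:\case\SYSTEM --csv C:\case\out`, with invented paths), keeps the entries in cache-position order, flags paths that are no longer on the imaged volume, that sit in user-writable, network or non-system locations, or whose last-modified time falls inside the incident window, and marks an entry as "execution corroborated" only when Prefetch (or a pre-Windows 10 executed flag) backs it up. The sample CSV, the list of paths still on disk, the Prefetch names and the incident window are all constructed for the example; the assumption that C: is the system drive is labelled in the code.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the CSV layout AppCompatCacheParser writes by default
# (column names assumed from the tool's output; every path, timestamp and hive
# location below is invented for this example). Executed is "N/A" because a
# Windows 10+ hive has no execution flag.
SAMPLE_CSV = r"""ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile
1,0,C:\Users\jdoe\AppData\Local\Temp\malware_exfil.exe,2024-03-11 02:14:07,N/A,False,C:\case42\SYSTEM
1,1,C:\Windows\System32\cmd.exe,2023-10-02 09:31:44,N/A,False,C:\case42\SYSTEM
1,2,\\fileserver\share\tools\7z.exe,2023-05-19 13:02:10,N/A,False,C:\case42\SYSTEM
1,3,E:\backup\sync.exe,2024-03-10 23:58:01,N/A,False,C:\case42\SYSTEM
1,4,C:\Program Files\Vendor\app.exe,2022-01-15 08:00:00,N/A,True,C:\case42\SYSTEM
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Directory fragments a non-admin user can normally write to (assumed list).
SUSPECT_MARKERS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\")


def parse_shimcache_csv(text):
    """Parse parser output into dicts ordered by CacheEntryPosition.

    Position 0 is the most recently inserted entry, so the order itself is
    evidence of relative recency even though no timestamp records it.
    """
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        entries.append({
            "position": int(row["CacheEntryPosition"]),
            "path": row["Path"],
            # File last-modified time, not a time of execution or of viewing.
            "mtime": datetime.strptime(row["LastModifiedTimeUTC"], TIME_FMT),
            "executed": row["Executed"],
            "duplicate": row["Duplicate"].strip().lower() == "true",
        })
    return sorted(entries, key=lambda e: e["position"])


def classify_location(path):
    """Coarse location class; assumes C: is the system drive."""
    p = path.lower()
    if p.startswith("\\\\"):
        return "network share"
    if p[1:3] == ":\\" and p[0] != "c":
        return "non-system drive (removable?)"
    if any(marker in p for marker in SUSPECT_MARKERS):
        return "user-writable location"
    return "standard location"


def triage(entries, existing_paths, prefetch_names, window_start, window_end):
    """Return entries worth a closer look, each with the reasons it was flagged.

    existing_paths: paths still present on the imaged volume (in a real case,
    produced from a file listing of the image). prefetch_names: executable
    names seen in Prefetch; Shimcache alone never proves execution.
    """
    existing = {p.lower() for p in existing_paths}
    prefetched = {n.lower() for n in prefetch_names}
    start, end = (datetime.strptime(t, TIME_FMT) for t in (window_start, window_end))
    findings = []
    for e in entries:
        reasons = []
        if e["path"].lower() not in existing:
            reasons.append("not on disk (deleted, or on media no longer attached)")
        location = classify_location(e["path"])
        if location != "standard location":
            reasons.append(location)
        if start <= e["mtime"] <= end:
            reasons.append("last-modified time inside incident window")
        if not reasons:
            continue
        name = e["path"].rsplit("\\", 1)[-1].lower()
        findings.append({
            "position": e["position"],
            "path": e["path"],
            "reasons": reasons,
            # Pre-Windows 10 hives may carry a "Yes" executed flag; otherwise
            # only an independent artifact such as Prefetch corroborates a run.
            "execution_corroborated": name in prefetched or e["executed"].lower() == "yes",
        })
    return findings


def run_example():
    """Constructed case: on-disk paths, Prefetch names and window are invented."""
    entries = parse_shimcache_csv(SAMPLE_CSV)
    on_disk = [r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Vendor\app.exe"]
    prefetch = ["MALWARE_EXFIL.EXE", "CMD.EXE"]
    return triage(entries, on_disk, prefetch, "2024-03-10 22:00:00", "2024-03-11 04:00:00")


if __name__ == "__main__":
    for f in run_example():
        tag = "execution corroborated" if f["execution_corroborated"] else "presence only"
        print(f"[{f['position']}] {f['path']} ({tag}): {'; '.join(f['reasons'])}")
```

Run against a real export, the script would take the parser's CSV, a file listing of the imaged volume and the executable names from a Prefetch parse; the point of keeping "presence only" separate from "execution corroborated" is that Shimcache on its own supports the first claim and never the second.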
Conclusion
Shimcache is a powerful artifact for establishing that an executable existed on a system and, with corroboration from Amcache, Prefetch or logs, that it ran. It remains essential for reconstructing attack timelines, identifying malware, and tracking user activity. Combined with tools like AppCompatCacheParser and Timeline Explorer, Shimcache can reveal critical insights in digital forensic investigations.