top of page
  • Writer's pictureInception Security

Shimcache: A Crucial Tool for Digital Forensics and Incident Response

Shimcache, also known as the Application Compatibility Cache, is a feature in the Windows operating system that tracks application compatibility information. It records the execution of applications and the modifications made to the system, allowing the operating system to optimize the loading of applications. From a digital forensics and incident response standpoint, shimcache can be a valuable source of information for investigating and understanding an attacker's or malware's actions. This article will explore how shimcache works and why it is crucial for digital forensics and incident response investigations.


Understanding Shimcache


When an application is executed on a Windows system, the operating system records the execution in the shimcache. This includes information such as the name of the application, the path of the executable file, and the time of execution. Shimcache also records any modifications made to the system due to the application's execution, such as registry changes or the creation of new files.


This information is stored in the shimcache as a series of records known as cache entries. Each cache entry includes the name of the application, the path of the executable file, and the time of execution. Additionally, the shimcache contains a checksum of the executable file, allowing the operating system to verify the integrity of the file.


The Shimcache is in the SYSTEM hive in the directory C:Windows\system32\config. The Registry key that is related to Shimcache is HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache.


The Importance of Shimcache in Digital Forensics and Incident Response


Shimcache proves to be a valuable source of information for digital forensics and incident response investigations for several reasons:


  1. Timeline of activity: By examining the shimcache, investigators can determine which applications were executed and when enabling them to build a timeline of activity on the system.

  2. System modifications: Shimcache can provide information about modifications made to the system as a result of application execution. This is useful for understanding an attacker's or malware's actions, showing which files were created or modified and which registry keys were accessed.

  3. Detection of malicious or unusual activity: Shimcache can help investigators identify malicious or unusual activity on the system. For example, if an unknown or suspicious application is found in the shimcache, it could indicate the presence of malware or an attempted attack.


Analyzing Shimcache


Several tools are available for analyzing shimcache, including the Microsoft Sysinternals tool, sdelete, and the open-source tool, shimcacheparser. These tools allow investigators to extract and analyze the contents of the shimcache, providing a detailed view of activity on the system.


Note that shimcache is only available on systems running Windows 7 or later. On systems running earlier versions of Windows, investigators can use other sources of information, such as the prefetch folder, to gather similar data.


Conclusion


Shimcache is an invaluable source of information for digital forensics and incident response investigations. It provides a timeline of activity on the system and information about modifications made to the system and can help investigators identify malicious or unusual activity. By using tools like sdelete and shimcacheparser, investigators can extract and analyze the contents of the shimcache to gain a deeper understanding of the actions of an attacker or malware on a system. As a digital forensics expert, leveraging shimcache can significantly aid in uncovering the truth and understanding complex cybersecurity incidents.

bottom of page