Amcache and Shimcache in forensic analysis

Amcache and Shimcache record which executables Windows has seen and, depending on the artifact and OS version, when a program was first run or installed (Amcache) or when the executable was last modified on disk (Shimcache), which makes them useful inputs for an execution timeline.

In addition, both artifacts carry file metadata that varies by OS version: the full file path in both, the file size in older Shimcache formats, and a SHA-1 hash in Amcache.


Amcache

The Amcache.hve file is a registry hive that stores information about applications that have been executed or installed on the system.

For each application it records the execution path, the time it was first executed, the time it was deleted (for programs that have since been removed), and the installation time of installed programs.

Introduced in Windows 8, Amcache.hve replaces RecentFileCache.bcf and uses the Windows NT Registry File (REGF) format, so any standard registry hive parser can read it.

Amcache.hve is located at:

%SystemRoot%\AppCompat\Programs\Amcache.hve (typically C:\Windows\AppCompat\Programs\Amcache.hve)

Like any loaded hive it is locked while Windows is running, so it is collected from a disk image, a volume shadow copy, or a raw-disk-access copy tool.

Amcache.hve is also an important artifact for recording traces of anti-forensic programs, portable programs, and programs run from external storage devices, and it can be parsed with the amcache plugin of RegRipper:

https://github.com/keydet89/RegRipper2.8

How can it be leveraged?

Amcache.hve records recently run processes and lists the full path of each executed file, which can be used to locate the executable on disk or to show that it has since been deleted.

It also records the program's SHA-1 hash, which can be searched in databases such as VirusTotal for quick identification. Two caveats apply: the stored value is the 40-character hex digest prefixed with four zeros (44 characters in total), and the digest covers at most the first 31,457,280 bytes of the file, so for larger binaries it will not match a full-file SHA-1 computed elsewhere.
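The two caveats above are easy to get wrong when pivoting from Amcache to a hash database. The following Python is an added example written for this page, not code from the original article or from any tool it mentions: it strips the "0000" prefix from an Amcache FileId and recomputes a hash over only the first 31,457,280 bytes of a file, so the two can be compared. The prefix convention and the byte limit are assumptions stated in the comments; the function names are ours.

```python
"""Added example (not from the original article): normalise the SHA-1 stored
in Amcache.hve and recompute a comparable hash for a file on disk.

Assumptions, labelled here and in the comments below: the Amcache FileId
value is the 40-character hex SHA-1 prefixed with "0000" (44 chars total),
and the digest covers only the first 31,457,280 bytes of the file.
The function names are ours, not those of any tool.
"""
import hashlib
import io
from typing import BinaryIO

# Assumption: Amcache hashes at most the first 31,457,280 bytes (30 MiB,
# often quoted as "31 MB") of a file.
AMCACHE_HASH_LIMIT = 31_457_280
# Assumption: the stored FileId is "0000" followed by the hex SHA-1.
AMCACHE_FILEID_PREFIX = "0000"
_HEX = set("0123456789abcdef")


def normalize_file_id(file_id: str) -> str:
    """Strip the "0000" prefix so the value can be pasted into VirusTotal."""
    value = file_id.strip().lower()
    if len(value) == 44 and value.startswith(AMCACHE_FILEID_PREFIX):
        value = value[len(AMCACHE_FILEID_PREFIX):]
    if len(value) != 40 or not set(value) <= _HEX:
        raise ValueError(f"not an Amcache SHA-1 FileId: {file_id!r}")
    return value


def amcache_sha1(stream: BinaryIO, chunk_size: int = 1 << 20) -> str:
    """SHA-1 over at most the first AMCACHE_HASH_LIMIT bytes of `stream`.

    Equal to the ordinary full-file SHA-1 for files at or below the limit;
    for larger files it is what Amcache recorded, and a full-file hash from
    a sandbox report or VirusTotal will not match it.
    """
    digest = hashlib.sha1()
    remaining = AMCACHE_HASH_LIMIT
    while remaining > 0:
        chunk = stream.read(min(chunk_size, remaining))
        if not chunk:
            break
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()


def amcache_sha1_bytes(data: bytes) -> str:
    """Convenience wrapper for in-memory data (tests and small samples)."""
    return amcache_sha1(io.BytesIO(data))


def matches_amcache(file_id: str, stream: BinaryIO) -> bool:
    """True when the file behind `stream` corresponds to the Amcache FileId."""
    return normalize_file_id(file_id) == amcache_sha1(stream)


if __name__ == "__main__":
    # Constructed sample: 40 MiB of filler standing in for a large binary.
    body = b"MZ" + b"\x90" * (40 * 1024 * 1024 - 2)
    recorded = AMCACHE_FILEID_PREFIX + amcache_sha1_bytes(body)
    print("Amcache FileId  :", recorded)
    print("bare SHA-1      :", normalize_file_id(recorded))
    print("full-file SHA-1 :", hashlib.sha1(body).hexdigest(), "(differs: file > limit)")
    print("matches Amcache :", matches_amcache(recorded, io.BytesIO(body)))
```

When a VirusTotal lookup of an Amcache hash returns nothing for a binary larger than the limit, recompute the truncated hash with `amcache_sha1()` on the recovered file before concluding the file is unknown.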


Shimcache

Shimcache, also known as AppCompatCache, is a component of the Application Compatibility Database, which Microsoft introduced in Windows XP and which the operating system uses to identify application compatibility issues.

The cache stores various file metadata depending on the operating system, such as:

  • File full path (all versions)
  • File size (Windows XP and Server 2003 only)
  • $STANDARD_INFORMATION (SI) last modified time (all versions)
  • Shimcache last updated time (Windows XP only)
  • Process execution flag (Windows Vista through 8.1; absent in Windows 10)

Similar to a log file, the Shimcache "rolls" data: once it is full, the oldest entries are replaced by new ones.
The capacity varies by operating system: 96 entries on Windows XP and 1,024 entries on Windows Vista and later.

The cache exists so the operating system can quickly decide whether a module needs shimming for compatibility, which spares developers from troubleshooting legacy functions against newer Windows features one by one.

A shim is a small library that sits transparently between an application and the operating system, translating calls so that an application written for an older API works in a newer environment, or vice versa.

The registry value holding this cache is located at:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache

When working from an offline SYSTEM hive, CurrentControlSet does not exist; read ControlSet00N, where N is given by the HKLM\SYSTEM\Select\Current value.

Shimcache can be parsed with ShimCacheParser.py, by Mandiant:

https://github.com/mandiant/ShimCacheParser

How can it be leveraged?

The Shimcache tracks metadata such as the full file path, the file's last modified date and, on older versions, its size. The in-memory cache is written to the registry only at shutdown, so the on-disk hive reflects the state as of the last shutdown; entries added since then exist only in memory and require a memory image or a live system to recover. An entry also shows that the OS examined the file, not necessarily that it ran: on Windows 7 and later, simply browsing to an executable in Explorer can insert it, and Windows 10 dropped the execution flag entirely, so corroborate with Amcache, Prefetch or event logs before asserting execution.

Entries in the Shimcache are stored with the most recently inserted or updated entry first, and the timestamp recorded for each is the file's $STANDARD_INFORMATION last modified time rather than an execution time. Read with that in mind, they can be placed in a timeline to reconstruct and corroborate malicious activity.
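To make the ordering and the meaning of the timestamp concrete, here is an added example written for this page (not code from the original article or from Mandiant's ShimCacheParser.py): a minimal parser for the Windows 10 layout of the AppCompatCache value, together with a builder that constructs a sample blob so the parser can be run offline. The layout it assumes, stated in the docstring, is the one public parsers document; the sample paths, times and names are constructed for illustration.

```python
"""Added example (not the article's or Mandiant's code): a minimal parser for
the Windows 10 layout of the AppCompatCache (Shimcache) registry value, with
a builder that constructs a sample blob so it runs offline.

Assumed layout (as implemented by public parsers such as ShimCacheParser.py):
a header whose first DWORD is its own length (0x30, or 0x34 from the
Windows 10 Creators Update on), then entries laid out as

    "10ts" | 4 unknown bytes | DWORD entry size | WORD path length |
    UTF-16LE path | FILETIME last modified | DWORD data size | data

in most-recently-updated-first order.  Names here are ours.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

ENTRY_MAGIC = b"10ts"
WIN10_HEADER_SIZES = (0x30, 0x34)
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond precision)."""
    return (dt - _FILETIME_EPOCH) // timedelta(microseconds=1) * 10


@dataclass
class ShimcacheEntry:
    position: int            # 0 = most recently inserted/updated
    path: str
    last_modified: datetime  # $STANDARD_INFORMATION mtime of the file, not a run time
    data: bytes              # trailing blob; Windows 10 carries no execution flag here


def parse_win10_appcompatcache(blob: bytes) -> List[ShimcacheEntry]:
    """Walk the entry list until the data runs out or the magic is missing."""
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in WIN10_HEADER_SIZES:
        raise ValueError(f"header size 0x{header_size:x}: not a Windows 10 AppCompatCache")
    entries: List[ShimcacheEntry] = []
    offset = header_size
    while offset + 12 <= len(blob) and blob[offset:offset + 4] == ENTRY_MAGIC:
        entry_size = struct.unpack_from("<I", blob, offset + 8)[0]
        body = blob[offset + 12:offset + 12 + entry_size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        ft, data_len = struct.unpack_from("<QI", body, 2 + path_len)
        data = body[14 + path_len:14 + path_len + data_len]
        entries.append(ShimcacheEntry(len(entries), path, filetime_to_datetime(ft), data))
        offset += 12 + entry_size
    return entries


def build_win10_appcompatcache(records: List[Tuple[str, datetime, bytes]]) -> bytes:
    """Constructed sample only: serialise records in the layout above."""
    out = bytearray(struct.pack("<I", 0x34) + b"\x00" * (0x34 - 4))
    for path, mtime, data in records:
        p = path.encode("utf-16-le")
        body = (struct.pack("<H", len(p)) + p
                + struct.pack("<QI", datetime_to_filetime(mtime), len(data)) + data)
        out += ENTRY_MAGIC + b"\x00" * 4 + struct.pack("<I", len(body)) + body
    return bytes(out)


# Constructed sample records, most recent first (not real evidence).
SAMPLE_RECORDS = [
    (r"C:\Users\alice\Downloads\invoice_viewer.exe",
     datetime(2023, 5, 2, 10, 15, tzinfo=timezone.utc), b"\x01\x00\x00\x00"),
    (r"C:\Windows\System32\notepad.exe",
     datetime(2021, 11, 19, 8, 0, tzinfo=timezone.utc), b""),
]
SAMPLE_BLOB = build_win10_appcompatcache(SAMPLE_RECORDS)


def sample_entries() -> List[ShimcacheEntry]:
    return parse_win10_appcompatcache(SAMPLE_BLOB)


if __name__ == "__main__":
    for e in sample_entries():
        print(f"{e.position:3d}  {e.last_modified:%Y-%m-%d %H:%M:%S} UTC  {e.path}")
```

On a real case, feed `parse_win10_appcompatcache()` the raw AppCompatCache value exported from the SYSTEM hive, and treat `position` (recency order) and `last_modified` (the file's SI mtime) as two different clocks: neither is a time of execution.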
