Shimcache is also known as AppCompatCache. Amcache is a separate artifact (the Amcache.hve hive under C:\Windows\AppCompat\Programs) that is usually analysed alongside it, but the two are stored and parsed differently. Some applications are built to work on older versions of the OS. When an application needs 'shimming', Windows consults the AppCompatCache registry key (SYSTEM hive, ControlSet00X\Control\Session Manager\AppCompatCache) to work out whether compatibility shims apply.
When a program is checked for shimming, an entry for it is added to the cache, and the cache is flushed to that registry key.
Use tools like RegRipper or Eric Zimmerman's AppCompatCacheParser to parse it.
Forensics Value:
If you are dealing with an anti-forensics kind of situation, the adversary might have deleted the Prefetch files and the executable itself. The Shimcache and Amcache entries will still show that the file existed on the system (Amcache additionally records the SHA-1 hash of the file, which can be matched against threat intel).
Key things to remember:
- Recent entries are on the top (the cache is kept in most-recently-used order).
- Entries are written to the registry on shutdown; until then they live only in memory, so the on-disk hive of a running system can lag behind.
- Shimcache/Amcache and Prefetch are a very powerful combination for identification of execution.
Things to keep in mind during Shimcache analysis:
1) Each time an exe is modified or renamed, a new Shimcache entry is created.
2) You cannot determine the last time of execution via Shimcache. The timestamp stored in each entry is the file's last-modified time, not an execution time, and on Windows 10 an entry can be created without the file ever running (for example when it is merely browsed in Explorer).
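As an added example that is not part of the original note: the script below builds a constructed Windows 10-style AppCompatCache value, parses it back, and applies the two analysis rules above (a modified/renamed exe gets a fresh entry; the stored timestamp is the file's last-modified time, not an execution time) plus the anti-forensics check (cache entries whose binary is gone from disk). The binary layout it assumes is the Windows 10 layout documented by the open-source parsers (Mandiant's ShimCacheParser, Zimmerman's AppCompatCacheParser): a header whose first DWORD is its own size (0x30 or 0x34 depending on build), then entries of `10ts` | 4 unknown bytes | body length | UTF-16LE path | FILETIME | data. The sample blob, paths, timestamps and helper names (`parse_win10_shimcache`, `duplicate_paths`, `entries_for_missing_files`) are mine; on a real case you would feed the raw `AppCompatCache` value exported from an offline SYSTEM hive instead of `build_sample_blob()`.

```python
# Added example: parse a constructed Windows 10-style Shimcache (AppCompatCache) blob.
# Layout assumed (as documented by the open-source parsers):
#   header: DWORD header size (0x30 or 0x34), remainder of header ignored
#   entry:  b"10ts" | 4 bytes unknown | DWORD body length | body
#   body:   WORD path length | UTF-16LE path | FILETIME last-modified | DWORD data length | data
import struct
from datetime import datetime, timedelta, timezone

WIN10_SIG = b"10ts"  # entry signature on Windows 10
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_entry(path: str, last_modified: datetime, data: bytes = b"") -> bytes:
    """Serialize one entry in the assumed Windows 10 layout (constructed data)."""
    p = path.encode("utf-16-le")
    body = (struct.pack("<H", len(p)) + p
            + struct.pack("<Q", datetime_to_filetime(last_modified))
            + struct.pack("<I", len(data)) + data)
    return WIN10_SIG + b"\x00" * 4 + struct.pack("<I", len(body)) + body


def parse_win10_shimcache(blob: bytes) -> list:
    """Walk the entries in stored order: position 0 is the most recently used."""
    header_size = struct.unpack_from("<I", blob, 0)[0]  # read it; it differs between builds
    off, entries = header_size, []
    while off + 12 <= len(blob) and blob[off:off + 4] == WIN10_SIG:
        body_len = struct.unpack_from("<I", blob, off + 8)[0]
        body = blob[off + 12:off + 12 + body_len]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        pos = 2 + path_len
        ft = struct.unpack_from("<Q", body, pos)[0]
        data_len = struct.unpack_from("<I", body, pos + 8)[0]
        entries.append({
            "position": len(entries),
            "path": path,
            # file's last-modified time from the filesystem, NOT a time of execution
            "last_modified": filetime_to_datetime(ft),
            "data": body[pos + 12:pos + 12 + data_len],
        })
        off += 12 + body_len
    return entries


def duplicate_paths(entries: list) -> dict:
    """Rule 1: a modified exe gets a fresh entry under the same path, so one path
    can appear several times with different last-modified times (a rename shows
    up as a new entry under the new path instead)."""
    seen = {}
    for e in entries:
        seen.setdefault(e["path"].lower(), []).append(e["last_modified"])
    return {p: ts for p, ts in seen.items() if len(ts) > 1}


def entries_for_missing_files(entries: list, files_on_disk: list) -> list:
    """Anti-forensics check: cached paths whose binary no longer exists on disk."""
    present = {p.lower() for p in files_on_disk}
    return [e["path"] for e in entries if e["path"].lower() not in present]


def build_sample_blob() -> bytes:
    """Constructed sample value, not taken from a real system."""
    def t(s):
        return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
    header = struct.pack("<I", 0x34) + b"\x00" * 0x30  # 0x34-byte header
    return header + b"".join([
        build_entry(r"C:\Users\alice\AppData\Local\Temp\svch0st.exe", t("2023-05-01T10:15:00")),
        build_entry(r"C:\Windows\System32\cmd.exe", t("2022-11-08T03:20:00")),
        # same path as the first entry but an earlier build of the file: separate entry
        build_entry(r"C:\Users\alice\AppData\Local\Temp\svch0st.exe", t("2023-04-28T09:00:00")),
    ])


if __name__ == "__main__":
    cache = parse_win10_shimcache(build_sample_blob())
    for e in cache:
        print(e["position"], e["path"], e["last_modified"].isoformat())
    print("modified/renamed:", duplicate_paths(cache))
    print("gone from disk:", entries_for_missing_files(cache, [r"C:\Windows\System32\cmd.exe"]))
```

Reading the header size from the first DWORD rather than hard-coding it is the practical detail: Windows 10 builds before and after the Creators Update use different header sizes, and a parser that assumes one of them silently walks off the entry boundary on the other. Note also that nothing in the parsed record says "executed"; the position tells you recency of insertion and the timestamp tells you when the file was last modified, which is exactly why Prefetch (or Amcache) is needed alongside Shimcache to argue execution.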