DFIR Blog
  • Infosec
    • Blog
    • Threat Landscape
  • Digital Forensics
    • Windows Forensics
    • Mac Forensics
    • Memory Forensics
    • Forensic Resources
  • Incident Response
  • CISSP
    • Domain-1
    • Domain-2
    • Domain-3
    • Domain-4
    • Domain-5
    • Domain-6
    • Domain-7
    • Domain-8
  • Contact
  • HTB
  • Productivity

Windows Forensics

Evidence of Execution - Shimcache

6/23/2019

 
Shimcache/Amcache is also know is AppCompatCache. There are certain application which are build to work on the historical version of the OS.  Usually if an application needs 'shimming' - windows looks at AppCompatKey registry key to figure out if an application needs shimming or not.

When a program is shimmed, a registry key is updated to notify the system.
Picture
Use tools like RegRipper to parse it.
Forensics Value:
If you are dealing with an Anti-forensics kind of situation. The adversary might have deleted the logs from prefetch and the file itself.  The amcache entries will show if the app existed on the system.

Key things to remember:
  • Recent entries are on the top.
  • Entries are written on shutdown

Shimcache/Amcache and Prefetch is a very powerful combination for identification of the execution.

Things to keep in mind during shimcache analysis:
1) Each time an exe is modified or renamed - it'll create a new shimcache entry
2) Cannot determine the last time of execution via Shimcache.
profitcoin
4/27/2021 04:12:53 pm

FOR RECOVERY OF STOLEN BITCOIN / CRYPTOCURRENCY ,  RECOVERY OF LOST FUNDS FROM SCAMMER.  Have  you ever been a victim of a scam?  or have you lost your money to fake hackers online? I implore you to contact this trustworthy hacker and   recovery expert profitcoin.invest25@yahoo.com , I was a victim of fake people posing as  binary options and bitcoin investors,  I lost a sum of $4,000 and 2BTC from my bitcoin wallet to these fakes. It took a while before I realized they were scams and this really hurt .Then an in-law of mine heard about it and recommended to me a specialist with the address -  profitcoin.invest25@yahoo.com  . He helped me recover my lost bitcoins  in less than 72hrs  and the fakes were caught and made to pay for what they did to me .if you have lost any amount to online scams and you're seeking to recover LOST FUNDS from wallet hackers, fake hackers,  online dating scams, BTC wallet hack, recovery of lost funds from fake binary investors  .Reach out to  Wizard Charles Group Hackers  to help you


Comments are closed.

    Archives

    September 2019
    August 2019
    July 2019
    June 2019
    March 2019
    March 2018

    Categories

    All
    ATA
    Detection
    Forensics
    Microsoft
    Rules
    Windows
    Windows Foreniscs

    RSS Feed

  • Infosec
    • Blog
    • Threat Landscape
  • Digital Forensics
    • Windows Forensics
    • Mac Forensics
    • Memory Forensics
    • Forensic Resources
  • Incident Response
  • CISSP
    • Domain-1
    • Domain-2
    • Domain-3
    • Domain-4
    • Domain-5
    • Domain-6
    • Domain-7
    • Domain-8
  • Contact
  • HTB
  • Productivity