
Amcache and Shimcache in forensic analysis

Data from Amcache and Shimcache can provide a timeline of what program was executed, when it was first launched and when it was last modified.

Besides that, these artifacts provide information about the program itself: the file path, its size and its hash, depending on the OS version.

Amcache

Amcache.hve is the registry file which stores information about applications launched on the system.

In Windows 8, Amcache.hve replaces RecentFileCache.bcf and uses the Windows NT registry file format (REGF).

Amcache.hve is located at:

%SystemRoot%\AppCompat\Programs\Amcache.hve

Each entry includes the execution path, the first execution time, the removal time and the first installation time.

The Amcache.hve file is also an important artifact when searching for traces of anti-forensic tools, portable programs and external storage devices.

The file can be analyzed using the amcache plugin of RegRipper:

https://github.com/keydet89/RegRipper2.8

What data can be obtained from the file Amcache.hve?

Amcache.hve records the most recently run processes and also lists the paths to their executable files, which can then be used to locate the required data.

The SHA1 hash of the executed program is also recorded, which allows a researcher to look the program up in databases (for example VirusTotal).

Shimcache

Shimcache, also known as AppCompatCache, is a component of the application compatibility database created by Microsoft (starting from Windows XP) and used by the operating system to identify application compatibility issues.

The cache stores different file metadata depending on the operating system, such as:

  • Full path to the file
  • File size
  • $STANDARD_INFORMATION (SI) last modified time
  • Shimcache latest update
  • Process execution flag

Similar to a log file, Shimcache also overwrites data, meaning that the oldest data is replaced by new records.

The amount of data saved depends on the operating system (1024 records on Windows 7/8/10 systems).

It helps developers troubleshoot legacy features and contains data related to Windows features: it is used as a quick lookup to decide whether a program needs "shimming" for compatibility or not.

A shim is a small library which transparently handles communication between applications, to provide support for older APIs in a newer environment or vice versa.

The data is stored in the registry key CacheMainSdb, which can be found at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache

[Image: example file contents]

Shimcache can be converted to human-readable form using ShimCacheParser.py from Mandiant:

https://github.com/mandiant/ShimCacheParser

How to use?

Shimcache tracks metadata such as the full path to the file, the last modified date and the file size, but it contains only information up to the last system startup, since the current data is stored only in memory.

Events in Shimcache.hve are listed in chronological order, starting from the most recent event, and they can be used in timelines to reconstruct and identify malicious activity.
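As an added example (not code from the original article, nor from RegRipper or ShimCacheParser), the script below parses a constructed AppCompatCache value in the Windows 10 layout and merges it with constructed Amcache-style records into the single execution timeline described at the top of the page. The Windows 10 entry layout assumed here (header size in the first 4 bytes, a "10ts" entry signature, a UTF-16LE path, a FILETIME last-modified stamp, then a trailing data blob) follows the public format documentation; the Amcache records only mirror the fields the text lists (path, SHA1, first run) and are not read from a real hive. The sample paths, timestamps and the all-zero SHA1 are placeholders.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows 10 style AppCompatCache layout (assumption, per public format docs).
HEADER_SIZE = 0x30
ENTRY_SIGNATURE = b"10ts"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build test data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_entry(path, mtime, data=b""):
    """Build one constructed Windows 10 style cache entry (test data only)."""
    path_bytes = path.encode("utf-16-le")
    body = struct.pack("<H", len(path_bytes)) + path_bytes
    body += struct.pack("<Q", datetime_to_filetime(mtime))
    body += struct.pack("<I", len(data)) + data
    return ENTRY_SIGNATURE + struct.pack("<I", 0) + struct.pack("<I", len(body)) + body


def build_blob(entries):
    """Header (size field, zero padded) followed by the entries in cache order."""
    header = struct.pack("<I", HEADER_SIZE).ljust(HEADER_SIZE, b"\x00")
    return header + b"".join(build_entry(*e) for e in entries)


def parse_shimcache(blob):
    """Return [{position, path, last_modified}] from an AppCompatCache value.

    Position 0 is the first entry in the cache; the OS keeps the most recently
    inserted or updated entries at the front, so lower positions are newer.
    A truncated blob or an entry without the expected signature ends parsing.
    """
    header_size = struct.unpack_from("<I", blob, 0)[0]
    offset = header_size
    entries = []
    while offset + 12 <= len(blob):
        sig, _unknown, size = struct.unpack_from("<4sII", blob, offset)
        if sig != ENTRY_SIGNATURE:
            break
        body = blob[offset + 12: offset + 12 + size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        ft = struct.unpack_from("<Q", body, 2 + path_len)[0]
        entries.append({"position": len(entries), "path": path,
                        "last_modified": filetime_to_datetime(ft)})
        offset += 12 + size
    return entries


def build_timeline(shim_entries, amcache_records):
    """Merge both artifacts into (timestamp, source, path, detail), newest first."""
    events = []
    for e in shim_entries:
        events.append((e["last_modified"], "Shimcache", e["path"],
                       "cache position %d ($SI last modified)" % e["position"]))
    for r in amcache_records:
        events.append((r["first_run"], "Amcache", r["path"], "sha1=" + r["sha1"]))
    return sorted(events, key=lambda ev: ev[0], reverse=True)


# Constructed sample data: three Shimcache entries and one Amcache record.
SAMPLE_SHIMCACHE = build_blob([
    (r"C:\Windows\System32\cmd.exe", datetime(2017, 9, 1, 8, 0, tzinfo=timezone.utc)),
    (r"C:\Users\analyst\Downloads\tool.exe", datetime(2017, 10, 15, 22, 30, tzinfo=timezone.utc)),
    (r"C:\Windows\System32\notepad.exe", datetime(2017, 9, 1, 8, 0, tzinfo=timezone.utc)),
])
SAMPLE_AMCACHE = [
    {"path": r"C:\Users\analyst\Downloads\tool.exe",
     "sha1": "0" * 40,  # placeholder hash, not a real sample
     "first_run": datetime(2017, 10, 16, 7, 45, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for ts, source, path, detail in build_timeline(parse_shimcache(SAMPLE_SHIMCACHE), SAMPLE_AMCACHE):
        print(ts.isoformat(), source, path, detail)
```

The Shimcache timestamp is the file's $STANDARD_INFORMATION modification time, not an execution time, so the timeline labels it as such; the Amcache first-run value is the only actual execution timestamp in the merged output, which is why the two artifacts are read together rather than separately.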

Free translation of the article: https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/