Let's Talk About Shimcache - The Most Misunderstood Artifact
Science and technology
In this episode, we'll take an in-depth look at Windows Shimcache (aka AppCompatCache, or "Application Compatibility Cache"). In my experience, this is the most misunderstood Windows forensic artifact. Let's clear up the confusion by reviewing the artiFACTS. Then, we'll jump into a demo and see all of this in action over the course of several reboots.
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
📖 Chapters
00:00 - Intro
08:01 - Demo
09:05 - Demo (Reboot #1)
11:58 - Demo (Reboot #2)
14:27 - Demo (Reboot #3)
16:35 - Demo (Reboot #4)
18:31 - Demo (Reboot #5) and Conclusion
🛠 Resources
Eric Zimmerman Tools:
ericzimmerman.github.io/
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
Comments: 26
Awesome overview Richard! I did some additional testing, and found that if I ran an executable from a command prompt without previously viewing it in Explorer (and confirming it wasn't already listed in shimcache), it would show up in the shimcache following a reboot. This indicates that a user, service, or script could call an executable to run causing it to show in the shimcache. However, it should not be used as the sole artifact to indicate execution, for the reasons demonstrated in your video.
@13Cubed
2 years ago
Yes! I really wish I had shown that as well. Unfortunately, it's really difficult to incorporate everything, and I usually end up leaving out something. I'll pin this comment to the top, and I thank you for bringing it to my attention!
@miltonjoules8362
Still the best forensic videos
Possibly the best explanation I have seen for this yet. Cheers.
Best explanation ever on how Shimcache works! Thanks, you cleared up a lot of my doubts.
Awesome explanation! And indeed I still see some analysts misunderstanding Shimcache and treating it as evidence of execution. This video would be a good reference for them.
I love these videos. Been doing forensics for a while, but I still pick up something new with every topic. Great breakdown, awesome videos.
Loving the videos. I'm newer to the field and they've really caught me up quick. Thanks a bunch, and keep up the awesome work!
Always very good videos indeed. Keep them coming 😁
Thanks again! This has helped me a lot while studying for the FOR508.
Great episode as usual
Just awesome, no words to describe it. Fairly simple stuff with a lot of value, explained in the best possible way. Many thanks for this content.
@13Cubed
2 years ago
That's great to hear! Would you mind taking a minute to vote for 13Cubed in the 2021 Forensic 4:cast Awards? It would be much appreciated! Here's the link: docs.google.com/forms/d/e/1FAIpQLSf9qAZhdhf44ImOowUhpG6drvu736a83YmYgjBWBKV_2FAlpw/viewform
Really love your content man! Keep it up!
Great vid!
Thank you so much!❤
I wonder if it's possible that Windows is anticipating window resizing movement to improve user experience, thus adding to the Shimcache.
How about executing an exe from the CLI and its presence in Shimcache on this Win10 version? I know it can change in the next Win10 version.
@13Cubed
2 years ago
You can't use this artifact to reliably prove execution. Check out the pinned comment at the top as this may be what you are referring to...
Amazing vid... Is it possible to retrieve that data on a machine that is not active? Let's say we only have the NTUSER file, or we don't want to run any tools on the machine but still want to retrieve this data.
@13Cubed
4 months ago
Shimcache is stored in the SYSTEM Registry Hive. It can be parsed offline, but it's not in NTUSER.DAT. You can grab the hive and the transaction logs and take them to a different machine for analysis.
@jondo-vh8tx
4 months ago
@13Cubed thanks a lot
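To make concrete what "parse it offline" means for the answer above, here is an added example (my own code, not 13Cubed's, and not Eric Zimmerman's AppCompatCacheParser, which is what you would normally use) that decodes the Windows 10 "10ts" AppCompatCache value layout from a constructed byte blob. The layout it assumes is the publicly documented Windows 10 entry format (signature, entry-data size, UTF-16LE path, FILETIME, extra data); the two sample paths and timestamps are made up for the demo. On a real system the raw value sits at HKLM\SYSTEM\ControlSet00N\Control\Session Manager\AppCompatCache\AppCompatCache in the exported SYSTEM hive, so you would first pull the value bytes out with a registry-hive library and then hand them to the parser. Note what the parser can and cannot recover: each entry carries the file's last-modified timestamp and its position in the cache, and on Windows 10 there is no execution flag at all, which is exactly why the cache alone cannot prove that a binary ran.

```python
"""Offline decoder for a Windows 10 AppCompatCache (Shimcache) value.

Added example, not 13Cubed's code. Assumed Windows 10 layout:
  header: DWORD header size (0x30 or 0x34), rest of header ignored here
  entry:  "10ts" | 4 bytes unknown | DWORD entry-data size |
          WORD path size | path (UTF-16LE) | FILETIME last modified |
          DWORD extra-data size | extra data
The blob produced by build_sample_blob() is constructed, not a capture.
"""
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIG = b"10ts"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_dt; only used to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_win10_appcompatcache(blob: bytes) -> list:
    """Return the cache entries in stored order (index 0 = top of the cache)."""
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in (0x30, 0x34):
        raise ValueError(f"header size 0x{header_size:x} is not a Windows 10 cache header")
    entries = []
    off = header_size
    # Walk entries until the data runs out or the signature no longer matches.
    while off + 14 <= len(blob) and blob[off:off + 4] == ENTRY_SIG:
        entry_data_size = struct.unpack_from("<I", blob, off + 8)[0]
        path_size = struct.unpack_from("<H", blob, off + 12)[0]
        pos = off + 14
        path = blob[pos:pos + path_size].decode("utf-16-le")
        pos += path_size
        last_mod_ft, extra_size = struct.unpack_from("<QI", blob, pos)
        entries.append({
            "index": len(entries),
            "path": path,
            # This is the file's $STANDARD_INFORMATION modified time,
            # not a time of execution; Windows 10 entries carry no exec flag.
            "last_modified": filetime_to_dt(last_mod_ft),
            "extra_data_size": extra_size,
        })
        off += 12 + entry_data_size  # 12-byte entry header plus its data
    return entries


def _build_entry(path: str, last_modified: datetime, extra: bytes = b"") -> bytes:
    """Serialise one entry in the assumed layout (sample construction only)."""
    p = path.encode("utf-16-le")
    data = (struct.pack("<H", len(p)) + p
            + struct.pack("<Q", dt_to_filetime(last_modified))
            + struct.pack("<I", len(extra)) + extra)
    return ENTRY_SIG + struct.pack("<I", 0) + struct.pack("<I", len(data)) + data


def build_sample_blob() -> bytes:
    """Constructed two-entry cache value with a 0x34-byte header (not real data)."""
    header = struct.pack("<I", 0x34) + b"\x00" * (0x34 - 4)
    entries = [
        _build_entry(r"C:\Windows\System32\notepad.exe",
                     datetime(2021, 3, 1, 12, 0, 0, tzinfo=timezone.utc)),
        _build_entry(r"C:\Users\analyst\Downloads\tool.exe",
                     datetime(2020, 11, 15, 8, 30, 0, tzinfo=timezone.utc),
                     extra=b"\x00" * 4),
    ]
    return header + b"".join(entries)


if __name__ == "__main__":
    for e in parse_win10_appcompatcache(build_sample_blob()):
        print(f"{e['index']:3d}  {e['last_modified']:%Y-%m-%d %H:%M:%S} UTC  {e['path']}")
```

When you run this against a value exported from a real SYSTEM hive, remember the point of the video: a path being present, and its position in the cache, tells you the binary was seen by the compatibility infrastructure (for example when Explorer displayed it), and the timestamp is the file's modification time. Corroborate with Prefetch, Amcache, or event logs before calling it execution.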