The main purpose of ShimCache (also known as AppCompatCache) is application compatibility: it lets older software run on newer versions of Windows. When an executable is launched, or is simply listed in Windows Explorer, Windows checks whether the file needs a compatibility shim and records it in ShimCache so the check does not have to be repeated, giving users a smoother experience.
ShimCache records the full path of the executable (which includes the file name) together with the file's last modification timestamp taken from the file system; it does not record the time the file was run. The entries therefore show that a file existed at a given path. On Windows XP through Windows 7 an additional "insert flag" indicates whether the file was actually executed; from Windows 8 onward that flag no longer exists, so presence in ShimCache on its own does not prove execution. Executables on removable media and on UNC paths are recorded in the same way as those on the local drive.
ShimCache is maintained in memory and is written to the Registry hive on disk only when the system shuts down or reboots. This complicates anti-forensics: wiping the Registry entries on a running system does not remove the in-memory copy, which is written back at the next shutdown. The same behaviour cuts both ways for the analyst, since entries added since the last boot exist only in memory until the next shutdown. Analyzing ShimCache can therefore provide valuable information, especially during malware incident analysis.
The ShimCache artifact is stored in the SYSTEM Registry hive, whose file is located at C:\Windows\System32\config\SYSTEM. In Windows 7, 8 and 10 the data is the REG_BINARY value named AppCompatCache under the key;
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
(note the space in "Session Manager"). CurrentControlSet is a link that only exists on a live system; when parsing an offline SYSTEM hive, read the ControlSet number from HKLM\SYSTEM\Select\Current and use the matching ControlSet00N key instead.
In Windows XP, the value (also named AppCompatCache) is located under the key;
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
ShimCache holds up to 1024 entries on Windows 7 and later (96 on Windows XP and 512 on Windows Server 2003 and Vista); once it is full, the oldest entries are dropped as new ones are inserted. The most recently inserted entries appear at the top of the list, and the timestamps are stored as 64-bit Windows FILETIME values. The AppCompatCache value in the Registry is a binary blob consisting of a header followed by the list of file paths and timestamps, the layout of which varies by Windows version. Details are seen at the figure below.
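To make the layout concrete, the following is an added example (not code from the original page and not part of ArtiFast) that parses the Windows 10 form of the AppCompatCache value: a header whose first 32-bit field holds the header size (0x30, or 0x34 from the Creators Update onward), followed by entries that each start with the signature "10ts", a 32-bit unknown field, the entry size, a 16-bit path length, the UTF-16LE path, the 64-bit FILETIME last-modified value and a variable-length data blob. The entry count is derived by walking the entries until the signature no longer matches, which is how public parsers handle it. The sample blob is constructed inline so the script runs offline; the paths, timestamps and the triage rules in flag_suspicious_paths are assumptions chosen for illustration. read_live_appcompatcache is a helper for pulling the raw value on a live Windows host and is not called automatically.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN10_ENTRY_MAGIC = b"10ts"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_win10_appcompatcache(blob):
    """Parse a Windows 10 AppCompatCache value.

    Header: uint32 header size (0x30 or 0x34) followed by unused fields.
    Entry:  '10ts' | uint32 unknown | uint32 entry_size | uint16 path_size |
            path (UTF-16LE, no terminator) | uint64 FILETIME last-modified |
            uint32 data_size | data
    Entries come back in stored order, i.e. most recently inserted first.
    The timestamp is the file's last-modified time, not an execution time,
    and Windows 10 carries no execution flag, so presence != execution.
    """
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in (0x30, 0x34):
        raise ValueError("unexpected header size 0x%x (not a Windows 10 cache)" % header_size)
    entries = []
    offset = header_size
    while offset + 12 <= len(blob):
        magic, _unknown, entry_size = struct.unpack_from("<4sII", blob, offset)
        if magic != WIN10_ENTRY_MAGIC:
            break  # end of the entry list (or corrupt data)
        body = blob[offset + 12: offset + 12 + entry_size]
        if len(body) < entry_size:
            break  # truncated final entry, e.g. a cut-off hive export
        path_size = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_size].decode("utf-16-le")
        last_modified, data_size = struct.unpack_from("<QI", body, 2 + path_size)
        entries.append({
            "position": len(entries),  # 0 = most recently inserted
            "path": path,
            "last_modified": filetime_to_datetime(last_modified),
            "data_size": data_size,
        })
        offset += 12 + entry_size
    return entries


def flag_suspicious_paths(entries):
    """Assumed triage rule: UNC paths and user-writable staging directories deserve a look first."""
    markers = ("\\temp\\", "\\appdata\\")
    return [e for e in entries
            if e["path"].startswith("\\\\") or any(m in e["path"].lower() for m in markers)]


def read_live_appcompatcache():
    """Read the raw value from a running Windows system (needs admin).

    Reflects the last flush to disk, not entries added since the current boot.
    """
    import winreg  # Windows-only module, imported lazily
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, value_type = winreg.QueryValueEx(key, "AppCompatCache")
    if value_type != winreg.REG_BINARY:
        raise ValueError("AppCompatCache is not REG_BINARY")
    return value


# --- constructed sample data (not captured from a real system) ---

def build_sample_entry(path, filetime, data=b""):
    """Serialise one Windows 10 entry in the layout parse_win10_appcompatcache expects."""
    encoded = path.encode("utf-16-le")
    body = struct.pack("<H", len(encoded)) + encoded + struct.pack("<QI", filetime, len(data)) + data
    return WIN10_ENTRY_MAGIC + struct.pack("<II", 0, len(body)) + body


FT_2020_01_01 = 132223104000000000  # 2020-01-01 00:00:00 UTC as FILETIME
FT_2019_06_15 = FT_2020_01_01 - 200 * 24 * 3600 * 10_000_000  # 200 days earlier

SAMPLE_CACHE = (
    struct.pack("<I", 0x30) + b"\x00" * 0x2C  # 0x30-byte header, remaining fields zeroed
    + build_sample_entry(r"C:\Users\alice\AppData\Local\Temp\update.exe", FT_2020_01_01, b"\x01\x02")
    + build_sample_entry(r"\\fileserver\share\tools\procdump.exe", FT_2019_06_15)
    + build_sample_entry(r"C:\Windows\System32\notepad.exe", FT_2019_06_15)
)


def parse_sample():
    return parse_win10_appcompatcache(SAMPLE_CACHE)


if __name__ == "__main__":
    for e in parse_sample():
        print(e["position"], e["last_modified"].isoformat(), e["path"])
    print("triage first:", [e["path"] for e in flag_suspicious_paths(parse_sample())])
```

To run this against a real machine, feed the bytes returned by read_live_appcompatcache() (or the AppCompatCache value exported from an offline SYSTEM hive, resolving ControlSet00N via HKLM\SYSTEM\Select\Current) into parse_win10_appcompatcache. Windows 7 and 8 use different header and entry layouts and are rejected by the header-size check rather than mis-parsed.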
This section discusses how to use ArtiFast ShimCache Artifact Parser to extract ShimCache artifacts from Windows machines and what digital forensics insight can be gained from the artifact.
As the name indicates, ArtiFast ShimCache Artifact Parser is dedicated solely to analyzing the ShimCache artifact. After you have created your case and added evidence for the investigation, you can select the ShimCache artifact at the Artifacts Selection phase:
Once ArtiFast ShimCache Parser has finished processing the artifact, the results can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the ShimCache artifact.
ShimCache Artifact
The artifact contains information related to the Windows ShimCache (AppCompatCache) content. The details you can view include:
Download ArtiFast ShimCache Artifact Parser
For more information or suggestions please contact: asmaa.elkhatib@forensafe.com