
Leveraging the Application Compatibility Cache in Forensic Investigations

By on April 17, 2012

Today, we’re launching a new freeware tool, Shim Cache Parser™, which we developed in the course of our incident response investigations.

During keyword searches of compromised systems, we discovered known malicious file names in the Windows Registry. Further research showed the cache data was generated by the Windows Application Compatibility Database. Along with these file names, other file metadata can be recovered, such as file size, file last-modified time, and last execution time, depending on the operating system version. This data can be very useful during an incident response: it helps identify which systems an attacker may have executed malware on and can also indicate when that execution may have occurred.

Shim Cache Parser is the proof-of-concept tool we developed to extract this useful forensic evidence. You can download it here.

This script automatically determines the format of the cache data and outputs its contents. The tool supports a number of inputs including system registry hives, raw binary, or the current system’s registry. In addition, MIR XML obtained from registry acquisition sweeps can be parsed for this data.

I have written a white paper that discusses how this cache is implemented on multiple versions of Windows and how its contents can be leveraged for use in a forensic investigation. You can download it here.

If you have any questions about this tool, please leave me a comment below.

Category: The Armory

Comments

    1. By vdagoldo on April 19 at 2:02 am

      Hi Andrew,

      I tested it and it's awesome. Some executables run from other environments like DOS are hard to trace even from the UserAssist. I compared the results and indeed ShimCacheParser gave me a hint that I executed some executables (and it did match the activities I did). Anyway, this test is only from a local machine.

      I tried testing hives I extracted from another machine (NTUSER.dat, software, system32, SAM files). I tried using the -r parameter and it says “Hive Parsing

    2. By vdagoldo on April 19 at 2:06 am

      Continuation…

      I tried testing other hives which I extracted from another machine (NTUSER.dat, software, system32, SAM files). I tried using the -r parameter and it says “Hive Parsing requires Registry.py….Didnt find it, bailing..” This is the command: Python.exe ShimCacheParse.py -r Software (I ran the 4 hives and got the same result).

      From an acquired disk image (mounted on another drive), will it be the same command -r, just pointing to the correct path and directory where the disk image is mounted (system32)?

      Thanks a lot

    3. By Andrew Davis (Author) on April 20 at 11:03 am

      Parsing exported registry hives requires Willi Ballenthin’s python-registry library which is currently included in the ShimCacheParser project or it can be obtained directly from https://github.com/williballenthin/python-registry. Also keep in mind that only the “system” hive contains the Shim Cache data.

      Thanks for the feedback,
      -ad
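To make concrete what the post and the author's reply describe (file names, last-modified times and an execution indicator recovered from the cache; the raw value living only in the SYSTEM hive, read via python-registry), here is an added example written for this page. It is not Shim Cache Parser's own code. The header and entry layout it uses for a Windows 7 (32-bit) cache, the 0xBADC0FFE magic, the 128-byte header, the 32-byte entry and the 0x2 "executed" flag bit, are stated as assumptions here and should be checked against the white paper before being relied on; the FILETIME conversion is standard. The sample blob is constructed inside the script so it runs offline, and `read_cache_from_system_hive` only needs python-registry if you call it on a real exported hive.

```python
"""Walk a Windows 7-style (32-bit) AppCompatCache blob: header, entries,
UTF-16 paths, FILETIME conversion, execution flag, and a keyword check
against a list of known-bad file names. Layout constants are assumptions."""
import struct
from datetime import datetime, timedelta, timezone

# Layout as assumed here for the Windows 7 32-bit cache (verify against the
# white paper); entries follow a fixed-size header.
WIN7_MAGIC = 0xBADC0FFE
HEADER_SIZE = 128
ENTRY_FMT = "<HHIQIIII"  # Length, MaxLength, Offset, LastModified FILETIME,
                          # Flags, ShimFlags, BlobSize, BlobOffset
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 32 bytes
EXEC_FLAG = 0x2           # assumed "process was created" bit in Flags

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_win7_cache(blob):
    """Return a list of dicts (path, last_modified, executed) from a cache blob."""
    magic, count = struct.unpack_from("<II", blob, 0)
    if magic != WIN7_MAGIC:
        raise ValueError("unexpected header magic 0x%08X" % magic)
    entries = []
    for i in range(count):
        fields = struct.unpack_from(ENTRY_FMT, blob, HEADER_SIZE + i * ENTRY_SIZE)
        length, _max_len, path_off, ft, flags, _shim, _bsize, _boff = fields
        path = blob[path_off:path_off + length].decode("utf-16-le")
        entries.append({
            "path": path,
            "last_modified": filetime_to_datetime(ft),
            "executed": bool(flags & EXEC_FLAG),
        })
    return entries


def build_sample_cache(records):
    """Constructed blob for offline testing; records = [(path, datetime, executed)]."""
    count = len(records)
    strings_start = HEADER_SIZE + count * ENTRY_SIZE
    entries, strings = b"", b""
    for path, dt, executed in records:
        encoded = path.encode("utf-16-le")
        entries += struct.pack(ENTRY_FMT, len(encoded), len(encoded) + 2,
                               strings_start + len(strings), datetime_to_filetime(dt),
                               EXEC_FLAG if executed else 0, 0, 0, 0)
        strings += encoded + b"\x00\x00"
    header = struct.pack("<II", WIN7_MAGIC, count).ljust(HEADER_SIZE, b"\x00")
    return header + entries + strings


def watchlist_hits(entries, watchlist):
    """The keyword check from the post: entries whose file name is on a known-bad list."""
    names = {n.lower() for n in watchlist}
    return [e for e in entries if e["path"].rsplit("\\", 1)[-1].lower() in names]


def read_cache_from_system_hive(hive_path):
    """Pull the raw AppCompatCache value out of an exported SYSTEM hive with
    python-registry (https://github.com/williballenthin/python-registry).
    Not used by the offline sample below."""
    from Registry import Registry
    reg = Registry.Registry(hive_path)
    current = reg.open("Select").value("Current").value()
    key = reg.open("ControlSet%03d\\Control\\Session Manager\\AppCompatCache" % current)
    return key.value("AppCompatCache").value()


# Constructed sample: two ordinary entries and one look-alike name that ran.
SAMPLE_BLOB = build_sample_cache([
    (r"C:\Windows\System32\notepad.exe", datetime(2009, 7, 14, 1, 39, tzinfo=timezone.utc), True),
    (r"C:\Users\victim\AppData\Local\Temp\svch0st.exe", datetime(2012, 4, 17, 12, 0, tzinfo=timezone.utc), True),
    (r"C:\Program Files\Tool\setup.exe", datetime(2011, 1, 2, 3, 4, tzinfo=timezone.utc), False),
])
KNOWN_BAD = ["svch0st.exe"]  # constructed watchlist entry

if __name__ == "__main__":
    parsed = parse_win7_cache(SAMPLE_BLOB)
    for e in parsed:
        print(e["last_modified"].isoformat(), "executed" if e["executed"] else "not-executed", e["path"])
    for hit in watchlist_hits(parsed, KNOWN_BAD):
        print("WATCHLIST HIT:", hit["path"])
```

Run it as-is to see the three constructed entries and the single watchlist hit; to try a real hive, call `read_cache_from_system_hive("SYSTEM")` and pass the returned bytes to `parse_win7_cache` (it will raise on any other format's magic, which is the cue to use the real parser's format detection instead).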

