Leveraging the Application Compatibility Cache in Forensic Investigations
Today, we’re launching a new freeware tool, Shim Cache Parser™, which we developed in the course of our incident response investigations.
During keyword searches of compromised systems, we discovered known malicious file names in the Windows Registry. Further research showed the cache data was generated by the Windows Application Compatibility Database. Along with these file names, other types of file metadata can be recovered such as file size, file last modified times, and last execution time, depending on the operating system version. This data can be very useful during an incident response. It helps identify which systems an attacker may have executed malware on and can also provide information about the time that it may have occurred.
Shim Cache Parser is the proof-of-concept tool we developed to extract this useful forensic evidence. You can download it here.
This script automatically determines the format of the cache data and outputs its contents. The tool supports a number of inputs including system registry hives, raw binary, or the current system’s registry. In addition, MIR XML obtained from registry acquisition sweeps can be parsed for this data.
I have written a white paper that discusses how this cache is implemented on multiple versions of Windows and how its contents can be leveraged for use in a forensic investigation. You can download it here.
If you have any questions about this tool, please leave me a comment below.