Introduction:
In the ever-evolving landscape of digital forensics, understanding the artifacts left behind by operating systems is crucial. One such artifact that plays a pivotal role in forensic investigations is Microsoft's Application Compatibility Cache, commonly known as AppCompatCache.
Understanding AppCompatCache (ShimCache):
AppCompatCache is designed to detect and remediate program compatibility challenges that may arise when a program is launched. It allows a program to invoke properties of different operating system versions, mitigating compatibility issues. This subsystem employs what are known as "shims," and the amalgamation of these compatibility modes is colloquially referred to as ShimCache.
Structure and Default Shims:
By default, hundreds of shims exist on a standard Windows installation, stored in the registry. These shims are utilized to determine if a program requires compatibility adjustments. What makes AppCompatCache particularly intriguing from a forensic standpoint is that information about each executable is checked and added to the registry, irrespective of whether it needs to be shimmed.
Forensic Insights from AppCompatCache (ShimCache):
Forensic analysts can leverage information stored in AppCompatCache to track application execution. This includes details such as the name, full path, last modification time of the executable, file size (on Windows XP), and the last time executed. The data is stored in the registry, and the number of entries varies across different Windows versions.
Registry Paths for AppCompatCache (ShimCache):
The AppCompatCache is stored in the SYSTEM hive of the registry, under a path that differs between Windows versions. Knowing these paths is essential for forensic analysis.
Windows 7-10, Server 2003/2008/2012/2016:
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
Entries: 512 (Server 2003) or 1,024 (Win7-10, Server 2008/2012/2016)
Windows XP:
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache
Entries: Limited to 96
Analyzing AppCompatCache Output:
Forensic analysts should note that the most recent entries are listed at the top, and that new entries are committed to the registry only at system shutdown (or, on Windows 10, at reboot). Entries created since the last shutdown are held in memory and are not yet visible in the on-disk hive.
Forensic Applications:
AppCompatCache becomes a valuable resource in forensics when attackers attempt to cover their tracks by removing tools and corresponding prefetch files. The entries can serve as crucial clues that the application existed, even if prefetch files were deleted. Renaming or modifying an application triggers additional AppCompatCache entries, aiding in tracking file manipulations.
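The registry path, entry ordering and renamed-file behaviour described above are easiest to see by decoding the AppCompatCache value itself. The Python below is an added example, not code from the original post: it parses the Windows 10 layout of the value (assumed here as a DWORD header size of 0x30, or 0x34 from Windows 10 1703, followed by "10ts"-signed entries of unknown DWORD, entry data size, UTF-16LE path, FILETIME last-modified and an opaque data blob; the entry data size is taken to cover everything after that field), converts the FILETIME, rejects truncated input, and groups entries that share a modification time, which is how one binary recorded under several names stands out. The sample blob is constructed with the builder in the block and is not taken from a real system; older Windows layouts (XP, 7, 8.x) are not handled.

```python
"""Windows 10 AppCompatCache (ShimCache) value parser.

Added example, not the original post's code. The sample blob is constructed
with build_win10_blob() below. Assumed layout (Windows 10 only):
  header : DWORD header size (0x30, or 0x34 from Windows 10 1703), then padding
  entry  : b"10ts" | DWORD unknown | DWORD entry data size | WORD path length |
           UTF-16LE path | QWORD FILETIME last modified | DWORD data size | data
"entry data size" is assumed to count every byte after that field.
"""
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ENTRY_SIGNATURE = b"10ts"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime for aware datetimes (microsecond precision)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_win10_appcompatcache(blob):
    """Return entries in stored order: Windows keeps the most recently inserted
    entry first, so index 0 is the newest. Raises ValueError on a bad layout."""
    if len(blob) < 4:
        raise ValueError("value too short to hold a header")
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in (0x30, 0x34):
        raise ValueError(f"not a Windows 10 cache: header size 0x{header_size:x}")
    entries = []
    offset = header_size
    # Stop at the first byte run that is not an entry (trailing zero padding).
    while offset + 12 <= len(blob) and blob[offset:offset + 4] == ENTRY_SIGNATURE:
        entry_size = struct.unpack_from("<I", blob, offset + 8)[0]
        entry_end = offset + 12 + entry_size
        if entry_end > len(blob):
            raise ValueError(f"truncated entry at offset 0x{offset:x}")
        pos = offset + 12
        path_len = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        if pos + path_len + 12 > entry_end:  # path + FILETIME + data size must fit
            raise ValueError(f"path length overruns entry at offset 0x{offset:x}")
        path = blob[pos:pos + path_len].decode("utf-16-le")
        pos += path_len
        last_modified = struct.unpack_from("<Q", blob, pos)[0]
        pos += 8
        data_size = struct.unpack_from("<I", blob, pos)[0]
        pos += 4
        if pos + data_size > entry_end:
            raise ValueError(f"data size overruns entry at offset 0x{offset:x}")
        entries.append({
            "position": len(entries),            # 0 = most recently inserted
            "path": path,
            "last_modified": filetime_to_datetime(last_modified),
            "data": blob[pos:pos + data_size],   # opaque here; not interpreted
        })
        offset = entry_end
    return entries


def same_mtime_groups(entries):
    """Group paths that share a last-modified time. Renaming or copying a binary
    keeps its modification time, so one file seen under several names appears
    as one timestamp with several paths. Returns {timestamp: [paths]} for
    timestamps with more than one path."""
    by_time = defaultdict(list)
    for entry in entries:
        by_time[entry["last_modified"]].append(entry["path"])
    return {t: paths for t, paths in by_time.items() if len(paths) > 1}


def build_win10_blob(records, header_size=0x34):
    """Assemble a cache value from (path, last_modified, data) tuples.
    Used only to fabricate sample input for this example."""
    header = struct.pack("<I", header_size).ljust(header_size, b"\x00")
    body = bytearray()
    for path, mtime, data in records:
        path_bytes = path.encode("utf-16-le")
        payload = (struct.pack("<H", len(path_bytes)) + path_bytes
                   + struct.pack("<Q", datetime_to_filetime(mtime))
                   + struct.pack("<I", len(data)) + data)
        body += ENTRY_SIGNATURE + struct.pack("<II", 0, len(payload)) + payload
    return header + bytes(body)


# Constructed sample: three entries, newest first, two of which share a timestamp.
SAMPLE_RECORDS = [
    (r"C:\Users\analyst\Downloads\helper.exe",
     datetime(2023, 11, 15, 8, 30, tzinfo=timezone.utc), b"\x00" * 8),
    (r"C:\Users\analyst\Downloads\helper_old.exe",
     datetime(2023, 11, 15, 8, 30, tzinfo=timezone.utc), b"\x00" * 8),
    (r"C:\Windows\System32\notepad.exe",
     datetime(2022, 3, 2, 17, 45, 10, tzinfo=timezone.utc), b"\x01\x00\x00\x00"),
]
SAMPLE_BLOB = build_win10_blob(SAMPLE_RECORDS)

if __name__ == "__main__":
    parsed = parse_win10_appcompatcache(SAMPLE_BLOB)
    for entry in parsed:
        print(entry["position"], entry["last_modified"].isoformat(), entry["path"])
    for stamp, paths in same_mtime_groups(parsed).items():
        print("shared modification time", stamp.isoformat(), paths)
```

On a real system the value bytes would come from the SYSTEM hive at the path listed above (exported from an offline hive, since the live registry only reflects the cache as of the last shutdown); the parser is deliberately strict so that a cut-off export surfaces as an error rather than as a silently shorter timeline.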
Evolution of AppCompatCache (ShimCache) from Windows Vista Onwards:
Starting with Windows Vista, a new flag named "InsertFlag" was introduced to indicate whether an application had executed. Researchers found that the absence of this flag in an entry suggests the file was not executed. However, the operating system can record an executable pre-emptively, before it is ever run, so the flag requires careful interpretation.
Multiple AppCompatCache Databases:
Forensic analysts may encounter multiple AppCompatCache (ShimCache) databases, one in each control set found in the SYSTEM hive. Reviewing all of them can provide additional historical data and add depth to the analysis.
Key Differences between Amcache.hve and ShimCache:
Information depth: Amcache provides more detailed information, including file size, and was introduced in later Windows versions. ShimCache focuses on compatibility and does not carry as much detail as Amcache.
Storage: They are stored in different registry paths.
History: ShimCache has been present in Windows for a much longer period, while Amcache was introduced in later versions.
Purpose: Amcache is designed to be a more comprehensive source of information about program executions, whereas ShimCache is primarily concerned with the compatibility settings invoked during program launches.
Akash Patel