Search Results

File systems store almost all data in files , but certain special files, collectively known as metadata structures, store essential information about other files and directories . These structures track attributes such as timestamps (created, modified, and accessed), permissions, ownership, file size, and pointers to file locations. Different file systems use unique mechanisms to store clusters allocated to a file. For example: NTFS (New Technology File System)  employs a structure called a "data run" to manage file clusters. FAT (File Allocation Table)  maintains a "chain" of clusters. The Master File Table (MFT) NTFS revolves around the Master File Table (MFT) , a highly structured database storing MFT entries (or MFT records)  for every file and folder on a volume. These entries contain vital metadata, either storing the data directly (for small files) or pointing to clusters where the actual data resides. For files larger than approximately 600 bytes , data is stored in clusters outside the MFT, making them non-resident files . Each NTFS volume has a hidden file called $MFT , which consolidates all MFT entries. NTFS also uses another hidden file, $Bitmap , to track cluster allocation . This file maintains a bit for each cluster, indicating whether it is allocated (1)  or unallocated (0) . Fragmentation occurs when file clusters are non-contiguous, though Windows generally optimizes file storage to minimize fragmentation. The MFT is the Metadata Catalog for NTFS Key NTFS System Files Besides $MFT and $Bitmap, NTFS relies on several other system files, most of which are hidden and start with a $  sign . The first 24 MFT entries are reserved, with the first 12 assigned to these system files: System File MFT Entry $MFT 0 Stores the Master File Table, which tracks all files and directories. $MFTMIRR 1 A backup of the primary MFT to ensure recoverability. $LOGFILE 2 Contains transactional logs to maintain NTFS integrity in case of system crashes. $VOLUME 3 Stores volume information, including the volume name and NTFS version. $ATTRDEF 4 Defines NTFS attributes, detailing metadata structure. “.” 5 The root directory of the NTFS volume. $BITMAP 6 Tracks allocated and unallocated clusters on the volume. $BOOT 7 Stores boot sector information, enabling normal file I/O operations. $BADCLUS 8 Marks physically damaged clusters to prevent data storage in unreliable locations. $SECURE 9 Stores file security details, including ownership and access permissions. $UPCASE 10 Contains Unicode character mappings for case-insensitive file sorting. $EXTEND 11 Holds additional system files introduced in newer NTFS versions. Extended NTFS System Files Beyond the first 12 reserved system files, NTFS also includes several additional $EXTEND  files : Extended System File Purpose $EXTEND$ObjId Tracks object IDs, allowing file tracking despite renaming or movement. $EXTEND$Quota Manages user disk space quotas. $EXTEND$Reparse Stores reparse points, mainly used for symbolic links. $EXTEND$UsnJrnl Maintains the Update Sequence Number (USN) Journal , recording all file changes. Conclusion NTFS is a powerful file system with a robust metadata structure that ensures efficient file management and system integrity. Key system files like $MFT, $Bitmap, $LogFile, and $UsnJrnl  play crucial roles in tracking files, managing disk space, and ensuring recoverability in case of crashes. Understanding these NTFS components is vital for forensic analysts, system administrators, and cybersecurity professionals who need to investigate file system activities or recover lost data. ------------------------------------------------Data--------------------------------------------------

Updated on 17 Feb,2025 When it comes to filesystems, NTFS (New Technology File System) is like the Swiss Army knife of Windows storage. It’s packed with features, built for reliability, and miles ahead of the old FAT (File Allocation Table) system. But let’s be real—most people don’t even use half of what NTFS offers. Some of its capabilities are mainly useful in enterprise environments, while others can be game-changers even for regular users. Let’s break it down in a way that actually makes sense. NTFS: The Highlights 1. Built-in Crash Recovery (Journaling) Ever had your system crash in the middle of saving a file? NTFS has your back. It keeps a log (also called a journal) of changes to the filesystem so it can recover from crashes and prevent data corruption . This is a big deal, especially compared to older filesystems where a sudden shutdown could leave your data in shambles. 2. Tracks File Changes with USN Journal NTFS has a feature called the USN (Update Sequence Number) Journal , which keeps track of every file change. This is super useful for antivirus software and backup tools because they don’t have to scan everything —they just check what’s changed. That means faster scans and backups. 3. Hard Links & Soft Links (File Shortcuts on Steroids) NTFS supports both hard links  and soft links : A hard link  makes it look like a file exists in multiple places, but it's actually just one file with multiple names. A soft link  (or symbolic link) is more like a shortcut—clicking it opens the original file . This is useful for organizing files without creating duplicate copies. 4. Stronger Security (But Not Hacker-Proof) NTFS has built-in security features that let administrators control who can access what files. It’s great for keeping prying eyes out—until someone boots into Linux or uses a forensic tool to bypass those restrictions. (But that’s a topic for another day.) 5. Disk Quotas: No More Hoarding! Ever shared a computer with someone who fills up all the storage with movies and games? NTFS allows admins to set quotas, l imiting how much disk space each user can use . Once they hit their limit, they can’t store any more data until they free up space. 6. Reparse Points: Making Magic Happen This sounds complicated, but it’s really cool. NTFS lets the system interact with files in creative ways using something called reparse points . This is how Windows does things like soft links, volume mount points, and single-instance storage (which we’ll talk about in a second). Developers can even create their own reparse points for custom file behavior. 7. Object IDs: Never Lose a File Again Have you ever renamed or moved a file and then had programs freak out because they can’t find it? NTFS assigns Object IDs  to certain files, allowing Windows to track them no matter where they go. So if a shortcut breaks, the system might still be able to find the file. 8. File-Level Encryption & Compression Encryption : NTFS l ets you encrypt individual files and folders so that only you can open them. This happens in the background without you having to do anything special. Compression : If you’re running low on space, NTFS can automatically compress files to save room. Again, this happens behind the scenes without you noticing a difference. 9. Volume Shadow Copies: Your Undo Button for Files Ever made changes to a file, hit save, and immediately regretted it? NTFS keeps Volume Shadow Copies , which are basically automatic backups of your files . If configured properly, you can restore previous versions of files without needing an external backup. 10. Alternate Data Streams: Hidden File Tricks NTFS lets files have extra hidden data  attached to them. For example, when you download something from the internet, Windows tags it so it can warn you before running it. Unfortunately, hackers also love this feature because they can hide malware inside alternate data streams. So, cool feature—but also a bit risky if misused. 11. Mounting Drives as Folders Instead of having a bunch of drive letters like C: and D:, NTFS lets you mount a second drive inside a folder on another drive . This helps keep things organized, especially in server environments where multiple drives are used. 12. Single Instance Storage: Saving Space on Large Servers Let’s say you work at a company where everyone saves the same massive video file on the shared drive. Instead of keeping multiple copies, NTFS can store one copy and create references (soft links) for everyone else , saving tons of disk space. Final Thoughts NTFS is packed with features that most people don’t even realize exist. While some of these are mainly useful for IT admins and businesses, others—like file recovery, security controls, and file compression—are things regular users can take advantage of every day. Next time you’re managing your files, just remember: NTFS is doing a lot more under the hood than you might think! ------------------------------------------------Dean----------------------------------------------------

Introduction Timeline analysis is a cornerstone of digital forensics, allowing investigators to reconstruct events leading up to and following an incident. When working with massive amounts of forensic data, such as a super timeline generated by Plaso, the key challenge is making sense of thousands—or even millions—of events . The Power of Super Timelines A super timeline consolidates data from multiple sources, including file system metadata, registry changes, event logs, and web history. After parsing data with log2timeline, the tool psort helps filter and organize this data into meaningful insights. However, once the timeline is loaded into a tool like Timeline Explorer, the sheer volume of entries can be overwhelming. The goal is not to analyze every single row but to apply strategic filtering techniques to extract actionable intelligence. This is where pivot points, filtering, and visualization become crucial . Understanding the Core Fields in Timeline Analysis When working with a super timeline, you'll encounter multiple fields. Here are some key columns to focus on: Date & Time  – The timestamp of the event in MM/DD/YYYY and HH:MM:SS format. Timezone  – Helps standardize timestamps across different system logs. MACB  – Indicates if the event modified (M), accessed (A), changed (C), or was created (B). Source & Source Type  – Identifies the origin of the artifact, such as registry keys (REG), web history (WEBHIST), or log files (LOG). Event Type  – Describes the nature of the event, e.g., file creation, process execution, or a website visit. User & Hostname  – Useful when investigating multi-user systems. Filename & Path  – Identifies where the file resides in the system. Notes & Extra Fields  – May contain additional insights depending on the data source. Filtering and Data Reduction: The Key to Efficiency With thousands of rows to sift through, filtering is your best friend. Here’s how to break down the data efficiently: 1. Start with the Big Picture Before zooming into specifics, look at broad trends. For example: What are the peak activity hours? Are there gaps in timestamps that indicate potential log tampering? 2. Use Color Coding and Sorting Tools like Timeline Explorer automatically highlight different types of events (e.g., executed programs in red, file opens in green, and USB device activity in blue). Use this to your advantage to focus on suspicious patterns. 3. Leverage Advanced Search Techniques Use CTRL-F for quick searches. Use wildcards like % to find variations of keywords. Apply column filters to hide non-essential data and zoom in on specific actions. 4. Pivot on Key Artifacts Instead of getting lost in a sea of data, use key artifacts to guide your analysis: RDP Sessions:  Look at Windows event logs for suspicious remote access. USB Activity:  Filter by removable media insertion events to track external device usage. Process Execution:  Investigate software launches to detect malware or unauthorized tools. 5. Export and Annotate Tag critical findings and export them for reports. Timeline Explorer allows tagging rows, which helps in organizing evidence for presentations or case documentation. Beyond Spreadsheets: The Role of Specialized Tools While CSV-based analysis is a good starting point , dedicated tools like Timeline Explorer offer significant advantages: Multi-tab support:  Analyze multiple timelines simultaneously. Detailed Views:  Double-click any row for a structured breakdown of event details. Pre-set Layouts:  Timeline Explorer provides optimized column layouts for different types of forensic investigations. Pro Tips for Your First Timeline Analysis Minimize Distractions  – Hide unnecessary columns to maximize screen space. Stay Organized  – Label key findings and use tags to revisit them easily. Use Comparative Analysis  – If investigating multiple systems, compare hostnames and user activity. Automate Where Possible  – Scripts can help extract high-priority data points quickly. Conclusion Timeline analysis is an incredibly powerful forensic technique, but its effectiveness depends on how well you filter, categorize, and interpret the data. By mastering tools like log2timeline, psort, and Timeline Explorer, you can efficiently reconstruct digital events and uncover critical evidence. As you gain experience, you’ll develop personal best practices and preferred filtering methods. The key is to approach each case systematically, focusing on high-value artifacts while avoiding data overload. Happy hunting! ------------------------------------------Dean-----------------------------------------------------------

In the digital forensics world, understanding how timestamps work is crucial. Modern operating systems, with their complexity, make timestamp analysis both fascinating and challenging. Whether you're tracking file modifications, uncovering malware activity, or investigating lateral movement, timestamps serve as valuable clues. How Timestamps Can Change Unexpectedly Files don’t always follow the expected timestamp update rules. Various software and system activities can modify timestamps, sometimes in ways that obscure forensic evidence. Here are some common offenders: Microsoft Office Applications:  These can update access times even when registry settings disable such changes. Anti-Forensic & Malware Tools:  Attackers use file system APIs to modify timestamps, making malicious files blend in. Archiving Software:  When extracting files from a ZIP or RAR archive, the modification time often reflects the original archive's date rather than when the file was actually unzipped. Security Software & AV Scans:  Some antivirus solutions update access timestamps during routine scans, making forensic analysis trickier. Key Takeaway: Timestamps should never be interpreted in isolation. Always correlate with other evidence, such as logs and system events, to understand why a timestamp changed. Timestamps Over the Network: A Hidden Trail Did you know timestamps follow the same rules even when files are transferred over a network? This has major implications for forensic investigations. Lateral Movement and Timestamps When an attacker moves files across systems using SMB (Server Message Block), the modification time of the file remains the same, while a new creation time is assigned . This tells us two things: The modification time predates the creation time—indicating a copy operation. The creation timestamp on the target system is the exact moment the file was transferred. Why This Matters Pivot Points in Investigations:  The creation time can serve as a reference to correlate with logs and execution events. Detecting Lateral Movement:  Attackers often use net use, WMI, or PsExec to copy and execute malware remotely. SMB traffic analysis (e.g., PCAP files) can reveal timestamps matching those in the filesystem. Registry Clues:  The mountpoints2 NTUSER.DAT registry key can help identify locally and remotely mounted volumes, shedding light on attacker activity. Key Takeaway: Identifying files where the modification time predates the creation time can uncover unauthorized file transfers and lateral movement techniques. Deciphering Timeline Analysis: The “MACB” Model When analyzing a timeline, you'll encounter different timestamp types represented by the “MACB” notation: M  – Modified: Content of the file changed. A  – Accessed: The file was read or executed. C  – Metadata Changed: File attributes or permissions were altered. B  – Birth: The file’s creation time. Example: Understanding a Timeline Entry Let’s say you analyze C:\akash.exe and see these entries: 2025-02-17 16:20:37 m.c. C:\akash.exe 2025-02-17 16:25:12 .a.b C:\akash.exe What This Means: The first line (m.c.) shows that modification and metadata change occurred at 16:20:37. The second line (.a.b) tells us the file was accessed and created (copied) at 16:25:12. Conclusion? The file was copied to the system at 16:25:12 and then modified at 16:20:37 —confirming a past existence before it landed on the target machine. Common Timestamp Combinations Notation Meaning m.cb Modified, metadata changed, birth (created) .a.. Accessed only mac. Modified, accessed, metadata changed Key Takeaway: Timeline analysis isn’t just about reading timestamps—it’s about understanding why  those timestamps exist and what they reveal about past activities. Challenges in Timestamp Forensics Overwritten Evidence:  Timestamps get updated with new modifications, erasing past data. You only see the latest  modification, not the full history. Time Skew Issues :  If a system’s clock was incorrect or tampered with, timestamps could be misleading. File System Differences:  NTFS timestamps differ from FAT32, ext4, and other filesystems, so always consider the OS and format. Final Thoughts: The Investigator’s Approach To master timestamp forensics, you need more than just theoretical knowledge—you need an investigative mindset. Correlate with Logs & Events:  Match file timestamps with Windows Event Logs, Sysmon, and execution artifacts. Leverage Registry Artifacts:  Mountpoints2, shellbags, and recent file lists provide extra context. Test Your Hypotheses:  If something doesn’t add up, replicate it in a controlled environment. By understanding how timestamps behave—and how they can be manipulated—you can uncover hidden traces left by attackers. Keep practicing, keep investigating, and timestamps will become one of your most valuable forensic tools. ------------------------------------------------Dean----------------------------------------------------- 🔍 Want to Learn More?   Explore forensic tools like Plaso, Timesketch, and Velociraptor to take your timeline analysis skills to the next level! Velociraptor: https://www.cyberengage.org/courses-1/mastering-velociraptor%3A-a-comprehensive-guide-to-incident-response-and-digital-forensics Plaso: https://www.cyberengage.org/post/a-deep-dive-into-plaso-log2timeline-forensic-tools https://www.cyberengage.org/post/running-plaso-log2timeline-on-windows

Updated on 17 Feb,2025 When it comes to digital forensics, one of the most valuable tools in an investigator’s arsenal is the filesystem timeline . This technique allows forensic analysts to reconstruct events by examining file metadata, helping to determine when files were created, modified, accessed, or deleted What is a Filesystem Timeline? A filesystem timeline  is a chronological record of file and directory activities within a given storage volume. It includes both allocated and unallocated metadata structures, which means it can provide insights into deleted or orphaned files as well. Different filesystems store timestamps in unique ways, but most record four essential time values: M (Modification Time):  When the file’s content was last changed. A (Access Time):  The last time the file was opened or accessed. C (Change Time):   When the metadata of the file (like permissions, ownership, or name) was altered. B (Birth Time or Creation Time):  When the file was initially created on the system. Supported Filesystems for Timeline Analysis Modern forensic tools can parse timelines from various filesystem types, including: NTFS (Windows) FAT12/16/32 (Older Windows systems, external storage devices) EXT2/3/4 (Linux) ISO9660 (CD/DVD media) HFS+ (Mac systems) UFS1 & UFS2 (Unix-based systems) NTFS Timestamps – The Gold Standard in Windows Forensics The NTFS filesystem, used in most Windows environments, maintains four key timestamps (MACB). However, two timestamps often confuse beginners: Change Time (C):   Updated when a file is renamed, permissions change, or ownership is modified. Access Time (A):   Historically unreliable, as Windows has altered how frequently it updates access times, even delaying updates by up to an hour or disabling them altogether in some versions. For practical forensic work, focusing on Modification (M) and Creation (B) times  is usually the best approach, as they are more reliable indicators of file activity. The Importance of Time Formats One of the most crucial factors in forensic timeline analysis is understanding how different filesystems store timestamps: NTFS timestamps are stored in UTC format,  meaning they remain consistent regardless of time zone changes or daylight savings. FAT timestamps use local time,   which can lead to inconsistencies when analyzing files across different locations. Additionally, NTFS uses a high-resolution 64-bit FILETIME structure , which counts time in 100-nanosecond intervals since January 1, 1601 (UTC). In contrast, UNIX systems count seconds since January 1, 1970. How Actions Affect Timestamps Different file actions impact timestamps in various ways. Here are some key forensic takeaways: File Creation:  All four timestamps (MACB) are set at the time of creation. File Modification:  Updates the M (modification), A (access), and C (metadata change) timestamps. File Rename/Move (on the same volume):  Only the C timestamp is updated. File Deletion:  No timestamps are updated (Windows doesn’t maintain a deletion timestamp). File Copying:  The copied file retains the M timestamp from the original but receives a new B (creation) timestamp, making it possible to detect copied files by spotting instances where the modification date is older than the creation date. Command Line vs. GUI Moves:  Interestingly, moving a file via the command line can produce different timestamp behaviors compared to using drag-and-drop in the Windows GUI. The Challenges of Windows Version Differences Different Windows versions handle timestamps in slightly different ways. For example: Windows Vista disabled access time updates  (later re-enabled in Windows 10 and 11). Windows 10 vs. 11 timestamp behaviors are largely similar , but forensic experts should always test assumptions on a similar system before drawing firm conclusions. Practical Takeaways for Investigators Prioritize M and B timestamps.  They are the most consistent and useful in tracking file activity. Be cautious with A and C timestamps.  These can be misleading due to system behaviors and version differences. Recognize copied files .  If a file’s modified date is older than its creation date, it was likely copied from another source. Validate your findings .  If timestamps play a crucial role in your investigation, test your hypothesis on a similar system to confirm expected behaviors. Final Thoughts Filesystem timelines are an incredibly powerful tool in digital forensics. Understanding how different filesystems handle timestamps, recognizing anomalies, and testing assumptions can make all the difference in an investigation. -------------------------------------------------Dean----------------------------------------------------

Tracking down malicious activity in a digital environment can feel overwhelming. Modern systems generate an endless stream of logs, timestamps, and events—making it difficult to separate suspicious activity from normal operations. However, by using timeline analysis, we can cut through the noise and identify key events that may indicate an intrusion, unauthorized access, or data exfiltration. Why Timeline Analysis Matters Every system generates logs that track user actions, system processes, and interactions with files. Think of these as footprints in the digital sand. However, attackers often try to erase logs, modify timestamps, or use "living-off-the-land" techniques—methods that blend their activity with normal system operations. This is where timeline analysis shines—it reconstructs past events, correlates different data points, and identifies inconsistencies. Understanding Noise vs. Signal When conducting a timeline investigation, you must recognize that most events are unrelated. Imagine listening to multiple music genres simultaneously—jazz, rock, and classical. At first, it sounds chaotic, but with practice, you can isolate specific melodies. Similarly, timeline analysis helps us filter out background system noise and focus on user activity or intrusions. A key principle here is contextual analysis —the ability to differentiate between normal behavior and anomalies. For example, a SYSTEM process opening a web browser is suspicious, whereas a user logging in and accessing files is expected behavior. Key Concepts in Timeline Forensics Pivot Points:  Every investigation needs a starting place, such as a suspicious file, an unusual login time, or a flagged process. Once we identify a pivot point, we work outward—analyzing what happened before and after that event. Temporal Proximity:  Events rarely happen in isolation. Looking at what occurred immediately before and after an incident helps piece together a clearer picture of what transpired. Super Timelines vs. Targeted Timelines: Super timelines  aggregate all available logs, registry changes, browser history, and system events into one massive dataset. While thorough, they can be overwhelming. Targeted timelines  focus on specific artifacts, making analysis more manageable and efficient. Tools of the Trade Forensic analysts rely on powerful tools to extract and analyze timeline data: Plaso (log2timeline.py):  A tool for creating comprehensive super timelines by extracting data from multiple sources. https://www.cyberengage.org/post/a-deep-dive-into-plaso-log2timeline-forensic-tools https://www.cyberengage.org/post/running-plaso-log2timeline-on-windows MFTECmd:  Tools used to extract filesystem metadata and analyze timestamps for file access and modifications. https://www.cyberengage.org/post/mftecmd-mftexplorer-a-forensic-analyst-s-guide KAPE & Timeline Explorer:  Useful for extracting logs and visualizing timeline data in an interactive format. Aurora IR & Velociraptor:  Open-source tools designed for incident response and timeline analysis. How to Conduct Timeline Analysis Define the Scope:   Determine the timeframe of the incident to reduce data overload. Extract Data:   Use tools like Plaso, Sleuthkit, or KAPE to pull logs , registry modifications, browser activity, and event logs. Filter and Organize:  Remove unrelated data to highlight suspicious activity by de-duplicating logs and applying keyword filters. Analyze:  Investigate relationships between artifacts, identify anomalies , and correlate events to reconstruct the sequence of actions. Report Findings:  Document findings clearly, highlighting key events, attack vectors, and any indicators of compromise (IOCs). Real-World Application Imagine investigating a suspected data breach. Your starting point (pivot) is a flagged user login at an unusual time. By analyzing system logs, registry changes, and event timestamps, you notice the user executed PowerShell scripts shortly after logging in. Further analysis reveals that they accessed confidential documents and transferred them to an external USB drive. This sequence of events confirms data exfiltration. Final Thoughts Timeline analysis is one of the most powerful forensic techniques available. It allows us to reconstruct events, pinpoint security incidents, and understand attacker behavior. Whether investigating malware infections, unauthorized access, or data theft, mastering timeline analysis is crucial in uncovering the truth hidden within digital artifacts. With practice and the right tools, you’ll be able to navigate complex datasets and make sense of even the most chaotic digital landscapes. Keep learning, stay curious, and always look for the hidden patterns that reveal the bigger picture. ----------------------------------------------------Dean----------------------------------------------------

Introduction to Baseline Analysis in Digital Forensics Baseline analysis is an essential technique in digital forensics and incident response, allowing analysts to efficiently identify anomalies in large datasets . At its core, baseline analysis involves comparing a suspect dataset with a "known good" dataset to detect outliers. This approach is particularly useful in memory forensics, where analysts must sift through hundreds of processes, drivers, and services to identify malicious activity. One powerful tool that le verages baseline analysis for memory forensics is Memory Baseliner , developed by Csaba Barta. This tool integrates with Volatility 3 to streamline comparisons between a suspect memory image and a baseline memory image, helping analysts quickly filter out known good items and focus on potential threats. ------------------------------------------------------------------------------------------------------------ The Need for Baseline Analysis in Memory Forensics Windows memory is complex, often containing over a hundred processes, each with numerous associated objects. Even seasoned professionals can struggle to pinpoint malware hidden within the sheer volume of data. A baseline memory image from a clean system allows for direct comparison, making it easier to isolate unusual artifacts. By feeding Volatility with both a suspect memory image and a baseline image, Memory Baseliner enables forensic analysts to: Quickly filter out known good artifacts. Identify new or uncommon processes, drivers, and services. Stack multiple images to determine the least frequently occurring artifacts. This approach reduces the dataset to review, making investigations more efficient. ------------------------------------------------------------------------------------------------------------ How Memory Baseliner Works Memory Baseliner supports four types of memory object analysis: Processes and associated DLLs (-proc) Drivers (-drv) Windows Services (-svc) To perform baseline analysis, two memory images must be provided: Baseline Image (-b) : A clean system memory dump. Suspect Image (-i) : The compromised system's memory dump. python memory_baseliner.py -b baseline.raw -i suspect.raw -o output.txt This command compares the suspect memory image against the baseline, saving results to output.txt for further analysis. A useful option is --showknown, which outputs both known and unknown items , allowing for flexible filtering in spreadsheet tools. Key output details include: Process Name & Command Line Parent Process Details Loaded DLLs Import Table Hashes Known/Unknown Status  (Whether the item was in the baseline) Frequency of Occurrence  (Baseline vs. suspect image) These data points help analysts identify anomalies that might indicate malware presence. ------------------------------------------------------------------------------------------------------------ Stacking for Least Frequency of Occurrence Analysis Stacking is another powerful feature of Memory Baseliner that analyzes multiple memory images to detect rare artifacts . Since malware-related items tend to be less common across systems, identifying low-frequency occurrences can highlight suspicious activity. Stacking Example python memory_baseliner.py -d memory_images_folder -procstack -o stacked_output.txt Here, the t ool scans multiple images in the memory_images_folder directory , identifying the l east frequently occurring processes. By focusing on rare executables, DLLs, drivers, or services, analysts can reduce the dataset and prioritize investigative leads. However, false positives may still exist, requiring manual review. ------------------------------------------------------------------------------------------------------------ Speeding Up Analysis with JSON Baselines One challenge of Memory Baseliner is its processing time. Large memory images can take up to 15 minutes to analyz e. To optimize this, the tool allows users to create and reuse JSON baseline files. JSON Baseline Usage Create a JSON Baseline python memory_baseliner.py -b baseline.raw --jsonbaseline baseline.json --savebaseline Load the JSON Baseline for Faster Analysis python memory_baseliner.py -i suspect.raw --jsonbaseline baseline.json --loadbaseline -o output.csv By leveraging JSON files, analysts can bypass re-analysis of the baseline memory image, significantly speeding up the comparison process. ------------------------------------------------------------------------------------------------------------ I know until now we have gone through theory. But lets go with practical execution and analysis as well , So, you will not face errors like I did. So, I wanted to make your experience better—this is how you install this script. Setting Up Memory Baseliner in WSL Before we dive in, let’s set up the tool properly. Clone the repository into your WSL environment: git clone https://github.com/csababarta/memory-baseliner.git Navigate to the cloned directory and move the scripts into the Volatility3 folder: mv memory-baseliner/*.py ~/Memorytool/volatility3/ Verify the setup by running: python3 baseline.py If it runs without errors, you're good to go! ------------------------------------------------------------------------------------------------------------- Using Memory Baseliner: Practical Examples Now that we’re set up, let’s start running some analysis. Step 1: Process Baselining To dump all processes and compare them against a baseline: python3 baseline.py -proc --state -b /mnt/c/Users/Akash's/Downloads/20250213/20250213.mem -i /mnt/c/Users/Akash's/Downloads/20250213Horizon/20250213.mem --showknown -o /mnt/c/Users/Akash's/Downloads/proc_all.txt Step 2: Driver Baselining To dump all loaded drivers: python3 baseline.py -drv -b /mnt/c/Users/Akash's/Downloads/20250213/20250213.mem -i /mnt/c/Users/Akash's/Downloads/20250213Horizon/20250213.mem --showknown -o /mnt/c/Users/Akash's/Downloads/driv-all.txt Step 3: Service Baselining To analyze running services: python3 baseline.py -svc --state -b /mnt/c/Users/Akash's/Downloads/20250213/20250213.mem -i /mnt/c/Users/Akash's/Downloads/20250213Horizon/20250213.mem --showknown -o /mnt/c/Users/Akash's/Downloads/svc-all.txt ------------------------------------------------------------------------------------------------------------ Output: Converting Output for Better Analysis By default, the tool outputs pipe-separated (|) text files , which aren’t ideal for analysis in tools like Timeline Explorer  or Excel . To convert them to CSV: sed -i 's/|/,/g' /mnt/c/Users/Akash's/Downloads/svc-all.txt > /mnt/c/Users/Akash's/Downloads/svc-all.csv Do the same for other files (proc_all.txt, driv-all.txt). ------------------------------------------------------------------------------------------------------------ Key Analysis Techniques Once you have the data, here’s how to make sense of it: Process Baselining -proc: This generates a lot of information. To narrow down the data to just process names, filter for .exe  in the DLL NAME  column . This works because the executable binary (.exe) will also appear in the loaded DLL list. Combine this with PROCESS STATUS=UNKNOWN  to quickly identify processes that were not present in the original baseline image. If you want to investigate loaded DLLs , filter for DLL STATUS=UNKNOWN  and focus on DLLs with the lowest frequency of occurrence in the IMAGE Fo O  column . If a DLL appears in many processes (i.e., has a high occurrence rate), it is less likely to be malicious. The --cmdline option forces a comparison of the full process command line in addition to the process name . This helps detect anomalies, such as the 32-bit version of an application running even though the system typically uses the 64-bit version. You can also compare process owners (--owner) and import hashes (--imphash) . However, these comparisons might be too restrictive unless your baseline image is very similar to the suspect image. Driver Baselining If your baseline image is a close match, you should see only a few new drivers added to the system. Focus on STATUS=UNKNOWN   entries first. Review the PATH  column to check if any drivers are loaded from unusual location s outside the standard \Windows\System32\Drivers\ and \Windows\System32\ paths. Import hashes (ImpHash) can often be calculated for many drivers present in memory. For deeper analysis, add the --imphash comparison option to detect variations of known drivers. Service Baselining The STATE  column shows whether a service was running. As a first step, filter for SERVICE_RUNNING  to focus on active malware. The --state option allows you to compare service configurations . This helps detect services that were disabled  in the baseline but enabled  in the suspect image —a common persistence tactic used by malware. It can also reveal services that were disabled in the suspect image but should be enabled (e.g., Windows updates or security software). Malware attempting to maintain persistence often uses SERVICE_AUTO_START . Filtering for this value can help identify potential threats. Some malware executes only once and then stops . These may use different start types, such as SERVICE_DEMAND_START, and might appear as SERVICE_STOPPED . To get a complete picture, examine all UNKNOWN services , but segmenting the data in different ways can make anomalies more obvious. Most Windows services run under built-in accounts like LOCAL SERVICE or the computer account (HOSTNAME$). Look for services running under user accounts , as these could indicate unauthorized activity. ------------------------------------------------------------------------------------------------------------- Practical Tips for Using Memory Baseliner Use tailored baseline images : A baseline from a similar system build reduces noise. Filter results in Excel : Use UNKNOWN status and .exe filters to highlight suspicious processes. Leverage JSON baselines : Saves time on repeat analyses. Validate findings with additional tools : Use Volatility’s malfind or yarascan plugins for deeper malware analysis. ------------------------------------------------------------------------------------------------------------ Conclusion Baseline analysis is a crucial technique in memory forensics, enabling rapid identification of suspicious activity by filtering known good artifacts. Memory Baseliner simplifies this process, providing efficient comparisons between suspect and clean memory images. Memory Baseliner is a powerful addition to any forensic analyst’s toolkit. By integrating it into investigations, analysts can significantly reduce data review time and enhance their ability to detect stealthy malware infections. ---------------------------------------------Dean---------------------------------------------

Introduction Windows hibernation files are an essential artifact in digital forensic investigations, often overlooked yet highly valuable. These files are created whenever a system is placed in hibernation or enters a "power save" mode . This most commonly occurs in laptop computers when the lid is closed while the system is running . However, with modern versions of Windows, the distinction between sleep and hibernation has become increasingly blurred . As a result, checking for the presence of a hibernation file should be a standard procedure in any forensic examination. The hibernation file is named hiberfil.sys  and is typically located in the root of the system drive (e.g., C:\hiberfil.sys ). Understanding and analyzing this file can provide invaluable insights, as i t contains a snapshot of the system's RAM before it went into hibernation. ---------------------------------------------------------------------------------------------------------- Importance of Hibernation Files in Forensics One of the most significant advantages of hibernation files is that they offer forensic investigators an opportunity to retrieve a memory image of a system , even if it has been shut down before an investigation begins . This provides two key benefits: Historical Memory Analysis : If the system was hibernated days, weeks, or even months ago, the hibernation file may contain valuable forensic artifacts from that time. Comparative Memory Analysis : If the system is currently running, the investigator now has two memory images to analyze—the current RAM dump and the historical hibernation file. Understanding the Hibernation File Format Windows hibernation files use compression , and their format varies across different versions of Windows. Due to these changes, specialized tools are required to extract and analyze the memory contents from hiberfil.sys. Tools for Extracting and Analyzing Hibernation Files Several tools exist to process hibernation files and convert them into usable memory images: 1. Volatility Framework Volatility is a well-known open-source memory forensics framework with built-in support for Windows hibernation files. The imagecopy  plugin in Volatility 2  can convert hibernation files into raw memory dumps for further analysis. Command to Convert a Hibernation File: vol.py -f /memory/hiberfil.sys imagecopy -O hiberfil.raw Or python3 vol.py -f /memory/hiberfil.sys layerwriter Volatility 3 , the imagecopy plugin is being replaced by the layerwriter  plugin. 2. Hibr2Bin by Matthew Suiche Matthew Suiche developed Hibr2Bin , a tool designed to convert hibernation files into raw memory images . The tool has been widely used in digital forensics but has not been updated recently, leading to compatibility issues with Windows 10 and Windows 11 hibernation files. 3. Hibernation Recon (Arsenal Recon) One of the most advanced tools for analyzing hibernation files is Hibernation Recon  by Arsenal Recon . This tool not only decompresses hibernation files but also extracts slack space  left behind by older hibernation files. This is significant because:   After running tool we will get bunch of output file               Output example: Older hibernation files may leave remnants of past system states. Data from previous hibernation sessions can still be recovered. 4. Other Forensic Tools Several forensic tools have integrated hibernation file analysis capabilities, including: BulkExtractor  (string searching and data carving) Magnet Forensics AXIOM Belkasoft Evidence Center Passware Hibernation File Behavior in Windows 8, 10, and 11 With Windows 8 and later , Microsoft introduced a new hibernation file format . Key changes include: Automatic Zeroing of Data : When a system resumes from hibernation, data is read and then zeroed  from hiberfil.sys , making recovery of older memory states more challenging. Variable System Behavior : Some systems retain older hibernation data longer than others. Differences are likely influenced by hardware components, particularly SSD vs. HDD storage . Windows Power Management and Hibernation Artifacts Microsoft has made significant changes to power management in modern Windows versions. These include new power states that affect whether a hibernation file is created: Modern Standby (Connected Standby) : Keeps the system in a low-power state rather than full hibernation. Hybrid Sleep : A combination of sleep and hibernation, which may not always generate a hiberfil.sys file. Fast Startup : Saves a portion of memory state to hiberfil.sys, but may not store full RAM contents. Investigators can use the powercfg.exe  tool to check the system’s current power settings: powercfg /a This command lists all available power states on the system and helps determine whether a hibernation file should be present. Conclusion Hibernation files are a goldmine of forensic data , especially in cases where a system has already been shut down. Understanding how to extract, convert, and analyze hiberfil.sys  can provide forensic analysts with critical insights into system activity. With newer Windows versions introducing changes to hibernation behavior, forensic professionals must stay updated with the latest tools and methodologies to ensure effective investigations. ------------------------------------------Dean-------------------------------------------------

To Understand Amcache.Hive check out below article: https://www.cyberengage.org/post/amcache-hiv-analysis-tool-registry-explorer ------------------------------------------------------------------------------------------------------------ Introduction When conducting digital forensics, understanding the execution history of a system is crucial. Windows operating systems maintain execution artifacts that provide insight into which programs and binaries were executed, making them valuable for forensic investigations. Two of the most powerful tools for analyzing execution artifacts are AmcacheParser  and appcompatprocessor.py . ------------------------------------------------------------------------------------------------------------ AmcacheParser: Understanding Execution Artifacts What is AmcacheParser? AmcacheParser is a tool developed by Eric Zimmerman  that parses the Amcache.hve registry hive, a critical artifact in Windows forensic analysis. This hive stores execution details about applications and drivers, making it a rich source of evidence for identifying malware, persistence mechanisms, and general system activity. Key Features and Data Extracted By default , AmcacheParser focuses on unassociated file entries but can be expanded to include full details of all program-related entries using the -i switch. The tool extracts various data points, including: SHA-1 hash  of the executed file Full file path File size File version number File description and publisher Last modified date Compilation timestamp Language ID Command: E:\Scripted ForensicTools\Zimmerman tools\Get-ZimmermanTools\net6> .\AmcacheParser.exe -i -f C:\Windows\appcompat\Programs\Amcache.hve --csv "E:\Output for testing\Website investigation\Amcache.hiv" Practical Usage in Incident Response AmcacheParser outputs multiple .csv files, categorized based on their source keys in the Amcache.hve registry file. Microsoft frequently updates Amcache, adding new keys and values, which AmcacheParser is designed to parse. The most critical output files include: Amcache_ProgramEntries.csv  – Contains metadata on installed applications (from InventoryApplication key). Amcache_UnassociatedFileEntries.csv  – Lists executables that do not belong to a known installed program, a crucial file for finding standalone malware, credential dumpers, or reconnaissance tools. Amcache_DriverBinaries.csv  – Contains information about installed drivers, helping investigators identify malicious kernel drivers. How AmcacheParser Helps in Threat Hunting AmcacheParser allows analysts to apply allowlisting and blocklisting  based on SHA-1 hashes. This feature is extremely useful in threat hunting across multiple systems, enabling the quick identification of malicious files by comparing them against known-bad hash lists. For example, if an organization is investigating a ransomware attack, running AmcacheParser across affected systems can reveal: Unknown executables  appearing shortly before encryption starts Execution paths  that indicate lateral movement Suspicious programs  launched from unconventional directories like C:\Users\Public\ or C:\ProgramData\ ------------------------------------------------------------------------------------------------------------ appcompatprocessor.py: Automating Execution Analysis What is appcompatprocessor.py? Developed by Matias Bevilacqua , appcompatprocessor.py is a Python-based tool designed to parse and analyze execution artifacts from AppCompatCache (ShimCache) and Amcache . Unlike standalone parsing tools, appcompatprocessor.py integrates these data sources into a SQLite database , allowing for efficient and powerful queries. Why AppCompatCache and Amcache Matter? Both artifacts provide a record of program executions but differ in their capabilities: AppCompatCache (ShimCache) : Primarily tracks file executions, even if they have since been deleted. However, it does not store execution timestamps. Amcache : Contains richer metadata, including SHA-1 hashes, timestamps, and file paths. By combining both sources, appcompatprocessor.py enables forensic analysts to get a comprehensive timeline of executed files , even if malware has attempted to clean up traces. Key Features of appcompatprocessor.py Once data is ingested into SQLite, analysts can leverage various analysis modules  to detect anomalies and malicious activity. Some of the most powerful modules include: 1. Search Modules search: Performs regular expression searches within the database. Prebuilt regex patterns can detect suspicious patterns (e.g., execution from network shares, encoded scripts, or known hacking tools). fsearch: Searches specific fields like FileName, FilePath, LastModified, or ExecutionFlag . 2. Anomaly Detection Modules filehitcount: Counts occurrences of each executable, highlighting unusual or rarely executed binaries. tcorr: Temporal correlation of executions, helping identify which processes frequently run together (e.g., rundll32.exe executing shortly after a suspicious binary). reconscan: Detects reconnaissance tools running in close sequence, assigning a likelihood score to identify probing activity. leven: Identifies slight variations in file names that might indicate masquerading techniques  (e.g., lssass.exe instead of lsass.exe). stack: Performs least frequency of occurrence analysis , helping isolate rare but potentially malicious binaries. 3. Randomized File Name Detection rndsearch: Identifies randomly named executables that could indicate malware execution. ----------------------------------------------------------------------------------------------------------- Case Study: Investigating a Potential Malware Execution A security operations center (SOC) detects suspicious behavior on a Windows endpoint. An unusual svchost.exe process is found running from C:\ProgramData\, which is an uncommon location for a system process. Investigation Steps Using These Tools Run AmcacheParser to extract execution history: AmcacheParser.exe -f C:\Windows\appcompat\Programs\Amcache.hve -i -o output_folder The results in Amcache_UnassociatedFileEntries.csv show svchost.exe executing from an unusual location. SHA-1 hash lookup confirms the file is unknown and possibly malicious. Use appcompatprocessor.py to correlate ShimCache and Amcache data : python3 appcompatprocessor.py -o analysis.db -a amcache -s SYSTEM -A Amcache.hve Running stack on FilePath highlights C:\ProgramData\svchost.exe as a rare occurrence. tcorr shows it was executed right before cmd.exe, indicating potential scripting activity. reconscan detects use of ipconfig, whoami, and nltest, suggesting reconnaissance activity. Pivot and Expand the Investigation Running fsearch for C:\ProgramData in the database finds another suspicious file, svc.bat, confirming a script-based attack. search module detects sdelete.exe, a known anti-forensic tool, suggesting the attacker attempted to delete traces. ------------------------------------------------------------------------------------------------------------- Conclusion By using AmcacheParser and appcompatprocessor.py together, the SOC team quickly identified: A rogue executable masquerading as a system process Correlation between execution times and malicious commands Attempts to delete forensic evidence This investigation underscores why these tools are invaluable for security analysts and incident responders. ------------------------------------------------------------------------------------------------------------- Final Thoughts Understanding AmcacheParser  and appcompatprocessor.py  is essential for anyone in digital forensics, SOC teams, and incident response. These tools provide deep visibility into program executions, helping analysts detect malware, track adversaries, and correlate execution artifacts. Master these tools, and you'll have a significant edge in forensic investigations and threat hunting. 🚀 --------------------------------------------Dean------------------------------------------

Introduction to AppCompatCache AppCompatCache, also known as ShimCache, is a valuable forensic artifact in Windows systems that helps investigators track application execution. Even if an attacker removes their tools from a system, AppCompatCache can still retain traces of their presence, making it a crucial piece of forensic evidence. In this article, we will explore how to extract and analyze AppCompatCache data using two widely used forensic tools: Eric Zimmerman's AppCompatCacheParser  and Mandiant’s ShimCacheParser.py . ----------------------------------------------------------------------------------------------------------- Extracting AppCompatCache Data 1. Using Eric Zimmerman's AppCompatCacheParser Eric Zimmerman's AppCompatCacheParser  is one of the most widely used tools for extracting and analyzing ShimCache data. It supports both live systems and offline registry hives, ensuring that all historical data is captured. Installation & Execution Download AppCompatCacheParser from Eric Zimmerman’s GitHub repository. Open Command Prompt  and navigate to the folder containing AppCompatCacheParser. Execute the following command: (I have collected artifact using Kape than mounted the drive and than run appcompactcacheparser) .\AppCompatCacheParser.exe -f G:\G\Windows\System32\config\SYSTEM --csv "E:\Output for testing\Website investigation" --csvf appcompact.csv Key Features: ✔ Parses all control sets  in the SYSTEM hive to ensure no historical data is missed. ✔ Works on live systems  and offline registry hives. ✔ Provides output in CSV format  for easy analysis. Output: ----------------------------------------------------------------------------------------------------------- 2. Using Mandiant’s ShimCacheParser.py ShimCacheParser.py is a lightweight Python-based tool  developed by Mandiant that extracts ShimCache data from exported .reg files . This makes it particularly useful for large-scale remote investigations. Installation & Execution Ensure Python is installed on your system. Download ShimCacheParser.py from Mandiant’s official repository. Export the AppCompatCache registry data using reg.exe : reg export HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache AppCompatCache.reg Run the ShimCacheParser: python ShimCacheParser.py Key Features: ✔ Extracts ShimCache data from exported .reg files , making it ideal for remote collection. ✔ Provides forensic insight even if the SYSTEM hive is unavailable. ✔ Supports automation in large-scale investigations ----------------------------------------------------------------------------------------------------------- 🔍 Analysis Tips: If an attacker deleted a file, its entry might still be visible in AppCompatCache . If the InsertFlag  is set to 0 but Prefetch evidence  exists, the executable likely ran. Comparing AppCompatCache data with Prefetch and Event Logs  can confirm execution. ----------------------------------------------------------------------------------------------------------- Conclusion AppCompatCache remains a powerful forensic artifact that helps investigators track file presence and potential execution. While it has its limitations, pairing it with other forensic evidence—such as Prefetch files , Event Logs , and $MFT analysis —enhances accuracy in digital investigations. By using tools like AppCompatCacheParser  and ShimCacheParser.py , forensic analysts can efficiently extract and analyze this critical data to uncover malicious activity. 🚀 Stay updated with forensic research  to refine AppCompatCache analysis techniques! -----------------------------------Dean---------------------------------------------------------

Introduction to Amcache.hve With the introduction of Windows 8 and later versions, Microsoft replaced the older RecentFileCache.bcf  artifact with Amcache.hve . This registry hive provides an extensive amount of forensic data on executables, installed applications, and loaded drivers. Unlike its predecessor, Amcache.hve contains much richer metadata, making it invaluable for tracking program execution, file presence, and driver installations . One fascinating aspect of Amcache is that its format is not tied to Windows versions  but rather to the DLL version . This means that even two Windows 10 systems with different patch levels may have different structures within their Amcache files. Forensic researchers must be aware of this variation while conducting investigations. ------------------------------------------------------------------------------------------------------------- Why Amcache Matters in Digital Forensics Amcache serves as an important forensic artifact due to the extensive details it tracks, including: Full file path  of executables and drivers. File size and publisher metadata. Multiple timestamps  that provide insights into when a file appeared on the system. SHA1 hash  of tracked executables and drivers (for files under ~31MB). Evidence of execution (though indirect). Key Limitation: Execution is Not Always Confirmed Unlike Prefetch or ShimCache, Amcache does not explicitly confirm execution . Instead, it records: Executed GUI applications that required shimming  (modifications for compatibility). Executables and drivers copied during program execution. Executables in directories scanned by Microsoft Compatibility Appraiser. Only the first category directly relates to execution, making Amcache more useful for tracking file presence rather than execution timestamps ------------------------------------------------------------------------------------------------------------- Exploring the Structure of Amcache.hve Amcache contains multiple registry keys, each tracking different file categories. Here are the most important ones: 1. InventoryApplicationFile Key This key is crucial as it logs details about individual executable files  found on the system . Each application is assigned a unique subkey, which holds various metadata fields such as: FileID:  The SHA1 hash of the file (minus the first four zeroes). LowerCaseLongPath:  The full path of the executable. Size:  The file size in bytes. LinkDate:  The compilation timestamp from the PE header. 2. InventoryApplication Key This key t racks installed applications  and is structured differently from InventoryApplicationFile . It links application entries using the ProgramId  value. If an executable appears in both InventoryApplicationFile  and InventoryApplication , it indicates an installed  application rather than just a copied or executed one . The installation date is stored in InventoryApplication , though with only day-level granularity. Each entry, named according to the "ProgramID," facilitates easy association with InventoryApplicationFile. 3. InventoryDriverBinary Key Amcache also records loaded drivers , which is particularly important when investigating rootkits or malicious drivers. Each driver has a dedicated subkey containing: Driver file name and path. SHA1 hash  (if applicable). Digital signature details. Modification timestamps. Drivers play a crucial role in system security and malware persistence. Suspicious drivers with missing metadata, strange names, or unusual file paths should be investigated further. ------------------------------------------------------------------------------------------------------------- Forensic Analysis and Tools We will talk about more in depth about two tool in next article. But i will give u name of tools lol. RegRipper  (for extracting Amcache data from a forensic image). AmcacheParser  (by Eric Zimmerman, specifically designed for Amcache analysis). Check out article link below: ------------------------------------------------------------------------------------------------------------ Investigating Amcache for Threat Hunting When analyzing Amcache for forensic purposes, keep these key points in mind: SHA1 hashes  can help identify known malware or trusted applications. Compare hashes with VirusTotal or threat intelligence databases. File paths  can reveal whether an executable was launched from an unusual location (e.g., C:\Users\Public\ or C:\Windows\Temp\). Compilation timestamps  (LinkDate) can indicate when a binary was created, which is useful for correlating it with known threat actor campaigns. Presence in InventoryApplicationFile vs. InventoryApplication  helps determine whether a file was merely present on the system or fully installed. ------------------------------------------------------------------------------------------------------------- Example Case Study: Identifying a Suspicious Driver Suppose we find an entry in InventoryDriverBinary  that shows: A driver located in C:\Users\Public\ (a suspicious location). No metadata recorded (missing digital signature, no publisher info). A compilation date that aligns with recent malicious activity. This would be a red flag. Next steps: Extract the driver file and analyze it with PE tools  (e.g., PEStudio, ExifTool). Submit its SHA1 hash  to VirusTotal for a threat check. Check the Windows event logs  for any driver-related warnings or errors. If further investigation reveals that the driver is part of a known rootkit , this would confirm its malicious intent, leading to further analysis and potential remediation steps. ------------------------------------------------------------------------------------------------------------- Important Considerations (As per Testing) Presence vs. Execution: AmCache indicates the presence of a file but does not confirm its execution. This is crucial to understand when using AmCache data in forensic analysis. ------------------------------------------------------------------------------------------------------------- Conclusion Amcache.hve is an invaluable forensic artifact that provides deep insights into system activity. While it does not directly confirm execution , it serves as an excellent source for tracking file presence, gathering metadata, and identifying suspicious applications or drivers. To maximize its effectiveness in investigations, analysts should: Use hashes for malware identification. Cross-reference Amcache data with Prefetch and event logs  to confirm execution. Investigate unexpected driver entries  to detect rootkits and persistence mechanisms. By understanding and leveraging Amcache properly, forensic analysts can extract significant intelligence from Windows systems, making it a must-have tool in any incident response or malware investigation workflow. ----------------------------------------------------Dean--------------------------------------------

Updated on 13 Feb,2025 Introduction to AppCompatCache In the realm of digital forensics, one of the most valuable artifacts for tracking program execution is the Application Compatibility Cache (AppCompatCache) , commonly known as ShimCache . This Windows feature was originally designed to handle application compatibility issues, ensuring that older programs can still function correctly on newer versions of Windows. However, its forensic significance lies in the fact that Windows records executable files in this cache whether or not they require compatibility adjustments —and sometimes even before execution. This ability makes AppCompatCache a powerful tool for forensic investigators, especially when examining systems where an attacker has attempted to cover their tracks. If malware or suspicious executables have been removed from a system, AppCompatCache might still retain evidence of their presence ------------------------------------------------------------------------------------------------------- What is AppCompatCache (ShimCache)? When a program runs, Windows may determine that it requires a compatibility fix  or shim  to function correctly. These fixes are applied through an internal database containing hundreds of predefined “shims.” This is where the term ShimCache  originates. Even if an application does not require shimming, Windows still records its presence in the registry , which is what makes it so useful for forensic investigations. How Windows Uses AppCompatCache: Detects if an application requires compatibility adjustments. Records details of the executable in a registry entry regardless of whether shimming is needed . Updates this registry entry only when the system is shutting down or rebooting (for Windows 7 and later). Because AppCompatCache records application activity even if the program does not execute, forensic analysts can use it to find traces of malware, penetration testing tools, or any executables dropped onto a system. ------------------------------------------------------------------------------------------------------- Location of AppCompatCache in the Registry The AppCompatCache data is stored in the SYSTEM hive  of the Windows Registry. The path differs slightly depending on the operating system version: Windows 7 and Later (Including Windows 11, Server 2008+): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache Stores 1,024  entries. InsertFlag  exists but does not definitively indicate execution. Windows XP and Windows Server 2003: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatibility\AppCompatCache Windows XP:  Limited to 96  entries. Windows Server 2003:  Can hold up to 512  entries. Stores additional data, such as the l ast execution time (not available in later versions). ------------------------------------------------------------------------------------------------------- Key Characteristics of AppCompatCache 1. AppCompatCache Entries Are Only Written on Shutdown/Reboot Unlike other execution-based artifacts such as Prefetch , the AppCompatCache registry key is updated only when the system shuts down or reboots   (starting with Windows 7). If the system is still running, recent entries exist only in memory and will not be present in an offline forensic analysis. 2. The InsertFlag Field is Unreliable Windows Vista introduced the InsertFlag  field, which was initially thought to indicate whether an application had executed. However, research has shown that the InsertFlag is not a definitive marker of execution . On modern Windows systems, it is common to find executables with Prefetch evidence of execution , yet their InsertFlag remains set to false in the AppCompatCache. 3. Entries May Be Created Even Without Execution One of the most interesting forensic features of AppCompatCache is that executable files may be logged in the registry before execution. This can happen if an executable is simply downloaded, extracted, or viewed  in Windows Explorer. As a result, it can provide valuable insights even when no actual execution occurs. 4. Multiple AppCompatCache Databases May Exist Windows maintains multiple control sets  within the SYSTEM hive, each potentially containing different AppCompatCache data. The active control set is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet For offline forensic analysis, you need to determine the current control set by checking the value in: HKEY_LOCAL_MACHINE\SYSTEM\Select\Current Analyzing historical control sets may provide additional forensic evidence. ------------------------------------------------------------------------------------------------------- Forensic Analysis and Tools We will talk about more in depth about two tool in next article. But i will give u name of tools lol. 1. Eric Zimmerman’s AppCompatCacheParser 2. Mandiant’s ShimCacheParser.py Check out article link below: https://www.cyberengage.org/post/shimcache-amcache-analysis-tool-appcompactcacheparser-exe-amcacheparser-exe ------------------------------------------------------------------------------------------------------- Practical Forensic Use Cases 1. Tracking Malware Execution If an attacker launches a malicious payload and then deletes it, traditional artifacts like Prefetch or Event Logs might also be removed. However, AppCompatCache may still retain evidence of its existence . 2. Detecting Deleted or Renamed Files If a tool like psexec is renamed after being downloaded, Windows will record multiple  entries in AppCompatCache—one for each filename. This makes it an effective way to detect file renaming and modification  tactics. 3. Identifying Time Manipulation If the last modified time recorded in AppCompatCache differs from the executable's actual timestamp , it suggests that the file’s metadata was tampered with—possibly as an anti-forensic measure. 4. Finding Evidence of Pre-Execution If an attacker downloads a malicious payload but never executes it, traditional execution-based artifacts like Prefetch won’t show any traces. However, AppCompatCache might still contain an entry if the file was simply viewed in Windows Explorer. ------------------------------------------------------------------------------------------------------- If you ask me while Testing and limitation few things i noticed: Example Scenario Consider a folder named demo containing 1.exe to 100.exe: Viewing Files : If you open the demo folder in Explorer and see only the first 24 executables without scrolling, and then run 100.exe from CMD: After rebooting and parsing Shimcache with Eric Zimmerman’s AppCompatCacheParser, the output will show 100.exe as the first entry, followed by the 24 executables you viewed in Explorer . Scrolling in Explorer : If you scroll down to 28.exe in the demo folder: After rebooting and parsing Shimcache, the entries from 25.exe to 28.exe  will appear at the top. Important Considerations Explorer vs. CMD : Only files viewed in Explorer are added to Shimcache. Viewing a folder in CMD does not create entries, but executing a file from CMD does. ----------------------------------------------------------------------------------------------------------- From my point of view Shimcache is no longer reliable as evidence in Window 10 or 11. ----------------------------------------------------------------------------------------------------------- Conclusion AppCompatCache is an invaluable forensic artifact that provides insight into application presence and potential execution , even when traditional artifacts are unavailable. While it has limitations—such as unreliable execution indicators and the need for a system reboot to commit data—it remains a critical resource  for tracking attacker activity. -------------------------------------------------Dean ----------------------------------------------------- Stay ahead of attackers by mastering this powerful forensic artifact!