ShimCache, also known as AppCompatCache (Application Compatibility Cache)
Let's check the forensic value of the ShimCache artifact:
1. ShimCache data is stored under the SYSTEM registry hive.
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
2. On Windows 7 and above, ShimCache maintains up to 1024 entries, whereas on Windows XP up to 96 entries were maintained.
3. ShimCache is an important artifact because it tracks and stores entries for binaries that were executed or browsed using Windows Explorer. Through ShimCache we can get information about binaries since the system was rebooted.
4. ShimCache also records entries for binaries that were executed from the command prompt (CMD).
Conclusion:
ShimCache is a valuable artifact that records traces of executables present on the system. We can rely on ShimCache as evidence that a binary existed, although we cannot comment on the execution part.
ShimCache stores entries for binaries that are executed or browsed via Windows Explorer, and it also captures entries for binaries that are executed via the command prompt (CMD).
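As an added example (not part of the original page or video), the sketch below parses a raw AppCompatCache value exported from the SYSTEM hive and lists each recorded path with the file's last-modified time. It assumes the commonly documented Windows 10 layout (header size 0x30 or 0x34 in the first DWORD, entries signed `10ts`); the function names are hypothetical and the sample value is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIG = b"10ts"  # entry signature in the assumed Windows 10 layout

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_shimcache_win10(blob):
    """Return [(position, path, last_modified)] from a raw AppCompatCache value."""
    if len(blob) < 4:
        raise ValueError("value too short")
    offset = struct.unpack_from("<I", blob, 0)[0]  # first DWORD = header size
    if offset not in (0x30, 0x34) or blob[offset:offset + 4] != ENTRY_SIG:
        raise ValueError("not a Windows 10 style AppCompatCache value")
    entries = []
    while offset + 12 <= len(blob) and blob[offset:offset + 4] == ENTRY_SIG:
        body_len = struct.unpack_from("<I", blob, offset + 8)[0]
        body = blob[offset + 12:offset + 12 + body_len]
        if len(body) < body_len or body_len < 2:
            break  # truncated entry: stop rather than read garbage
        path_len = struct.unpack_from("<H", body, 0)[0]
        if 2 + path_len + 8 > body_len:
            break  # path length field points past the entry
        path = body[2:2 + path_len].decode("utf-16-le", errors="replace")
        mtime = struct.unpack_from("<Q", body, 2 + path_len)[0]
        entries.append((len(entries), path, filetime_to_dt(mtime)))
        offset += 12 + body_len
    return entries

def build_sample():
    """Constructed test value, not real registry data."""
    def entry(path, ft):
        p = path.encode("utf-16-le")
        body = struct.pack("<H", len(p)) + p + struct.pack("<QI", ft, 0)
        return ENTRY_SIG + b"\0" * 4 + struct.pack("<I", len(body)) + body
    header = struct.pack("<I", 0x34) + b"\0" * 0x30
    return (header + entry(r"C:\Users\Public\tool.exe", 133071552000000000)
            + entry(r"C:\Windows\System32\cmd.exe", 132000000000000000))

if __name__ == "__main__":
    for pos, path, mtime in parse_shimcache_win10(build_sample()):
        # mtime is the file's last-modified time, not an execution time
        print(pos, mtime.isoformat(), path)
```

The timestamp in each entry is the file's last-modified time, which is why the output supports existence of a binary but not when, or whether, it ran.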
Video: Windows Artifact Series || ShimCache, added by user IRB0T on 09 September 2022.