Windows Artifact Series || ShimCache

Published: 09 September 2022
on channel: IRB0T

ShimCache, also known as AppCompatCache (Application Compatibility Cache)
Let's check the forensic value of the ShimCache artifact.
1. ShimCache data is stored under the SYSTEM registry hive:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
2. On Windows 7 and above, ShimCache maintains up to 1024 entries, whereas Windows XP maintained up to 96.
3. ShimCache is an important artifact as it tracks and stores entries for binaries that were executed or browsed using Windows Explorer. Through ShimCache we can obtain information about binaries since the system was last rebooted.
4. ShimCache will also record entries for binaries that were executed from the command prompt (CMD).

Conclusion:
ShimCache is a valuable artifact which records traces of executables that are present on the system. We can rely on ShimCache as evidence of the existence of a binary, although we cannot comment on whether it was executed.
ShimCache will store entries for binaries that were executed or browsed via Windows Explorer, and it will also capture entries for binaries that were executed via the command prompt (CMD).
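To make the notes above concrete, here is an added example (not from the video or its author) that parses the raw AppCompatCache value as Windows 10 stores it. It assumes the Windows 10 entry layout with the "10ts" signature (header size 0x30, or 0x34 from the Creators Update onward): signature, a 4-byte checksum, the entry length, a 2-byte path length, the UTF-16LE path, an 8-byte FILETIME, and a length-prefixed data blob. Two points the parser makes visible that the notes only imply: the timestamp in each entry is the cached file's last-modified time, not the time the entry was recorded, and no field in this format says whether the binary actually ran, which is exactly why the conclusion limits ShimCache to proving existence. The sample blob is constructed inline so the script runs offline; on a real SYSTEM hive taken offline, CurrentControlSet does not exist and you select the ControlSet00N named by the Select\Current value before reading the key from item 1.

```python
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"10ts"  # Windows 10 entry signature
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601."""
    if ft == 0:
        return None
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def parse_appcompatcache(blob):
    """Parse a Windows 10 AppCompatCache registry value.

    Returns entries in cache order (index 0 is the most recently inserted or
    moved entry). The timestamp is the cached file's last-modified time, not
    the time the entry was recorded, and nothing in the format records execution.
    """
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in (0x30, 0x34):
        raise ValueError(f"header size 0x{header_size:x} is not a Windows 10 cache")

    entries = []
    offset = header_size
    while offset + 12 <= len(blob):
        sig, _checksum, remaining = struct.unpack_from("<4sII", blob, offset)
        if sig != SIGNATURE:
            break  # end of valid entries (or an unsupported layout)
        offset += 12
        end = offset + remaining
        if end > len(blob):
            break  # truncated entry: stop rather than misparse the tail
        path_len = struct.unpack_from("<H", blob, offset)[0]
        path = blob[offset + 2:offset + 2 + path_len].decode("utf-16-le")
        pos = offset + 2 + path_len
        last_modified, data_size = struct.unpack_from("<QI", blob, pos)
        pos += 12
        entries.append({
            "index": len(entries),
            "path": path,
            "last_modified": filetime_to_iso(last_modified),
            "data": blob[pos:pos + data_size],
        })
        offset = end
    return entries


# --- constructed sample data (built here for the demo, not from a real hive) ---

def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def build_entry(path, last_modified, data=b""):
    """Serialize one Windows 10 cache entry from its fields (checksum left zero)."""
    p = path.encode("utf-16-le")
    body = struct.pack("<H", len(p)) + p + struct.pack("<QI", last_modified, len(data)) + data
    return SIGNATURE + struct.pack("<II", 0, len(body)) + body


def build_sample_cache(header_size=0x34):
    """A two-entry cache blob; paths and timestamps are made up for illustration."""
    header = struct.pack("<I", header_size) + b"\x00" * (header_size - 4)
    entries = (
        build_entry(r"C:\Windows\System32\cmd.exe",
                    datetime_to_filetime(datetime(2022, 9, 9, tzinfo=timezone.utc))),
        build_entry(r"C:\Users\analyst\Downloads\tool.exe",
                    datetime_to_filetime(datetime(2021, 3, 1, 12, 30, tzinfo=timezone.utc)),
                    data=b"\x01\x00\x00\x00"),
    )
    return header + b"".join(entries)


if __name__ == "__main__":
    for e in parse_appcompatcache(build_sample_cache()):
        print(f"{e['index']:>4}  {e['last_modified']}  {e['path']}")
```

Feeding the parser the bytes of the real value (exported from the hive with any registry tool) prints the same three columns: cache position, the file's last-modified time, and the path. Treat the path column as "this file existed and was seen by the compatibility subsystem", and corroborate execution with Prefetch, Amcache or event logs rather than with this artifact alone.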

