Let's Talk About Shimcache - The Most Misunderstood Artifact


In this episode, we'll take an in-depth look at Windows Shimcache (aka AppCompatCache, or "Application Compatibility Cache"). In my experience, this is the most misunderstood Windows forensic artifact. Let's clear up the confusion by reviewing the artiFACTS. Then, we'll jump into a demo and see all of this in action over the course of several reboots.

Update:
In Windows 10, although the "Execution Flag" or "InsertFlag" was removed (as mentioned in the video), the last 4 bytes of the data recorded by Shimcache, if set to a value of 1, can indicate execution for non-native Windows binaries. As a result, Zimmerman's AppCompatCacheParser was updated after this video was recorded. For Windows 10/11 systems, you will now likely see a "Yes" or "No" instead of the previous "N/A" values.

This artifact should not be relied upon as definitive proof of execution. For more detailed information and research, please refer to nullsec.us's deep dive into Windows 10/11 AppCompatCache, available here: https://nullsec.us/windows-10-11-appc...
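To make the "last 4 bytes" point above concrete, here is an added example (my own code, not 13Cubed's, Zimmerman's, or nullsec.us's) that walks a handful of Windows 10-style Shimcache entries and reports the trailing DWORD the way the updated parser does with "Yes"/"No". The entry layout (a `10ts` signature, a 4-byte unknown field, a 4-byte body size, then a 2-byte path length, the UTF-16LE path, an 8-byte FILETIME and a length-prefixed data blob) is my reading of the format and an assumption, not something the page states; the cache bytes are constructed inline so it runs offline, and the verdict is treated as a hint rather than proof of execution, exactly as the update warns.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed entry layout (not from the page): "10ts" signature, 4-byte unknown/
# checksum, 4-byte body size, then 2-byte path length, UTF-16LE path, 8-byte
# FILETIME last-modified, 4-byte data size and the data blob itself.
SIGNATURE = b"10ts"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    """Aware datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def filetime_to_datetime(ft):
    """Windows FILETIME -> aware datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_entry(path, last_modified, data):
    """Build one synthetic entry; used only to construct sample cache bytes."""
    path_bytes = path.encode("utf-16-le")
    body = (struct.pack("<H", len(path_bytes)) + path_bytes
            + struct.pack("<Q", datetime_to_filetime(last_modified))
            + struct.pack("<I", len(data)) + data)
    return SIGNATURE + struct.pack("<I", 0) + struct.pack("<I", len(body)) + body


def execution_flag(data):
    """Apply the heuristic from the page's update: a trailing DWORD of 1 in the
    entry data is reported as "Yes". This is an indicator, not proof that the
    binary ran, and entries too short to carry the DWORD stay "N/A"."""
    if len(data) < 4:
        return "N/A"
    return "Yes" if struct.unpack_from("<I", data, len(data) - 4)[0] == 1 else "No"


def parse_entries(blob, offset=0):
    """Walk consecutive '10ts' entries starting at offset and decode each one."""
    entries = []
    while offset + 12 <= len(blob) and blob[offset:offset + 4] == SIGNATURE:
        body_size = struct.unpack_from("<I", blob, offset + 8)[0]
        pos = offset + 12
        path_len = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        path = blob[pos:pos + path_len].decode("utf-16-le")
        pos += path_len
        ft = struct.unpack_from("<Q", blob, pos)[0]
        pos += 8
        data_size = struct.unpack_from("<I", blob, pos)[0]
        pos += 4
        data = blob[pos:pos + data_size]
        entries.append({
            "path": path,
            "last_modified": filetime_to_datetime(ft),  # file mtime, not run time
            "executed": execution_flag(data),
        })
        offset += 12 + body_size
    return entries


# Constructed sample cache: two entries, only the first ends in a DWORD of 1.
SAMPLE_TIME = datetime(2023, 1, 1, tzinfo=timezone.utc)
SAMPLE_CACHE = (
    build_entry(r"C:\Tools\procexp64.exe", SAMPLE_TIME,
                b"\x00" * 12 + struct.pack("<I", 1))
    + build_entry(r"C:\Users\analyst\Downloads\setup.exe", SAMPLE_TIME,
                  b"\x00" * 16)
)

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_CACHE):
        print(f"{e['last_modified'].isoformat()}  executed={e['executed']:<3}  {e['path']}")
```

The timestamp column is the file's last-modified time carried in the entry, not a time of execution; that distinction, and the fact that a "Yes" only means the trailing DWORD was set, is what keeps Shimcache from being proof of execution on its own.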

** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **

📖 Chapters

00:00 - Intro
08:01 - Demo
09:05 - Demo (Reboot #1)
11:58 - Demo (Reboot #2)
14:27 - Demo (Reboot #3)
16:35 - Demo (Reboot #4)
18:31 - Demo (Reboot #5) and Conclusion

🛠 Resources

Eric Zimmerman Tools:
https://ericzimmerman.github.io/

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
