
Analyzing Shimcache Forensics - Python Forensics #1

Updated: Mar 14, 2022


In this article, I am going to share a few important concepts about Shimcache and its value when investigating a Windows system offline. We are also going to extract this valuable information with a well-known tool made by Eric Zimmerman, and use a Python-based add-on I created especially for this workshop.



What are Shimcache Artifacts?

The Windows Shimcache (Application Compatibility Cache) was created by Microsoft, beginning with Windows XP, to track compatibility issues with executed programs. The cache stores various file metadata depending on the operating system, such as:

  • File Full Path

  • File Size

  • Shimcache Last Updated time

  • Process Execution Flag

  • $Standard_Information (SI) Last Modified time

Similar to a log file, the Shimcache works on a First In, First Out (FIFO) basis, meaning that the oldest data is replaced by new entries. The amount of data retained varies by operating system; only the last 1024 entries are kept.


Shimcache stores the executable file name, file path and a timestamp (the file's last modification time, not the time it was run). Caching to the registry happens only when the computer is rebooted or shut down.


Shimcache is also useful for establishing that a file existed on a system. With its help we can show that a file once existed there, or was browsed on an external drive or path.


Extracting Shimcache information into a CSV file

To extract the information we need, we can use Eric Zimmerman's executable "AppCompatCacheParser.exe" (LINK) and run the command -

AppCompatCacheParser.exe --csv \Path-To-Save --csvf FILE-NAME.csv

Then the FILE-NAME.csv file will appear in the \Path-To-Save directory -


Now we could use a data-visualization tool such as Timeline Explorer, but this time we are going to use a tool written by us, in Python.


First, we import the needed libraries, of course including data-analysis ones such as matplotlib and csv -

Then I chose to create three different modules -

  1. Drives - the most common drive letters appearing in the CSV file.

  2. Directories - the most common directories appearing in the CSV file.

  3. Extensions - the most common file extensions appearing in the CSV file.

These modules give us a clear first view when analysing the Shimcache entries in the CSV file: big-picture information about how the system was used before the compromise.


Most Common Drives

In this module, I extract the Path from the CSV file as a string and use string slicing to get the first 3 characters (for example C:\), which will be the drives used and cached -

The output is a plot of the most common drives used and cached -

As we can see, the C: drive was the most common one in the last 1024 entries; D: and F: had only a few hits.



Most Common Directories

In this module, I extract the Path from the CSV file as a string and use string slicing to get the first 16 characters, which will be the directories used and cached (a fixed-width slice only yields a whole directory name when it is exactly 16 characters long, as C:\Program Files is) -

The output is a plot of the most common directories used and cached -

As we can see, the C:\Program Files directory was the most common one in the last 1024 entries. C:\Windows\Temp and the Desktop also had a few hits.



Most Common Extensions

In this module, I extract the Path from the CSV file as a string and use string slicing to get the last 3 characters, which will be the file extensions used and cached -

The output is a plot of the most common file extensions used and cached -

As we can see, executable files (.exe) were the most common ones in the last 1024 entries. .temp and many others also had a few hits.
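As an added example (this is not the article's code and not the project on the author's GitHub page), the following Python script implements the three modules above against the CSV that AppCompatCacheParser produces. It goes beyond the article's fixed-width slicing by splitting paths with pathlib, so drive letters, UNC anchors, top-level directories of any length and extensions are recovered cleanly, and it can optionally keep only entries whose Executed flag is set. The column names (Path, Executed) are assumed to match the parser's output, and the sample rows are constructed, not real Shimcache data.

```python
"""Added example (not the article's code): summarise an AppCompatCacheParser
CSV by drive, top-level directory and file extension, then plot each table.

Assumed (not stated in the article): the CSV uses the column names
AppCompatCacheParser writes; only `Path` and `Executed` are read here.
The sample rows below are constructed, not real Shimcache data."""
import csv
import io
import sys
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the assumed AppCompatCacheParser column layout.
SAMPLE_CSV = r"""ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile
1,0,C:\Program Files\Tool\tool.exe,2022-03-01 10:00:00,True,False,SYSTEM
1,1,C:\Windows\Temp\setup.tmp,2022-03-02 11:00:00,False,False,SYSTEM
1,2,C:\Users\bob\Desktop\notes.bat,2022-03-03 12:00:00,True,False,SYSTEM
1,3,D:\backup\installer.exe,2022-03-04 13:00:00,True,False,SYSTEM
1,4,C:\Program Files\Other\other.exe,2022-03-05 14:00:00,True,False,SYSTEM
1,5,F:\tools\procmon.exe,2022-03-06 15:00:00,True,False,SYSTEM
"""


def load_paths(csv_text, executed_only=False):
    """Return the Path column; optionally keep only rows whose Executed flag is
    True (on Windows versions without the flag the parser writes N/A, so
    executed_only=True would drop everything there)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    paths = []
    for row in rows:
        if not row.get("Path"):
            continue
        if executed_only and row.get("Executed", "").strip().lower() != "true":
            continue
        paths.append(row["Path"])
    return paths


def drive_of(path):
    """Drive in the article's 3-character form (drive letter, colon, backslash);
    a UNC path keeps its server/share anchor instead of being sliced blindly."""
    drive = PureWindowsPath(path).drive
    return drive + "\\" if drive else "(no drive)"


def top_directory(path, depth=1):
    """First `depth` directory components under the drive, e.g. the 16-character
    Program Files directory; unlike a fixed slice it works for any name length."""
    parts = PureWindowsPath(path).parts
    keep = min(1 + depth, max(len(parts) - 1, 1))  # never include the file name
    return str(PureWindowsPath(*parts[:keep]))


def extension_of(path):
    """Lower-cased file extension including the dot, or "(none)"."""
    suffix = PureWindowsPath(path).suffix.lower()
    return suffix or "(none)"


def summarise(paths, top=10):
    """The article's three modules as (label, count) tables, most common first."""
    return {
        "drives": Counter(map(drive_of, paths)).most_common(top),
        "directories": Counter(map(top_directory, paths)).most_common(top),
        "extensions": Counter(map(extension_of, paths)).most_common(top),
    }


def plot_counts(title, counts, outfile):
    """Bar chart with matplotlib as in the article; False if nothing was drawn."""
    if not counts:
        return False
    try:
        import matplotlib
        matplotlib.use("Agg")  # write a PNG, no display needed
        import matplotlib.pyplot as plt
    except ImportError:
        return False
    labels, values = zip(*counts)
    fig, ax = plt.subplots()
    ax.bar(labels, values)
    ax.set_title(title)
    ax.tick_params(axis="x", labelrotation=45)
    fig.tight_layout()
    fig.savefig(outfile)
    plt.close(fig)
    return True


if __name__ == "__main__":
    # Usage: python shimcache_summary.py FILE-NAME.csv   (no argument: sample data)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:  # tolerate a BOM
            text = fh.read()
    else:
        text = SAMPLE_CSV
    for name, table in summarise(load_paths(text)).items():
        print(name, table)
        plot_counts(f"Most common {name}", table, f"shimcache_{name}.png")
```

Run it with the CSV path as the first argument; each of the three tables is printed and, if matplotlib is installed, saved as a bar chart. Keep in mind when reading the tables that a Shimcache entry only shows the file was present on the system, and that its timestamp is the file's last modification time rather than the time it ran.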



The Code

The full project can be found on my personal GitHub page: https://github.com/idanbuller

© Security Hive 2020