Windows forensics 2: Windows application compatibility

Info, Blue Teaming, 2023

Description:

Let's continue our series of posts on Windows forensics. Today we're going to talk about additional artifacts we can use to establish evidence of application execution.


  • Amcache.hve is a registry hive that stores additional information and metadata about executed programs, including the SHA-1 hash of the binary that was executed. It lives at:
c:\Windows\AppCompat\Programs\

[screenshot: windows-compatibility]

  • You can grab Amcache.hve using FTK Imager

Download FTK Imager

  • We can parse this artifact using a tool named AmcacheParser

Download AmcacheParser

AmcacheParser.exe --csv .\ -f .\Amcache.hve

[screenshot: amcacheparser]

  • Another artifact, the AppCompatCache (aka ShimCache), is written to the registry on system shutdown, under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
  • We can view this artifact using Registry Explorer

Download Registry Explorer

[screenshot: appcompatcache]

  • Since the information is not really readable in Registry Explorer, we can use AppCompatCacheParser to get a better look

Download AppCompatCacheParser

AppCompatCacheParser.exe --csv .\ -t -f .\SYSTEM

[screenshot: AppCompatCacheParser]
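To show what AppCompatCacheParser is decoding from that key, here is an added Python parser (not part of the original post, nor of Zimmerman's tools) for the Windows 10 "10ts" AppCompatCache value layout, run over a constructed sample blob. A real value would be read from the AppCompatCache key of the SYSTEM hive (offline, as above, or via winreg on a live host); the sample paths and timestamps below are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01) to a UTC datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def parse_win10_appcompatcache(blob):
    """Parse a Windows 10 AppCompatCache value into (path, last_modified) tuples.
    Layout: a header whose first DWORD is the offset of the first entry; each
    entry is '10ts', 4 unknown bytes, a DWORD entry size, then a WORD path
    length, the UTF-16LE path, a FILETIME last-modified stamp, a DWORD data
    length and the data blob. Note: the stamp is the file's $STANDARD_INFORMATION
    modification time, not the time the program ran."""
    entries = []
    pos = struct.unpack_from("<I", blob, 0)[0]   # header size = first entry offset
    while pos + 12 <= len(blob):
        sig, _unknown, entry_size = struct.unpack_from("<4sII", blob, pos)
        if sig != b"10ts":
            break            # end of cache, or an older/corrupt format we don't handle
        body = blob[pos + 12 : pos + 12 + entry_size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2 : 2 + path_len].decode("utf-16-le")
        mtime, _data_len = struct.unpack_from("<QI", body, 2 + path_len)
        entries.append((path, filetime_to_dt(mtime)))
        pos += 12 + entry_size
    return entries

def build_entry(path, mtime, data=b""):
    """Construct one '10ts' entry; only used to build the sample blob below."""
    p = path.encode("utf-16-le")
    body = struct.pack("<H", len(p)) + p + struct.pack("<QI", mtime, len(data)) + data
    return b"10ts" + b"\x00" * 4 + struct.pack("<I", len(body)) + body

# Constructed sample (not real data): a 0x34-byte header followed by two entries.
SAMPLE_MTIME = 132_000_000_000_000_000          # FILETIME for 2019-04-17 18:40:00 UTC
SAMPLE_BLOB = (struct.pack("<I", 0x34) + b"\x00" * 0x30
               + build_entry(r"C:\Windows\System32\cmd.exe", SAMPLE_MTIME)
               + build_entry(r"C:\Users\user\Downloads\tool.exe", SAMPLE_MTIME + 600_000_000))

if __name__ == "__main__":
    for path, ts in parse_win10_appcompatcache(SAMPLE_BLOB):
        print(ts.isoformat(), path)
```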