Windows Artifact Series || Amcache, ShimCache, Prefetch, lnkfiles, jumplist, shellbags
ShimCache
ShimCache is a valuable artifact that records traces of executables present on the system. We can rely on ShimCache as evidence that a binary existed, but on its own it does not prove that the binary was executed.
ShimCache stores entries for binaries that are executed or browsed via Windows Explorer, and it also captures entries for binaries executed from the command prompt (CMD).
ShimCache data is stored in the SYSTEM registry hive:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
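The raw AppCompatCache value is a binary blob whose layout changes between Windows versions. The parser below is an added example written for this page (it is not code from the post or from the AppCompatCacheParser tool linked later) and handles only the Windows 10 layout, where every entry starts with the signature "10ts". The sample blob it parses is constructed inline; on a live host the same bytes would come from reading the registry value above, or offline from the SYSTEM hive. It also makes the page's point concrete: the only timestamp in each entry is the executable's last-modified time, so nothing here shows when (or whether) the binary ran.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ENTRY_SIG = b"10ts"  # per-entry signature in the Windows 10 AppCompatCache layout


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_appcompatcache_win10(blob):
    """Walk the raw AppCompatCache value (Windows 10 layout) and return one dict per entry.

    The first DWORD of the header is the offset of the first entry. Each entry is:
    '10ts' | 4 bytes unknown | 4 bytes entry size | 2 bytes path length |
    UTF-16LE path | 8 bytes last-modified FILETIME | 4 bytes data size | data.
    The timestamp is the executable's NTFS last-modified time, NOT an execution time.
    """
    entries = []
    offset = struct.unpack_from("<I", blob, 0)[0]
    while offset + 14 <= len(blob) and blob[offset:offset + 4] == ENTRY_SIG:
        pos = offset + 12  # skip signature, unknown DWORD and entry-size DWORD
        path_len = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        path = blob[pos:pos + path_len].decode("utf-16-le")
        pos += path_len
        last_mod, data_size = struct.unpack_from("<QI", blob, pos)
        pos += 12
        entries.append({
            "path": path,
            "last_modified": filetime_to_datetime(last_mod),
            "data_size": data_size,
        })
        offset = pos + data_size  # next entry starts after this entry's data
    return entries


def _filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def _entry(path, last_modified, data=b""):
    """Serialise one Windows 10 style entry (constructed test data)."""
    encoded = path.encode("utf-16-le")
    body = (struct.pack("<H", len(encoded)) + encoded
            + struct.pack("<QI", _filetime(last_modified), len(data)) + data)
    return ENTRY_SIG + b"\x00" * 4 + struct.pack("<I", len(body)) + body


def build_sample_blob():
    """Constructed AppCompatCache value with two entries (not taken from a real system)."""
    header = struct.pack("<I", 0x34).ljust(0x34, b"\x00")  # Windows 10 header; entries begin at 0x34
    return (header
            + _entry(r"C:\Windows\System32\cmd.exe", datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc))
            + _entry(r"C:\Tools\ccleaner.exe", datetime(2023, 11, 2, 8, 15, tzinfo=timezone.utc), b"\x00" * 4))


if __name__ == "__main__":
    # On a live Windows host the bytes would come from winreg.QueryValueEx on the
    # AppCompatCache value; here the constructed sample stands in for that.
    for e in parse_appcompatcache_win10(build_sample_blob()):
        print(f"{e['last_modified'].isoformat()}  {e['path']}")
```

Entry order matters too: Windows keeps the cache in most-recently-inserted order, so the position of an entry is a weak ordering clue, while the timestamp alone is not.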
Amcache
Amcache stores records of applications that have been run on a Windows system; in other words, software that was installed on the system can be seen in the Amcache records. Details such as the file path of the executable, the date and time it was first run, and its SHA-1 hash can be found in Amcache records.
Amcache can be found at the following path:
C:\Windows\AppCompat\Programs\Amcache.hve
Note: Amcache records a SHA-1 hash, but that hash has its own limitations.
Prefetch
When an executable is run from a particular location for the very first time, a prefetch file is created. Using prefetch records, an investigator can determine what executable was run on the system and when.
Prefetch helps an investigator prove that a custodian/suspect ran CCleaner, DBAN or any other program that can be used for anti-forensic activity. An investigator/forensic analyst can also find prefetch entries for programs that are no longer present on the system (deleted). Prefetch also helps in malware investigations, to determine when a malicious program ran.
Prefetch files can be found at the following path:
C:\Windows\Prefetch
Registry path to check whether prefetching is enabled or not:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
Values that can be set for “EnablePrefetcher”
0 – Disable Prefetcher
1 – Application launch Prefetching enabled
2 – Boot Prefetching enabled
3 – Application launch and Boot Prefetching enabled
Default value is set to 3
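The two things a practitioner reads from a prefetch file are in its header: the executable name and path hash at fixed offsets, and the last-run time and run count at offsets that depend on the format version. The parser below is an added example for this page (not code from the post or from PECmd) and follows the documented uncompressed layouts for versions 17 (XP/2003), 23 (Vista/7) and 26 (8.1); Windows 10 files are stored compressed and start with "MAM", so it refuses them rather than mis-parse. The sample file is constructed inline with made-up values, and the EnablePrefetcher decoder reads the registry value above as the two flag bits the list describes. As a consistency check, the parser also compares the header against the on-disk name <EXE>-<HASH>.pf, since a mismatch means the file was renamed or crafted.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# (last-run-time offset, run-count offset) per uncompressed format version:
# 17 = XP/2003, 23 = Vista/7, 26 = Windows 8.1.
_LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_enable_prefetcher(value):
    """Interpret the EnablePrefetcher REG_DWORD: bit 0 = application launch, bit 1 = boot."""
    return {"application_launch": bool(value & 1), "boot": bool(value & 2)}


def parse_prefetch(data, on_disk_name=""):
    """Parse the header and run statistics of an uncompressed .pf file.

    Windows 10+ prefetch files are stored LZXPRESS-Huffman compressed and start with
    'MAM'; they must be decompressed before this parser can read them.
    """
    if data[:3] == b"MAM":
        raise ValueError("compressed (Windows 10+) prefetch file; decompress first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature; not a prefetch file")
    if version not in _LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    executable = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_run_off, run_count_off = _LAYOUT[version]
    result = {
        "version": version,
        "executable": executable,
        "path_hash": path_hash,
        "last_run": filetime_to_datetime(struct.unpack_from("<Q", data, last_run_off)[0]),
        "run_count": struct.unpack_from("<I", data, run_count_off)[0],
    }
    if on_disk_name:
        # The file is named <EXE>-<HASH>.pf; a name or hash that disagrees with the
        # header means the file was renamed or crafted and deserves a closer look.
        name_part, _, hash_part = on_disk_name.rsplit(".", 1)[0].rpartition("-")
        result["name_consistent"] = (name_part.upper() == executable.upper()
                                     and int(hash_part, 16) == path_hash)
    return result


def _filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def build_sample_prefetch():
    """Constructed version-23 (Windows 7) prefetch header; every value is made up for the demo."""
    buf = bytearray(0xA0)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))               # file size
    name = "CCLEANER.EXE".encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name                          # executable name, UTF-16LE
    struct.pack_into("<I", buf, 0x4C, 0x1A2B3C4D)              # prefetch path hash (constructed)
    struct.pack_into("<Q", buf, 0x80, _filetime(datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)))
    struct.pack_into("<I", buf, 0x98, 7)                       # run count
    return bytes(buf)


if __name__ == "__main__":
    info = parse_prefetch(build_sample_prefetch(), "CCLEANER.EXE-1A2B3C4D.pf")
    print(info)
    print(decode_enable_prefetcher(3))
```

The last-run time here is the execution timestamp the section talks about; note that the prefetch file's own NTFS creation time is a separate clue (roughly the first run), which is why both are worth recording in a timeline.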
Tools
ShimCache : https://github.com/EricZimmerman/AppCompatCacheParser
Amcache : https://github.com/EricZimmerman/AmcacheParser
Prefetch : https://github.com/EricZimmerman/PECmd
Conclusion
Utilizing Amcache, ShimCache and prefetch files, an investigator can build a timeline of program execution, which will help in further investigation.
lnkfiles
LNK file: a shortcut file that can be seen as a pointer used to open an application, folder or file. It contains information such as the accessed file's name, size, original path, timestamps, volume and machine information. When we want to see traces of recently accessed or deleted files on a Windows machine, LNK files are a useful artifact.
LNK files are user-profile specific; they are recorded per user on the system:
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\
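The timestamps, size and paths that make an LNK file useful all live in the fixed 76-byte ShellLinkHeader and the StringData that follows it. The parser below is an added example for this page (not code from the post, and not a full implementation of the format) that reads those parts per the MS-SHLLINK layout, skipping the optional LinkTargetIDList and LinkInfo blocks by their own size fields. The sample shortcut it parses is constructed inline with made-up paths and times.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# {00021401-0000-0000-C000-000000000046}, the shell link CLSID, in on-disk byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
_STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                (HAS_ICON_LOCATION, "icon_location"))


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_lnk(data):
    """Read the ShellLinkHeader and StringData of a .lnk file.

    The LinkTargetIDList and LinkInfo blocks are skipped by their own size fields;
    the timestamps and size describe the target file at the time the link was written.
    """
    header_size, clsid, flags, attrs, ctime, atime, wtime, size = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if header_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + ItemIDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    result = {
        "flags": flags,
        "file_attributes": attrs,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": size,
    }
    for bit, key in _STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            result[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            result[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return result


def _filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def _string_data(text):
    """One Unicode StringData item: character count followed by UTF-16LE characters."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample_lnk():
    """Constructed shortcut (no IDList, no LinkInfo) pointing at a document; values are made up."""
    utc = timezone.utc
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIH", 0x4C, LINK_CLSID, flags, 0x20,   # 0x20 = FILE_ATTRIBUTE_ARCHIVE
        _filetime(datetime(2023, 5, 4, 9, 0, tzinfo=utc)),
        _filetime(datetime(2023, 5, 6, 17, 45, tzinfo=utc)),
        _filetime(datetime(2023, 5, 5, 13, 20, tzinfo=utc)),
        20480, 0, 1, 0)                                     # FileSize, IconIndex, SW_SHOWNORMAL, HotKey
    header += b"\x00" * 10                                  # Reserved1/2/3
    return (header + _string_data(r"..\..\Documents\report.docx")
            + _string_data(r"C:\Users\alice\Documents"))


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key}: {value}")
```

For a deleted target the header timestamps and size are often the last record of that file's metadata, which is the "traces of deleted files" use the section describes.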
jumplist
Jump Lists are a Windows Taskbar feature that gives the user quick access to recently accessed application files and actions.
Variants of Jump Lists:
AutomaticDestinations: created when the user opens files/folders or accesses a utility or tool
%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
CustomDestinations: created when the user pins an application via the taskbar
%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
shellbags
Shellbags store information about user folder-view preferences. Utilizing shellbags we can get indicators of which folders were accessed/interacted with (via Explorer) on a system, including traces of folders that have since been deleted or overwritten.
Location of shellbags:
NTUSER.DAT
HKCU\Software\Microsoft\Windows\Shell
USRCLASS.DAT
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell