Tedi HeriyantoNov 3, 2024

ShimCache vs AmCache: Key Windows Forensic Artifacts: https://www.magnetforensics.com/blog/shimcache-vs-amcache-key-windows-forensic-artifacts/

#digitalforensics #WindowsForensics #shimcache #amcache

ShimCache vs AmCache: Key Windows Forensic Artifacts - Magnet Forensics

Discover the forensic value of ShimCache & AmCache on Windows systems to track program execution, build timelines, and uncover cyber threats.

Magnet Forensics
13reak Apr 17, 2023

#dfir #question

Recently had an analysis where neither #amcache nor #shimcache showed an executable. However, the executable definitely ran.

Anyone knows when this happens? (might be connected: I'm not sure if the user was logged in interactively)

Z0vskyJan 21, 2019

RT @[email protected]

#DFIR folks, if you want to know (almost) everything about the #AmCache, I've just published a year worth of research, you can find it here: https://www.ssi.gouv.fr/en/publication/amcache-analysis/
@[email protected]
Feedbacks are very welcomed!

🐦🔗: https://twitter.com/moustik01/status/1087388584506736640

AmCache Analysis

The AmCache is an artifact which stores metadata related to PE execution and program installation on Windows 7 and Server 2008 R2 and above.

Show threadStéphane BortzmeyerJan 21, 2019
#AmCache enregistre et stocke des informations sur ce qui a été exécuté sur une machine MS-Windows. Utile pour l'investigation. #Coriin
Show threadStéphane BortzmeyerJan 21, 2019

Maintenant, #AmCache, par l'ANSSI.« Je me prénomme Blanche et ma présentation est TLP Blanche » « Élise Lucet n'était pas libre alors je viens vous parler d'investigation » #Coriin

L'AmCache est un truc Microsoft mais peu documenté.