What is the “ShimCache” Windows forensic artifact?

ShimCache, also known as the Application Compatibility Cache (AppCompatCache), is a mechanism within the Windows operating system designed to identify application compatibility issues. It is stored in the SYSTEM registry hive, located at SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache. The cache tracks metadata for executable files as they are browsed in Explorer or executed, storing information such as the full file path, last modified timestamp, and, in some OS versions, file size and last execution time. The cache is maintained in memory and written back to the registry at shutdown, so the hive on a running system may lag behind the live cache.

ShimCache is a powerful artifact in a DFIR investigation because it provides strong evidence of program execution or at least file system interaction. The entries in the cache can reveal the existence of an executable file, even if it has since been deleted or wiped from disk using anti-forensic tools. This is particularly useful for identifying the presence of malware droppers, portable hacking tools, or any program that an attacker tried to clean up. Note that the timestamp stored per entry is the file's last modified time, not the time it ran, and on recent Windows versions an entry alone does not prove execution, so findings should be corroborated. By correlating the file paths and timestamps from ShimCache with other artifacts like the MFT and Event Logs, an investigator can construct a more complete and accurate timeline of an intrusion and determine which malicious tools were introduced to the system.
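To make the decoding step concrete, here is an added example (not TensorGuard's code) that parses the raw `AppCompatCache` value data in the Windows 10 on-disk layout and builds a constructed sample blob to run against offline. It assumes the value has already been extracted from an exported SYSTEM hive with a hive parser; earlier Windows versions use different entry layouts and are not handled.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN10_SIGNATURE = b"10ts"    # per-entry magic in the Windows 10 layout
WIN10_HEADER_SIZE = 0x34     # header length on Windows 10 Creators Update and later


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_appcompatcache_win10(blob: bytes) -> list[dict]:
    """Walk the AppCompatCache value data and return one dict per cached entry."""
    header_size = struct.unpack_from("<I", blob, 0)[0]   # first DWORD is the offset to the entries
    offset = header_size
    entries = []
    while offset + 12 <= len(blob) and blob[offset:offset + 4] == WIN10_SIGNATURE:
        # entry header: signature(4) | unknown(4) | size of the remaining entry data(4)
        entry_size = struct.unpack_from("<I", blob, offset + 8)[0]
        body = blob[offset + 12:offset + 12 + entry_size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        pos = 2 + path_len
        filetime = struct.unpack_from("<Q", body, pos)[0]   # file's last modified time, not exec time
        data_size = struct.unpack_from("<I", body, pos + 8)[0]
        data = body[pos + 12:pos + 12 + data_size]
        entries.append({
            "path": path,
            "last_modified": filetime_to_datetime(filetime) if filetime else None,
            "data": data,
        })
        offset += 12 + entry_size
    return entries


def build_sample_cache(records: list[tuple[str, int]]) -> bytes:
    """Construct a Windows 10-layout blob for offline testing (sample data, not a real hive)."""
    out = bytearray(struct.pack("<I", WIN10_HEADER_SIZE).ljust(WIN10_HEADER_SIZE, b"\x00"))
    for path, filetime in records:
        p = path.encode("utf-16-le")
        body = struct.pack("<H", len(p)) + p + struct.pack("<Q", filetime) + struct.pack("<I", 0)
        out += WIN10_SIGNATURE + b"\x00" * 4 + struct.pack("<I", len(body)) + body
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_cache([(r"C:\Windows\Temp\dropper.exe", 132000000000000000)])
    for e in parse_appcompatcache_win10(sample):
        print(e["last_modified"], e["path"])
```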


Collecting, Decoding, and Viewing “ShimCache” with TensorGuard

  1. Create a TensorGuard account and sign in to the TensorGuard console at https://app.tensorguard.com.
  2. Select “Case Manager”, then the plus button to create a case. This will contain your enrolled devices, their reports, and any manually submitted collections.
  3. From the case menu, download the TensorGuard Forensic Collector and run it on your target system.
  4. In the console, click the plus button for “New Enrollment”, copy the enrollment key, and paste it into the TensorGuard Forensic Collector on your target device.
  5. Now that you have a device enrolled, select the device(s), and click “Send Signal”. Answer the questions regarding what you want to look for in the analysis, any alerting on positive findings, and if the collection and analysis should be recurring.
  6. Once the report is generated, you’ll have ShimCache delivered in the browser, alongside an executive summary and timeline of findings.
