Amcache and Shimcache Forensics

Amcache and Shimcache can be a powerful source of evidence that helps expedite forensic investigations. This evidence can provide a timeline of which programs were executed, when each was first run, and when it was last modified.

Forensic investigators can use Amcache and Shimcache artifacts to find many types of information, including but not limited to:

  • The Shimcache tracks metadata such as the full file path, last modified date, and file size
  • Amcache.hve records the recent processes that were run
  • The events in Shimcache.hve are listed in chronological order with the most recent event first
  • Amcache.hve records each program's SHA1 hash, so it can be looked up in databases like VirusTotal for easy identification
  • The Shimcache only contains information from before the system's last startup, because the current entries are held only in memory
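As an added example (not part of the original page or its PDF), the parser below reads Shimcache entries from a raw AppCompatCache registry value and returns them in the stored order, so index 0 is the most recent entry and each entry carries the full path and last modified date the list above describes. It assumes the Windows 10 on-disk layout as documented by public parsers (a header whose first DWORD is its own size, then `10ts`-tagged entries); the sample value is constructed here with the helper `build_entry`.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_shimcache_win10(blob):
    """Return [(path, last_modified, data_len)] from an AppCompatCache value.
    Assumed Windows 10 layout: header whose first DWORD is its own size
    (0x30 or 0x34), then entries: b'10ts', 4 unknown bytes, DWORD entry length,
    WORD path length, UTF-16LE path, FILETIME last-modified, DWORD data length,
    data. Entries are kept in MRU order, so index 0 is the most recent."""
    off = struct.unpack_from("<I", blob, 0)[0]
    entries = []
    while off + 12 <= len(blob) and blob[off:off + 4] == b"10ts":
        entry_len = struct.unpack_from("<I", blob, off + 8)[0]
        body = blob[off + 12:off + 12 + entry_len]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        ft, data_len = struct.unpack_from("<QI", body, 2 + path_len)
        # last_modified is the file's modification time, not the time it ran
        entries.append((path, filetime_to_datetime(ft), data_len))
        off += 12 + entry_len
    return entries

def build_entry(path, last_modified, data=b""):
    """Constructed fixture builder that mirrors the layout parsed above."""
    p = path.encode("utf-16-le")
    ft = ((last_modified - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    body = struct.pack("<H", len(p)) + p + struct.pack("<QI", ft, len(data)) + data
    return b"10ts" + b"\0" * 4 + struct.pack("<I", len(body)) + body

# Constructed sample value: two entries, most recently inserted first.
SAMPLE_VALUE = (
    struct.pack("<I", 0x30) + b"\0" * (0x30 - 4)
    + build_entry(r"C:\Users\alice\AppData\Local\Temp\update.exe",
                  datetime(2023, 5, 2, 9, 15, tzinfo=timezone.utc))
    + build_entry(r"C:\Windows\System32\svchost.exe",
                  datetime(2022, 11, 8, 3, 0, tzinfo=timezone.utc), b"\x01\x00")
)

if __name__ == "__main__":
    for rank, (path, mtime, _) in enumerate(parse_shimcache_win10(SAMPLE_VALUE)):
        print(rank, mtime.isoformat(), path)
```

Because the value is only written to the SYSTEM hive at shutdown, entries from the current boot session are not present in the on-disk data this parser reads.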

In this PDF, you will learn when and how to leverage Amcache and Shimcache artifacts in digital forensic cases.