Windows Registry: Application Compatibility Cache

By Chad Tilbury on April 19, 2012 in Computer Forensics, Windows Registry — Leave a comment

Leveraging the Application Compatibility Cache in ForensicInvestigations (Whitepaper) | http://t.co/O2PFBjm9 #DFIR

April 17, 2012 4:18 pm via webReply RetweetFavorite

Chad Tilbury

UPDATE: A new Registry Ripper plugin, appcompatcache.pl, was written by Harlan Carvey based on this research.

UPDATE 2: The Volatility memory analysis framework now has a plugin, shimcache.py, for finding and parsing the Application Compatibility Cache from a memory image.

No Comments

Be the first to start the conversation.

FOR408: Windows Forensics

10/08/13 - 10/13/13 FOR408: Windows Forensics in Prague, CZ at SANS Forensics Europe

FOR508: Advanced Forensics & Incident Response

07/11/13 - 07/16/13 FOR508: Advanced Forensics & Incident Response in Austin, TX at SANS DFIR Summit
09/16/13 - 09/21/13 FOR508: Advanced Forensics & Incident Response in Las Vegas, NV at SANS Network Security 2013
11/18/13 - 11/23/13 FOR508: Advanced Forensics & Incident Response in Seoul at SANS Korea 2013