Windows Registry: Application Compatibility Cache

By Chad Tilbury on April 19, 2012 in Computer Forensics, Windows Registry
Leveraging the Application Compatibility Cache in Forensic Investigations (Whitepaper) | http://t.co/O2PFBjm9 #DFIR
Chad Tilbury (@chadtilbury)

UPDATE: A new Registry Ripper plugin, appcompatcache.pl, was written by Harlan Carvey based on this research.

UPDATE 2: The Volatility memory analysis framework now has a plugin, shimcache.py, for finding and parsing the Application Compatibility Cache from a memory image.
