Shimcache with AppCompatCacheParser Amcache.

hve with AmcacheParser

Type of artifact: Evidence of execution
Type of artifact: Evidence of execution
Basic usage
Basic usage AmcacheParser.exe -f <path to>\Amcache.hve –csv
AppCompatCacheParser.exe -f <path to>\SYSTEM c:\temp
--csv c:\temp
Output file is a tab separated file that can be imported
Output file is a tab separated file that can be imported
into Timeline Explorer or Excel.
into Timeline Explorer or Excel. Eric Zimmerman tools
Key data
Key data Cheat Sheet v1.0
FullPath: The full path to the executed file
Full path for executable and execution flag SHA-1: The SHA-1 hash of the file
FileIDLastWriteTimestamp: First executed timestamp DFIR.SANS.ORG
Advanced usage MFTEntryNumber: NTFS entry number from FILE
AppCompatCacheParser.exe --csv c:\temp record Incident Responders are on the front lines
MFTSequenceNumber: NTFS sequence number from
Omitting -f switch pulls AppCompatCache data from of intrusion investigations. This guide aims
FILE record
the Registry hive loaded into memory. to support DFIR analysts in their quest to
uncover the truth.
Advanced usage
The -d switch can be used to inspect all available Use the -b and -w switches to blacklist or whitelist
details for an entry SHA-1 hashes to further reduce the amount of data to
How To Use This Sheet
review

Common functionality Use -i to generate a list of associated program/file This cheat sheet covers the basics of using several
entries command line programs by Eric Zimmerman.
Most tools have common options for exporting data,
displaying higher precision timestamps, using custom This sheet is split into these sections:
Download location
date formats, etc. • Lnk files with LECmd
Individual tools are available at • Prefetch files with PECmd
When --mp is used, higher precision timestamps are
https://ericzimmerman.github.io/. • Jumplists with JLECmd
displayed and will also be reflected in any exported • String searching with bstrings
data. • Shimcache with AppCompatCacheParser
Chocolatey packages for each are also available.
• Amcache.hve with AmcacheParser
Data can be exported to several formats such as csv,
To get all tools at once, use chocolatey to install the
json, HTML, etc. at the same time.
EricZimmermanTools package
PECmd.exe -d <directory> --csv c:\temp --html
c:\temp\html
IT’S TIME TO GO HUNTING!
 Lnk files with LECmd Jump lists with JLECmd String searching with bstrings

Type of artifact: Document creation and opening Type of artifact: Document creation and opening Type of artifact: Any

Basic usage Basic usage Basic usage

LECmd.exe -f <file> JLECmd.exe -f <file> bstrings -f <file>
LECmd.exe -d <directory> JLECmd.exe -d <directory>
To search for specific strings, use --ls
Key data Key data
Target timestamps, Volume information, Absolute file Same as LECmd key data plus Application ID and bstrings -f <file> --ls “forensics”
path, Target ID information DestList entry information (for automaticDestinations
jump lists) Use the -x and -m switches to set maximum and
Advanced usage minimum string lengths
Advanced usage
Use the --all switch to process all files in a directory The --ld and --fd switch can be used to display more Use --off to show the offset for each search hit
vs. only those ending in ‘.lnk’. information about each embedded lnk file.
Advanced usage
Use the --appIDs switch to supply a list of application In addition to Unicode strings, bstrings looks for
IDs that will be added to the internal list of over 375 strings encoded using Western (1252) code page. Use
Prefetch files with PECmd appIDs. the --cp switch to search in any other code page
supported by .net. A full listing of available code
Type of artifact: Evidence of execution In some cases, an automaticDestinations jump list can pages is available at https://goo.gl/ig6DxW
contain additional lnk files tracked in its Directory that
Basic usage are not accounted for in DestList entries. When this bstrings also supports regular expression searches via
PECmd.exe -f <file> happens, a warning will be given and the --withDir the --lr switch. bstrings also contains over a dozen
PECmd.exe -d <directory> switch can be used to process all available lnk files built in regular expression patterns for things like
regardless of them being present in the DestList. credit card numbers, social security numbers, IP
Default output is to standard out. Data can be exported addresses, email addresses, and more. To see a list of
to several formats such as csv, json, HTML, etc. JLECmd also allows for exporting out all available lnk all built-in regular expressions, use the -p switch.
files from a jump list to a directory via the --dumpTo When using a built-in expression, use the value in the
PECmd.exe -d <directory> --csv c:\temp switch. Once lnk files have been dumped from a jump Name column. For example, to look for email
list, they can be investigated using any parser that addresses, use this command:
Key data understands lnk files (LECmd for example).
Execution timestamps, total number of executions, and bstrings -f <some file> --lr email
files/directories referenced
bstrings also allows searching for several strings or
Advanced usage regular expressions at once using the --fr and --fs
To display higher precision timestamps, use the --mp switches
switch. When --mp is used, the higher precision
timestamps will be reflected in any exported data as
well.