Application compatibility forensics

Another vid by 13cubed, covering three additional artefacts that provide evidence of program (application) execution: the Windows Application Compatibility Cache (Shimcache), RecentFileCache.bcf, and Amcache.hve. On a Windows 10 VM, AppCompatCacheParser can be used to parse Shimcache and AmcacheParser to parse Amcache.hve. Volatility with the “shimcachemem” plugin can be used to pull Shimcache directly from a memory image, and a resource is provided for obtaining additional information about RecentFileCache.bcf.