Funded by the CC-DRIVER project, the WithSecure™ Incident Response team has introduced a new subcommand for the open-source forensic tool Chainsaw, aptly named “analyse”. This addition incorporates three novel techniques that significantly improve the analysis and timestamp inference of Shimcache entries.
Understanding Shimcache
Shimcache, an integral component of the Windows Application Experience and Compatibility feature, is a vital artefact in digital forensics. It records data about executables introduced to a system, offering valuable insights into execution activity and potential malicious actions. A new entry gets inserted to the Shimcache when a new program gets executed for the first time. However, Shimcache does not inherently include insertion timestamps for its entries (only file-modified timestamps), meaning it does not provide information on the initial times of execution. This can prove to be challenging when creating execution timelines.
The Shimcache is structured as a top-down list of entries with the newest entries being located at the top. The below figure is an illustration of the Shimcache structure. Notice how the insertion timeframes of entries can be inferred using known insertion timestamps and the chronological order of the entries. The timestamps in the figure have been inferred using the new “analyse” subcommand of Chainsaw.
The "Analyse" subcommand in Chainsaw v2.6
The newly introduced "analyse" subcommand in Chainsaw v2.6 addresses the challenge of missing insertion timestamps by enabling incident responders to attribute timestamps from different sources to the entries within the Shimcache. The timestamps are attributed automatically from within the Shimcache itself or from the related artifact Amcache. This represents a significant advancement in automated analysis that was previously unavailable.
Understanding the role of Amcache in enhanced Shimcache analysis
The Amcache, like the Shimcache, is a component of the Windows Application Experience and Compatibility feature. The Amcache records data about installed applications and provides useful initial execution timestamps that can be used to enrich the timing information of Shimcache entries. In the context of this blog, the Amcache plays a crucial role in the new analysis techniques implemented in Chainsaw v2.6, providing additional timestamp data that helps to create a more comprehensive execution timeline from the Shimcache.
Real-world application
The effectiveness of the new analysis techniques was first discovered during a significant security breach linked to the notorious CozyBear/APT29 threat group. The IR team at WithSecure™ was able to consistently observe the threat actor's tactics, techniques, and procedures (TTPs) within the Shimcache. Despite Shimcache's lack of timestamps, the team managed to derive timeframes indicating when the threat actor's activities took place by manually combining timestamp data from the Amcache with the Shimcache entries. This innovative approach led to the identification of the initial date of compromise and the identification of patient zero.
This real-world application and the challenges encountered during the investigation sparked the research into these analysis techniques. With the support of CC-Driver, this research was conducted and successfully led to the implementation of these techniques into Chainsaw. This development not only enhances the tool's capabilities but also contributes significantly to the field of digital forensics.
The techniques
The "analyse" subcommand uses three techniques to identify Shimcache insertion timestamps:
Technique 1 (T1) – Regex rules: Timestamps are derived from the Shimcache entries themselves based on a researched list of patterns of executable files. Some executable entries exhibit a timestamp that is equivalent to the insertion to the Shimcache and thus the initial execution time.
Technique 2 (T2) – Shimcache Amcache near timestamp pair detection: If the Shimcache file last modified timestamp and the Amcache timestamp for an entry are near each other (less than 60 seconds), it is highly likely that the executable entry was inserted to the Shimcache and executed at one of those timestamps. This is an additional technique that was discovered during the research but has not been used in real investigations yet.
Technique 3 (T3) – Shimcache Amcache timestamp range matching: The entries in the Shimcache without an insertion timestamp after applying T1 and T2 get enriched with Amcache timestamps. If an entry has a matching Amcache timestamp that falls within the derived time frame for that entry, the Amcache timestamp gets interpreted as the insertion timestamp.
Caveats and edge cases
While these techniques are powerful, they are based on inferred times and will never be completely accurate. This may cause the timeline timestamps to be out of order. An analyst should be aware of these limitations when performing investigations using these techniques and where possible should support their conclusions from other evidence sources.
More Information
For a more detailed exploration of this topic, we recommend reading the full blog post on the WithSecure™ Labs website.