Hands-on Lab · Advanced · ~60 min · Includes challenge

Lab 9.2 — Disk Artifact Analysis

Analyze a forensic image: extract Prefetch, Amcache, and ShimCache entries. Determine what programs were executed and when.

Tools needed: Velociraptor

What You'll Learn

  • Analyze Windows Prefetch files to determine program execution history
  • Extract Amcache entries to identify installed and executed applications
  • Examine ShimCache (AppCompatCache) to reconstruct execution timelines
  • Correlate artifacts across all three sources to build a comprehensive execution history
  • Identify planted malicious tools through artifact analysis

Lab Overview

Detail          | Value
----------------|------------------------------------------------------------------------------
Lab Profile     | lab-velociraptor
Containers      | Velociraptor Server, Velociraptor Client (Windows endpoint)
Estimated Time  | 55–65 minutes
Difficulty      | Intermediate
Browser Access  | Velociraptor Web UI
Pre-Loaded Data | Planted execution artifacts (Prefetch, Amcache, ShimCache) for malicious tools
Deliverable     | Artifact analysis report with execution timeline

Why Disk Artifacts Matter. Attackers delete their tools. They clear logs. They wipe command history. But Windows keeps meticulous records of program execution in multiple locations that most attackers don't know about — or can't easily clean. Prefetch, Amcache, and ShimCache are the forensic investigator's best friends.


The Scenario

Following the evidence collection in Lab 9.1, the endpoint (WIN-ENDPOINT-01) has been isolated. Your task is now to analyze the disk artifacts that record program execution history. The attacker used several tools during the compromise — some were deleted, but the execution artifacts remain.

Your goal: determine what programs ran, when they ran, and how many times — then identify the malicious tools.


Part 1: Understanding Windows Execution Artifacts

The Three Pillars of Execution Evidence

Windows maintains three independent artifact sources that record program execution:

Artifact  | Location                                                        | Records                                                                                   | Persistence
----------|-----------------------------------------------------------------|-------------------------------------------------------------------------------------------|------------------------------------------------------
Prefetch  | C:\Windows\Prefetch\                                            | Last 8 execution times, run count, files loaded                                           | Survives reboot; limited to 1024 files (Windows 8+)
Amcache   | C:\Windows\appcompat\Programs\Amcache.hve                       | SHA1 hash, full path, first-seen time, publisher                                          | Survives reboot; persists until hive cleanup
ShimCache | SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache | File path, file last-modification time; execution flag on Windows 7/8.x only, none on 10+ | Flushed to the registry on shutdown; survives reboot

Windows Artifact Map

💡

Cross-Reference Everything. No single artifact tells the complete story. Prefetch gives you run counts. Amcache gives you hashes. ShimCache gives you modification timestamps. Combining all three produces the most complete and defensible timeline.


Part 2: Prefetch Analysis

What Prefetch Tells You

Every time a program executes on Windows with the prefetcher enabled (the default on workstation editions; disabled by default on Windows Server), the OS creates or updates a Prefetch file in C:\Windows\Prefetch\. The .pf file is written roughly 10 seconds after launch, so its NTFS creation time approximates the first run. Each file records:

  • Executable name and path
  • Last 8 execution timestamps (Windows 8 and later; Windows 7 keeps only the most recent one)
  • Run count (total number of executions)
  • Files and directories accessed during the first seconds of execution

Collecting Prefetch with Velociraptor

  1. Open the Velociraptor Web UI and select WIN-ENDPOINT-01
  2. Navigate to Collected ArtifactsNew Collection
  3. Search for and select: Windows.Forensics.Prefetch
  4. Launch the collection

Analyzing the Results

When the collection completes, examine the results table. For each entry, note:

PREFETCH ANALYSIS LOG
═════════════════════
Executable         | Run Count | Last Executed      | Path                    | Suspicious?
-------------------|-----------|--------------------|--------------------------|-----------
[name].exe         | [count]   | [timestamp UTC]    | [full path]             | [Y/N + reason]

What to look for:

  • Executables with names mimicking system processes (e.g., svch0st.exe, csrs.exe)
  • Tools commonly used by attackers: mimikatz.exe, psexec.exe, procdump.exe, nc.exe, whoami.exe
  • Programs executed from unusual paths: C:\Temp\, C:\Users\Public\, Downloads\
  • High run counts on suspicious executables (indicates repeated use)
  • Execution timestamps that cluster during off-hours

Prefetch File Names Include a Hash. Prefetch files are named EXECUTABLE-XXXXXXXX.pf where the hash is computed from the full path of the executable. The same executable run from two different paths therefore creates two separate Prefetch files, so an attacker who copies cmd.exe to C:\Temp\ creates a NEW Prefetch entry distinct from the legitimate C:\Windows\System32\cmd.exe. For a few host processes (svchost.exe, rundll32.exe, mmc.exe and similar) the command line is hashed as well, which is why one such binary can legitimately have many .pf files.
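As an added example (not part of the lab page or of Velociraptor), the Python below runs the "what to look for" checklist over Prefetch rows exported from a collection. The rows are constructed sample data, and the column names (executable, path, run_count, last_runs) are assumptions to map onto the headers of your exported CSV. It flags lookalike names with an edit-similarity check, known tools, unusual paths, and then uses run count and off-hours timing only as supporting indicators, so that a service that legitimately runs at night is not flagged on timing alone.

```python
"""Prefetch triage: apply the 'what to look for' checklist to collection rows.

Added example, not part of the lab or of Velociraptor. The rows below are
constructed sample data; the column names are assumptions to map onto the
headers of your exported collection results.
"""
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Process names that attacker tools commonly imitate (typosquat targets).
SYSTEM_PROCESSES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                    "smss.exe", "services.exe", "explorer.exe"}
# Tools worth a second look, whether dropped by the attacker or built in.
KNOWN_TOOLS = {"mimikatz.exe", "psexec.exe", "procdump.exe", "nc.exe", "whoami.exe"}
# Directories legitimate installed software rarely executes from.
UNUSUAL_DIRS = ("\\temp\\", "\\users\\public\\", "\\downloads\\")
# Business hours in UTC for the sample environment (assumption; adjust per site).
BUSINESS_HOURS = range(8, 18)
# Similarity above which a name counts as imitating a system process.
LOOKALIKE_RATIO = 0.85


def lookalike_of(name):
    """Return the system process `name` imitates, or None.

    Exact names are legitimate; near misses such as svch0st.exe (ratio 0.91 to
    svchost.exe) or csrs.exe (0.94 to csrss.exe) are flagged. conhost.exe scores
    0.82 against svchost.exe and stays below the threshold."""
    name = name.lower()
    if name in SYSTEM_PROCESSES:
        return None
    for legit in sorted(SYSTEM_PROCESSES):
        if SequenceMatcher(None, name, legit).ratio() >= LOOKALIKE_RATIO:
            return legit
    return None


def triage_prefetch(rows):
    """Return [(executable, [reasons])] for rows tripping a primary heuristic.

    Run count and off-hours timing are supporting indicators only: on their own
    they would flag every service that runs at night."""
    findings = []
    for row in rows:
        name, path = row["executable"].lower(), row["path"].lower()
        reasons = []
        target = lookalike_of(name)
        if target:
            reasons.append(f"name mimics {target}")
        if name in KNOWN_TOOLS:
            reasons.append("known attacker/discovery tool")
        if any(d in path for d in UNUSUAL_DIRS):
            reasons.append("executed from unusual path")
        if not reasons:
            continue
        if row["run_count"] >= 3:
            reasons.append(f"repeated use (run count {row['run_count']})")
        if row["last_runs"] and all(t.hour not in BUSINESS_HOURS for t in row["last_runs"]):
            reasons.append("all recorded runs off-hours")
        findings.append((row["executable"], reasons))
    return findings


def ts(hour, minute):
    """Constructed UTC timestamp on a fixed sample date."""
    return datetime(2026, 3, 14, hour, minute, tzinfo=timezone.utc)


# Constructed sample rows shaped like exported Prefetch collection results.
SAMPLE_ROWS = [
    {"executable": "SVCHOST.EXE", "path": r"C:\Windows\System32\svchost.exe",
     "run_count": 412, "last_runs": [ts(1, 0), ts(9, 30)]},
    {"executable": "CMD.EXE", "path": r"C:\Windows\System32\cmd.exe",
     "run_count": 58, "last_runs": [ts(10, 5)]},
    {"executable": "MIMIKATZ.EXE", "path": r"C:\Users\Public\mimikatz.exe",
     "run_count": 3, "last_runs": [ts(2, 15), ts(2, 40), ts(3, 5)]},
    {"executable": "SVCH0ST.EXE", "path": r"C:\Temp\svch0st.exe",
     "run_count": 1, "last_runs": [ts(2, 20)]},
    {"executable": "WHOAMI.EXE", "path": r"C:\Windows\System32\whoami.exe",
     "run_count": 2, "last_runs": [ts(2, 17)]},
]

if __name__ == "__main__":
    for exe, why in triage_prefetch(SAMPLE_ROWS):
        print(f"{exe:14} {'; '.join(why)}")
```

On the sample rows the legitimate svchost.exe and cmd.exe produce no finding, while mimikatz.exe, the svch0st.exe lookalike in C:\Temp\ and the whoami.exe discovery run are listed with their reasons. Tune LOOKALIKE_RATIO against your own baseline before trusting the lookalike check on a large fleet.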


Part 3: Amcache Analysis

What Amcache Tells You

The Amcache registry hive tracks application compatibility data, and the compatibility subsystem inventories binaries into it even outside of execution. For forensics, it provides:

  • SHA1 hash of the executable, computed over at most the first 31,457,280 bytes of the file (critical for malware identification; for binaries larger than that the Amcache hash will not match a full-file SHA1)
  • Full file path where the program was located
  • A first-seen timestamp (the last-write time of the entry's registry key), which usually approximates the first execution but is not by itself proof that the file ran
  • File size and publisher information, populated from the binary's own version resource rather than from a signature check

Collecting Amcache with Velociraptor

  1. Create a new collection
  2. Select: Windows.Detection.Amcache
  3. Launch the collection

Analyzing the Results

Cross-reference Amcache entries with your Prefetch findings:

AMCACHE ANALYSIS LOG
═════════════════════
Executable  | SHA1 Hash        | Full Path              | First Run          | Publisher
------------|------------------|------------------------|--------------------|----------
[name].exe  | [sha1]           | [path]                 | [timestamp UTC]    | [publisher or UNKNOWN]

Key analysis steps:

  1. Hash lookup: search the SHA1 hashes of suspicious executables in VirusTotal or your threat intel platform (searching by hash does not upload the file)
  2. Publisher check: installed software usually carries publisher information while dropped attacker tools often show UNKNOWN, but treat this as a weak signal: the field comes from the file's own version resource, which an attacker can set, and many legitimate utilities leave it empty
  3. Path correlation: match Amcache paths with Prefetch paths. Same executable, same location?
  4. Timeline correlation: compare the Amcache first-seen time with the Prefetch last-run time to bound the activity window

💡

Amcache Survives Deletion. Even after an attacker deletes their tools from disk, the Amcache entry persists, and the SHA1 hash lets you identify the exact binary after it is gone. One caveat: an Amcache entry proves the file was present and inventoried, not that it ran. Use it to identify the binary and confirm execution with Prefetch.


Part 4: ShimCache Analysis

What ShimCache Tells You

The Application Compatibility Cache (ShimCache) records:

  • File path of programs the compatibility subsystem examined, normally because they were executed
  • Last modification timestamp of the executable file (the file's modified time, not the time it ran)
  • Execution flag, present on Windows 7 and 8.x and absent from Windows 10 onward: where it exists it separates programs that actually ran from files that merely existed; on Windows 10+ a ShimCache entry proves presence, not execution

ShimCache is held in kernel memory and flushed to the SYSTEM hive on shutdown or reboot. A collection from a live endpoint therefore returns the cache as of the previous shutdown; entries created during the current session are not yet in the registry, and a system that has not been rebooted since the intrusion will not show the attacker's tools here until it is.

Collecting ShimCache with Velociraptor

  1. Create a new collection
  2. Select: Windows.Registry.AppCompatCache
  3. Launch the collection

Analyzing the Results

SHIMCACHE ANALYSIS LOG
══════════════════════
Position | Executable Path                          | Modified Time      | Executed?
---------|------------------------------------------|--------------------|----------
[pos]    | [full path]                              | [timestamp UTC]    | [Yes/No]

Important ShimCache behaviors:

  • Entries are ordered most recent first: position 0 is the most recently inserted or updated entry, and re-running a program moves its entry back to the top
  • The "modified time" is the file's last modification timestamp, NOT the execution time; an attacker who timestomps the binary changes this value
  • On Windows 10 and later, which have no execution flag, ShimCache also records files the compatibility subsystem examined without any execution taking place; on earlier versions the flag distinguishes the two cases

Part 5: Building the Execution Timeline

Correlating All Three Sources

Now combine your findings from Prefetch, Amcache, and ShimCache into a unified timeline:

Artifact Timeline

UNIFIED EXECUTION TIMELINE
═══════════════════════════
Time (UTC)          | Executable        | Source(s)              | Action
--------------------|-------------------|------------------------|-------
[earliest timestamp]| [name].exe        | Amcache (first seen)   | Binary inventoried; approximates first execution
[next timestamp]    | [name].exe        | Prefetch (.pf created) | First run (the in-file timestamps cover only the last 8)
[...]               | [...]             | [...]                  | [...]
[latest timestamp]  | [name].exe        | Prefetch (last run)    | Most recent execution

Identifying the Malicious Tools

Based on your analysis, answer these questions:

  1. Which executables appear in ALL THREE artifact sources? (highest confidence of execution)
  2. Which executables have SHA1 hashes that match known malware? (Amcache)
  3. Which executables ran from non-standard paths? (all three sources)
  4. What is the chronological order of the attacker's tool usage?
  5. Are there any executables in ShimCache that are NOT in Prefetch? This may indicate anti-forensic cleanup of Prefetch, but rule out the benign explanations first: the prefetcher disabled (the Windows Server default), the 1024-file limit rolling old entries out, or a file that was present and examined but never executed, since on Windows 10+ ShimCache alone does not prove execution
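As an added example (not part of the lab page or of Velociraptor), the Python below joins the three collections on the normalised full path, emits one unified timeline, and answers questions 1 and 5 above directly. The three row sets are constructed samples shaped like exported collection results, the column names are assumptions to map onto your exported CSV headers, and the SHA1 values are placeholders. ShimCache rows are placed on the timeline as file evidence rather than as executions, because their timestamp is the file's modified time.

```python
"""Unified execution timeline from Prefetch, Amcache and ShimCache rows.

Added example, not part of the lab or of Velociraptor. The three row sets are
constructed samples shaped like exported collection results; column names are
assumptions to map onto your exported CSV headers. SHA1 values are placeholders.
"""
from datetime import datetime, timezone


def norm(path):
    """Join key for a binary: case-insensitive path with one separator style."""
    return path.replace("/", "\\").lower()


def build_timeline(prefetch, amcache, shimcache):
    """Return (timeline, evidence).

    timeline: (time, path, source, meaning) tuples sorted by time.
    evidence: per binary, which sources saw it plus the fields each contributes
    (run count and last run from Prefetch, SHA1 and first-seen from Amcache,
    position from ShimCache)."""
    evidence = {}

    def record(path):
        return evidence.setdefault(norm(path), {
            "path": path, "sources": set(), "sha1": None, "run_count": None,
            "first_seen": None, "last_seen": None, "shim_position": None})

    timeline = []
    for r in prefetch:
        e = record(r["path"])
        e["sources"].add("Prefetch")
        e["run_count"] = r["run_count"]
        e["last_seen"] = max(r["last_runs"])
        for t in r["last_runs"]:
            timeline.append((t, r["path"], "Prefetch", "execution (one of last 8)"))
    for r in amcache:
        e = record(r["path"])
        e["sources"].add("Amcache")
        e["sha1"] = r["sha1"]
        e["first_seen"] = r["first_seen"]
        timeline.append((r["first_seen"], r["path"], "Amcache", "entry written (first seen)"))
    for r in shimcache:
        e = record(r["path"])
        e["sources"].add("ShimCache")
        e["shim_position"] = r["position"]
        # ShimCache stores the file's last-modified time, not a run time, so it
        # goes on the timeline as file evidence rather than as an execution.
        timeline.append((r["modified"], r["path"], "ShimCache", "file mtime (not a run)"))
    timeline.sort(key=lambda x: (x[0], x[2], x[1]))
    return timeline, evidence


def in_all_three(evidence):
    """Binaries seen by every source: the highest-confidence execution set."""
    return sorted(e["path"] for e in evidence.values() if len(e["sources"]) == 3)


def shimcache_without_prefetch(evidence):
    """Binaries in ShimCache with no Prefetch file. Candidates for Prefetch
    cleanup, but also a disabled prefetcher, a rolled-over Prefetch folder, or a
    file that was present and never ran (ShimCache alone does not prove execution)."""
    return sorted(e["path"] for e in evidence.values()
                  if "ShimCache" in e["sources"] and "Prefetch" not in e["sources"])


def ts(hour, minute):
    """Constructed UTC timestamp on a fixed sample date."""
    return datetime(2026, 3, 14, hour, minute, tzinfo=timezone.utc)


# Constructed sample rows (not real collection output).
PREFETCH = [
    {"path": r"C:\Users\Public\procdump.exe", "run_count": 3,
     "last_runs": [ts(2, 15), ts(2, 31), ts(2, 48)]},
    {"path": r"C:\Users\Public\mimikatz.exe", "run_count": 1, "last_runs": [ts(2, 52)]},
]
AMCACHE = [
    {"path": r"C:\Users\Public\procdump.exe", "sha1": "sha1-placeholder-1", "first_seen": ts(2, 15)},
    {"path": r"C:\Users\Public\mimikatz.exe", "sha1": "sha1-placeholder-2", "first_seen": ts(2, 51)},
    {"path": r"C:\Temp\psexesvc.exe", "sha1": "sha1-placeholder-3", "first_seen": ts(2, 5)},
]
SHIMCACHE = [
    {"position": 5, "path": r"C:\Users\Public\procdump.exe", "modified": ts(1, 58)},
    {"position": 7, "path": r"C:\Temp\PSEXESVC.exe", "modified": ts(1, 50)},
    {"position": 9, "path": r"C:\Users\Public\mimikatz.exe", "modified": ts(1, 59)},
]

if __name__ == "__main__":
    timeline, evidence = build_timeline(PREFETCH, AMCACHE, SHIMCACHE)
    for t, path, source, meaning in timeline:
        print(f"{t:%Y-%m-%d %H:%M} UTC | {path:32} | {source:9} | {meaning}")
    print("in all three:", in_all_three(evidence))
    print("ShimCache only:", shimcache_without_prefetch(evidence))
```

The join key lower-cases the path so that the mixed-case ShimCache entry for PSEXESVC.exe lands on the same record as its Amcache entry; that binary then shows up in the ShimCache-without-Prefetch list, which is exactly the case question 5 asks you to explain rather than assume.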

Part 6: Documenting Your Findings

Create Your Artifact Analysis Report

DISK ARTIFACT ANALYSIS REPORT
══════════════════════════════
Case ID:     IR-2026-[today's date]
Examiner:    [your name]
Endpoint:    WIN-ENDPOINT-01
Date:        [UTC timestamp]

EXECUTIVE SUMMARY
─────────────────
[2-3 sentences: what happened, based on artifact evidence]

MALICIOUS EXECUTABLES IDENTIFIED
────────────────────────────────
1. [name].exe
   - Path: [full path]
   - SHA1: [hash from Amcache]
   - Run Count: [from Prefetch]
   - First Seen: [from Amcache]
   - Last Seen: [from Prefetch]
   - Classification: [attacker tool / malware / unknown]

EXECUTION TIMELINE
──────────────────
[Your unified timeline from Part 5]

ARTIFACTS ANALYZED
──────────────────
- Prefetch files: [count] entries analyzed
- Amcache entries: [count] entries analyzed
- ShimCache entries: [count] entries analyzed

Deliverable Checklist

Before completing the lab, ensure you have:

  • Prefetch Analysis Log — all suspicious executables with run counts and timestamps
  • Amcache Analysis Log — SHA1 hashes, paths, and first execution times
  • ShimCache Analysis Log — execution flags and modification timestamps
  • Unified Execution Timeline — chronological correlation of all three artifact sources
  • Malicious Tool Identification — at least 2 attacker tools identified with evidence from multiple sources
  • Artifact Analysis Report — formal report with executive summary and findings

Key Takeaways

  • Prefetch records the last 8 execution times and total run count — even for deleted executables
  • Amcache preserves SHA1 hashes that identify the exact binary after deletion
  • ShimCache captures file presence evidence (and, on Windows 7/8.x, an execution flag) that is flushed to the registry only at shutdown or reboot
  • Cross-referencing all three sources produces the most complete and defensible execution timeline
  • Attackers who clean one artifact source often forget the others — correlation catches what deletion misses
  • Path analysis is a quick win: legitimate tools usually run from System32 or Program Files, while attacker tools are typically dropped in Temp, Public or Downloads. Treat it as a prioritisation heuristic rather than proof, since attackers also stage binaries in System32 and abuse built-in tools such as whoami.exe that live there legitimately

What's Next

In Lab 9.3 — Windows Forensic Investigation, you'll expand beyond execution artifacts to conduct a full Windows investigation: registry analysis, user activity timelines, browser artifacts, and USB history. You'll build a complete attack narrative from the evidence.

Lab Challenge: Disk Artifact Analysis

10 questions · 70% to pass

1. What three Windows artifact sources are considered the 'pillars of execution evidence' for forensic investigations?

2. How many execution timestamps does a Windows 10+ Prefetch file store for a single executable?

3. An attacker deleted mimikatz.exe from disk. Which artifact still contains the SHA1 hash of the deleted file?

4. You find a Prefetch file named 'CMD-12345678.pf' and another named 'CMD-ABCDEF01.pf'. What does this indicate?

5. When is ShimCache data written to the Windows registry?

6. You find an executable in Amcache with publisher listed as 'UNKNOWN' and a path of C:\Users\Public\update.exe. What makes this suspicious?

7. Why is cross-referencing all three artifact sources (Prefetch, Amcache, ShimCache) more reliable than relying on one?

8. An executable appears in ShimCache but NOT in Prefetch. What could explain this?

9. What Velociraptor artifact collects Amcache data from a Windows endpoint?

10. You've built a unified execution timeline and identified that the attacker ran 'procdump.exe' (Prefetch count: 3, Amcache first run: 02:15 UTC, ShimCache position: 5). What does the run count of 3 tell you?
