Incident Response with EZTools - Evidence of Execution

AppCompatCacheParser, also known as ShimParser, is bundled with EZTools. It parses the ShimCache entries stored in the SYSTEM registry hive.

ShimCache is a component of the Application Compatibility Database, which is used by the Windows operating system to identify application compatibility issues. The cache contains data related to this Windows feature, and it is used for quick lookups to determine if modules require shimming for compatibility. (source: https://www.fireeye.com/content/dam/fireeye-www/services/freeware/shimcache-whitepaper.pdf)

From an incident response perspective, the responder needs the ability and skill to quickly triage back to patient zero and identify the cause, or the action that was performed, before the incident was detected.

During an incident, an executable may be launched that causes the system to behave in an odd way. Obtaining evidence that this executable ran on the system helps the responder pivot the investigation.
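As an added example (not part of the original page or the EZTools project), the script below triages the CSV that AppCompatCacheParser writes. The column names (ControlSet, CacheEntryPosition, Path, LastModifiedTimeUTC, Executed, Duplicate, SourceFile) and the sample rows are assumptions constructed for this illustration; the suspicious-directory list is a starting point a responder would adapt to the case.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the layout AppCompatCacheParser writes (column names assumed).
SAMPLE_CSV = """ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile
1,0,C:\\Windows\\System32\\svchost.exe,2021-03-01 10:00:00,Yes,No,C:\\cases\\host1\\SYSTEM
1,1,C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe,2021-05-14 08:22:10,Yes,No,C:\\cases\\host1\\SYSTEM
1,2,C:\\Program Files\\Vendor\\app.exe,2020-11-20 12:00:00,No,No,C:\\cases\\host1\\SYSTEM
1,3,C:\\Users\\alice\\Downloads\\invoice.exe,2021-05-14 08:20:03,Yes,No,C:\\cases\\host1\\SYSTEM
"""

# Locations where user-writable, transient binaries often appear; adapt per case.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\downloads\\",
    "\\programdata\\",
    "\\users\\public\\",
)

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def load_entries(text):
    """Parse the CSV text into dicts with typed timestamp and position fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["LastModifiedTimeUTC"] = datetime.strptime(r["LastModifiedTimeUTC"], TIME_FMT)
        # Lower position = nearer the head of the cache = more recently inserted/updated.
        r["CacheEntryPosition"] = int(r["CacheEntryPosition"])
    return rows


def is_suspicious_path(path):
    """True when the path lives under a directory from SUSPICIOUS_DIRS."""
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def triage(rows, since=None, until=None):
    """Return entries in suspicious locations, optionally bounded by a time window.

    since/until are "YYYY-MM-DD HH:MM:SS" strings compared against LastModifiedTimeUTC.
    Results are ordered by cache position so the most recently touched entries come first.
    """
    lo = datetime.strptime(since, TIME_FMT) if since else None
    hi = datetime.strptime(until, TIME_FMT) if until else None
    hits = []
    for r in rows:
        ts = r["LastModifiedTimeUTC"]
        if lo and ts < lo:
            continue
        if hi and ts > hi:
            continue
        if is_suspicious_path(r["Path"]):
            hits.append(r)
    hits.sort(key=lambda r: r["CacheEntryPosition"])
    return hits


if __name__ == "__main__":
    entries = load_entries(SAMPLE_CSV)
    for hit in triage(entries):
        print(hit["CacheEntryPosition"], hit["LastModifiedTimeUTC"], hit["Executed"], hit["Path"])
```

Two caveats a responder should keep in mind when reading the output: LastModifiedTimeUTC is the file's last-modification time taken from the file system, not the time of execution, so the time window filters on when the binary was written, not when it ran; and the meaning of the Executed flag differs between Windows versions (on some it only records that the file was looked up), so a ShimCache hit is a lead to corroborate with other execution artifacts rather than proof on its own.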

Windows Application Compatibility Forensics