DFIR-Notes
Windows Forensics
MUI Cache

The MUI (Multilingual User Interface) Cache is a registry key in which the Windows shell caches the display name of every executable whose name it has had to show to the user. The name is taken from the FileDescription field of the binary's version resource and is stored under the executable's full path, so Explorer does not have to re-read the resource each time the name is displayed.

Overview:

  • Purpose: Stores display names of applications for the Windows user interface.

  • Registry Location:

    • Windows Vista and later: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache. On disk this is the per-user UsrClass.dat hive (%LocalAppData%\Microsoft\Windows\UsrClass.dat), not NTUSER.DAT. The same key is also reachable live as HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache, because HKCR is a merged view that includes the logged-on user's HKCU\Software\Classes.

    • Windows XP: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache, stored in NTUSER.DAT.

  • Data Stored:

    • One or two REG_SZ values per executable, named after its full path: "<full path>.FriendlyAppName" holds the FileDescription from the version resource and "<full path>.ApplicationCompany" holds the CompanyName. Both strings are written by whoever built the binary and are trivially forged, so treat them as claims, not facts.

    • A LangID value (REG_BINARY) recording the UI language the names were read for.

Benefits for DFIR:

  • User Intent: Helps identify applications a user interacted with through the shell (double-click, Start menu, Run dialog).

  • Verification of Execution: Provides indirect evidence of application usage; corroborate it with Prefetch, UserAssist, BAM or Shim Cache before asserting that a program ran.

  • Executable Names and Paths: Records the full path of each executable whose name the shell displayed. Entries are not removed when the binary is deleted or the program is uninstalled, so the key can reveal tools that are no longer on disk, and the path itself (a temp directory, a Downloads folder, a double extension such as .pdf.exe) is often the most useful part of the entry.

  • Localization: The cached names are the version-resource strings for the user's UI language, which helps when triaging systems in multi-language environments.

  • Timestamp Information: The values themselves carry no timestamps. The only time available is the LastWrite time of the MuiCache key, which reflects the most recent addition or change to any value in it, not the last use of a particular program.

How It Works:

  • An entry is written when the shell needs an executable's display name, most commonly the first time the user launches it from Explorer, the Start menu or the Run dialog. The shell reads FileDescription and CompanyName from the binary's version resource and caches them under the full path, and the entry is not removed when the program is later deleted or uninstalled. Programs started by other means (a command prompt, a service, a scheduled task, another process) need not appear at all, so the absence of an entry is not evidence that a program never ran.

Tools:

  • Registry Explorer (Eric Zimmerman): Load UsrClass.dat (or NTUSER.DAT for XP), browse to the MuiCache key and review the values alongside the key's LastWrite time; the search and bookmark features make it easy to pick out executables in unusual locations.

  • RegRipper: The muicache plugin extracts and parses the key from UsrClass.dat (or NTUSER.DAT on XP) into a text report, which is convenient for batch triage of many user hives.

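As an added example (not code from this page or from either tool above), the following Python parses a `reg export` of the Vista+ MuiCache key and triages the entries the way an analyst would by hand: recover the executable path from each "<path>.FriendlyAppName" / "<path>.ApplicationCompany" value name, flag binaries in user-writable locations or with double extensions, flag entries whose claimed publisher does not fit their location, and note entries whose executable is no longer on disk. The .reg text, the paths and the set of files "present on disk" are constructed for the example; the .reg value-name convention and escaping rules are those of the real format.

```python
"""Parse a `reg export` of the MuiCache key and triage its entries.

Constructed example for the MUI Cache notes; the .reg text below mimics
`reg export` output (decoded from UTF-16LE), and every path in it is invented.
"""
import re
from dataclasses import dataclass

# Constructed sample export of the Vista+ key. .reg syntax doubles backslashes
# and wraps REG_SZ data in quotes; LangID is REG_BINARY and carries no program info.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"LangID"=hex:09,04
"C:\\Program Files\\7-Zip\\7zFM.exe.FriendlyAppName"="7-Zip File Manager"
"C:\\Program Files\\7-Zip\\7zFM.exe.ApplicationCompany"="Igor Pavlov"
"C:\\Windows\\System32\\mmc.exe.FriendlyAppName"="Microsoft Management Console"
"C:\\Windows\\System32\\mmc.exe.ApplicationCompany"="Microsoft Corporation"
"C:\\Users\\jdoe\\AppData\\Local\\Temp\\svch0st.exe.FriendlyAppName"="Windows Update Helper"
"C:\\Users\\jdoe\\AppData\\Local\\Temp\\svch0st.exe.ApplicationCompany"="Microsoft Corporation"
"C:\\Users\\jdoe\\Downloads\\invoice.pdf.exe.FriendlyAppName"="invoice"
'''

# Value-name suffixes MuiCache uses; everything before the suffix is the full path.
NAME_SUFFIXES = {".FriendlyAppName": "friendly_name", ".ApplicationCompany": "company"}
# "name"=data, where the name may contain \\ and \" escapes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg escapes backslash and quote with a backslash; one pass keeps pairs aligned.
    return re.sub(r"\\(.)", r"\1", s)


@dataclass
class MuiCacheEntry:
    path: str
    friendly_name: str = ""   # FileDescription from the version resource (forgeable)
    company: str = ""         # CompanyName from the version resource (forgeable)


def parse_muicache_export(reg_text: str) -> dict[str, MuiCacheEntry]:
    """Return {executable path: entry}; non-string values such as LangID are skipped."""
    entries: dict[str, MuiCacheEntry] = {}
    for line in reg_text.splitlines():
        m = _VALUE_LINE.match(line.strip())
        if not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if not (data.startswith('"') and data.endswith('"')):
            continue  # only REG_SZ values describe programs
        for suffix, attr in NAME_SUFFIXES.items():
            if name.endswith(suffix):
                path = name[: -len(suffix)]
                entry = entries.setdefault(path, MuiCacheEntry(path))
                setattr(entry, attr, _unescape(data[1:-1]))
                break
    return entries


# Triage heuristics (assumed, illustrative): where user-controlled binaries tend to live,
# where a "Microsoft" publisher claim is plausible, and document-looking double extensions.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\users\\public\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.exe$", re.I)


def triage_entry(entry: MuiCacheEntry, on_disk: set[str]) -> list[str]:
    """Return human-readable findings for one entry (empty list = nothing notable)."""
    p = entry.path.lower()
    findings = []
    if any(d in p for d in USER_WRITABLE):
        findings.append("runs from user-writable location")
    if _DOUBLE_EXT.search(p):
        findings.append("double extension disguises an executable")
    if "microsoft" in entry.company.lower() and not p.startswith(TRUSTED_ROOTS):
        findings.append("claims Microsoft as publisher but lives outside Windows/Program Files")
    if p not in {x.lower() for x in on_disk}:
        findings.append("executable no longer on disk (MuiCache entry survived deletion)")
    return findings


def triage_export(reg_text: str, on_disk: set[str]) -> dict[str, list[str]]:
    """Parse an export and triage every entry; on_disk is the set of paths that still exist."""
    return {path: triage_entry(e, on_disk) for path, e in parse_muicache_export(reg_text).items()}


if __name__ == "__main__":
    # Constructed "still on disk" set: the Temp-directory binary has been deleted.
    present = {r"C:\Program Files\7-Zip\7zFM.exe", r"C:\Windows\System32\mmc.exe",
               r"C:\Users\jdoe\Downloads\invoice.pdf.exe"}
    for path, findings in triage_export(SAMPLE_REG_EXPORT, present).items():
        print(path, "->", "; ".join(findings) or "nothing notable")
```

On a real case, replace SAMPLE_REG_EXPORT with the decoded contents of `reg export "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" out.reg` from the live system, or with the RegRipper/Registry Explorer output reshaped into the same name/value pairs, and build the on-disk set from a file listing of the image. The key's LastWrite time is not in a .reg export, so record it separately from Registry Explorer if timing matters.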
