Iconcache
Overview
Evidence: Iconcache
Description: Collect Iconcache
Category: System
Platform: windows
Short Name: ic
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Windows caches icons extracted from executables, DLLs, and other files so that Explorer does not have to re-read each file to render its icon. The cache is kept in database files on disk, so it can retain icons from files that have since been deleted and from files that were only ever present on removable drives.
Icon caches can provide evidence of files that existed on the system, including malware that may have used custom icons.
Data Collected
This collector records the following metadata for each icon cache file it collects.
Iconcache Data
| Field | Description | Example |
|---|---|---|
| Name | Artifact name | Iconcache |
| Type | Artifact type | File |
| SourcePath | Original path of the file on the target system | C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db |
| Path | Relative path of the copy within the collected evidence | Other/iconcache_96.db |
Collection Method
This collector collects icon cache files from the following locations (relative to the system drive):

- Users\*\AppData\Local\Microsoft\Windows\Explorer\iconcache_*.db
- Users\*\AppData\Local\iconcache_*.db
- Documents and Settings\Administrator\Local Settings\Application Data\IconCach*.db (legacy)
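The following PowerShell script is an added example, not the collector's own code, showing how the locations above can be acquired by hand or in a custom triage script: it expands each path pattern under the system drive, copies every match into an `Other/` directory, hashes source and copy to confirm the acquisition, and writes a manifest using the field names from the table above. The parameter names, the output layout, and the CSV manifest are assumptions; the example also prefixes each copy with the owning profile name, which the collector's own `Other/iconcache_96.db` layout does not do, so that caches from two user profiles do not overwrite each other.

```powershell
# Added example (not the collector's code): acquire Windows icon cache databases.
# Assumptions: -SystemDrive is the root of the volume being triaged ("C:" for a live
# system, or the mount point of an offline image); -OutputRoot receives an "Other"
# directory of copies plus a CSV manifest.
param(
    [string]$SystemDrive = $env:SystemDrive,
    [string]$OutputRoot  = (Join-Path $PWD.Path 'evidence')
)

# Path patterns from this collector's "Collection Method", relative to the system drive.
$patterns = @(
    'Users\*\AppData\Local\Microsoft\Windows\Explorer\iconcache_*.db',
    'Users\*\AppData\Local\iconcache_*.db',
    'Documents and Settings\Administrator\Local Settings\Application Data\IconCach*.db'  # legacy
)

$destDir = Join-Path $OutputRoot 'Other'
New-Item -ItemType Directory -Path $destDir -Force | Out-Null

$records = foreach ($pattern in $patterns) {
    $glob = Join-Path $SystemDrive $pattern
    # -Force is required: AppData and the cache files carry the hidden attribute.
    foreach ($file in Get-ChildItem -Path $glob -File -Force -ErrorAction SilentlyContinue) {
        # Second path segment under the drive root is the profile name
        # ("Users\<profile>\..." or "Documents and Settings\<profile>\...").
        $relative    = $file.FullName.Substring($SystemDrive.Length).TrimStart('\')
        $profileName = ($relative -split '\\')[1]
        $destName    = '{0}_{1}' -f $profileName, $file.Name
        $destPath    = Join-Path $destDir $destName

        $record = [ordered]@{
            Name             = 'Iconcache'
            Type             = 'File'
            SourcePath       = $file.FullName
            Path             = $null
            SizeBytes        = $file.Length
            LastWriteTimeUtc = $file.LastWriteTimeUtc.ToString('o')
            SHA256           = $null
            Error            = $null
        }

        try {
            # Hash the source first, copy, then hash the copy: a mismatch means the
            # file changed underneath us (Explorer still writing) or the copy is bad.
            $srcHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            Copy-Item -LiteralPath $file.FullName -Destination $destPath -Force -ErrorAction Stop
            $dstHash = (Get-FileHash -LiteralPath $destPath -Algorithm SHA256 -ErrorAction Stop).Hash
            if ($srcHash -ne $dstHash) {
                throw "hash mismatch after copy (source $srcHash, copy $dstHash)"
            }
            $record.SHA256 = $srcHash
            $record.Path   = "Other/$destName"
        }
        catch {
            # Typical causes: access denied (not elevated) or a sharing violation
            # because Explorer holds the cache open on a live system.
            $record.Error = $_.Exception.Message
        }

        [pscustomobject]$record
    }
}

if ($records) {
    $records | Export-Csv -LiteralPath (Join-Path $OutputRoot 'iconcache_manifest.csv') -NoTypeInformation
}
$records
```

Run it from an elevated prompt so that other users' profiles are readable. On a live system Explorer keeps its cache databases open; if a copy fails with a sharing violation, acquire the file from a Volume Shadow Copy or with a raw-disk reader instead of retrying with the normal file API, and keep the manifest row with its Error column so the gap is documented rather than silent.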
Forensic Value
Icon caches can preserve visual evidence of executables that no longer exist on disk. Investigators use the collected databases to recover icons of deleted programs, identify applications that were present on the system, spot malware that shipped with a custom or impersonated icon (for example one mimicking a document or a trusted installer), and correlate those findings with execution artifacts such as Prefetch, Amcache, and UserAssist. This collector copies the files without parsing them (Is Parsed: No), so extracting the icons is done in the Investigation Hub or with an offline thumbcache/iconcache parser.