Iconcache

Overview

Evidence: Iconcache Description: Collect Iconcache Category: System Platform: windows Short Name: ic Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): Yes

Background

Windows caches icons extracted from executables, DLLs, and other files to improve Explorer performance. These icon caches are stored in database files and can preserve icons from deleted files or files that were present on removable drives.

Icon caches can provide evidence of files that existed on the system, including malware that may have used custom icons.

Data Collected

This collector gathers structured data about iconcache.

Iconcache Data

Field

Description

Example

Name

Artifact name

Iconcache

Type

File

SourcePath

Original file path

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

Path

Relative path in evidence

Other/iconcache_96.db

Collection Method

This collector collects icon cache files from:

Users\*\AppData\Local\Microsoft\Windows\Explorer\iconcache_*.db
Users\*\AppData\Local\iconcache_*.db
Documents and Settings\Administrator\Local Settings\Application Data\IconCach*.db (legacy)

Forensic Value

Icon caches can preserve visual evidence from deleted executables. Investigators use this data to recover icons from deleted programs, identify applications that were present, detect custom malware icons, and correlate with execution artifacts.

PreviousHosts File NextIE 10 11 Edge Browsing History

Last updated 3 days ago

Was this helpful?