Iconcache

Overview

Evidence: Iconcache
Description: Collect Iconcache
Category: Other Evidence
Platform: Windows
Short Name: ic
Is Parsed: No - Raw database files
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows caches icons extracted from executables, DLLs, and other files to improve Explorer performance. These icon caches are stored in database files and can preserve icons from deleted files or files that were present on removable drives.

Icon caches can provide evidence of files that existed on the system, including malware that may have used custom icons.

Data Collected

Field      | Description               | Example
-----------|---------------------------|------------------------------------------------------------------------
Name       | Artifact name             | Iconcache
Type       | File                      | File
SourcePath | Original file path        | C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db
Path       | Relative path in evidence | Other/iconcache_96.db

Collection Method

This collector gathers icon cache database files from the following locations (patterns are relative to the volume root):

  • Users\*\AppData\Local\Microsoft\Windows\Explorer\iconcache_*.db

  • Users\*\AppData\Local\iconcache_*.db

  • Documents and Settings\Administrator\Local Settings\Application Data\IconCach*.db (legacy)
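
The collection step above, as an added example that is not the product's own collector code: a Python routine that expands the three listed patterns under a volume root and fills the record fields from the Data Collected table. The Other/ prefix follows that table; the numeric suffix for identical filenames found in several user profiles is an assumption, since the page does not say how that case is handled.

```python
# Added example, not the product's own collector: expand the glob patterns
# from "Collection Method" under a volume root and build the evidence record
# fields from "Data Collected" (Name, Type, SourcePath, Path) plus SHA-256.
import glob
import hashlib
import os

# Patterns from the page, relative to the volume root (for example "C:\\").
ICONCACHE_PATTERNS = [
    os.path.join("Users", "*", "AppData", "Local", "Microsoft", "Windows",
                 "Explorer", "iconcache_*.db"),
    os.path.join("Users", "*", "AppData", "Local", "iconcache_*.db"),
    os.path.join("Documents and Settings", "Administrator", "Local Settings",
                 "Application Data", "IconCach*.db"),  # legacy location
]


def sha256_of(path, chunk=1 << 20):
    """Hash the raw .db file so it can be verified after transfer."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_iconcache(volume_root):
    """Return one evidence record per icon cache file found under volume_root.

    Path is the file's location inside the evidence package ("Other/<name>").
    Several profiles can hold a file with the same name, so a numeric suffix is
    added on collision (an assumption; the page does not describe this case).
    """
    records, used = [], set()
    for pattern in ICONCACHE_PATTERNS:
        for src in sorted(glob.glob(os.path.join(volume_root, pattern))):
            if not os.path.isfile(src):
                continue
            stem, ext = os.path.splitext(os.path.basename(src))
            rel, n = f"Other/{stem}{ext}", 1
            while rel in used:          # e.g. iconcache_96.db from two users
                rel, n = f"Other/{stem}_{n}{ext}", n + 1
            used.add(rel)
            records.append({"Name": "Iconcache", "Type": "File",
                            "SourcePath": src, "Path": rel,
                            "SHA256": sha256_of(src)})
    return records
```

Run it against a mounted image or a live volume root; each returned record carries the same four fields as the table plus a hash of the raw database.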

Usage

Icon caches can preserve visual evidence from deleted executables. Investigators use this data to recover icons from deleted programs, identify applications that were present, detect custom malware icons, and correlate with execution artifacts.

Known Limitations

  • Database format requires specialized parsers

  • Only icons, not full executables

  • May not contain all program icons

  • Icons recycled over time

Notes

Icon cache files can be parsed with specialized tools. The presence of unusual or suspicious icons may indicate malware that was previously present on the system.
