The Windows Amcache Hive
This week I talk about Amcache forensics, a Windows artifact that records details about programs that have been run on a given system. This evidence can support malware/intrusion investigations, file use and knowledge examinations, and data spoliation inquiries.
The Amcache.hve is a Windows Registry hive that contains data about applications that have been run on a Windows system. For each entry the artifact also records the file path of the executable, the date and time it was first run, the program's SHA1 hash value, and some product and version information.
Artifact Location: C:\Windows\AppCompat\Programs\Amcache.hve
Note: During my testing I could not easily extract the Amcache.hve file from a live system, as the operating system locks the file. No issues with dead-box extraction.
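As an added example (not code from the original post or from any of the tools it cites), the following Python normalises Root\File entries from an Amcache.hve into the fields described above and matches their SHA1 values against a known-bad hash set. It assumes the Windows 8-era value layout (value "15" full path, "101" SHA1 stored with four leading zeros, "17" last-modified FILETIME, "0" product name, "5" file version), treats each key's LastWrite time as the first-run time, and imports python-registry (the module behind Amcache.py) only when reading a real hive; the sample entry at the bottom is constructed.

```python
from datetime import datetime, timedelta, timezone

# Value names inside a Root\File\<volume>\<id> key (Windows 8-era layout):
# "0" product name, "5" file version, "15" full path, "17" last-modified
# FILETIME, "101" SHA1 stored as "0000" + 40 hex chars (assumed layout).
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def normalize_sha1(raw: str) -> str:
    """Strip the four leading zeros Amcache prepends to the SHA1 digest."""
    raw = raw.strip().lower()
    return raw[4:] if len(raw) == 44 and raw.startswith("0000") else raw

def normalize_file_entry(values: dict, key_last_write: datetime) -> dict:
    """Turn one key's raw value-name -> data mapping into a review record."""
    return {
        "path": values.get("15", ""),
        "sha1": normalize_sha1(values.get("101", "")),
        "product": values.get("0", ""),
        "version": values.get("5", ""),
        "first_run": key_last_write,  # assumption: key LastWrite = first run
        "modified": filetime_to_datetime(values["17"]) if "17" in values else None,
    }

def match_known_hashes(entries, known_bad):
    """Return entries whose SHA1 appears in a known-bad set (any case)."""
    bad = {h.lower() for h in known_bad}
    return [e for e in entries if e["sha1"] in bad]

def load_amcache(hive_path: str) -> list:
    """Walk Root\\File of a hive copied from an image (needs python-registry)."""
    from Registry import Registry  # pip install python-registry
    reg = Registry.Registry(hive_path)
    out = []
    for volume in reg.open("Root\\File").subkeys():
        for key in volume.subkeys():
            values = {v.name(): v.value() for v in key.values()}
            out.append(normalize_file_entry(values, key.timestamp()))
    return out

# Constructed sample: raw values of one Root\File entry, not from a real hive.
SAMPLE_VALUES = {
    "0": "Example Product", "5": "1.2.3.4",
    "15": r"C:\Users\alice\Downloads\installer.exe",
    "17": 131277024000000000,       # FILETIME for 2017-01-01T00:00:00Z
    "101": "0000" + "a" * 40,       # placeholder digest, not a real hash
}
SAMPLE_LAST_WRITE = datetime(2017, 1, 2, 9, 30, tzinfo=timezone.utc)
```

Run load_amcache() against an Amcache.hve exported from a dead-box image and feed the result to match_known_hashes() with your hash list; the remaining fields give the path, product, version and timestamps for each hit.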
AmcacheParser: Windows command line tool (free), https://ericzimmerman.github.io
RegRipper: Amcache plugin (free), https://github.com/keydet89
Amcache.py: Python tool (free), https://github.com/williballenthin/python-registry/tree/master/samples
EnCase: EnScript, links for the v6 and v7 EnScripts may be found in this article, http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html
Amcache Parser: Reducing the Noise, Finding the Signal, https://binaryforay.blogspot.com/2015/07/amcacheparser-reducing-noise-finding.html
Amcache.hve in Windows 8 – Goldmine for malware hunters, http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html
Amcache.hve – Part 2, http://www.swiftforensics.com/2013/12/amcachehve-part-2.html
* Views are based on my own experience; resources are cited where applicable.