The Windows Amcache Hive

This week I talk about Amcache forensics: a Windows artifact that records details about programs that have been run on a given system. This evidence can support malware and intrusion investigations, file-use and knowledge examinations, and data-spoliation inquiries.

Show Notes

Amcache.hve

Amcache.hve is a Windows registry hive that records applications that have been run (or installed) on a Windows system. For each executable the hive stores the full file path, a SHA-1 hash of the file, product and version information, and the last-write time of the entry's key, which is generally treated as the time the program was first run. Two details matter when you try to match the hash against other sources: the SHA-1 is computed over at most the first 31,457,280 bytes (30 MiB) of the file, so a whole-file hash of a larger binary will not match, and the value is stored in the hive with four leading zero characters ("0000") in front of the 40 hex digits.

Artifact Location: C:\Windows\AppCompat\Programs\Amcache.hve

Note: During my testing I could not easily extract the Amcache.hve file from a live system as the operating system locks the file. No issues with dead box extraction.
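To turn a hive hash into something you can compare with a hash from a sandbox, threat-intel feed or your own disk image, you need to strip the "0000" prefix and hash the candidate file the way Amcache does (first 31,457,280 bytes only). The following is an added example written for this post, not code from the page or from any of the tools listed below; the function names, the constructed sample bytes and the sample hive value are assumptions for illustration.

```python
import hashlib

# Amcache hashes at most the first 31,457,280 bytes (30 MiB) of a file.
AMCACHE_HASH_LIMIT = 31_457_280


def amcache_sha1(data: bytes, limit: int = AMCACHE_HASH_LIMIT) -> str:
    """Return the lowercase hex SHA-1 Amcache would record for in-memory data.

    Only the first ``limit`` bytes are hashed. ``limit`` is a parameter so the
    truncation behaviour can be shown on small inputs instead of a 30 MiB file.
    """
    return hashlib.sha1(data[:limit]).hexdigest()


def amcache_sha1_file(path: str, limit: int = AMCACHE_HASH_LIMIT) -> str:
    """Same as amcache_sha1, but stream a file from disk in 1 MiB chunks."""
    h = hashlib.sha1()
    remaining = limit
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(1 << 20, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def normalize_hive_sha1(value: str) -> str:
    """Strip the four leading zero characters the hive stores before the SHA-1.

    Accepts either the raw 44-character hive value or a plain 40-digit hash,
    in any case, and returns lowercase hex. Anything else raises ValueError so
    a malformed or truncated value is never silently treated as a non-match.
    """
    v = value.strip().lower()
    if len(v) == 44 and v.startswith("0000"):
        v = v[4:]
    if len(v) != 40 or any(c not in "0123456789abcdef" for c in v):
        raise ValueError(f"not an Amcache SHA-1 value: {value!r}")
    return v


def matches_hive_entry(hive_value: str, data: bytes,
                       limit: int = AMCACHE_HASH_LIMIT) -> bool:
    """True if the hive's stored SHA-1 corresponds to ``data``."""
    return normalize_hive_sha1(hive_value) == amcache_sha1(data, limit)


if __name__ == "__main__":
    # Constructed sample: a fake 40 MiB executable (assumed content) and the
    # value an Amcache entry for it would hold (assumed, derived from the same bytes).
    fake_exe = b"MZ" + b"\x90" * (40 * 1024 * 1024)
    hive_value = "0000" + amcache_sha1(fake_exe)

    whole_file = hashlib.sha1(fake_exe).hexdigest()
    print("whole-file SHA-1 :", whole_file)
    print("Amcache SHA-1    :", amcache_sha1(fake_exe))
    print("whole-file match :", whole_file == normalize_hive_sha1(hive_value))  # False
    print("Amcache match    :", matches_hive_entry(hive_value, fake_exe))       # True
```

Use `amcache_sha1_file` against a file carved from an image when you want to confirm that a path recorded in the hive really corresponds to the binary you recovered; for files under 30 MiB the result equals an ordinary SHA-1, so the distinction only bites on large installers and packed payloads.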


Tools

AmcacheParser: Windows command-line tool (free), https://ericzimmerman.github.io

RegRipper: Amcache plugin (free), https://github.com/keydet89

Amcache.py: Python tool (free), https://github.com/williballenthin/python-registry/tree/master/samples

EnCase: EnScript; links for the v6 and v7 EnScripts may be found in this article, http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html


References

Amcache Parser: Reducing the Noise, Finding the Signal, https://binaryforay.blogspot.com/2015/07/amcacheparser-reducing-noise-finding.html

Amcache.hve in Windows 8 – Goldmine for malware hunters, http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html

Amcache.hve – Part 2, http://www.swiftforensics.com/2013/12/amcachehve-part-2.html

* Views are based on my own experience, resources are cited where applicable.
