Amcache
Location and Format
The Amcache.hve is a new registry hive that is located at “C:\Windows\AppCompat\Programs\Amcache.hve”
Purpose
The goal of the Amcache.hve is to track the status of installed applications, programs executed, and drivers that are loaded. This is one of the few forensic artifacts that tracks the SHA1 hash of the executable driver. This feature is a great benefit to Forensicators, most artifcats require us to rely on file name alone.
Forensic Uses
One of the main benefits of this artifact is the SHA1 hash that was previously mentioned. However, another overlooked feature is its format as a registry hive. Along with the file hash, we are also given:
- Full path, file size, and file modification time
- Publisher metadata information
- Executable compilation time
It is important to note that an executable’s presence in the amcache.hve does not indicate execution. Instead it should be viewed as an indication that the executable was present on the system but not necessarily executed.
Analysis Tools
- amcacheparser.exe (https://github.com/EricZimmerman/AmcacheParser)
- appcompatprocessor.py (https://github.com/mbevilacqua/appcompatprocessor)
Example Analysis
Amcache is an evidence of execution artifact that is unique as far as these types of artifacts go. One of its most useful attributes is its tracking of file hashes. Below we are using the amcacheparser tool that is provided by the forensics hero Eric Zimmerman.
- amcacheparser.exe -f H:\[root]\Windows\appcompat\Programs\AppCompat.hve --csv C:\Users\User\Desktop\case\Processed_Evidence --csvf amcache.csv
-f = indicates the file that needs to be parsed, in this case a registry hive –csv = directory where you would like the output to be written –csvf = file name that you would like to be used
Now this artifact is a BIG artifact and since it is a registry hive file, it is essentially a database. This tool parses out all of the tables in this “database” and gives us a csv file for each table. For the machine in which I am analyzing I was given six output files. -amcache_DeviceContainers.csv contains information on devices connected to the system -amcache_DevicePnps.csv contains information on plug and play devices connected to the system -amcache_DriveBinaries.csv contains information about driver binaries on the system, such as when they were signed, and services associated with them -amcache_DriverPackages.csv contains information on driver packages on the system -amcache_Shortcuts.csv contains information on programs and file shortcuts used on the system -amcache_UnassociatedFileEntries.csv
Keep in mind that there are many more tables this artifact can supply and to see what they include I recommend visiting “https://forensafe.com/blogs/AmCache.html”.