AmCache

Used to prove file existence and SHA1 hash

Deep dive into amcache:

https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf

LogoAmCache
LogoRevealing the RecentFileCache.bcf File

Operating System Availability

Major Version
Support
Major Version
Support

Windows 11

Server 2019

Windows 10

Server 2016

Windows 8

Server 2012

Windows 7

⚠️

Server 2008

⚠️

Windows Vista

Server 2003

Windows XP

Windows 7 requires update KB2952664 for the Amcache hive to be present. Amcache is available on Windows Server starting from Windows Server 2008 R2.

File Location:

  • C:\Windows\appcompat\Programs\Amcache.hve

Parsing Data

#Spits out bunch of csvs to analyze.
AmcacheParser.exe -f F:\Tools\investigate\logs\amcache.hve --csv F:\Tools\investigate\logs

Considerations

LogoAmcache.hveWindows Forensic Handbook

  • Cannot be used to prove execution.

  • Automation may enter files into Amcache.

  • Used for file metadata and file presence evidence.

  • 31,457,280 Bytes

  • SHA1 Hashes first 30MB of file.

  • Remove first 4 zeros in hash to interpret legitimate hash.

Inventory Application:

Fully installed programs, not standalone/portable executables.

Inventory Application File:

Loose application files/standalone. Includes SHA1 hash.

  • FileID = SHA1 Hash

  • Link Data = Compiled date

Inventory Driver Binary:

Tracks installed drivers.

https://cyber.gouv.fr/sites/default/files/2019/01/anssi-coriin_2019-amcache_investigation.pdf

LogoAmcacheInfoSec Notes

Anti Forensics

PreviousRecentAppsNextPCA

Last updated