AmCache

Used to prove file existence and SHA1 hash

Deep dive into amcache:

https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf

AmCache

Revealing the RecentFileCache.bcf File

Operating System Availability

Major Version	Support	Major Version	Support
Windows 11	✅	Server 2019	✅
Windows 10	✅	Server 2016	✅
Windows 8	✅	Server 2012	✅
Windows 7	⚠️	Server 2008	⚠️
Windows Vista	❌	Server 2003	❌
Windows XP	❌

Major Version

Support

Major Version

Support

Windows 11

✅

Server 2019

✅

Windows 10

✅

Server 2016

✅

Windows 8

✅

Server 2012

✅

Windows 7

⚠️

Server 2008

⚠️

Windows Vista

❌

Server 2003

❌

Windows XP

❌

Windows 7 requires update KB2952664 for the Amcache hive to be present. Amcache is available on Windows Server starting from Windows Server 2008 R2.

File Location:

C:\Windows\appcompat\Programs\Amcache.hve

Parsing Data

#Spits out bunch of csvs to analyze.
AmcacheParser.exe -f F:\Tools\investigate\logs\amcache.hve --csv F:\Tools\investigate\logs

Considerations

Amcache.hveWindows Forensic Handbook

Cannot be used to prove execution.
Automation may enter files into Amcache.
Used for file metadata and file presence evidence.
31,457,280 Bytes
SHA1 Hashes first 30MB of file.
Remove first 4 zeros in hash to interpret legitimate hash.

Inventory Application:

Fully installed programs, not standalone/portable executables.

Inventory Application File:

Loose application files/standalone. Includes SHA1 hash.

FileID = SHA1 Hash
Link Data = Compiled date

Inventory Driver Binary:

Tracks installed drivers.

https://cyber.gouv.fr/sites/default/files/2019/01/anssi-coriin_2019-amcache_investigation.pdf

AmcacheInfoSec Notes

Anti Forensics

PreviousRecentApps NextPCA

Last updated 4 months ago