AmCache

Used to prove file existence and SHA1 hash

Deep dive into amcache:

https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf

AmCacheforensafe.com

Revealing the RecentFileCache.bcf Filejourneyintoir.blogspot.com

Operating System Availability

Major Version	Support	Major Version	Support
Windows 11	✅	Server 2019	✅
Windows 10	✅	Server 2016	✅
Windows 8	✅	Server 2012	✅
Windows 7	⚠️	Server 2008	⚠️
Windows Vista	❌	Server 2003	❌
Windows XP	❌

Windows 7 requires update KB2952664 for the Amcache hive to be present. Amcache is available on Windows Server starting from Windows Server 2008 R2.

File Location:

• C:\Windows\appcompat\Programs\Amcache.hve

Parsing Data

#Spits out bunch of csvs to analyze.
AmcacheParser.exe -f F:\Tools\investigate\logs\amcache.hve --csv F:\Tools\investigate\logs

Considerations

Amcache.hve | Windows Forensic Handbookpsmths.gitbook.io

• Cannot be used to prove execution.

• Automation may enter files into Amcache.

• Used for file metadata and file presence evidence.

• 31,457,280 Bytes

• SHA1 Hashes first 30MB of file.

• Remove first 4 zeros in hash to interpret legitimate hash.

Inventory Application:

Fully installed programs, not standalone/portable executables.

Inventory Application File:

Loose application files/standalone. Includes SHA1 hash.

• FileID = SHA1 Hash

• Link Data = Compiled date

Inventory Driver Binary:

Tracks installed drivers.

https://cyber.gouv.fr/sites/default/files/2019/01/anssi-coriin_2019-amcache_investigation.pdf

Amcache | InfoSec Notesnotes.qazeer.io

Anti Forensics