AmCache

Amcache is a replacement of the RecentFileCache (that was linked to DLL version 6.1.7600).
Forensic interest:
A good place to start is the InventoryApplicationFile key. Data available there (depending on the Amcache libraries version):
- executable full path - LowerCaseLongPath
- program size - Size
- SHA1 of the first 31.4 MB of the executable, stored in the FileId value
- version number
- description and publisher
- binary type (x86 versus x64)
- the compilation date of the program (from the PE header), stored in the LinkDate value
Entries are linked by ProgramId to names within the InventoryApplication key. Entries confirm presence on the device, not execution.
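Because FileId holds a SHA1 of only the leading part of the executable, a file recovered from disk has to be hashed the same way before it can be compared with the hive entry. The following is an added example (not code from the original page): it hashes at most the first 31,457,280 bytes (the page's "31.4 MB", taken here as 30 MiB, which is an assumption) and strips the four-zero prefix that FileId values carry before the hex digest (a documented convention that the page itself does not spell out).

```python
import hashlib

# Assumption: the page's "first 31.4 MB" is taken as 31,457,280 bytes (30 MiB).
AMCACHE_HASH_LIMIT = 31_457_280


def amcache_hash_bytes(data, limit=AMCACHE_HASH_LIMIT):
    """SHA1 over at most the first `limit` bytes of an in-memory buffer."""
    return hashlib.sha1(data[:limit]).hexdigest()


def amcache_hash_file(path, limit=AMCACHE_HASH_LIMIT):
    """Stream SHA1 over at most the first `limit` bytes of a file on disk,
    so large binaries are not read fully into memory."""
    h = hashlib.sha1()
    remaining = limit
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(1 << 20, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def sha1_from_file_id(file_id):
    """FileId stores the SHA1 hex digest with a leading '0000'; return the bare digest.
    Already-stripped 40-character digests are accepted as well."""
    fid = file_id.strip().lower()
    if len(fid) == 44 and fid.startswith("0000"):
        return fid[4:]
    if len(fid) == 40:
        return fid
    raise ValueError(f"unexpected FileId format: {file_id!r}")


def bytes_match_entry(data, file_id, limit=AMCACHE_HASH_LIMIT):
    """True when the recovered file content hashes to the hive entry's FileId."""
    return amcache_hash_bytes(data, limit) == sha1_from_file_id(file_id)


if __name__ == "__main__":
    # Constructed sample: a tiny "executable" and a FileId built from it.
    sample = b"MZ" + b"\x00" * 62 + b"constructed sample binary"
    file_id = "0000" + hashlib.sha1(sample).hexdigest()
    print("match:", bytes_match_entry(sample, file_id))
    print("tampered:", bytes_match_entry(sample + b"x", file_id))
```

A mismatch between the on-disk hash and FileId does not by itself prove tampering: the entry may describe an earlier build at the same path, which is why LinkDate and Size should be checked alongside the hash.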
InventoryDeviceContainer and InventoryDevicePnP:
Data available:
- device type (USB, Bluetooth, media, etc.)
- device friendly name
- self-reported description
- manufacturer
- associated driver, etc.
- data about installed drivers
Data is logged in AmCache upon the following:
- executed (and shimmed) GUI apps
- files/exes that were copied as part of app execution
- exes present in a directory scanned by the Microsoft Compatibility Appraiser scheduled task
ProgramDataUpdater (a task associated with the Application Experience Service) uses the registry file Amcache.hve to store data during process creation. The Amcache is a standalone registry hive, with multiple root keys that contain various types of data.
Parse:
Outputs into:
- fileEntries and unassociated_fileEntries - this is InventoryApplicationFile split into two; unassociated = apps that aren't directly linked to installed apps (forensic interest)
- Shortcuts
- DriverPackages/DriverBinaries (look for drivers not in C:\Windows\System32)
- DevicePnPs
- DeviceContainers
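The split into associated and unassociated file entries, and the "drivers not in System32" check, are simple to apply once the hive has been parsed into rows. The following is an added example (not the page's or any parser's own code): the row dictionaries and their field names (ProgramId, LowerCaseLongPath, DriverName) are constructed assumptions modelled on the outputs listed above, and the sample rows are made up for illustration.

```python
import ntpath

SYSTEM32 = r"c:\windows\system32"

# Constructed sample rows standing in for parsed Amcache output.
INVENTORY_APPLICATION = [
    {"ProgramId": "0006aaaa", "Name": "Example Editor"},
]
FILE_ENTRIES = [
    {"ProgramId": "0006aaaa", "LowerCaseLongPath": r"c:\program files\example editor\editor.exe"},
    {"ProgramId": "0006bbbb", "LowerCaseLongPath": r"c:\users\alice\appdata\local\temp\update.exe"},
    {"ProgramId": "", "LowerCaseLongPath": r"c:\windows\system32\notepad.exe"},
]
DRIVER_BINARIES = [
    {"DriverName": r"c:\windows\system32\drivers\disk.sys"},
    {"DriverName": r"C:\Windows\System32\DriverStore\FileRepository\x\y.sys"},
    {"DriverName": r"c:\users\alice\downloads\helper.sys"},
]


def _norm(path):
    # Lower-case and normalise separators so prefix checks are case-insensitive.
    return ntpath.normpath(path.replace("/", "\\")).lower()


def split_file_entries(file_rows, application_rows):
    """Split InventoryApplicationFile rows into (associated, unassociated) by
    whether their ProgramId points at an InventoryApplication entry."""
    known_ids = {r["ProgramId"] for r in application_rows if r.get("ProgramId")}
    associated, unassociated = [], []
    for row in file_rows:
        (associated if row.get("ProgramId") in known_ids else unassociated).append(row)
    return associated, unassociated


def drivers_outside_system32(driver_rows):
    """Return driver binary paths that are not located under C:\\Windows\\System32."""
    hits = []
    for row in driver_rows:
        p = _norm(row["DriverName"])
        if not (p == SYSTEM32 or p.startswith(SYSTEM32 + "\\")):
            hits.append(row["DriverName"])
    return hits


if __name__ == "__main__":
    assoc, unassoc = split_file_entries(FILE_ENTRIES, INVENTORY_APPLICATION)
    print("unassociated file entries:")
    for row in unassoc:
        print("  ", row["LowerCaseLongPath"])
    print("drivers outside System32:")
    for path in drivers_outside_system32(DRIVER_BINARIES):
        print("  ", path)
```

Entries in DriverStore\FileRepository still sit beneath System32 and are therefore not flagged; the point of the check is to surface driver binaries loaded from user-writable locations, which then need to be corroborated with other artifacts since, as noted above, an Amcache entry shows presence rather than execution.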