AmCache

Amcache.hve replaces the older RecentFileCache.bcf (the Windows 7 artifact, tied to DLL version 6.1.7600). It is present on Windows 8 and later, and on Windows 7 systems that received the application-compatibility updates.

forensic interest:

  • A good place to start is the InventoryApplicationFile key, which holds one subkey per file and contains:

    • Data available (depending on the version of the Amcache libraries):

      • executable full path - LowerCaseLongPath

      • program size - Size

      • SHA1 of the first 31,457,280 bytes (30 MiB) of the file - FileId (stored as "0000" followed by the 40 hex digits of the hash; for a file larger than 30 MiB this is not the full-file SHA1, so hash the same prefix when comparing)

      • version number - Version / BinFileVersion

      • description and publisher - ProductName / Publisher

      • binary type (x86 versus x64) - BinaryType

      • compile timestamp of the program, taken from the PE header - LinkDate (attacker-controlled, so treat it as a lead, not proof)

    • Linked to entries in the InventoryApplication key through the ProgramId value

    • Entries confirm presence on the device, not execution; the subkey's last-write time is when the appraiser wrote the entry, not when the file ran

  • InventoryDeviceContainer and InventoryDevicePnP:

    • Data available:

      • device type (USB, Bluetooth, media, etc.),

      • device friendly name,

      • self-reported description,

      • manufacturer,

      • associated driver, etc.

    • InventoryDriverBinary and InventoryDriverPackage: data about installed drivers (binary path, version, signing and package information).
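
The FileId comparison described above, as an added example (not code from the original page or from any Amcache tooling): it reproduces the 30 MiB prefix hash so a binary recovered from disk can be matched against the FileId stored in the hive, and handles the two things that trip people up, the "0000" prefix and the truncation for files larger than 31,457,280 bytes. The function names and the sample inputs are my own; the test vectors are constructed.

```python
import hashlib
import io
import re
import sys
from typing import Optional, Union

# Amcache hashes only the first 31,457,280 bytes (30 MiB) of a file and stores
# that SHA-1 in the FileId value as "0000" followed by 40 hex digits.
AMCACHE_HASH_LIMIT = 31_457_280
_FILEID_RE = re.compile(r"^(?:0000)?([0-9a-f]{40})$")


def sha1_prefix(source: Union[bytes, str], limit: int = AMCACHE_HASH_LIMIT,
                chunk: int = 1 << 20) -> str:
    """SHA-1 of at most `limit` bytes of `source` (raw bytes or a file path),
    read in chunks so a multi-GB binary is never loaded into memory."""
    stream = io.BytesIO(source) if isinstance(source, bytes) else open(source, "rb")
    h = hashlib.sha1()
    remaining = limit
    try:
        while remaining > 0:
            buf = stream.read(min(chunk, remaining))
            if not buf:
                break
            h.update(buf)
            remaining -= len(buf)
    finally:
        stream.close()
    return h.hexdigest()


def amcache_file_id(source: Union[bytes, str]) -> str:
    """The FileId value Amcache would record for this content."""
    return "0000" + sha1_prefix(source)


def normalize_file_id(value: str) -> Optional[str]:
    """Strip the '0000' prefix and lowercase; None if the value is not a FileId."""
    m = _FILEID_RE.match((value or "").strip().lower())
    return m.group(1) if m else None


def file_id_matches(file_id_value: str, source: Union[bytes, str]) -> bool:
    """True when the file on disk (or the bytes given) is the one Amcache recorded."""
    expected = normalize_file_id(file_id_value)
    return expected is not None and sha1_prefix(source) == expected


if __name__ == "__main__":
    # usage: amcache_fileid.py <FileId value from the hive> <path to binary>
    print("match" if file_id_matches(sys.argv[1], sys.argv[2]) else "MISMATCH")
```

A mismatch on a file whose LowerCaseLongPath is still present means the binary was replaced after the appraiser recorded it; a match on a file larger than 30 MiB only proves the first 30 MiB are identical.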

Data is logged in Amcache upon the following:

  1. executed (and shimmed) GUI apps

  2. files/exes that were copied as part of app execution

  3. exes present in directories scanned by the Microsoft Compatibility Appraiser scheduled task (\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser)

C:\Windows\AppCompat\Programs\Amcache.hve

ProgramDataUpdater (a task associated with the Application Experience service) uses the registry file Amcache.hve to store data during process creation. The Amcache is a standalone registry hive with multiple root keys that contain the different types of data listed above, so any offline hive parser can read it. On a live system the hive is in use, so collect it with a raw-access copier or from a disk image rather than a plain file copy.

Parse:

AmcacheParser by Eric Zimmerman

Outputs into:

  • FileEntries and UnassociatedFileEntries - InventoryApplicationFile split in two: unassociated = files with no ProgramId link to an installed application in InventoryApplication, which is where loose tooling and dropped binaries show up - the primary forensic interest

  • Shortcuts,

  • DriverPackages / DriverBinaries (look for drivers loaded from outside C:\Windows\System32),

  • DevicePnPs, DeviceContainers


PowerForensics:

# Import the PowerForensics module (the .psd1 manifest is imported, not executed)
Import-Module .\PowerForensics.psd1

# Defaults to the live hive at C:\Windows\AppCompat\Programs\Amcache.hve
Get-ForensicAmcache | Out-File <OUTPUT_FILE>

# From an exported hive or a mounted disk image
Get-ForensicAmcache -HivePath "<C:\Windows\AppCompat\Programs\Amcache.hve | EXPORTED_HIVE_PATH>" | Out-File <OUTPUT_FILE>

AmcacheParser:

# -i on also includes the file entries tied to installed programs; --csv sets the output directory
AmcacheParser.exe -f "<C:\Windows\AppCompat\Programs\Amcache.hve | EXPORTED_HIVE_PATH>" -i on --csv <OUTPUTDIR_PATH>
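
Once the CSVs exist, the work is triage of the unassociated entries. The following is an added example, not part of the original page and not part of AmcacheParser: it reads an UnassociatedFileEntries CSV and flags the patterns a reviewer looks for first (binaries in user-writable or staging directories, PE files hiding behind a non-executable extension, a LinkDate later than the key's write time, one SHA1 recorded under several names, and files with no version metadata). The column names (FullPath, Name, FileExtension, SHA1, IsPeFile, LinkDate, FileKeyLastWriteTimestamp, ProductName, Version) and the timestamp format are assumed to match AmcacheParser's output and may need adjusting for your version; the sample rows are constructed.

```python
import csv
import io
import sys
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Directories where an installed program rarely lives but dropped tooling often does.
SUSPECT_DIRS = (
    "\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\",
    "\\users\\public\\", "\\programdata\\", "\\$recycle.bin\\", "\\perflogs\\",
)
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl", ".ocx"}
# Assumed AmcacheParser timestamp layouts (default is "yyyy-MM-dd HH:mm:ss").
TS_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S")

# Constructed sample rows; column names assumed to follow AmcacheParser.
SAMPLE_CSV = (
    "ApplicationName,ProgramId,FileKeyLastWriteTimestamp,SHA1,IsOsComponent,FullPath,Name,"
    "FileExtension,LinkDate,ProductName,Size,Version,IsPeFile\n"
    "Unassociated,,2024-03-01 10:00:00,1111111111111111111111111111111111111111,False,"
    "C:\\Program Files\\7-Zip\\7z.exe,7z.exe,.exe,2023-06-15 08:12:44,7-Zip,560640,23.01,True\n"
    "Unassociated,,2024-03-01 10:00:00,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,False,"
    "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe,svchost.exe,.exe,2024-02-20 03:41:09,,73216,,True\n"
    "Unassociated,,2024-03-01 10:00:00,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,False,"
    "C:\\ProgramData\\update.dat,update.dat,.dat,2024-02-20 03:41:09,,73216,,True\n"
    "Unassociated,,2024-03-01 10:00:00,2222222222222222222222222222222222222222,False,"
    "C:\\Tools\\agent.exe,agent.exe,.exe,2030-01-01 00:00:00,Agent,120832,1.0,True\n"
)


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an AmcacheParser timestamp; None when empty or unrecognised."""
    value = (value or "").strip()
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(value[:26], fmt)
        except ValueError:
            continue
    return None


def norm_sha1(value: Optional[str]) -> str:
    """Lowercase the hash and drop a leading '0000' if the raw FileId was exported."""
    v = (value or "").strip().lower()
    return v[4:] if len(v) == 44 and v.startswith("0000") else v


def triage_unassociated(csv_text: str) -> Dict[str, List[str]]:
    """Return {FullPath: [reasons]} for every row that deserves a second look."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    names_by_hash = defaultdict(set)
    for r in rows:
        if norm_sha1(r.get("SHA1")):
            names_by_hash[norm_sha1(r.get("SHA1"))].add((r.get("Name") or "").lower())

    findings: Dict[str, List[str]] = {}
    for r in rows:
        path = r.get("FullPath") or ""
        low = path.lower()
        flags = []
        if any(d in low for d in SUSPECT_DIRS):
            flags.append("user-writable or staging directory")
        ext = (r.get("FileExtension") or "").lower()
        if (r.get("IsPeFile") or "").lower() == "true" and ext not in PE_EXTENSIONS:
            flags.append(f"PE file with non-executable extension {ext or '(none)'}")
        link, seen = parse_ts(r.get("LinkDate")), parse_ts(r.get("FileKeyLastWriteTimestamp"))
        if link and seen and link > seen:
            flags.append("LinkDate later than the Amcache key write (forged or timestomped compile time)")
        names = names_by_hash.get(norm_sha1(r.get("SHA1")), set())
        if len(names) > 1:
            flags.append("same SHA1 recorded under %d different names: %s"
                         % (len(names), ", ".join(sorted(names))))
        if not (r.get("ProductName") or "").strip() and not (r.get("Version") or "").strip():
            flags.append("no product name or version metadata")
        if flags:
            findings[path] = flags
    return findings


if __name__ == "__main__":
    # usage: triage.py <path to *_UnassociatedFileEntries.csv>; no argument runs the sample
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for path, reasons in triage_unassociated(text).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The same-hash-different-names check is the one worth keeping even if you drop the rest: it catches a tool that was renamed to blend in, and since the FileId is a content hash it survives any renaming or timestomping of the file itself.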
