AmCache

Amcache replaces the RecentFileCache (which was tied to DLL version 6.1.7600).

Forensic interest:

  • A good place to start is looking at the InventoryApplicationFile key, which contains:

    • Data available (depending on the Amcache libraries version):

      • executable full path - LongCaseLongPath

      • program size - Size

• SHA1 of the first 31.4 MB of the executable, stored in the FileId value

      • Version number

      • description and publisher

      • binary type (x86 versus x64),

      • the compilation date of the program (PE Headers) in the LinkDate value

    • Linked to ProgramId names within the InventoryApplication key

• Entries confirm presence on the device, not execution

  • InventoryDeviceContainer and InventoryDevicePnP:

    • Data available:

• device type (USB, Bluetooth, media, etc.),

      • device friendly name,

      • self reported description,

      • manufacturer,

      • associated driver, etc.

    • Data about installed drivers.
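The FileId value above is a hash of only the leading part of the executable, so a full-file SHA1 of a recovered binary will not match it once the file is larger than the cutoff. The following added example (not part of the original notes) recomputes the Amcache-style hash and compares it with a FileId; it assumes the cutoff is 31,457,280 bytes (the "31.4 MB" in the notes) and that the stored FileId carries a leading "0000" before the 40 hex digits.

```python
"""Verify an Amcache FileId against a recovered binary (added example)."""
import hashlib
import io
from typing import BinaryIO

# Assumption: Amcache hashes only the first 31,457,280 bytes of the file.
AMCACHE_HASH_LIMIT = 31_457_280
CHUNK = 1024 * 1024


def amcache_sha1(stream: BinaryIO) -> str:
    """Return the hex SHA1 over at most AMCACHE_HASH_LIMIT bytes of stream."""
    h = hashlib.sha1()
    remaining = AMCACHE_HASH_LIMIT
    while remaining > 0:
        buf = stream.read(min(CHUNK, remaining))
        if not buf:
            break
        h.update(buf)
        remaining -= len(buf)
    return h.hexdigest()


def amcache_sha1_bytes(data: bytes) -> str:
    """Convenience wrapper for in-memory data (e.g. a carved file)."""
    return amcache_sha1(io.BytesIO(data))


def normalize_file_id(file_id: str) -> str:
    """Lower-case the value and drop the assumed 4-character '0000' prefix."""
    file_id = file_id.strip().lower()
    if len(file_id) == 44 and file_id.startswith("0000"):
        file_id = file_id[4:]
    return file_id


def file_id_matches(file_id: str, data: bytes) -> bool:
    """True if the Amcache FileId value corresponds to the given file content."""
    return normalize_file_id(file_id) == amcache_sha1_bytes(data)


def demo() -> dict:
    """Constructed sample larger than the cutoff: the Amcache hash differs from
    the full-file SHA1, which is why a plain sha1sum will not match FileId."""
    big = b"MZ" + b"\x90" * (AMCACHE_HASH_LIMIT + 16)  # constructed, not a real PE
    partial = amcache_sha1_bytes(big)
    full = hashlib.sha1(big).hexdigest()
    return {"amcache": partial, "full": full, "differs": partial != full}
```

Point `amcache_sha1` at an open file handle to check a binary on disk against the FileId exported by a parser.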

Data is logged in AmCache upon the following:

  1. executed (and shimmed) GUI apps

  2. files/executables that were copied as part of app execution

  3. executables present in directories scanned by the Microsoft Compatibility Appraiser scheduled task

ProgramDataUpdater (a task associated with the Application Experience Service) uses the registry file Amcache.hve to store data during process creation. The Amcache is a standalone registry hive, with multiple root keys that contain various types of data.

Parse:

AmcacheParser by Eric Zimmerman

Outputs into:

  • fileEntries and unassociated_fileEntries: InventoryApplicationFile split into two; unassociated = apps that aren't directly linked to an installed app (forensic interest)

  • Shortcuts,

  • DriverPackages/DriverBinaries (look for drivers not in C:\Windows\System32),

  • DevicePnPs, DeviceContainers

PowerForensics:
