Amcache

Amcache in Windows Forensics

The Amcache hive is a pivotal forensic artifact for tracking executed applications and collecting detailed metadata about them. Compared with other execution artifacts, Amcache provides specific evidence of program execution, including for executables run from external sources such as USB drives and network shares.


Key Features of Amcache

  1. Reliable Evidence of Execution

    • Confirms actual execution of applications.

    • Logs metadata even for deleted or removed executables.

  2. Detailed Metadata

    • File Path: Shows the location of the executed file.

    • Size and Description: Provides file attributes.

    • Publisher Name: Indicates the software's vendor.

    • SHA-1 Hash: Facilitates quick reputation checks on threat intelligence platforms.

  3. Broad Coverage of Executables

    • Tracks local applications, USB-based files, and network-shared executables.

  4. Comparison: Amcache vs. Shimcache

    • Amcache: Offers conclusive evidence of execution with detailed metadata.

    • Shimcache: Records files visible in File Explorer but lacks definitive proof of execution.


Location of Amcache Hive

The Amcache hive file is located at:

C:\Windows\AppCompat\Programs\Amcache.hve

Analyzing Amcache Data

Tool: AmcacheParser

Developed by Eric Zimmerman, AmcacheParser is a CLI-based tool for extracting and analyzing Amcache data.

Command Example:

AmcacheParser.exe -f "C:\Windows\AppCompat\Programs\Amcache.hve" --csv "C:\Output" --csvf amcache_output.csv

(Note: the output directory is given without a trailing backslash; a trailing backslash directly before the closing quote is treated as an escaped quote by the command-line parser and breaks the argument.)

Key Features:

  • Outputs results in CSV format for easy analysis.

  • Supports whitelisting (-w) and blacklisting (-b) to filter known good or malicious hashes.


Enhanced Analysis with Timeline Explorer

After parsing the Amcache data:

  1. Load CSV Output:

    • Open the generated CSV file in Timeline Explorer (another Zimmerman tool).

    • Provides a sortable, timeline-based interface.

  2. Filter Key Columns:

    • Execution Timestamps: Pinpoint when specific executables were run.

    • SHA-1 Hashes: Quickly check file reputation using platforms like VirusTotal.

    • File Paths and Metadata: Investigate suspicious file locations or unknown publishers.


Practical Use Case: Incident Response

Scenario: A company detects suspicious activity during a network breach. Analysts leverage Amcache to uncover the attacker's movements.

  1. Investigation:

    • Amcache shows the execution of an unknown file (malicious.exe) located on a USB drive.

    • Metadata reveals no publisher information, and the SHA-1 hash doesn't match any known safe applications.

  2. Actionable Intelligence:

    • Analysts submit the SHA-1 hash to VirusTotal, confirming the file as a new malware variant.

    • The timestamp correlates with the breach window, helping to reconstruct the attack timeline.

  3. Remediation:

    • Immediate isolation of affected systems.

    • Use findings to improve endpoint detection rules and update IOC lists.
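The filtering described under "Filter Key Columns" and the investigation steps in the scenario above can be automated over the AmcacheParser CSV export. The script below is an added example, not part of the original page or of AmcacheParser itself. It assumes column names modelled on the parser's output (FileKeyLastWriteTimestamp, SHA1, FullPath, Publisher, Size, Description) and a constructed four-row sample with placeholder hashes; the known-good set stands in for the whitelist you would otherwise pass with -w. Adjust the column names to the real header of your export.

```python
import csv
import io
from datetime import datetime

# Placeholder SHA-1 values for the constructed sample (not real hashes).
H_NOTEPAD = "1" * 40
H_MAL = "2" * 40
H_INST = "3" * 40
H_HELPER = "4" * 40

# Constructed sample in the shape of an AmcacheParser CSV export.
# Column names are an assumption; match them to your real header.
SAMPLE_CSV = (
    "FileKeyLastWriteTimestamp,SHA1,FullPath,Publisher,Size,Description\n"
    f"2024-03-11 08:02:13,{H_NOTEPAD},C:\\Windows\\System32\\notepad.exe,Microsoft Corporation,201216,Notepad\n"
    f"2024-03-11 09:15:40,{H_MAL},E:\\tools\\malicious.exe,,48128,\n"
    f"2024-03-11 09:20:05,{H_INST},C:\\Users\\alice\\Downloads\\installer.exe,Example Vendor,1048576,Installer\n"
    f"2024-03-10 17:45:00,{H_HELPER},E:\\tools\\helper.exe,,12288,\n"
)

# Constructed known-good hash set (the role a -w whitelist file plays).
KNOWN_GOOD = {H_NOTEPAD}

SYSTEM_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def parse_amcache_csv(text):
    """Parse AmcacheParser-style CSV text into dicts with a datetime under 'ts'.
    Timestamps are treated as UTC, which is how the parser writes them."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["FileKeyLastWriteTimestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def suspicion_reasons(row, known_good):
    """Return the list of reasons an entry deserves a closer look.
    A known-good hash short-circuits to no reasons at all."""
    if row["SHA1"].lower() in {h.lower() for h in known_good}:
        return []
    reasons = []
    if not row["Publisher"].strip():
        reasons.append("no publisher metadata")
    if not row["FullPath"].lower().startswith(SYSTEM_PREFIXES):
        reasons.append("executed from outside Windows/Program Files")
    drive = row["FullPath"][:2].upper()
    if drive != "C:":
        reasons.append(f"non-system volume {drive}")
    return reasons


def triage(text, known_good=KNOWN_GOOD, window_start=None, window_end=None, min_reasons=2):
    """Return suspicious entries sorted by timestamp (a mini timeline),
    optionally restricted to a breach window. An entry is reported when it
    accumulates at least min_reasons independent indicators."""
    hits = []
    for row in parse_amcache_csv(text):
        if window_start is not None and row["ts"] < window_start:
            continue
        if window_end is not None and row["ts"] > window_end:
            continue
        reasons = suspicion_reasons(row, known_good)
        if len(reasons) >= min_reasons:
            hits.append({
                "ts": row["ts"],
                "path": row["FullPath"],
                "sha1": row["SHA1"],
                "reasons": reasons,
            })
    return sorted(hits, key=lambda h: h["ts"])


if __name__ == "__main__":
    # Breach window from the scenario: constructed for the sample data.
    start = datetime(2024, 3, 11, 9, 0, 0)
    end = datetime(2024, 3, 11, 10, 0, 0)
    for hit in triage(SAMPLE_CSV, window_start=start, window_end=end):
        print(hit["ts"], hit["path"], hit["sha1"], "; ".join(hit["reasons"]))
```

The two-indicator threshold is a deliberate design choice: a single signal such as "outside Program Files" would flag every user download, whereas an unsigned binary with no publisher on a non-system volume is exactly the pattern the scenario describes. Hashes reported by the script are what you would then submit for reputation lookup; the script itself stays offline.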


Conclusion

The Amcache hive is an essential artifact in Windows forensics, providing concrete evidence of executed programs, along with detailed metadata. Tools like AmcacheParser and Timeline Explorer streamline the extraction and analysis of this data, enabling efficient incident response and threat hunting.
