Amcache


Last updated 1 year ago

Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on artefacts.help.

Overview

Location: %systemroot%\AppCompat\Programs\Amcache.hve

Amcache replaces the RecentFileCache (which was linked to DLL version 6.1.7600).

It yields information related to program execution.

The Amcache is a very complex artefact, linked to an application compatibility feature that aims to maintain support for existing software on new versions of the Windows operating system (like the Shimcache artefact). ProgramDataUpdater (a task associated with the Application Experience Service) uses the registry file Amcache.hve to store data during process creation. The Amcache is a standalone registry hive, with multiple root keys that contain various types of data.

The Amcache behavior depends on the version of the associated libraries, and not the version of the operating system. The Amcache on an up-to-date Windows 7 and Windows 10 will thus behave the same way.

For a very comprehensive analysis of the Amcache artefact, and its evolution across the different releases of the underlying DLL, refer to ANSSI's ANALYSIS OF THE AMCACHE v2 white paper.

Information of interest

The Amcache.hve registry hive is split into a number of root keys, with keys being added, changed, or removed depending on the version of the Amcache DLLs.

The following notable root keys can be of forensic interest:

  • File then InventoryApplicationFile starting from the version 10.0.14913.1002 of the Amcache libraries (AmcacheParser outputs AssociatedFileEntries and UnassociatedFileEntries):

    • Data about program executions if they are shimmed, programs that are part of an installed application, or programs found in scanned directories (without requiring execution of the associated programs).

    • Data available (depending on the Amcache library version): executable full path, program size, SHA1 of the first 30MB of the executable in the FileId value, binary type (x86 versus x64), and the compilation date of the program in the LinkDate value.

    • Additional data for entries associated with an installed application is available in the InventoryApplication key. The ProgramId value from the InventoryApplicationFile subkey of a given program matches the subkey's name under the InventoryApplication key of the associated application. The InventoryApplication key provides metadata about the application: name, publisher, install date, etc.

    • On systems that are not up to date and still use a File key, the last write time of an entry key under the File key coincides with the execution time of an executable that is not associated with an application. For executables that are part of an application, the last write time coincides with either the application installation time or the first execution if the executable needed shimming. For entries under the newer InventoryApplicationFile key, the last write time of the keys always coincides with an execution of the Microsoft Compatibility Appraiser and is thus no longer a timestamp of execution.

    • AmcacheParser's AssociatedFileEntries output references programs associated with an application and UnassociatedFileEntries output references "loose" programs (that are not associated with an installed application).

  • InventoryDeviceContainer and InventoryDevicePnp (AmcacheParser outputs DeviceContainers and DevicePnp):

    • Data about devices plugged in on the system.

    • Data available: device type (USB, Bluetooth, media, etc.), device friendly name, self-reported description, manufacturer, associated driver, etc.

  • InventoryDriverBinary (AmcacheParser output DriverBinaries):

    • Data about installed drivers.

    • Data available: driver name, full path, size, associated service name, compilation timestamp (DriverTimestamp), driver file last write timestamp, etc.

  • InventoryDriverPackage (AmcacheParser output DriverPackages):

    • Data about driver package files (INF files), which contain information about the driver.

    • Data available: driver package file name, path, last write timestamp, etc.

  • Programs then InventoryApplication (AmcacheParser output ProgramEntries):

    • Data about installed programs, as referenced in the Uninstall and / or a Run key of the SOFTWARE hive.

    • Data available: application name, executable full path and SHA1, publisher, install date, etc.

  • InventoryApplicationShortcut (AmcacheParser output ShortCuts):

    • Data about the shortcuts (LNK files) that were present at one time in a subset of scanned folders (Start Menu and / or Desktop folders); the shortcuts may still be present or may since have been removed.

    • Data available: full path of the shortcut. The last write timestamp of the associated subkey can also be a general indicator of when the activity occurred but does not seem to match any MACB timestamps of the shortcut file.
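The ProgramId join and the Associated / Unassociated split described above, together with a check of the FileId hash against a binary, as an added Python example (not code from the page, from PowerForensics or from AmcacheParser). The records are constructed, the value names follow the InventoryApplicationFile / InventoryApplication keys, and the "0000" prefix on FileId values is the hive's storage format rather than something stated on this page.

```python
import hashlib
import io

FILEID_HASH_LIMIT = 30 * 1024 * 1024  # Amcache hashes only the first 30 MB


def amcache_fileid(fileobj):
    """FileId as stored in the hive: '0000' followed by the SHA1 of the first 30 MB."""
    sha1 = hashlib.sha1()
    remaining = FILEID_HASH_LIMIT
    while remaining > 0:
        chunk = fileobj.read(min(65536, remaining))
        if not chunk:
            break
        sha1.update(chunk)
        remaining -= len(chunk)
    return "0000" + sha1.hexdigest()


def fileid_of_bytes(data):
    """Hash an in-memory binary; for a file on disk pass open(path, 'rb') to amcache_fileid."""
    return amcache_fileid(io.BytesIO(data))


def correlate(file_entries, applications):
    """Join InventoryApplicationFile rows to InventoryApplication rows on ProgramId.
    Returns (associated, unassociated): AmcacheParser's AssociatedFileEntries /
    UnassociatedFileEntries split. SHA1 is the FileId without its '0000' prefix."""
    associated, unassociated = [], []
    for entry in file_entries:
        record = dict(entry, SHA1=entry["FileId"][4:].lower())
        app = applications.get(entry.get("ProgramId"))
        if app is None:
            unassociated.append(record)  # "loose" program, no installed application
        else:
            record.update(ApplicationName=app["Name"], Publisher=app["Publisher"],
                          InstallDate=app["InstallDate"])
            associated.append(record)
    return associated, unassociated


# Constructed sample records (hypothetical, not from a real hive). APPLICATIONS is
# keyed by InventoryApplication subkey name, which is the ProgramId.
APPLICATIONS = {"0006aaaa1111": {"Name": "Example Editor", "Publisher": "Example Corp",
                                 "InstallDate": "01/15/2023 00:00:00"}}
FILE_ENTRIES = [
    {"LowerCaseLongPath": r"c:\program files\example editor\editor.exe",
     "ProgramId": "0006aaaa1111", "FileId": "0000" + "a" * 40},
    {"LowerCaseLongPath": r"c:\users\analyst\downloads\tool.exe",
     "ProgramId": "0006ffff9999", "FileId": "0000" + "B" * 40},  # matches no application
]
```

A mismatch between the stripped SHA1 and a hash recomputed from the file on disk means the binary at that path has been replaced since the Amcache entry was written.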

Parsing

The PowerShell cmdlet Get-ForensicAmcache of the PowerForensics suite can be used to parse the Amcache.hve registry hive. The AmcacheParser utility, which supports Windows 10, can be used to parse an exported Amcache.hve registry hive.

# Load the PowerShell PowerForensics module from its manifest
Import-Module .\PowerForensics.psd1

# Defaults to the live hive: C:\Windows\AppCompat\Programs\Amcache.hve
Get-ForensicAmcache | Out-File <OUTPUT_FILE>

# From a specific hive (live system or mounted disk image / exported hive)
Get-ForensicAmcache -HivePath "<C:\Windows\AppCompat\Programs\Amcache.hve | EXPORTED_HIVE_PATH>" | Out-File <OUTPUT_FILE>

# AmcacheParser (Eric Zimmerman): -i on includes file entries for Programs entries, --csv sets the output directory
AmcacheParser.exe -f "<C:\Windows\AppCompat\Programs\Amcache.hve | EXPORTED_HIVE_PATH>" -i on --csv <OUTPUTDIR_PATH>