The Amcache.hve is a registry hive file that is created by Microsoft® Windows® to store information related to the execution of programs. This paper highlights the evidential potential of the Amcache.hve file and its application in the area of user activity analysis. The study uncovers numerous artifacts retained in the Amcache.hve file when a user performs certain actions such as running host-based applications, installing new applications, or running portable applications from external devices. The results of experiments demonstrate that the Amcache.hve file stores intriguing artifacts related to applications, such as timestamps of creation and last modification of any application; the name, description, publisher name and version of applications; the execution file path; the SHA-1 hash of executable files, etc. These artifacts are found to persist even after the applications have been deleted from the system. Further experiments were conducted to evaluate the forensic usefulness of the information stored in Amcache.hve, and it was found that Amcache.hve information is propitious for tracing deleted applications, malware programs and applications run from external devices. Finally, a comparison of the information in the Amcache.hve file with information in other similar sources (IconCache.db, SRUDB.dat and Prefetch files) is shown, in order to provide more useful information to forensic investigators.

Singh, Bhupendra and Singh, Upasna (2016) "Leveraging the Windows Amcache.hve File in Forensic Investigations," Journal of Digital Forensics, Security and Law: Vol. 11, No. 4, Article 7.
DOI: https://doi.org/10.15394/jdfsl.2016.1429

Image source: https://binaryforay.blogspot.com/2015/07/amcacheparser-reducing-noise-finding.html

Resources

Amcache.hve in Windows 8 - Goldmine for malware hunters
http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html

Amcache and Shimcache in forensic analysis
https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/

Analysis of the AmCache
https://cyberforensicator.com/2019/01/22/analysis-of-the-amcache/

The Windows Amcache Hive
http://digitalforensicsurvivalpodcast.com/2016/07/05/dfsp-020-amcache-forensics-find-evidence-of-app-execution/

Amcache and USB Device Tracking
https://df-stream.com/2017/10/amcache-and-usb-device-tracking/

AmcacheParser: Reducing the noise, finding the signal
https://binaryforay.blogspot.com/2015/07/amcacheparser-reducing-noise-finding.html

(Am)cache still rules everything around me (part 2 of 1)
https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html