amcache.hve

Description

Tool used: AmcacheParser

The Amcache.hve file is a registry hive (it can be opened with any registry hive parser) in which Windows records information about executables and installed programs found on the system, and it is commonly used to establish which applications were present and, with supporting evidence, executed. It is located at C:\Windows\AppCompat\Programs\Amcache.hve.

Each entry stores, among other fields, the full path of the executable and a SHA1 hash, which makes the hive valuable for reconstructing application activity on a host. Two caveats matter when relying on it: the SHA1 covers only the first 31,457,280 bytes (30 MiB) of the file, so for larger binaries it will not match a full-file hash, and an entry shows that the file was inventoried, which on its own is not proof that it ran.

To extract and analyze the data from Amcache.hve, the AmcacheParser tool (part of Eric Zimmerman's tools) can be used. The following command parses the hive with -f and, with --csv, writes the results as CSV files into a folder named temp:

AmcacheParser.exe -f C:\Users\genericUser\Desktop\Amcache.hve --csv temp

Among the generated CSV files, the one ending in Amcache_UnassociatedFileEntries.csv is the most useful: it lists executables that were inventoried without being tied to an installed program, which is where ad hoc tools and attacker-dropped binaries usually show up.

Results

Processed files were generated in the temp folder.

Now, import these files into Timeline Explorer (also from Eric Zimmerman's tools).

After that, use its search box to find paths or hashes across all columns, or sort by FileKeyLastWriteTimestamp and FullPath to narrow the entries down to the period and locations of interest.
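The search-and-sort step above done programmatically, as an added example that is not part of the original page or of AmcacheParser: a Python script that reads a *_Amcache_UnassociatedFileEntries.csv export, keeps the entries whose FileKeyLastWriteTimestamp falls inside an investigation window, sorts them by time and flags the usual triage signals (a SHA1 on a watchlist, an executable under a user-writable directory, a core OS binary name outside C:\Windows). The column layout, the sample rows and the watchlist hash are constructed assumptions, not real telemetry. It also includes a helper that hashes data the way Amcache does, over the first 30 MiB only, so a recovered binary can be compared with the recorded SHA1.

```python
"""Triage an AmcacheParser *_Amcache_UnassociatedFileEntries.csv export.

Added example, not code from the original page or from AmcacheParser.
Column names follow the AmcacheParser CSV header as assumed here; adjust them
if your export differs. Timestamps are UTC, as AmcacheParser writes them.
"""
import csv
import hashlib
import io

# Amcache hashes at most the first 30 MiB (31,457,280 bytes) of a file, so the
# recorded SHA1 of a larger binary will not match a plain full-file sha1sum.
AMCACHE_HASH_LIMIT = 31_457_280

# Directories where legitimately installed software rarely lives (assumed list).
SUSPICIOUS_DIRS = ("\\temp\\", "\\downloads\\", "\\users\\public\\")
# Core Windows binary names; one of these outside \windows\ suggests masquerading.
OS_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

# Constructed watchlist (hypothetical); this value is the SHA1 of an empty file.
KNOWN_BAD_SHA1 = {"da39a3ee5e6b4b0d3255bfef95601890afd80709"}

# Constructed, fictitious sample export (hypothetical paths, hashes and ProgramIds).
SAMPLE_CSV = """\
ApplicationName,ProgramId,FileKeyLastWriteTimestamp,SHA1,IsOsComponent,FullPath,Name,FileExtension,LinkDate,ProductName,Size,Version,ProductVersion,LongPathHash,BinaryType,IsPeFile,BinFileVersion,BinProductVersion,Language,Usn,Description
Unassociated,0006a1b2,2024-03-12 09:15:02,1111111111111111111111111111111111111111,True,c:\\windows\\system32\\notepad.exe,notepad.exe,.exe,2023-11-02 04:12:00,Microsoft Windows,201216,10.0.19041.1,10.0.19041.1,,pe64_amd64,True,10.0.19041.1,10.0.19041.1,1033,1001,Notepad
Unassociated,0006c3d4,2024-03-13 08:00:00,2222222222222222222222222222222222222222,False,c:\\users\\public\\svchost.exe,svchost.exe,.exe,,,,,,,,,,,,,
Unassociated,0006e5f6,2024-03-14 22:41:37,da39a3ee5e6b4b0d3255bfef95601890afd80709,False,c:\\users\\bob\\appdata\\local\\temp\\updater.exe,updater.exe,.exe,,,,,,,,,,,,,
Unassociated,000607a8,2023-12-25 10:00:00,3333333333333333333333333333333333333333,False,c:\\program files\\vendor\\tool.exe,tool.exe,.exe,,,,,,,,,,,,,
"""


def load_entries(csv_text):
    """Parse the CSV text into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def triage(entries, start, end, known_bad=frozenset()):
    """Return entries with start <= FileKeyLastWriteTimestamp <= end, oldest first.

    start and end are 'YYYY-MM-DD HH:MM:SS' strings; the fixed-width format
    sorts and compares correctly as plain text, so no datetime parsing is needed.
    Each result carries a 'reasons' list; an empty list means nothing stood out.
    """
    hits = []
    for e in entries:
        ts = (e.get("FileKeyLastWriteTimestamp") or "")[:19]
        if not (start <= ts <= end):
            continue
        path = (e.get("FullPath") or "").lower()
        name = (e.get("Name") or "").lower()
        sha1 = (e.get("SHA1") or "").lower()
        reasons = []
        if sha1 in known_bad:
            reasons.append("known-bad sha1")
        if any(d in path for d in SUSPICIOUS_DIRS):
            reasons.append("user-writable location")
        if name in OS_BINARY_NAMES and not path.startswith("c:\\windows\\"):
            reasons.append("os binary name outside c:\\windows")
        hits.append({"ts": ts, "path": path, "name": name, "sha1": sha1, "reasons": reasons})
    hits.sort(key=lambda h: h["ts"])
    return hits


def amcache_sha1(data):
    """SHA1 of at most the first 30 MiB, matching what Amcache records."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()


def amcache_sha1_file(path):
    """Same as amcache_sha1 but reads only the hashed prefix from disk."""
    with open(path, "rb") as f:
        return amcache_sha1(f.read(AMCACHE_HASH_LIMIT))


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("<export>_Amcache_UnassociatedFileEntries.csv").read()
    for h in triage(load_entries(SAMPLE_CSV), "2024-03-01 00:00:00", "2024-03-31 23:59:59", KNOWN_BAD_SHA1):
        flag = "; ".join(h["reasons"]) or "-"
        print(f"{h['ts']}  {h['sha1'][:12]}  {h['path']}  [{flag}]")
```

Entries outside the window (the December row in the sample) are dropped, and the rest come back in timestamp order with their reasons, which mirrors sorting by FileKeyLastWriteTimestamp in Timeline Explorer and then reading down the FullPath column. When comparing a recovered file with an Amcache entry, use amcache_sha1_file rather than a full-file hash, or the two will disagree for anything over 30 MiB.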

That's it! 🍣
