## Introduction

Amcache is one of my favorite artifacts because it holds so much useful information that helps solve a case. If you had to choose a single artifact among the ones introduced in the forensic cheat sheet, Amcache should probably be your answer. Most other artifacts exist for optimization purposes, so they delete their oldest records once the total number of records exceeds a limit. Before Windows 8 a similar function was provided by `RecentFileCache.bcf`, which Amcache replaced. Amcache, by contrast, is focused on logging data, so every aspect of an artifact can be found in it. The contents are dealt with in depth in the later sections.

Beyond its value as a single artifact, Amcache acts as a bridge that connects multiple artifacts thanks to the characteristics mentioned above, which ultimately lets you build a timeline of the entire case. This is why there are so many academic papers about Amcache. A few recommendations are at the end of the article, so it would be helpful to read at least one of them.

## Path

The path has been identical on every version since Windows 8. If the given path doesn't match your case, send me a message through our [“Community”](https://discord.gg/CDtc5kWWA8). Every error will be fixed in time.

```bash
C:\Windows\AppCompat\Programs\Amcache.hve
```

For those curious about the `RecentFileCache.bcf` used before Amcache, its path is shown below (same directory, different file name).

```bash
C:\Windows\AppCompat\Programs\RecentFileCache.bcf
```

## Structure & Data

Before talking about Amcache, we have to know why it is called Amcache. Amcache is an abbreviation for Amorphous Cache; in other words, a cache with a flexible structure. Just looking at the origin of the name makes you curious about the structure Amcache uses to handle its data. Additionally, I have tagged Amcache under the registry sub-category even though it is not one of the standard registry hives (SAM, NTUSER.DAT, SECURITY, SYSTEM). If you are a quick learner, looking at the file extension `.hve` already answers the question.
`.hve` is an extension used by registry hive files and registry hive-like files; Amcache belongs to the latter category. Handling the data is therefore no problem, because the file structure does not differ from that of a normal registry hive. Let's look at the Amcache.hve file to see what it contains.

> [!Question] **I can't open the Amcache.hve file!!**
> Amcache.hve is a system-owned file. The system periodically writes records into it, so if you simply double-click the file to open it, or try to copy it, you get an error: the system holds the file open with an exclusive lock, so a normal open fails with a sharing violation.
>
> So you have to read the file below the normal file-sharing rules, at the volume level, using low-level Windows APIs rather than an ordinary file copy. (You might have to write your own code!)
>
> Thankfully there are multiple ways to get around this:
> - Copying the file with a scheduled task that runs while the system boots
> - Copying the file by mounting the file system from another OS
> - Booting into Safe Mode to copy the file
> - Using publicly available scripts
>
> I personally recommend the last method. The other options take too much work. FTK Imager or EnCase support copying such files, so use the freeware tools! (FTK Imager is free; EnCase is a commercial product.)

### Structure

As mentioned above, the Amcache file follows the hive file structure. We occasionally talk about hex values at file offsets, but registry files, Amcache included, have their own key/value structure.

#### Tools

One way to visualize a hive file is a parsing/visualization tool. There are many tools on the internet, but today we will use REGA, so the prerequisite is learning how to use REGA.

![[Untitled 233.png]]

When used properly, you will see lots of keys under the Amcache folder. Today we will pick some of the important ones and talk about the information that can be derived by analyzing them.
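The end-to-end procedure, from the acquisition problem in the note above to reading the InventoryApplication keys covered in the next section, as an added PowerShell example. It is not part of the original article and not a script from any tool the article mentions. It takes the "publicly available scripts" route through a Volume Shadow Copy: the snapshot is reached through a directory symlink, the hive is copied together with its `.LOG1`/`.LOG2` transaction logs and hashed, then the copy is mounted with `reg.exe` under a throw-away key and enumerated. Run it from an elevated Windows PowerShell on a live Windows 10 host; `$Dest`, `$Link` and `$Mount` are assumed names, and the triage regex at the end is my own choice, not something the article defines.

```powershell
# Added example (not from the article): acquire the locked Amcache hive from a live
# Windows 10 host through a Volume Shadow Copy, then mount the COPY with reg.exe and
# pull the InventoryApplicationFile / InventoryApplication values. Run elevated.
# Assumed names: $Dest, $Link and $Mount are hypothetical; adjust them to your case.
$Dest   = 'C:\Cases\host01'
$Link   = 'C:\vss_amcache'          # temporary directory symlink into the snapshot
$Mount  = 'AmcacheCase'             # temporary key name under HKLM
$RelDir = 'Windows\AppCompat\Programs'
# The registry engine keeps the hive AND its transaction logs open; take all three so a
# parser can replay writes that have not been flushed into Amcache.hve yet.
$Files  = 'Amcache.hve', 'Amcache.hve.LOG1', 'Amcache.hve.LOG2'

New-Item -ItemType Directory -Force -Path $Dest | Out-Null

# --- 1. Acquisition: snapshot C: and copy out of the snapshot, bypassing the sharing lock.
$res = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
        -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
if ($res.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed: $($res.ReturnValue)" }
$shadow = Get-CimInstance Win32_ShadowCopy | Where-Object ID -eq $res.ShadowID
try {
    # mklink needs the trailing backslash after the \\?\GLOBALROOT device path.
    $target = $shadow.DeviceObject + '\'
    cmd.exe /c mklink /d $Link $target | Out-Null
    foreach ($f in $Files) {
        $src = Join-Path $Link (Join-Path $RelDir $f)
        if (Test-Path -LiteralPath $src) { Copy-Item -LiteralPath $src -Destination $Dest }
    }
}
finally {
    cmd.exe /c rmdir $Link | Out-Null
    $shadow | Remove-CimInstance            # drop the snapshot again
}
# Hash the evidence copies before touching them further.
Get-ChildItem $Dest -Filter 'Amcache.hve*' | Get-FileHash -Algorithm SHA256 |
    Format-Table Hash, Path -AutoSize

# --- 2. Parsing: mount the acquired copy (never the live hive) as a throw-away key.
reg.exe load "HKLM\$Mount" (Join-Path $Dest 'Amcache.hve') | Out-Null
try {
    $root = "HKLM:\$Mount\Root"
    # InventoryApplication: one key per installed program, named by its ProgramId.
    $programs = @{}
    foreach ($k in Get-ChildItem "$root\InventoryApplication") {
        $programs[$k.PSChildName] = Get-ItemProperty -LiteralPath $k.PSPath
        $k.Close()
    }
    # InventoryApplicationFile: one key per executable the compatibility scanner has seen.
    $files = foreach ($k in Get-ChildItem "$root\InventoryApplicationFile") {
        $v = Get-ItemProperty -LiteralPath $k.PSPath
        $k.Close()
        $p = $programs[[string]$v.ProgramId]   # join to the installed-program record
        [pscustomobject]@{
            Path          = $v.LowerCaseLongPath
            # FileId is "0000" followed by the SHA-1 of the file's first 31,457,280 bytes.
            Sha1          = if ($v.FileId) { $v.FileId.Substring(4) } else { $null }
            Size          = $v.Size
            LinkDate      = $v.LinkDate          # PE link timestamp, stored as a string
            Publisher     = $v.Publisher
            IsOsComponent = $v.IsOsComponent
            Program       = if ($p) { $p.Name } else { $null }
            InstallDate   = if ($p) { $p.InstallDate } else { $null }
        }
    }
    # Triage view (my own filter): non-OS binaries that ran from user-writable locations.
    $files |
        Where-Object { -not $_.IsOsComponent -and $_.Path -match '\\(temp|downloads|appdata|public)\\' } |
        Sort-Object Path |
        Format-Table Path, Sha1, Size, LinkDate, Program -AutoSize
    $files | Export-Csv (Join-Path $Dest 'amcache_files.csv') -NoTypeInformation
}
finally {
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()   # release key handles first
    reg.exe unload "HKLM\$Mount" | Out-Null
}
```

Two caveats. First, `mklink` against a `HarddiskVolumeShadowCopy` device path and `reg.exe load` of a copied hive are exactly the moves attackers use to lift SAM and SYSTEM, so expect EDR alerts and record the collection in your case notes. Second, the PowerShell registry provider does not expose each key's LastWrite timestamp; when you need those (they are what most Amcache timelines are built on), run the acquired copy through AmcacheParser or RECmd instead of this script.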
### DeviceCensus

Category: [[OS info]]

DeviceCensus provides hardware-related information such as firmware versions and the motherboard manufacturer. Even battery status can be found on portable devices such as laptops. The following information is found in DeviceCensus:

- Motherboard firmware
- Battery
- Network adapter
- Operating system
- Time zone
- Processor (CPU)
- Security options (e.g. Shadow Stack, TPM, ...)

### InventoryApplication\[%TYPE%]

Category: [[File Execution]], [[Installed Programs]]

Multiple types exist in this category; a different kind of data comes from each string filled into \[%TYPE%]. In the end, all of it is information about a particular executable, so putting the information from each type together gives you almost everything there is to know about that file. The types are `AppV`, `Driver`, `File`, `Frameworks` and `Shortcut`.

The main purpose of analyzing Amcache is InventoryApplication and its subordinate keys, because an investigator can find the execution time and installation date of an executable there, and evidence of file execution or installation is a serious matter in digital forensic analysis. Putting all the types together gives the list below.

* File path
* Shortcut path
* File reference key
* File name
* File size
* Initial execution time
* Creation time (C-time)
* Version

> [!NOTE] Windows 10 version 20H2 (19042.928 build)
> The layout described above is what you see on current Windows 10 builds (this article was checked against 20H2, build 19042.928). Older Amcache hives store the same data differently, split into four keys: File, Generic, Orphan and Programs. A brief summary:
>
> - **File key**: keyed by volume GUID and file reference ID; holds the traces of file execution and the hash value (SHA-1)
> - **Generic**: ??
> - **Programs**: data about installed programs
> - **Orphan**: keyed by volume GUID and file reference ID

## Conclusion

Today Amcache, known for its traces of file execution, was the main subject of this article. Besides file execution there are also several entries about the operating system, hardware information and [[(EN) LNK file]]s that were not covered here. The Amcache data is not that big, so it is recommended to look through all of it with free forensic tools such as REGA or AmcacheParser to gain insight. Knowing only a single method of checking file execution will make you suffer when the method you know is missing; it is a MUST to know multiple ways (more than three) of finding traces of file execution. Studying the articles referencing [[File Execution]] will solve that.

## References

1. "[AmCache: The Continuing Evolution of a Key Windows Artifact](https://www.sans.org/reading-room/whitepapers/forensics/amcache-continuing-evolution-key-windows-artifact-37107)" by Harlan Carvey (2016)
2. "[[]]" by Mari DeGrazia (2017)
3. "[Amcache.hve – The New Artifact on the Block](https://www.hecfblog.com/2015/08/amcachehve-new-artifact-on-block.html)" by David Cowen (2015)
4. "[AmCache, SRUM, and SQLite: Windows 10 Forensic Trifecta](https://www.sans.org/reading-room/whitepapers/forensics/amcache-srum-sqlite-windows-10-forensic-trifecta-38392)" by Jared Atkinson and Matt Graeber (2017)
5. "[The Analysis of AmCache.hve: Beyond the Limitations of Windows RECmd](https://www.sciencedirect.com/science/article/pii/S1742287616301185)" by Igor Mikhaylov and Brian Moran (2016)