Understanding Amcache.hve: A Powerful Forensic Artifact
- Feb 2, 2024
- 4 min read
Updated: Feb 13
Introduction to Amcache.hve
With the introduction of Windows 8 and later versions, Microsoft replaced the older RecentFileCache.bcf artifact with Amcache.hve. This registry hive provides an extensive amount of forensic data on executables, installed applications, and loaded drivers. Unlike its predecessor, Amcache.hve contains much richer metadata, making it invaluable for tracking program execution, file presence, and driver installations.
One fascinating aspect of Amcache is that its format is tied not to the Windows version but to the version of the DLL that writes it. This means that even two Windows 10 systems with different patch levels may have different structures within their Amcache files. Forensic researchers must be aware of this variation when conducting investigations.
-------------------------------------------------------------------------------------------------------------
Why Amcache Matters in Digital Forensics
Amcache serves as an important forensic artifact due to the extensive details it tracks, including:
Full file path of executables and drivers.
File size and publisher metadata.
Multiple timestamps that provide insights into when a file appeared on the system.
SHA1 hash of tracked executables and drivers (for files under ~31MB).
Evidence of execution (though indirect).
Key Limitation: Execution is Not Always Confirmed
Unlike Prefetch or ShimCache, Amcache does not explicitly confirm execution. Instead, it records:
Executed GUI applications that required shimming (modifications for compatibility).
Executables and drivers copied during program execution.
Executables in directories scanned by Microsoft Compatibility Appraiser.
Only the first category relates directly to execution, which makes Amcache more useful for establishing file presence than for proving execution or dating it.
-------------------------------------------------------------------------------------------------------------
Exploring the Structure of Amcache.hve
Amcache contains multiple registry keys, each tracking different file categories. Here are the most important ones:
1. InventoryApplicationFile Key
This key is crucial as it logs details about individual executable files found on the system. Each application is assigned a unique subkey, which holds various metadata fields such as:
FileID: The SHA1 hash of the file, stored with four leading zeroes (drop the first four characters to obtain the hash).
LowerCaseLongPath: The full path of the executable.
Size: The file size in bytes.
LinkDate: The compilation timestamp from the PE header.

2. InventoryApplication Key
This key tracks installed applications and is structured differently from InventoryApplicationFile. It links application entries using the ProgramId value.
If an executable appears in both InventoryApplicationFile and InventoryApplication, it indicates an installed application rather than just a copied or executed one.
The installation date is stored in InventoryApplication, though with only day-level granularity.
Each entry is named after its ProgramId, which makes it easy to associate with the matching InventoryApplicationFile entry.


3. InventoryDriverBinary Key
Amcache also records loaded drivers, which is particularly important when investigating rootkits or malicious drivers. Each driver has a dedicated subkey containing:
Driver file name and path.
SHA1 hash (if applicable).
Digital signature details.
Modification timestamps.
Drivers play a crucial role in system security and malware persistence. Suspicious drivers with missing metadata, strange names, or unusual file paths should be investigated further.

-------------------------------------------------------------------------------------------------------------
Forensic Analysis and Tools
The next article will cover two tools in more depth; for now, here are their names:
RegRipper (for extracting Amcache data from a forensic image).
AmcacheParser (by Eric Zimmerman, specifically designed for Amcache analysis).
Check out article link below:
------------------------------------------------------------------------------------------------------------
Investigating Amcache for Threat Hunting
When analyzing Amcache for forensic purposes, keep these key points in mind:
SHA1 hashes can help identify known malware or trusted applications. Compare hashes with VirusTotal or threat intelligence databases.
File paths can reveal whether an executable was located in an unusual directory (e.g., C:\Users\Public\ or C:\Windows\Temp\).
Compilation timestamps (LinkDate) can indicate when a binary was created, which is useful for correlating it with known threat actor campaigns.
Presence in InventoryApplicationFile vs. InventoryApplication helps determine whether a file was merely present on the system or fully installed.
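The checks above, worked through in code as an added example (not from the article or from any tool it names): FileID values are normalised back to a bare SHA1, each file is cross-referenced with InventoryApplication through its ProgramId to separate installed from merely present, and the path and hash checks are applied. All records, hashes and ProgramIds are constructed sample data; the LinkDate format shown is illustrative only.

```python
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Directories the article calls out as unusual locations for executables.
UNUSUAL_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\")

def sha1_from_fileid(file_id):
    """FileID stores the SHA1 prefixed with four zeroes; return the bare
    lower-case hash, or None if the value is not 0000 + 40 hex digits."""
    value = file_id.strip().lower()
    if not value.startswith("0000"):
        return None
    digest = value[4:]
    return digest if SHA1_RE.match(digest) else None

def is_unusual_path(path):
    return path.lower().startswith(UNUSUAL_DIRS)

def triage(app_files, apps, known_bad):
    """app_files: InventoryApplicationFile records; apps: InventoryApplication
    records; known_bad: set of SHA1s from threat intelligence. Returns one
    finding per file; installed is True only when the file's ProgramId also
    appears in InventoryApplication (installed rather than merely present)."""
    installed_ids = {a["ProgramId"] for a in apps}
    findings = []
    for rec in app_files:
        sha1 = sha1_from_fileid(rec["FileID"])
        findings.append({
            "path": rec["LowerCaseLongPath"],
            "sha1": sha1,
            "installed": rec.get("ProgramId") in installed_ids,
            "unusual_path": is_unusual_path(rec["LowerCaseLongPath"]),
            "known_bad": sha1 in known_bad if sha1 else False,
        })
    return findings

# Constructed sample records (value names as described in the article;
# hashes, ProgramIds and dates are fabricated for illustration).
SAMPLE_FILES = [
    {"FileID": "0000" + "a" * 40, "LowerCaseLongPath": r"c:\program files\vendor\app.exe",
     "Size": 204800, "LinkDate": "01/15/2023 10:00:00", "ProgramId": "0006prog1"},
    {"FileID": "0000" + "b" * 40, "LowerCaseLongPath": r"c:\users\public\update.exe",
     "Size": 51200, "LinkDate": "01/28/2024 02:13:44", "ProgramId": "0006prog2"},
    {"FileID": "garbage", "LowerCaseLongPath": r"c:\windows\temp\x.exe", "Size": 10},
]
SAMPLE_APPS = [{"ProgramId": "0006prog1", "InstallDate": "01/16/2023"}]
KNOWN_BAD = {"b" * 40}  # constructed threat-intel hash
```

Running triage(SAMPLE_FILES, SAMPLE_APPS, KNOWN_BAD) flags the second record on all three counts while the third, whose FileID is malformed, yields no hash and is only flagged for its location.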
-------------------------------------------------------------------------------------------------------------
Example Case Study: Identifying a Suspicious Driver
Suppose we find an entry in InventoryDriverBinary that shows:
A driver located in C:\Users\Public\ (a suspicious location).
No metadata recorded (missing digital signature, no publisher info).
A compilation date that aligns with recent malicious activity.
This would be a red flag. Next steps:
Extract the driver file and analyze it with PE tools (e.g., PEStudio, ExifTool).
Submit its SHA1 hash to VirusTotal for a threat check.
Check the Windows event logs for any driver-related warnings or errors.
If further investigation reveals that the driver is part of a known rootkit, this would confirm its malicious intent, leading to further analysis and potential remediation steps.
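The case study's red flags turned into a repeatable scoring pass over InventoryDriverBinary records, as an added example that is not part of the article: unusual location, missing signature and publisher metadata, a compile date inside the incident window, and a missing hash that blocks the VirusTotal step. The record field names (path, signed, publisher, link_date, sha1) and the timestamp format are placeholders for the fields the article lists, not the hive's real value names, and the sample records are constructed.

```python
from datetime import datetime

# Directories a kernel driver would not normally be loaded from.
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

def parse_ts(value):
    """Timestamp format of the constructed sample records (placeholder)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def triage_driver(entry, window_start, window_end):
    """Return the red flags for one driver record, following the case study:
    unusual location, missing metadata, compile date inside the incident
    window (window_* are datetimes), and no hash available for lookup."""
    flags = []
    path = entry.get("path", "").lower()
    if path.startswith(USER_WRITABLE):
        flags.append("driver outside system directories: " + path)
    if not entry.get("signed"):
        flags.append("no digital signature recorded")
    if not entry.get("publisher"):
        flags.append("no publisher metadata")
    compiled = entry.get("link_date")
    if compiled and window_start <= parse_ts(compiled) <= window_end:
        flags.append("compile date %s falls inside the activity window" % compiled)
    if not entry.get("sha1"):
        flags.append("no SHA1 recorded; hash the extracted file before a VirusTotal lookup")
    return flags

def rank_drivers(entries, window_start, window_end):
    """Score every record and return (flags, entry) pairs, most suspicious
    first, so the analyst works from the top of the list."""
    scored = [(triage_driver(e, window_start, window_end), e) for e in entries]
    return sorted(scored, key=lambda pair: len(pair[0]), reverse=True)

# Constructed sample records (placeholder field names, fabricated hash).
SAMPLE_DRIVERS = [
    {"path": r"c:\windows\system32\drivers\ndis.sys", "signed": True,
     "publisher": "Microsoft Windows", "link_date": "2023-06-01 08:00:00",
     "sha1": "1" * 40},
    {"path": r"c:\users\public\svc.sys", "signed": False, "publisher": "",
     "link_date": "2024-01-29 03:12:00", "sha1": ""},
]
# Constructed incident window for the sample.
WINDOW = (datetime(2024, 1, 25), datetime(2024, 2, 2))
```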
-------------------------------------------------------------------------------------------------------------
Important Considerations (As per Testing)
Presence vs. Execution: Amcache indicates the presence of a file but does not confirm its execution. This is crucial to understand when using Amcache data in forensic analysis.
-------------------------------------------------------------------------------------------------------------
Conclusion
Amcache.hve is an invaluable forensic artifact that provides deep insights into system activity. While it does not directly confirm execution, it serves as an excellent source for tracking file presence, gathering metadata, and identifying suspicious applications or drivers.
To maximize its effectiveness in investigations, analysts should:
Use hashes for malware identification.
Cross-reference Amcache data with Prefetch and event logs to confirm execution.
Investigate unexpected driver entries to detect rootkits and persistence mechanisms.
By understanding and leveraging Amcache properly, forensic analysts can extract significant intelligence from Windows systems, making it a must-have tool in any incident response or malware investigation workflow.
----------------------------------------------------Dean--------------------------------------------