Following on from the previous [DFIR TOOLS] posts below, this time I will speak about AmcacheParser, another tool from the Eric Zimmerman suite.
We will start with Eric's description of its purpose:-
“Amcache.hve parser with lots of extra features. Handles locked files”
![](https://i0.wp.com/thesecuritynoob.com/wp-content/uploads/2022/09/image-9.png?resize=303%2C301&ssl=1)
But what is the Amcache.hve?
Again, like previously I will share links to excellent resources I find but in short:-
The Amcache.hve file is a registry hive that stores metadata about applications that have been executed on the system!
Amcache.hve, not to be mistaken for Shimcache or Prefetch (which I will speak about in coming blog posts), is the replacement for the pre-Windows 8 RecentFilesCache.bcf.
Amcache.hve is a small registry hive that stores a wealth of information about recently run applications and programs, including the full path, file timestamps and the file's SHA1 hash value. It is commonly found at the following location:
C:\Windows\AppCompat\Programs\Amcache.hve
It is standard within Windows operating systems since Windows 8.
I am here to speak about the tools and not the files themselves, so if you want to read more on that, here are a few good resources I found.
- Amcache.hve in Windows 8 – Goldmine for malware hunters
- Leveraging the Windows Amcache.hve File in Forensic Investigations
- ANALYSIS OF THE AMCACHE V2
- Revealing the RecentFileCache.bcf File
As you can see, from a forensics standpoint it really is a must that we check out these files.
How do we use AmcacheParser?
The tool comes as an exe (AmcacheParser.exe) from Eric Zimmerman's page, here.
![](https://i0.wp.com/thesecuritynoob.com/wp-content/uploads/2022/09/image-2.png?resize=640%2C203&ssl=1)
When downloaded, we open a CMD as Admin and go to the location.
![](https://i0.wp.com/thesecuritynoob.com/wp-content/uploads/2022/09/image-3.png?resize=640%2C363&ssl=1)
From there we can run the command AmcacheParser.exe -h to open up the help and see the options.
![](https://i0.wp.com/thesecuritynoob.com/wp-content/uploads/2022/09/image-4.png?resize=640%2C584&ssl=1)
From there we run the tool. For instance, if I run:-
AmcacheParser.exe -f C:\Windows\appcompat\Programs\Amcache.hve --csv c:\temp --dt yyyy-MM-ddTHH:mm:ss
This will:-
- Run AmcacheParser.exe
- -f tells it to use the hive file at that path, i.e. C:\Windows\appcompat\Programs\Amcache.hve
- --csv tells the tool to export the results as CSV files into the directory stated, i.e. c:\temp
- --dt tells the tool to use a custom date/time format when displaying timestamps, i.e. yyyy-MM-ddTHH:mm:ss
When run, the tool writes the parsed results out to SIX different .csv files for us to investigate.
![](https://i0.wp.com/thesecuritynoob.com/wp-content/uploads/2022/09/image-5.png?resize=640%2C368&ssl=1)
![](https://i0.wp.com/thesecuritynoob.com/wp-content/uploads/2022/09/image-6.png?resize=640%2C313&ssl=1)
From there we can load them into 'TimeLine Explorer' that we spoke about HERE, or even just use Excel if you like.
![](https://i0.wp.com/thesecuritynoob.com/wp-content/uploads/2022/09/image-7.png?resize=640%2C346&ssl=1)
![](https://i0.wp.com/thesecuritynoob.com/wp-content/uploads/2022/09/image-8.png?resize=640%2C329&ssl=1)
There is lots of information we can look for, like above where the tool reports 'Found 397 unassociated file entry'.
An unassociated file entry is a program or application that is not associated with any known source like Microsoft, Google, Adobe, HP etc., so if you are looking for BAD files there is a high chance you can find them here.
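Once the CSVs are on disk you do not have to rely on scrolling through them by hand. The following is an added example (my own code, not part of AmcacheParser or this post) that reads the unassociated file entries CSV, parses the custom --dt timestamp format used above, and pulls out non-OS binaries executed from user-writable locations, grouping them by SHA1 so the same hash seen at several paths stands out. The column names and the comma delimiter are assumptions about the parser's output and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Assumed (not checked against a specific AmcacheParser release): the
# UnassociatedFileEntries CSV is comma-delimited and has at least the columns
# FileKeyLastWriteTimestamp, SHA1, FullPath and IsOsComponent, with timestamps
# written in the --dt yyyy-MM-ddTHH:mm:ss format used in the post.
DT_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Locations writable without elevation; execution from here deserves a look.
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\",
                "\\programdata\\", "\\windows\\temp\\")

# Constructed sample rows with placeholder hashes, not real parser output.
SAMPLE_CSV = """FileKeyLastWriteTimestamp,SHA1,FullPath,IsOsComponent
2022-09-01T10:15:02,1111111111111111111111111111111111111111,c:\\windows\\system32\\notepad.exe,True
2022-09-02T08:03:44,2222222222222222222222222222222222222222,c:\\users\\alex\\appdata\\local\\temp\\setup.exe,False
2022-09-03T22:41:09,2222222222222222222222222222222222222222,c:\\users\\public\\update.exe,False
2022-09-04T01:12:30,3333333333333333333333333333333333333333,c:\\program files\\vendor\\app.exe,False
"""


def load_entries(csv_text):
    """Parse the CSV and convert the custom --dt timestamp into a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["when"] = datetime.strptime(row["FileKeyLastWriteTimestamp"], DT_FORMAT)
        rows.append(row)
    return rows


def flag_suspect(entries, since=None):
    """Non-OS entries run from user-writable paths, optionally only on/after `since`."""
    hits = []
    for e in entries:
        if e.get("IsOsComponent", "").lower() == "true":
            continue
        if since is not None and e["when"] < since:
            continue
        if any(d in e["FullPath"].lower() for d in SUSPECT_DIRS):
            hits.append(e)
    return sorted(hits, key=lambda e: e["when"])


def group_by_sha1(entries):
    """Map SHA1 -> sorted paths; one hash seen at several paths is a useful pivot."""
    groups = {}
    for e in entries:
        groups.setdefault(e["SHA1"], set()).add(e["FullPath"].lower())
    return {h: sorted(p) for h, p in groups.items()}
```

Point load_entries at the real UnassociatedFileEntries CSV from c:\temp and pass a `since` datetime to narrow the list to the incident window before pivoting on hashes in TimeLine Explorer.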
Anyways, that is AmcacheParser.
Take it easy
Alex