Following on from the previous [DFIR TOOLS] posts below, this time I will speak about AmcacheParser, again from the Eric Zimmerman suite.
We will start with Eric's description of its purpose:-
“Amcache.hve parser with lots of extra features. Handles locked files”
But what is the Amcache.hve?
Again, as before, I will share links to the excellent resources I have found, but in short:-
The Amcache.hve file is a registry hive that stores metadata about applications that have been executed on the system!
Amcache.hve, not to be mistaken for Shimcache or Prefetch (which I will speak about in coming blog posts), is the replacement for the pre-Windows 8 ‘RecentFileCache.bcf’.
Amcache.hve is a small registry hive that stores a wealth of information about recently run applications and programs, including the full path, file timestamps and the file's SHA1 hash value. It is commonly found at the following location:
C:\Windows\AppCompat\Programs\Amcache.hve
It is standard within Windows operating systems since Windows 8.
I am here to speak about the tools and not the files themselves so if you want to read more on that here are a few good resources I found.
- Amcache.hve in Windows 8 – Goldmine for malware hunters
- Leveraging the Windows Amcache.hve File in Forensic Investigations
- ANALYSIS OF THE AMCACHE V2
- Revealing the RecentFileCache.bcf File
As you can see, from a forensics standpoint it really is a must that we check out these files.
How do we use AmcacheParser?
The tool comes as an exe (AmcacheParser.exe) from the page of Eric Zimmerman, here.
Once downloaded, we open a CMD as Admin and change to the folder where the exe lives.
From there we can run the command AmcacheParser.exe -h to open up the help and see the options.
From there we run the tool; for instance, if I run:-
AmcacheParser.exe -f C:\Windows\appcompat\Programs\Amcache.hve --csv c:\temp --dt yyyy-MM-ddTHH:mm:ss
This will:-
- Run AmcacheParser.exe
- -f tells it to use the file at that path, i.e. C:\Windows\appcompat\Programs\Amcache.hve
- --csv tells the tool to export as this type of file and into the directory stated, i.e. c:\temp
- --dt tells the tool to use a custom date/time format when displaying timestamps, i.e. yyyy-MM-ddTHH:mm:ss
When it finishes, the parsed results come out as SIX different .csv files for us to investigate.
From there we can load them into ‘Timeline Explorer’ that we spoke about HERE, or even just use Excel if you like.
There is lots of information we can look for; for example, the output above reports ‘Found 397 unassociated file entry’.
An unassociated file entry is a file that is not linked to any installed program entry (a known package from Microsoft, Google, Adobe, HP etc.), so if you are looking for BAD files there is a high chance you can find them here.
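To show what "investigating" the CSV output actually looks like, here is an added example (my own script, not part of AmcacheParser or Eric's suite) that reads an UnassociatedFileEntries-style CSV and flags the rows worth a second look: hashes missing from an allow-list, binaries run from user-writable folders, and system binary names living outside the system directories. The column names (FileKeyLastWriteTimestamp, SHA1, FullPath, Name, Size) are an assumption modelled on the tool's output, the sample rows and hashes are constructed, and the timestamps use the --dt yyyy-MM-ddTHH:mm:ss format from the command above.

```python
"""Triage AmcacheParser CSV output: flag unassociated file entries worth a closer look.

Added example, not the tool's own code. Column names are assumed from AmcacheParser's
UnassociatedFileEntries CSV; the rows, paths and SHA1 values below are constructed.
"""
import csv
import io
from datetime import datetime

# Constructed sample in the shape of the UnassociatedFileEntries CSV (hashes are fake).
SAMPLE_CSV = """FileKeyLastWriteTimestamp,SHA1,FullPath,Name,Size
2023-05-01T09:12:44,1111111111111111111111111111111111111111,c:\\windows\\system32\\notepad.exe,notepad.exe,201216
2023-05-02T11:30:05,2222222222222222222222222222222222222222,c:\\users\\alex\\appdata\\local\\temp\\update.exe,update.exe,51200
2023-05-02T11:31:20,3333333333333333333333333333333333333333,c:\\program files\\7-zip\\7z.exe,7z.exe,540160
2023-05-03T02:15:09,4444444444444444444444444444444444444444,c:\\users\\public\\svchost.exe,svchost.exe,73728
"""

# Matches the --dt yyyy-MM-ddTHH:mm:ss value used on the command line.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Folders a properly installed program rarely executes from (all user-writable).
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\", "\\programdata\\")

# Names that belong in the system directories; the same name elsewhere is a classic masquerade.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed allow-list of SHA1s you already trust, e.g. taken from a gold image.
KNOWN_GOOD_SHA1 = {
    "1111111111111111111111111111111111111111",
    "3333333333333333333333333333333333333333",
}


def parse_entries(csv_text):
    """Read the CSV into dicts, converting the timestamp and normalising path case."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["FileKeyLastWriteTimestamp"] = datetime.strptime(row["FileKeyLastWriteTimestamp"], TIME_FORMAT)
        row["FullPath"] = row["FullPath"].lower()
        row["Name"] = row["Name"].lower()
        row["SHA1"] = row["SHA1"].lower()
        rows.append(row)
    return rows


def triage(entries, known_good=KNOWN_GOOD_SHA1, start=None, end=None):
    """Return [(entry, [reasons])] for suspicious entries, oldest first.

    start/end are optional strings in TIME_FORMAT that narrow the search to an
    incident window, which is usually the first thing you do with 397 entries.
    """
    start_ts = datetime.strptime(start, TIME_FORMAT) if start else None
    end_ts = datetime.strptime(end, TIME_FORMAT) if end else None
    flagged = []
    for e in entries:
        ts = e["FileKeyLastWriteTimestamp"]
        if (start_ts and ts < start_ts) or (end_ts and ts > end_ts):
            continue
        reasons = []
        if e["SHA1"] not in known_good:
            reasons.append("SHA1 not in allow-list")
        if any(hint in e["FullPath"] for hint in USER_WRITABLE_HINTS):
            reasons.append("ran from user-writable location")
        if e["Name"] in SYSTEM_BINARY_NAMES and not e["FullPath"].startswith(SYSTEM_DIRS):
            reasons.append("system binary name outside system directory")
        if reasons:
            flagged.append((e, reasons))
    flagged.sort(key=lambda item: item[0]["FileKeyLastWriteTimestamp"])
    return flagged


if __name__ == "__main__":
    for entry, why in triage(parse_entries(SAMPLE_CSV)):
        stamp = entry["FileKeyLastWriteTimestamp"].strftime(TIME_FORMAT)
        print(f"{stamp}  {entry['FullPath']}  <- {'; '.join(why)}")
```

Two things to keep in mind when you build a real allow-list for this: the SHA1 recorded in Amcache.hve is computed over only the first 31,457,280 bytes of the file, so for large binaries it will not equal a full-file hash, and an entry being unassociated is a prompt to look closer, not proof of anything on its own.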
Anyways, that is AmcacheParser.
Take it easy
Alex