AmCache

Investigating AmCache

22/04/2022 Friday

AmCache.hve is a Windows system file that is created to store information related to program executions. The artifacts in this file can serve as a huge aid in an investigation, it records the processes recently run on the system and lists the paths of the files executed.

Digital Forensics Value of AmCache Artifacts

AmCache artifacts are important to investigations where the tracing of external storage devices, portable programs and anti-forensic programs might be required. The data contained in the file includes the execution paths, installation, execution, deletion times and more. It also stores the SHA1 hashes of the programs which can be used to compare against the hashes of malicious programs available in public database.

Location of AmCache Artifacts

AmCache.hve file is located at C:\Windows\appcompat\Programs\Amcache.hve

Structure of AmCache Artifacts

The AmCache.hve file is a registry hive file. The registry file format is a binary file analogous to a filesystem, with a group of keys, subkeys and values. These files are used by the operating system to store user, system, and application configurations.

Analyzing AmCache Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to extract AmCache artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Parser Selection Phase, you can select AmCache Artifacts:

ArtiFast can analyze AmCache application files, executed programs, driver binaries, Pnp devices, driver packages, device containers, and application shortcuts from Windows 10 systems. And executed files and programs from Windows 8.1 systems. For demonstration purposes all the artifacts have been chosen, however you have the option to select one or more artifacts.

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of AmCache artifacts in ArtiFast software.

AmCache Application Files Artifact

The artifact contains information on files used by executable programs. The details you can view include:

Application ID - Application unique identifier.
Application Name – Name of the application.
File Path - The path of the application file.
Size - The size of the application file.
SHA-1 Hash - Application file signature.
Long Path Hash – Hash of the long path associated with the file.
Publisher - Name of published application.
Application Version - Application version.
Link Date/Time - Link date and time of the file.
Binary File Version - Binary file version of the application.
Binary Type - Binary type of the application.
Product Name – Name of the product.
Product Version - Product version of the application.
Binary Product Version - Binary version of the product.
Language – Language code of the file.
PE File - Whether the file is a PE header.
OS Component - Whether the file is an operating system component.
USN - USN.
Last Update Date/Time - Registry key last update date/time.

AmCache Application Programs Artifact

The artifact contains information on programs that have been executed on the system. The details you can view include:

Program ID – The ID of the executed program.
Program Name - The name of the executed program.
Program Instance ID - The ID of the executed program Instance.
Manifest Path - Full path of manifest file.
Root Directory Path - Path of program directory.
Publisher - Name of published application.
Program Version – The program version.
Program Source - The source of the program.
Program Type - The type of program.
Install Date/Time – Date and time when the program was installed.
Store Application Type - Type of store the program was installed from.
OS Version at Install Time - OS version at time of program Installation.
Bundle Manifest Path - Bundle path of the manifest file.
Uninstall String - Path of the uninstall file for that program.
Registry Key Path - Registry key path for the uninstall file.
Msi Package Code - Msi package code.
Msi Product Code - Msi product code.
Hidden Arp - Hidden Arp.
Inbox Modern App - Inbox modern app.
Language – Language code of the program.
Last Update Date/Time - Registry key last update date/time.

AmCache Driver Binaries Artifact

The artifact contains information about driver binaries on the system, such as when they were signed, and services associated with them. The details you can view include:

Driver ID – The ID of the driver.
Driver Name - The name of the driver.
Driver Path - The path where the driver is located.
Driver Version - The driver version.
Service - The service associated with the driver.
Image Size - Driver file size.
Driver Last Write Date/Time – The date and time when the driver was last written to.
Driver Type - Driver type.
Driver Timestamp - Driver timestamp.
Driver Checksum - The checksum of the driver.
Product Name - The product that the driver is associated with.
Product Version - Product version of the driver.
Inf - The Inf file name.
Driver Company - The company that produces the driver.
WDF Version - WDF Version.
Driver Package Strong Name - Driver package strong name.
Driver in Box - Driver in box.
Driver Signed - Whether the driver is signed.
Driver Is Kernel Mode - Whether the driver operates in kernel mode.
Key Last Update Date/Time - Registry key last update date/time.

AmCache Pnp Devices Artifact

The artifact contains information on plug and play devices connected to the system. The details you can view include:

Driver ID - The ID of the driver.
Driver Name - The name of the driver.
Description - The description of the device.
Driver Version - The driver version.
Class - The class of the device.
Class GUID - The GUID of the device class.
Model - The device model.
Manufacturer - The device manufacturer.
Device State - Device state.
Inf - Inf extension file.
Driver Version Date - Driver version date.
Install Date - Install date.
First Install Date - First install date.
Service - Service.
Container ID - ID of the device container.
Problem Code - Problem code.
Provider - The device provider.
COMPID - COMPID.
Stack ID - Stack ID.
Hardware ID - Hardware ID of the device.
Parent ID - Parent ID.
Matching ID - Matching ID.
Enumerator - Enumerator.
Install State - Install state.
Driver Packages Strong Name - Driver packages strong name.
Bus Reported Description – Bus reported description.
Key Last Update Date/Time - Registry key last update date/time.

AmCache Driver Packages Artifact

The artifact contains information on driver packages on the system. The details you can view include:

Key - The registry key name.
Class GUID – Driver package class GUID.
Class - Name of the class.
Directory - Driver location.
Date - The date of the driver package.
Version - Driver version.
Provider - Driver provider.
Submission ID - Submission ID.
Driver in Box - Whether driver is in box.
INF - Inf extension file.
Is Active - Whether driver is active.
Hardware IDs – List hardware IDs associated with the package.
SYSFILE - SYSFILE.
Key Last Update Date/Time - Registry key last update date/time.

AmCache Device Containers Artifact

The artifact contains information on devices connected to the system. The details you can view include:

Key - The registry key name.
Model ID - Model ID of the device.
Model Name - The model name for the device.
Friendly Name - A display name for the device.
Model Number - The model number of the device.
Is Connected - Whether the device is connected.
Icon - The path to the icon for the device.
Manufacturer - Device manufacturer.
Primary Category - Primary category.
Categories - The category of the device.
Is Active - Whether the device is active.
Is Paired - Whether the device is paired.
Is Networked - Whether the device is networked.
State - Device state.
Is Machine Container - Whether the device is a machine container.
Discovery Method - Discovery method.
Last Update Date/Time - Registry key last update date/time.

AmCache Application Shortcuts Artifact

The artifact contains information on programs and file shortcuts used on the system. The details you can view include:

Key - The registry key name.
Shortcut Path - The path to the shortcut.
Last Update Date/Time - Registry key last update date/time.

In Windows version 8.1 ArtiFast parses 2 artifacts from the AmCache.hve file. AmCache files and programs artifacts which are explained in detail below.

AmCache Files Artifact

The artifact contains information on files used by executable programs. The details you can view include:

File Name - The name of the file.
File Description - The file description.
File Extension - File extension.
Full Path - The full path to the file.
File Size - The file size.
Program Name - The name of the program associated with the file.
Program ID – ID of the program associated with the file.
Program Version - Program version.
PE Header Size – Portable executable header size.
PE Header Checksum - Portable executable header checksum.
PE Header Hash - Portable executable header hash.
SHA-1 Hash - SHA-1 Hash.
Switchback Context - Switchback context.
Language Code - Language code of the file.
Linker Date/Time - Linker date and time of the file.
Last Modified Date/Time - Date and time when the file was last modified.
Last Modified Date/Time 2 - Last Modified Date/Time 2.
Key Last Update Date/Time - Registry key last update date/time.
Created Date/Time – Date and time when the file was created.

AmCache Programs Artifact

The artifact contains information on programs that have been executed on the system. The details you can view include:

Key - The registry key name.
Program Name - The name of the program.
Program Version - Program version.
Publisher Name – Program publisher name.
Package GUID - Package GUID.
Product GUID - Product GUID.
File List - List of file entries in package.
Path List - List of paths to files.
Install Source - Source of program installation.
Uninstall Registry Key – Path to uninstall registry key.
Msi Package - Msi package.
Msi Product - Msi product.
Language Code - Language code of the program.
Install Date/Time - Install date/time.
Uninstall Date/Time - Uninstall date/time.
Key Last Update Date/Time - Registry key last update date/time.