
Amcache.hve Analysis: Tool --> Registry Explorer

Introduction:

The Amcache.hve registry hive, introduced with Windows 8 and later backported to patched Windows 7 systems, is a treasure trove of information for digital forensics analysts. It holds data about executables that have run, applications that are installed, and drivers that have been loaded. In this blog post, we delve into the intricacies of Amcache.hve, focusing on the InventoryApplicationFile, InventoryApplication, and InventoryDriverBinary keys.


InventoryApplicationFile: Navigating Executables

The InventoryApplicationFile key is an excellent starting point when dissecting Amcache data. Its subkeys are named per executable, which makes it straightforward to identify binaries of interest. The hash that forms part of each subkey name hasn't been fully reversed, but it appears to be derived from the executable's full path, so analysts may encounter several keys carrying the same executable name but pointing at different folders. The values under each key add further detail: the well-known "FileID" value holds the file's SHA1 hash (prefixed with four zeroes that must be stripped), "LowerCaseLongPath" holds the full path, "Size" the file size, and "LinkDate" the compilation timestamp from the PE header. Walking through InventoryApplicationFile therefore reveals a wealth of detail associated with executed executables.


InventoryApplication: Unraveling Installed Applications

The InventoryApplication key within the Amcache hive complements the InventoryApplicationFile, focusing on installed applications. Each entry, named according to the "ProgramID," facilitates easy association with InventoryApplicationFile. The key provides crucial information, including installation date (granularity of one day) and detailed publisher information. While the last write times of registry keys may not necessarily indicate execution time, they signify the presence of the executable on the system. Combining information from InventoryApplication and InventoryApplicationFile offers a comprehensive view of both executed and installed applications.


InventoryDriverBinary: Examining Loaded Drivers

Loaded drivers play a pivotal role in investigations involving potential advanced malware infections. The InventoryDriverBinary key within Amcache.hve holds a wealth of information about drivers on the system. Each subkey corresponds to a driver, offering insights into anomalies based on known good/bad hashes, modification times, driver signing status, and metadata stored in the PE header. This information is invaluable when scrutinizing systems for advanced malware using rootkits, bootkits, or security tool evasion capabilities.


Real-world Example: Spotting Suspicious Drivers

In a real-world example, we encounter a driver with an unusual name in a non-standard folder, lacking recorded driver metadata. This prompts further investigation, including checking the digital signature, comparing timestamps with known activities, and querying the SHA1 hash against databases like VirusTotal. Ultimately, this driver turns out to be part of the F-Response forensics tool, highlighting the importance of thorough analysis.
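As an added example (not part of the original post, and not code from Registry Explorer), the following Python sketch applies the points made in the InventoryApplicationFile, InventoryApplication and InventoryDriverBinary sections above: it strips the four leading zeroes from FileID to recover the SHA1, joins file records to their InventoryApplication entry by ProgramID, and flags drivers that sit outside the standard driver folder, are unsigned, or carry no company metadata, as in the real-world case just described. The value names (FileId, LowerCaseLongPath, ProgramId, DriverName, DriverSigned, DriverCompany) and the sample records are assumptions constructed for the example; in practice they would be exported from the hive via Registry Explorer.

```python
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumed: the folder where legitimate kernel drivers normally live on the examined image.
STANDARD_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def file_id_to_sha1(file_id):
    """FileID is the file's SHA1 prefixed with four zeroes (44 hex chars); strip them and validate."""
    value = file_id.strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    if not SHA1_RE.fullmatch(value):
        raise ValueError("unexpected FileID format: %r" % file_id)
    return value

def join_applications(app_files, apps):
    """Enrich InventoryApplicationFile records with InventoryApplication data via ProgramId."""
    by_program = {a["ProgramId"]: a for a in apps}
    rows = []
    for f in app_files:
        app = by_program.get(f.get("ProgramId"), {})  # missing ProgramId: keep the file, no app data
        rows.append({"path": f["LowerCaseLongPath"], "sha1": file_id_to_sha1(f["FileId"]),
                     "size": f["Size"], "link_date": f["LinkDate"],
                     "publisher": app.get("Publisher"), "install_date": app.get("InstallDate")})
    return rows

def flag_drivers(drivers):
    """Return (driver path, reasons) for drivers outside the standard folder, unsigned, or lacking metadata."""
    flagged = []
    for d in drivers:
        path = d["DriverName"].lower()
        reasons = []
        if not path.startswith(STANDARD_DRIVER_DIR):
            reasons.append("non-standard folder")
        if not d.get("DriverSigned"):
            reasons.append("unsigned")
        if not d.get("DriverCompany"):
            reasons.append("no company metadata")
        if reasons:
            flagged.append((d["DriverName"], reasons))
    return flagged

# Constructed sample records (not from a real hive), shaped like Registry Explorer's value view.
APP_FILES = [{"FileId": "0000" + "a" * 40, "LowerCaseLongPath": "c:\\tools\\x.exe",
              "Size": 1234, "LinkDate": "01/02/2021 03:04:05", "ProgramId": "0006abc"}]
APPS = [{"ProgramId": "0006abc", "Name": "X", "Publisher": "Example Corp", "InstallDate": "01/05/2021"}]
DRIVERS = [{"DriverName": "c:\\windows\\system32\\drivers\\ntfs.sys", "DriverSigned": 1,
            "DriverCompany": "Microsoft Corporation"},
           {"DriverName": "c:\\users\\public\\hr.sys", "DriverSigned": 0, "DriverCompany": ""}]
```

Flagged drivers are leads for the follow-up steps the post lists (signature check, timestamp comparison, hash lookup), not verdicts; the F-Response case shows a flagged driver can still be benign.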


Conclusion:

The Amcache.hve registry hive unveils a wealth of information crucial for digital forensics investigations. By navigating through InventoryApplicationFile, InventoryApplication, and InventoryDriverBinary keys, analysts can gain valuable insights into executed executables, installed applications, and loaded drivers.

Akash Patel



