AmcacheParser.exe :- https://github.com/EricZimmerman/AmcacheParser
AppCompatCacheParser.exe :- https://github.com/EricZimmerman/AppCompatCacheParser
AppCompatCacheParser.exe (Shimcache):
AppCompatCacheParser.exe can be used to parse an offline SYSTEM hive or to collect data from a live, running system. It currently parses data from Windows 7 and later systems.
If a SYSTEM hive is not given with the -f switch, the running computer's AppCompatCache value will be processed.
By default, all ControlSets in the SYSTEM hive are queried and processed, ensuring data existing in older control sets is not missed.
Command 1:- AppCompatCacheParser.exe -t -f .\SYSTEM --csv c:\Users\User\Downloads --csvf results.csv
-t Sorts last modified timestamps in descending order [default: False]
-f Full path to SYSTEM hive to process. If this option is not specified, the live Registry will be used.
If you have an image of the endpoint, specify the SYSTEM hive extracted from it with -f.
or
Command 2 :- AppCompatCacheParser.exe --csv c:\Users\User\Downloads --csvf results.csv
Note that this artifact is only written to the registry upon system shutdown. This matters for live response and memory captures: on a running system, the most recent entries may not yet have been written to the registry. In that case you can use the Volatility plugin to extract the artifact from memory during live response.
Windows Volatility: (You can use Ubuntu. I use Windows, so I have used the Windows plugin.)
Command 1:- python vol.py -f D:\memdump.mem windows.shimcachemem
AmcacheParser.exe:
Amcache.hve serves as a rich source of information for forensic analysts, providing insights into the history of applications, drivers, and system activities. The ability to track SHA1 hashes makes Amcache valuable for identifying both known legitimate files (known goods) and potentially malicious or renamed files (known bads).
Amcache tracks a variety of information, including installed applications, executed programs, loaded drivers, full path details, file size, publisher metadata, and multiple timestamps.
Command 1:- AmcacheParser.exe -i -f "C:\Windows\AppCompat\Programs\Amcache.hve" --csv "C:\Users\User\Downloads\file.csv"
-f Full path to the Amcache.hve file to process
-i Include file entries for program entries
Interpreting Amcache Data:
While Amcache is often categorized under "program execution," it's crucial to recognize that its inclusion in the database doesn't unequivocally indicate execution. Blanche Lagny's research highlights three major categories of files tracked in the latest version of Amcache:
Executed (and shimmed) GUI applications.
Executables and drivers copied as part of application execution.
Executables present in directories scanned by the Microsoft Compatibility Appraiser scheduled task.
The first category is directly related to execution, focusing on GUI applications that required shimming for compatibility. However, distinguishing these entries from the other two categories can be challenging, emphasizing the importance of utilizing Amcache as an indicator of executable and driver presence on the system.
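As an added example (not code from the post or from the Eric Zimmerman tools), the following Python script takes CSV output in the shape the two parsers produce and checks each Amcache file entry against Shimcache, so that an entry recorded only by the Compatibility Appraiser scan is not mistaken for corroborated execution. The column names, the sample rows and the SHA1 placeholders are constructed assumptions; compare them against the header of your own CSV files before use.

```python
import csv
import io

# Constructed sample in the shape of AppCompatCacheParser --csv output.
# Column names are assumed; verify against your own results.csv header.
SHIMCACHE_CSV = """ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile
1,0,C:\\Windows\\System32\\notepad.exe,2023-11-02 10:15:01,N/A,False,SYSTEM
1,1,C:\\Users\\User\\Downloads\\setup.exe,2023-11-03 08:02:44,N/A,False,SYSTEM
"""

# Constructed sample of AmcacheParser file entries (column subset, names assumed).
# SHA1 values are labelled placeholders, not real hashes.
AMCACHE_CSV = """FullPath,SHA1,Size,FileKeyLastWriteTimestamp,IsOsComponent
C:\\Windows\\System32\\notepad.exe,<sha1-placeholder-1>,201216,2023-11-02 10:16:00,True
C:\\Users\\User\\Downloads\\setup.exe,<sha1-placeholder-2>,5120000,2023-11-03 08:03:10,False
C:\\Program Files\\Vendor\\helper.dll,<sha1-placeholder-3>,40960,2023-11-01 12:00:00,False
"""


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def correlate(amcache_rows, shimcache_rows):
    """For each Amcache file entry, report whether Shimcache holds the same path.
    Presence in Amcache alone is evidence of presence, not of execution; a
    matching Shimcache entry is corroboration to weigh, not proof by itself."""
    shim_by_path = {r["Path"].lower(): r for r in shimcache_rows}
    report = []
    for r in amcache_rows:
        shim = shim_by_path.get(r["FullPath"].lower())
        report.append({
            "path": r["FullPath"],
            "sha1": r["SHA1"],
            "in_shimcache": shim is not None,
            "shimcache_last_modified": shim["LastModifiedTimeUTC"] if shim else None,
            "os_component": r["IsOsComponent"] == "True",
        })
    return report


def uncorroborated(report):
    """Paths present in Amcache with no Shimcache entry: likely recorded by the
    appraiser scan or a copy operation, so treat them as 'file was present'."""
    return [e["path"] for e in report if not e["in_shimcache"]]


if __name__ == "__main__":
    rows = correlate(load_rows(AMCACHE_CSV), load_rows(SHIMCACHE_CSV))
    for e in rows:
        print(f"{'SHIM' if e['in_shimcache'] else '----'}  {e['path']}")
    print("Uncorroborated:", uncorroborated(rows))
```

To run it against real output, replace the two constants with the contents of the parser CSV files and keep the same column names.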
Conclusion:
Amcache emerges as a powerful artifact in Windows forensics, offering a nuanced perspective on program execution and the presence of drivers. As forensic analysts navigate the evolving landscape of Amcache, understanding its history, data structures, and the intricacies of interpretation becomes paramount. Leveraging Amcache alongside other artifacts, such as Prefetch, can provide a comprehensive view of system activity, aiding in investigations and digital forensic analyses.
Akash Patel