AmcacheParser

How to use AmcacheParser to parse the Windows Amcache hive (Amcache.hve) in order to provide evidence of program execution during incident investigations.

AmcacheParser is different from other Amcache parsers in that it does not dump everything available. Rather, it looks at both File entries and Program entries and correlates the two.

Program entries are found under Root\Programs and File entries are found under Root\File.

AmcacheParser first gathers all of the Program entries, then walks all of the File entries. Each File entry carries a pointer to a Program ID (value 100). If that Program ID exists among the Program entries, the File entry is associated with that Program entry.

At the end of this process you are left with the File entries that did not come from any installed application, which is usually the most interesting set for an investigation.

With the minimum options, AmcacheParser exports only the unassociated File entries.
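The association logic described above, reproduced as an added PowerShell example rather than the tool's own code. It loads a copied Amcache.hve with the registry provider, collects the Program IDs under Root\Programs, then classifies every entry under Root\File by whether its value 100 names an existing Program entry. The hive path, mount name and output path are assumptions, as are the value names "101" (SHA-1) and "15" (full path), which are the conventional names for those values in this hive layout and are not taken from the page:

```powershell
# Added example, not AmcacheParser's own code: reproduce the Program/File
# association described above with PowerShell's registry provider, on a COPY of
# Amcache.hve. Assumed: an elevated session (reg load needs it), a hive in the
# Root\Programs / Root\File layout, and the path and mount name below.
param(
    [string]$HivePath = 'C:\Cases\host01\Amcache.hve',      # assumed: a copied hive, never the live one
    [string]$OutCsv   = 'C:\Cases\host01\Unassociated.csv'  # assumed output path
)
$mount = 'HKLM\AmcacheOffline'                              # arbitrary mount point
& reg.exe load $mount $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath (elevated? hive still in use?)" }

try {
    $root = 'HKLM:\AmcacheOffline\Root'

    # Pass 1: every Program entry, keyed by Program ID (the subkey name under Root\Programs).
    $programIds = @{}
    foreach ($p in Get-ChildItem -Path "$root\Programs") { $programIds[$p.PSChildName] = $true }

    # Pass 2: File entries live at Root\File\<VolumeGuid>\<FileId>. Value "100" is the
    # Program ID pointer. "101" (SHA-1) and "15" (full path) are assumed value names.
    $associated   = [System.Collections.Generic.List[object]]::new()
    $unassociated = [System.Collections.Generic.List[object]]::new()
    foreach ($vol in Get-ChildItem -Path "$root\File") {
        foreach ($file in Get-ChildItem -Path $vol.PSPath) {
            $v = Get-ItemProperty -Path $file.PSPath
            $entry = [pscustomobject]@{
                Volume    = $vol.PSChildName
                FileId    = $file.PSChildName
                ProgramId = $v.'100'
                Sha1      = $v.'101'
                FullPath  = $v.'15'
            }
            # Associated only if the pointer names a Program entry that actually exists;
            # a missing or dangling value 100 leaves the entry unassociated.
            if ($entry.ProgramId -and $programIds.ContainsKey($entry.ProgramId)) {
                $associated.Add($entry)
            } else {
                $unassociated.Add($entry)
            }
        }
    }

    # Minimum-options behaviour: only the unassociated set is written out.
    $unassociated | Export-Csv -Path $OutCsv -NoTypeInformation
    'Programs: {0}  Files: {1}  Associated: {2}  Unassociated: {3}' -f `
        $programIds.Count, ($associated.Count + $unassociated.Count), $associated.Count, $unassociated.Count
}
finally {
    # The registry provider keeps handles open; release them first or reg unload
    # fails with "Access is denied" and the hive stays mounted.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload $mount | Out-Null
}
```

Run it against a copied hive only: loading the live Amcache.hve a second time is not possible while the system holds it, and the point of the script is to make the association rule visible, not to replace the parser.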

| Tool Name | Version | MITRE ATT&CK Tactic | MITRE ATT&CK Technique |
|---|---|---|---|
| AmcacheParser | V1.5.1.0 | | |

Instructions

Extracting Application Data from a Live Host

AmcacheParser can be run directly on a host to parse the live Amcache.hve. If a forensic image or a copy of Amcache.hve has already been collected, the tool can parse that copy instead of the live hive; the switches are the same either way.

amcacheparser.exe -f "C:\Path\To\amcache.hve" --csv "C:\Path\To\Output"

Must be run as Administrator in order to read the live hive. {: .prompt-info }

Extracting Application Data with Exclusion List Post-processing

AmcacheParser accepts an exclusion list while processing the hive data. The list is a plain .txt file with one SHA-1 hash per line, one line for each application to be excluded from the results. This is a good way to trim the output of common or expected applications; taking the hashes from the SHA1 column of a previous run's CSV output guarantees they are in the format the parser compares against.

amcacheparser.exe -f "C:\Path\To\amcache.hve" -w "C:\Path\To\Exclusions.txt" --csv "C:\Path\To\Output"

Must be run as Administrator in order to read the live hive. {: .prompt-info }
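The two procedures above combined into one workflow, as an added PowerShell example that is not part of the page or of the tool: a first pass over the live hive with no exclusions, an exclusion list built from the SHA-1 hashes of binaries in directories you treat as expected on this host, and a second pass with -w. The tool directory, output directory and known-good directories are assumptions; the elevation check and the live hive location are standard Windows facts.

```powershell
# Added example, not from the page or the tool: two-pass run on a live host.
# Assumed: AmcacheParser.exe in $ToolDir, an elevated session, and that the
# $KnownGoodDirs really are trusted directories on this host.
param(
    [string]$ToolDir = 'C:\Tools\ZimmermanTools',            # assumed location of AmcacheParser.exe
    [string]$OutDir  = 'C:\Cases\host01\amcache',            # assumed output root
    [string[]]$KnownGoodDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
)
$parser = Join-Path $ToolDir 'AmcacheParser.exe'
$hive   = Join-Path $env:SystemRoot 'appcompat\Programs\Amcache.hve'   # live hive location

# The live hive is only readable from an elevated session, so fail early.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated PowerShell session: the live hive cannot be read otherwise.'
}
if (-not (Test-Path $parser)) { throw "AmcacheParser.exe not found at $parser" }
$filteredDir = Join-Path $OutDir 'filtered'
New-Item -ItemType Directory -Force -Path $OutDir, $filteredDir | Out-Null

# Pass 1: unassociated file entries only, nothing excluded.
& $parser -f $hive --csv $OutDir
if ($LASTEXITCODE -ne 0) { throw "AmcacheParser exited with code $LASTEXITCODE" }

# Exclusion list: one SHA-1 per line. Lowercase is assumed to match the form the
# parser compares against; if in doubt, copy hashes from the SHA1 column of the pass-1 CSV.
$exclusions = Join-Path $OutDir 'Exclusions.txt'
Get-ChildItem -Path $KnownGoodDirs -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    Get-FileHash -Algorithm SHA1 |
    ForEach-Object { $_.Hash.ToLowerInvariant() } |
    Sort-Object -Unique |
    Set-Content -Path $exclusions -Encoding ASCII

# Pass 2: same hive, known-good hashes removed from the results.
& $parser -f $hive -w $exclusions --csv $filteredDir
if ($LASTEXITCODE -ne 0) { throw "AmcacheParser exited with code $LASTEXITCODE" }
'Exclusion list: {0} hashes; filtered output in {1}' -f (Get-Content $exclusions).Count, $filteredDir
```

Two caveats when building the list this way. Amcache records the hash of a file as it was when the entry was inventoried, so a binary that has since been updated on disk will no longer match and will remain in the results. Amcache also hashes only the first 31,457,280 bytes of a file, so Get-FileHash over a larger binary produces a different SHA-1 than the one stored in the hive; for those, take the hash from the parser's own output instead.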

Output

Each of the following is written as a separate CSV file in the directory given to --csv. The device, driver and shortcut outputs are populated from the Inventory* keys that exist only in newer-format Amcache hives, so they will be empty or absent for hives taken from older Windows builds.
DeviceContainers

Contains a list of OS devices such as Bluetooth devices, printers, etc. Links to entries in DevicePnPs.

DevicePnPs

Contains a list of Plug and Play devices such as Bluetooth and USB devices. More verbose than the details in DeviceContainers.

DriveBinaries

Contains a list of driver binaries.

DriverPackages

Contains a list of driver package information that links to both DeviceContainers and DevicePnPs.

ShortCuts

Contains a listing of identified .LNK files

UnassociatedFileEntries

Contains the File entries that are not associated with an installed application. Add the -i switch to the command to include all File entries, associated ones as well.
