Concise Cyber

Uncovering Deleted Malware: A Guide to Windows AmCache Forensics

What is AmCache and Why is it Critical for Forensics?

In digital forensics and incident response (DFIR), the Windows AmCache is a vital artifact for identifying malicious activity. Stored in the Amcache.hve registry hive, it tracks the execution of software, preserving metadata like file paths, compilation timestamps, and SHA-1 hashes. This makes it invaluable for uncovering evidence of programs, such as self-deleting ransomware, even after the original files are gone. Unlike some other artifacts, AmCache’s persistence and the inclusion of file hashes allow analysts to hunt for threats across a network and query threat intelligence feeds like VirusTotal.

The AmCache contains several key subkeys of interest to investigators. The InventoryApplicationFile key tracks every executable discovered on the system, while InventoryApplication details formally installed software. For identifying kernel-level threats, the InventoryDriverBinary key provides metadata on every loaded driver, a common target for malware. Finally, InventoryApplicationShortcut logs information about .lnk shortcut files.

Limitations and the AmCache-EvilHunter Tool

While powerful, AmCache has limitations. It doesn’t always confirm direct execution, sometimes only indicating a file’s presence. A significant constraint is that it calculates the SHA-1 hash on only the first 31MB of a file. Attackers can exploit this by creating larger malware, making the stored hash useless for lookups against threat intelligence databases. To streamline analysis, the article introduces a new tool called AmCache-EvilHunter. This command-line utility parses the Amcache.hve file, allowing analysts to filter results by date, search for keywords, and identify suspicious patterns like executables with missing publisher information. Crucially, it integrates directly with Kaspersky OpenTIP and VirusTotal to automate hash lookups, speeding up threat detection and incident response.
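The two practical points above, triaging parsed AmCache entries (date window, keyword, missing publisher) and the hash-truncation caveat, are shown together below. This is an added example written for this page, not code from the article or from the AmCache-EvilHunter project. It does not read a real Amcache.hve; the records are constructed, and the field names (LowerCaseLongPath, Publisher, Sha1hash, Size, KeyLastWrite) and the exact byte boundary behind "31MB" are assumptions, stated as such in the code.

```python
"""Added example (not the article's or AmCache-EvilHunter's code): triage of
AmCache-style application-file records, plus the partial-hash caveat.

The records below are constructed. Their field names (LowerCaseLongPath,
Publisher, Sha1hash, Size, KeyLastWrite) are assumptions standing in for the
values a real Amcache.hve parser would return; nothing here reads the hive.
"""
import hashlib
from datetime import datetime, timezone

# The article says AmCache hashes only the first 31MB of a file. The exact
# byte boundary is treated as a parameter here (assumption), not a spec value.
AMCACHE_HASH_LIMIT = 31 * 1024 * 1024


def amcache_sha1(data: bytes, limit: int = AMCACHE_HASH_LIMIT) -> str:
    """SHA-1 over at most `limit` bytes, mirroring how the cache stores it."""
    return hashlib.sha1(data[:limit]).hexdigest()


def full_sha1(data: bytes) -> str:
    """SHA-1 over the whole file, which is what threat-intel feeds index."""
    return hashlib.sha1(data).hexdigest()


def cached_hash_is_lookup_safe(data: bytes, limit: int = AMCACHE_HASH_LIMIT) -> bool:
    """True when the cached (partial) hash equals the full-file hash, i.e. a
    VirusTotal/OpenTIP lookup of the cached value can actually match."""
    return amcache_sha1(data, limit) == full_sha1(data)


def parse_ts(value: str) -> datetime:
    """Timestamps in the constructed records are ISO-8601 strings, read as UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def triage(records, start=None, end=None, keyword=None, limit=AMCACHE_HASH_LIMIT):
    """Return (path, reasons) for records inside the date window that match the
    keyword (if given), flagging missing publisher and files larger than the
    hash limit, whose stored hash cannot be compared with a full-file hash."""
    hits = []
    for rec in records:
        ts = parse_ts(rec["KeyLastWrite"])
        if start and ts < start:
            continue
        if end and ts > end:
            continue
        path = rec["LowerCaseLongPath"]
        if keyword and keyword.lower() not in path.lower():
            continue
        reasons = []
        if not rec.get("Publisher", "").strip():
            reasons.append("missing publisher")
        if rec.get("Size", 0) > limit:
            reasons.append("stored hash covers only the first %d bytes; "
                           "recompute before TI lookup" % limit)
        if keyword:
            reasons.append("keyword match: %s" % keyword)
        if reasons:
            hits.append((path, reasons))
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {"LowerCaseLongPath": r"c:\windows\system32\notepad.exe",
     "Publisher": "Microsoft Corporation", "Size": 201_000,
     "Sha1hash": "0" * 40, "KeyLastWrite": "2024-03-01T09:00:00"},
    {"LowerCaseLongPath": r"c:\users\alice\appdata\local\temp\updater.exe",
     "Publisher": "", "Size": 512_000,
     "Sha1hash": "1" * 40, "KeyLastWrite": "2024-03-15T22:41:00"},
    {"LowerCaseLongPath": r"c:\programdata\bigtool\bigtool.exe",
     "Publisher": "", "Size": 40 * 1024 * 1024,
     "Sha1hash": "2" * 40, "KeyLastWrite": "2024-03-16T01:10:00"},
    {"LowerCaseLongPath": r"c:\program files\vendor\tool.exe",
     "Publisher": "Vendor Inc.", "Size": 3_000_000,
     "Sha1hash": "3" * 40, "KeyLastWrite": "2023-11-05T12:00:00"},
]


if __name__ == "__main__":
    window_start = parse_ts("2024-03-10T00:00:00")
    for path, why in triage(SAMPLE_RECORDS, start=window_start):
        print(path, "->", "; ".join(why))

    # Constructed file contents: a small one and one just past the hash limit.
    small = b"MZ" + b"\x00" * 4096
    large = b"MZ" + b"\x00" * (AMCACHE_HASH_LIMIT + 4096)
    print("small file lookup-safe:", cached_hash_is_lookup_safe(small))  # True
    print("large file lookup-safe:", cached_hash_is_lookup_safe(large))  # False
```

The practical consequence for an analyst: when a record's Size exceeds the limit, compute the partial hash of a recovered copy with `amcache_sha1` to confirm it is the same file, but submit the full-file hash to the intelligence feed, since the cached value will not match anything indexed there.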

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
