Tuesday, 10 May 2016

Amcache on Windows 7

The Amcache registry hive, which made its debut in Windows 8, is now also showing up on Windows 7 systems. I was alerted to this by fellow DFIR analyst Clint Hastings, who noticed it and has been using my scripts to parse Amcache on Windows 7 for some time now.

So, what happened? After some investigation on my own machines, I traced it to Windows Update KB2952664, which updates the application inventory and telemetry executables and libraries ("telemetry" being Microsoft's term for the components that monitor application usage).

The update was first released in April 2015, but it appears not to have been widely deployed through automatic updates until around October.

Both Amcache.hve and RecentFileCache.bcf are now updated on Windows 7. I verified this by parsing both artifacts; Amcache, of course, holds far more detail about the same files. So don't forget to look for Amcache in your Windows 7 examinations.
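A quick way to check a Windows 7 box (or a mounted image) for the update and for the two artifacts, as an added example that is not from the original post or the author's parsing scripts. The paths are the standard locations under the Windows directory; the scheduled-task folder check and the note that the hive is held open on a live system are my additions, not something the post states.

```powershell
# Added example, not part of the original post. Checks a Windows 7 host for
# KB2952664 and for the two artifacts discussed above. $SystemRoot can point
# at a mounted image (for example D:\Windows); in that case only the file
# checks apply, because Get-HotFix queries the live system's WMI, not a disk.
param(
    [string]$SystemRoot = $env:SystemRoot
)

$kb = 'KB2952664'
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) {
    "{0} is installed (InstalledOn: {1})" -f $kb, $hotfix.InstalledOn
} else {
    "{0} not reported by Get-HotFix on this system" -f $kb
}

# Artifacts written by the application inventory / telemetry components.
# Amcache.hve is a registry hive and is held open by the OS on a live system;
# copy it from a Volume Shadow Copy or with a raw-disk read before parsing it.
$artifacts = @(
    (Join-Path $SystemRoot 'AppCompat\Programs\Amcache.hve'),
    (Join-Path $SystemRoot 'AppCompat\Programs\RecentFileCache.bcf')
)
foreach ($path in $artifacts) {
    if (Test-Path -LiteralPath $path) {
        $f = Get-Item -LiteralPath $path
        "{0}: {1:N0} bytes, last written {2:u}" -f $f.Name, $f.Length, $f.LastWriteTimeUtc
    } else {
        "{0}: not present" -f (Split-Path -Leaf $path)
    }
}

# The scheduled tasks that drive the inventory are stored as XML under this
# folder; their LastWriteTime shows when the update (re)installed them.
$taskDir = Join-Path $SystemRoot 'System32\Tasks\Microsoft\Windows\Application Experience'
if (Test-Path -LiteralPath $taskDir) {
    Get-ChildItem -LiteralPath $taskDir |
        Select-Object Name, LastWriteTimeUtc |
        Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt on the live box, or pass `-SystemRoot D:\Windows` against a mounted image and ignore the Get-HotFix line. A present Amcache.hve on a Windows 7 system is the cue to run your usual Amcache parser against a copy of the hive rather than stopping at RecentFileCache.bcf.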

5 comments:

  1. Good to know - thanks for the update!
  2. Hey Yogesh! Cool beans! Question though. Is the SHA1 hash you mentioned an actual SHA1 of the binary, or is it a Windows Authenticode hash (which uses SHA1, but is different)?

    On an unrelated note, I was just trying to parse some IE RecoveryStore files yesterday, and discovered that your IETravelogParser.EnPack EnScript doesn't work under EnCase 7.10.05. I get the error, '"CANCHECK" is an unknown identifier'. Is there any chance you'd be willing to update this for the current version of EnCase 7?
    Replies
    1. John, it's the SHA1 of the binary itself. I just updated the Travelog script to work with version 7; however, it's for version 7.02 for now. Email me and let me know if this works.
  3. This problem caused me a headache back when my PC got stuck on it. I spent days searching everywhere on the internet but couldn't find the solution, and in the end I had to reinstall Windows. Good post!