What is DFIR triage? (glossary)
Triage is the fast pass. Twenty hosts came back from a sweep and the question is which ones get a full investigation. You do not have time to image and timeline all twenty. You collect a small fixed set of artefacts, parse them, run two or three canonical filters, and produce a yes/no per host with enough evidence to defend the call.
That is the whole point. Done right, it takes minutes per host. Done wrong, it produces false confidence either way and you find out three weeks later.
The shape of a good triage#
- Collect a fixed set fast. KAPE
!SANS_Triage, VelociraptorWindows.Forensics.Triage, or your in-house equivalent. - Parse with CSV-producing tools. Eric Zimmerman's suite, mostly.
- Apply the canonical filter for each artefact. For Amcache it is "unsigned PE in user-writable path with
IsPeFile = True". - Hash-pivot anything that survives the filter. VirusTotal, internal TI feed, threat intel platform.
- Time-bound on the survivors. Pull a window of activity around their
KeyLastWriteTimestamp.
The standard Windows kit#
| Artefact | The question it answers |
|---|---|
| Amcache | Was this PE present, with what hash and when? |
| Prefetch | Did it actually run, and when? |
| Security event log (EVTX) | Who logged on, who failed, what processes started with what command line? |
| Sysmon | Real-time process, file, network, image load. |
| SYSTEM hive | Shimcache, services, autostarts. |
| NTUSER.DAT | UserAssist, RunMRU, RecentDocs, shellbags. |
| SOFTWARE hive | Autoruns, installed software. |
| Browser history | Initial-access vector for phishing or drive-by. |
| Recent MFT / USN | Filesystem creates around the suspected window. |
Why Amcache earns its place at the front#
Three reasons. It is one file. It carries hashes you can submit straight to VirusTotal. It survives binary deletion better than anything else in the set. The "unsigned PE in user-writable path" filter on UnassociatedFileEntries.csv typically returns under 50 rows on a typical infected workstation, and most of those either light up on a TI lookup or have an obvious benign explanation (portable apps, dev tools).
For the full Amcache-driven triage playbook, see Hunting commodity malware with Amcache.
Related terms#
Related posts
- Hunting commodity malware with Amcache
An Amcache-first triage playbook for commodity malware on Windows. The filters that surface attacker tooling, the pivots that confirm execution, and the cross-host queries that scope the incident.
- Volatility and Amcache: extracting the hive from memory images
When you only have a RAM dump, Volatility extracts the in-memory copy of Amcache.hve. Hand off to AmcacheParser. The cases where this is the only option.
- RegRipper amcache plugin: what it does and when to use it
RegRipper's amcache plugin produces a plain-text Amcache report. Useful when you're already running RegRipper across other hives or need narrative output. Use AmcacheParser when you need CSV.
- What is SRUM (SRUDB.dat)? (glossary)
SRUM is the ESE database Windows uses to track per-application resource usage by hour over 30-60 days. The only Windows artefact with per-app network-byte totals. Critical for exfil.