Posts tagged "anti-forensics"

• Can Amcache be cleared by attackers?

  Yes — an attacker with admin rights can edit or delete Amcache.hve, but the cleanup is detectable: Volume Shadow Copies, transaction logs, and the appraiser's own log usually preserve the prior state.

  2026-05-24

• Recovering deleted-binary evidence from Amcache

  When an attacker deletes a binary, Amcache often preserves its hash, path, publisher, and inventory time. A practical workflow for using Amcache to investigate wiped artefacts.

  2026-05-24