Posts tagged "anti-forensics"
- Can Amcache be cleared by attackers?
Yes, with admin. No, not cleanly. Shadow copies, transaction logs, and the appraiser's own footprint usually preserve the prior state. Tampering is one of the more reliably caught attacker behaviours on Windows.
2026-05-24
- Recovering deleted-binary evidence from Amcache
Amcache outlives the binaries it records. Path, SHA-1, publisher, link date, and inventory time persist for months after the attacker wipes the file. The practical workflow.
2026-05-24