Posts tagged "comparison"

• What's a .pf file vs an Amcache entry?

  .pf files are Windows Prefetch records — proof a binary executed, with run timestamps and loaded-files lists. Amcache entries record presence, with the SHA-1 hash and metadata.

  2026-05-24

• Amcache vs SRUM: presence vs long-window resource usage

  SRUM tracks resource usage by application over 30+ days; Amcache inventories every binary present on disk. Here is how they complement each other in a Windows DFIR timeline.

  2026-05-24

• Amcache vs ShimCache: when each artefact wins

  ShimCache and Amcache both record binaries that touched a Windows host. They are different mechanisms with different limits — here is when to use each, and what their overlap actually proves.

  2026-05-24

• Amcache vs Prefetch: what each one really proves

  Amcache records presence; Prefetch records execution. A practical reference for when to use each, what they overlap on, and how to combine them in a DFIR timeline.

  2026-05-24

• Amcache parsers compared: AmcacheParser CLI, browser tool, Volatility, RegRipper

  Side-by-side comparison of the four ways to parse a Windows Amcache.hve hive in 2026 — Eric Zimmerman's AmcacheParser CLI, the browser tool, Volatility 3, and RegRipper.

  2026-05-24