Posts tagged "dfir"
- What the Amcache actually tells you in a DFIR investigation
A practitioner's view on the Amcache.hve hive: what each entry really proves, where the timestamps lie to you, and the mistakes that keep showing up in incident reports.
2026-05-27
- Amcache vs Shimcache: which artifact answers which question
Two adjacent Windows artifacts with very different forensic properties. What each really records, where their timestamps lie, and a decision table for casework.
2026-05-27
- The Amcache timestamps, decoded
Every FILETIME and DateTime-as-string field across the Amcache keys, what each really tracks, and how Win7, Win10 and Win11 disagree about the same artifact.
2026-05-27
- SHA-1 in the Amcache: pivoting from disk to threat intel
How the Amcache FileId field becomes the most useful pivot in a DFIR investigation, why hashes beat paths, and the workflow for hash-pivoting at scale.
2026-05-27
- Investigating a real incident with the Amcache: walkthrough
A fictional but realistic ransomware investigation, walked through the Amcache evidence end to end: the SHA-1 pivot, the corroboration, and the limits of the hive.
2026-05-27
- The Amcache.hve binary format, in practice
A walkthrough of the Amcache.hve on-disk structure: the regf hive layout, the subkeys that matter in DFIR, and the tools that read them without lying to you.
2026-05-27
- Acquiring Amcache.hve from live and dead systems
How to collect Amcache.hve and its transaction logs correctly on live and dead hosts, the file-lock pitfalls, and what good IR collection scripts actually do.
2026-05-27
- Volatility and Amcache: extracting the hive from memory images
When you only have a RAM dump, Volatility extracts the in-memory copy of Amcache.hve. Hand off to AmcacheParser. The cases where this is the only option.
2026-05-24
- RegRipper amcache plugin: what it does and when to use it
RegRipper's amcache plugin produces a plain-text Amcache report. Useful when you're already running RegRipper across other hives or need narrative output. Use AmcacheParser when you need CSV.
2026-05-24
- What is DFIR triage? (glossary)
Triage is the fast pass that decides whether a host is worth a full investigation. Amcache is one of the cheapest, most productive artefacts in the triage kit.
2026-05-24
- AmcacheParser output columns explained: every CSV field decoded
Field-by-field reference for AmcacheParser's CSV output. FileId, PathHash, ProgramId, LinkDate, BinFileVersion, IsPeFile, and every other column, with the pivots that matter.
2026-05-24
- AmcacheParser download guide: official sources, mirrors, and verification
Where to get AmcacheParser. Get-ZimmermanTools, direct download, KAPE, Velociraptor. Plus checksum verification and the air-gapped install pattern.
2026-05-24
- AmcacheParser: the complete guide to Eric Zimmerman's tool
The reference for AmcacheParser. What it does, how to install and run it, how to read the CSVs, and when the browser parser is the better tool for the moment.
2026-05-24
- AmcacheParser CLI cheatsheet: every flag, with worked examples
Copy-paste reference for AmcacheParser.exe. Every flag explained. KAPE, Velociraptor, and PowerShell batch patterns you can use directly.
2026-05-24
- Amcache on Windows Server: cadence, coverage, and quirks
Server Amcache: same format, same schema, much slower appraiser cadence and a different operating context. The patterns that matter for server-side DFIR.
2026-05-24
- Amcache on Windows 11 and Windows 10: schema, cadence, and quirks
Modern Amcache. The Inventory* schema introduced in 1709, the appraiser cadence, and the build-specific quirks worth knowing before you misread evidence.
2026-05-24
- Amcache vs SRUM: presence vs long-window resource usage
SRUM tracks per-app resource usage by hour over 30-60 days. Amcache inventories every PE on disk. They overlap on almost nothing and pair beautifully on exfil cases.
2026-05-24
- Amcache vs Prefetch: what each one really proves
Amcache records presence. Prefetch records execution. Where they overlap, they corroborate. Where they diverge, the divergence is the finding.
2026-05-24
- USB and device history from Amcache: InventoryDeviceContainer and InventoryDevicePnp
Amcache's device records give you the cleanest 'what hardware ever touched this machine?' tabular view Windows offers. Plus the limits and the join key.
2026-05-24
- Amcache timestamps explained: KeyLastWriteTimestamp vs LinkDate vs the rest
Every timestamp Amcache exposes, what each one means, and which one to pivot on. Confusing them is the #1 mistake new analysts make.
2026-05-24
- Amcache registry structure: every key explained
Key-by-key tour of Amcache.hve. Root\InventoryApplicationFile, InventoryApplication, InventoryDriverBinary, the legacy Programs and File keys, and what every notable value means.
2026-05-24
- Amcache ProgramId explained: the 44-character application identity
ProgramId is the 44-char identity hash Windows computes from application metadata. Stable across hosts. The pivot that catches re-compiles where Hash misses.
2026-05-24
- Amcache parsers compared: AmcacheParser CLI, browser tool, Volatility, RegRipper
Four mature parsers for Amcache.hve. Same hive, different workflows. The decision rule comes down to install footprint, batchability, and where each one wins.
2026-05-24
- Hunting commodity malware with Amcache
An Amcache-first triage playbook for commodity malware on Windows. The filters that surface attacker tooling, the pivots that confirm execution, and the cross-host queries that scope the incident.
2026-05-24
- Lateral movement and Amcache: ProgramId pivoting across hosts
One suspicious ProgramId or Hash on host A becomes a query against every other host's Amcache. The playbook for scoping the spread across the estate.
2026-05-24
- The definitive Amcache.hve forensic reference: every key, every value, every timestamp
Field-by-field, schema-by-schema. What each Inventory* sub-key holds, what every timestamp means, how the schema evolved from Windows 7 to 11, and what Amcache will and will not prove.
2026-05-24
- Where Amcache.hve is located on disk (and how to collect it)
Path: C:\Windows\AppCompat\Programs\Amcache.hve plus the .LOG files. Always all three. Plus the right way to collect from a live host and from shadow copies.
2026-05-24
- Recovering deleted-binary evidence from Amcache
Amcache outlives the binaries it records. Path, SHA-1, publisher, link date, and inventory time persist for months after the attacker wipes the file. The practical workflow.
2026-05-24
- Amcache: the complete Windows .hve forensics reference
Amcache is the hive the Compatibility Appraiser writes every PE on disk into, with SHA-1, full path, publisher, link date, and a key write time. The reference, from format to investigative use.
2026-05-24
- Amcache FileId explained: the SHA-1 hash format Windows stores
FileId is '0000' plus the SHA-1 of the first 31 MiB. Strip the prefix or your VirusTotal lookups silently return nothing. The full reference, with the traps.
2026-05-24