Posts tagged "dfir"
- Volatility and Amcache: extracting the hive from memory images
A practical guide to recovering Amcache from a Windows memory image using Volatility — when memory-side recovery is the only option, which plugins to use, and how to hand off to AmcacheParser.
2026-05-24
- RegRipper amcache plugin: what it does and when to use it
A practical guide to RegRipper's amcache plugin — what it parses, how its text output differs from AmcacheParser's CSV, and when to reach for it instead of (or alongside) the Zimmerman tool.
2026-05-24
- What is DFIR triage? (glossary)
DFIR triage is the rapid first-pass examination of a host suspected of compromise, carried out to confirm or rule out that compromise within minutes. Amcache is one of the fastest triage artefacts on Windows.
2026-05-24
- AmcacheParser output columns explained: every CSV field decoded
A field-by-field reference for AmcacheParser's CSV output — FileId, PathHash, ProgramId, LinkDate, BinFileVersion, IsPeFile, and every other column, with the pivots that matter in DFIR.
2026-05-24
- AmcacheParser download guide: official sources, mirrors, and verification
Every way to download Eric Zimmerman's AmcacheParser — Get-ZimmermanTools, direct download, KAPE, Velociraptor — with checksum verification and air-gapped install patterns.
2026-05-24
- AmcacheParser: the complete guide to Eric Zimmerman's tool
A definitive guide to AmcacheParser — what it does, how to install and run Eric Zimmerman's CLI, how to read its CSV output, and when to reach for the browser-based alternative.
2026-05-24
- AmcacheParser CLI cheatsheet: every flag, with worked examples
A practical command-line reference for Eric Zimmerman's AmcacheParser — every flag explained, with KAPE, Velociraptor, and PowerShell batch-processing patterns you can copy and paste.
2026-05-24
- Amcache on Windows Server: cadence, coverage, and quirks
Amcache on Windows Server 2016, 2019, 2022, and 2025 — appraiser cadence differences from desktop, what changes for hardened or Core installs, and the patterns that matter for server-side DFIR.
2026-05-24
- Amcache on Windows 11 and Windows 10: schema, cadence, and quirks
How Amcache.hve behaves on modern Windows 10 and Windows 11 — the Inventory* schema introduced in 1709, the appraiser cadence, and the build-specific quirks worth knowing.
2026-05-24
- Amcache vs SRUM: presence vs long-window resource usage
SRUM tracks resource usage by application over 30+ days; Amcache inventories every binary present on disk. Here is how they complement each other in a Windows DFIR timeline.
2026-05-24
- Amcache vs ShimCache: when each artefact wins
ShimCache and Amcache both record binaries that touched a Windows host. They are different mechanisms with different limits — here is when to use each, and what their overlap actually proves.
2026-05-24
- Amcache vs Prefetch: what each one really proves
Amcache records presence; Prefetch records execution. A practical reference for when to use each, what they overlap on, and how to combine them in a DFIR timeline.
2026-05-24
- USB and device history from Amcache: InventoryDeviceContainer and InventoryDevicePnp
Amcache's InventoryDeviceContainer and InventoryDevicePnp keys give analysts a clean answer to 'what hardware ever connected to this host?'. A practical guide to USB and peripheral investigations.
2026-05-24
- Amcache timestamps explained: KeyLastWriteTimestamp vs LinkDate vs the rest
A reference for every timestamp Amcache exposes — KeyLastWriteTimestamp, LinkDate, InstallDate, MsiInstallDate, LastModified — what each one means, and which one to pivot on.
2026-05-24
- Amcache registry structure: every key explained
A key-by-key tour of the Amcache.hve registry hive — Root\InventoryApplicationFile, InventoryApplication, InventoryDriverBinary, the legacy Programs and File keys, and what every notable value means.
2026-05-24
- Amcache ProgramId explained: the 44-character application identity
A reference for Amcache's ProgramId — how Windows builds the 44-character identity hash, how to use it to join file records to applications, and how to pivot it across hosts in a hunt.
2026-05-24
- Amcache parsers compared: AmcacheParser CLI, browser tool, Volatility, RegRipper
Side-by-side comparison of the four ways to parse a Windows Amcache.hve hive in 2026 — Eric Zimmerman's AmcacheParser CLI, the browser tool, Volatility 3, and RegRipper.
2026-05-24
- Hunting commodity malware with Amcache
A practical Amcache-first triage playbook for commodity malware on Windows endpoints — the filters that surface attacker tooling, the pivots that confirm execution, and the cross-host queries that scope the incident.
2026-05-24
- Lateral movement and Amcache: ProgramId pivoting across hosts
A single suspicious ProgramId on one host becomes a query you can run against every other host's Amcache. The full lateral-movement scoping playbook with concrete queries.
2026-05-24
- The definitive Amcache.hve forensic reference: every key, every value, every timestamp
A field-by-field, schema-by-schema reference for Windows Amcache.hve — what each Inventory* subkey records, what every timestamp actually means, how the schema evolved from Windows 7 through Windows 11, and what Amcache can and cannot prove in DFIR.
2026-05-24
- Where Amcache.hve is located on disk (and how to collect it)
The exact file paths for Amcache.hve and its transaction logs across Windows versions, plus the right way to collect them for forensic analysis with KAPE, Velociraptor, or manually.
2026-05-24
- Recovering deleted-binary evidence from Amcache
When an attacker deletes a binary, Amcache often preserves its hash, path, publisher, and inventory time. A practical workflow for using Amcache to investigate wiped artefacts.
2026-05-24
- Amcache: the complete Windows .hve forensics reference
Amcache is the Windows registry hive that records every PE binary the appraiser has inventoried, with SHA-1, path, publisher, and inventory time. Full reference.
2026-05-24
- Amcache FileId explained: the SHA-1 hash format Windows stores
A deep dive on Amcache's FileId field — why it starts with 0000, why it's a SHA-1 of the first 31 MiB, how to use it for VirusTotal lookups, and the traps that mislead analysts.
2026-05-24