Posts tagged "glossary"
- What is SRUM (SRUDB.dat)? (glossary)
SRUM is the ESE database Windows uses to track per-application resource usage by hour over 30-60 days. The only Windows artefact with per-app network-byte totals. Critical for exfil.
2026-05-24
- What is Shimcache (AppCompatCache)? (glossary)
Shimcache is the kernel-maintained loader cache in the SYSTEM hive. 1024 entries, no hash, stale until reboot. Different from Amcache; pair them.
2026-05-24
- What is Amcache ProgramId? (glossary)
ProgramId is the 44-character application-identity hash Amcache stores. Stable across hosts for the same install. Catches re-compiles and renames where Hash misses.
2026-05-24
- What is Windows Prefetch? (glossary)
Windows Prefetch is the directory of .pf files that proves execution. Up to 8-10 run times per binary plus the files loaded in the first ten seconds. The strongest Windows execution evidence.
2026-05-24
- What is LinkDate in Amcache? (glossary)
LinkDate is the PE TimeDateStamp. Attacker-controllable. Use it for build clustering, not for host timelines.
2026-05-24
- What is KeyLastWriteTimestamp in Amcache? (glossary)
The registry write time of the Amcache key. Closest thing to 'when the appraiser recorded this'. The single field new analysts most often confuse with LinkDate.
2026-05-24
- What is Root\InventoryApplicationFile? (glossary)
The principal Amcache key. One sub-key per PE the appraiser inventoried, with hash, path, publisher, link date, and a registry write time. Where 90% of analyst time goes.
2026-05-24
- What is Amcache FileId? (glossary)
FileId is '0000' plus the SHA-1 of the first 31 MiB of the file. Strip the prefix before you hit VirusTotal or you will silently get back nothing.
2026-05-24
- What is DFIR triage? (glossary)
Triage is the fast pass that decides whether a host is worth a full investigation. Amcache is one of the cheapest, most productive artefacts in the triage kit.
2026-05-24
- What is the Compatibility Appraiser? (glossary)
The scheduled task that walks the filesystem, inventories PE files, and writes the records into Amcache.hve. Understand its cadence or misread your timeline.
2026-05-24
- What is BYOVD (Bring-Your-Own-Vulnerable-Driver)? (glossary)
BYOVD is the trick of loading a signed-but-broken kernel driver to get ring 0 without bypassing Driver Signature Enforcement. Amcache's driver records are how you spot it.
2026-05-24
- What is Amcache.hve? (glossary)
Amcache.hve is the Windows hive the Compatibility Appraiser writes every PE it finds into, with SHA-1, full path, publisher, and an inventory timestamp. Survives the binary it records.
2026-05-24