Parses and analyzes Windows Amcache.hve registry artifacts to uncover evidence of program execution, driver loading, and application installation.
This skill provides specialized guidance for analyzing Windows Amcache artifacts, a crucial source of evidence in digital forensics and incident response (DFIR). It enables users to extract metadata about executed programs, installed applications, and loaded drivers using industry-standard tools like Eric Zimmerman's AmcacheParser. By correlating SHA-1 hashes with threat intelligence and reconstructing activity timelines, this skill helps investigators identify malicious software, detect deleted executables, and uncover unauthorized system changes even when other forensic artifacts have been cleared.
Main Features

4,121 GitHub stars

1. Extraction of SHA-1 hashes for threat intelligence correlation via VirusTotal or CIRCL
2. Analysis of uncommitted transaction logs for comprehensive data recovery
3. Identification of unauthorized software installations and driver loading history
4. Automated parsing of Amcache.hve registry hives using AmcacheParser
5. Reconstruction of forensic timelines to track attacker activity sequence
Use Cases

1. Identifying unauthorized remote access tools or hacking utilities used during an incident
2. Investigating malware infections by identifying suspicious executables and their disk origins
3. Detecting 'Bring Your Own Vulnerable Driver' (BYOVD) attacks through driver binary analysis