What is the “AmCache” Windows forensic artifact?
The AmCache, or Application Compatibility Cache, is a Windows artifact that serves as a component of the Application Compatibility database. Its primary purpose is to support the operating system in identifying and resolving compatibility issues with various applications. The AmCache is stored within a registry hive file, typically located at %SystemRoot%\AppCompat\Programs\Amcache.hve. This hive is not loaded into the active registry while the system is running, but it is regularly updated. Its structure contains detailed records about applications that have been run on the system, making it a critical source of information for forensic analysis.
For a DFIR investigator, the entries in the AmCache provide definitive evidence of program execution. Each record can contain the full path of the executed program, the file’s last modification time, and, most importantly, its SHA1 hash. This information is invaluable for tracking the execution of legitimate programs, portable applications, and malicious code. By hashing the executables, the AmCache allows an investigator to verify a program against known malware databases, even if the original file has been deleted from the system. Analyzing the AmCache helps build a timeline of application execution, identify programs run from removable media, and uncover evidence of anti-forensic techniques.
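The triage described above, as an added example that is not part of the original post: it takes decoded AmCache records (constructed sample data in the shape of InventoryApplicationFile entries, with the SHA1 recovered from the FileId value), checks each hash against a stand-in malware hash set, flags files no longer present on disk and files on a non-system drive, and orders the results into a timeline. The "LastWrite" field and the non-system-drive heuristic are assumptions for this example.

```python
from datetime import datetime, timezone

# Constructed sample: three decoded AmCache records. FileId and
# LowerCaseLongPath are the real value names; "LastWrite" stands in for the
# key's last-write timestamp as a decoder would export it (assumption).
# Hashes, paths and times are invented for this example.
SAMPLE_RECORDS = [
    {"LowerCaseLongPath": "c:\\windows\\system32\\notepad.exe",
     "FileId": "0000" + "11" * 20, "LastWrite": "2024-03-02T09:15:00Z"},
    {"LowerCaseLongPath": "e:\\tools\\rclone.exe",
     "FileId": "0000" + "22" * 20, "LastWrite": "2024-03-01T22:40:00Z"},
    {"LowerCaseLongPath": "c:\\users\\public\\update.exe",
     "FileId": "0000" + "33" * 20, "LastWrite": "2024-03-02T01:05:00Z"},
]
KNOWN_BAD_SHA1 = {"33" * 20}            # constructed stand-in for a malware hash database
PRESENT_PATHS = {"c:\\windows\\system32\\notepad.exe"}  # constructed disk listing of the image


def file_id_to_sha1(file_id):
    """AmCache stores the SHA1 as '0000' followed by 40 hex characters."""
    if len(file_id) != 44 or not file_id.startswith("0000"):
        raise ValueError(f"unexpected FileId format: {file_id!r}")
    return file_id[4:].lower()


def on_non_system_drive(path):
    """Heuristic (assumption): anything not on C: may be removable media;
    confirm against mounted-device artifacts before drawing conclusions."""
    return not path.lower().startswith("c:\\")


def triage(records, known_bad=KNOWN_BAD_SHA1, present=PRESENT_PATHS):
    """Return the records oldest-first with triage flags attached."""
    findings = []
    for rec in records:
        path = rec["LowerCaseLongPath"].lower()
        sha1 = file_id_to_sha1(rec["FileId"])
        flags = []
        if sha1 in known_bad:
            flags.append("known-bad-hash")       # hash hit even if the file is gone
        if on_non_system_drive(path):
            flags.append("non-system-drive")
        if path not in present:
            flags.append("missing-from-disk")    # possible deletion / anti-forensics
        when = datetime.strptime(rec["LastWrite"], "%Y-%m-%dT%H:%M:%SZ")
        findings.append({"when": when.replace(tzinfo=timezone.utc),
                         "path": path, "sha1": sha1, "flags": flags})
    return sorted(findings, key=lambda f: f["when"])  # execution timeline


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f["when"].isoformat(), f["path"], f["sha1"][:12], ",".join(f["flags"]) or "-")
```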
Enterprise Forensic Applications
The execution tracking provided by the AmCache.hve is critical for establishing timelines in advanced investigations. During M&A Cyber Due Diligence, TensorGuard leverages AmCache to identify if unauthorized administrative tools or dormant malware droppers were executed on a target company’s network months before the acquisition. It is also highly effective in detecting insider threats by proving the execution of portable exfiltration utilities directly from USB drives.
Collecting, Decoding, and Viewing “AmCache” with TensorGuard
- Create a TensorGuard account and sign in to the TensorGuard console at https://app.tensorguard.com.
- Select “Case Manager”, then the plus button to create a case. This will contain your enrolled devices, their reports, and any manually submitted collections.
- Using the link inside the case menu, download the TensorGuard Forensic Collector and run it on your target system.
- In the console, click the plus button for “New Enrollment”, copy the enrollment key, and paste it into the TensorGuard Forensic Collector on your target device.
- Now that you have a device enrolled, select the device(s), and click “Send Signal”. Answer the questions regarding what you want to look for in the analysis, any alerting on positive findings, and if the collection and analysis should be recurring.
- Once the report is generated, you’ll have AmCache delivered in the browser, alongside an executive summary and timeline of findings.