mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 05:34:55 +03:00
68 lines
2.0 KiB
Markdown
# API Reference: Analyzing Windows Amcache Artifacts

## Amcache.hve Location

```
C:\Windows\AppCompat\Programs\Amcache.hve
```

## Registry Keys

| Key Path | Contents |
|----------|---------|
| Root\InventoryApplicationFile | File execution evidence with SHA-1 |
| Root\InventoryApplication | Installed application metadata |
| Root\InventoryDevicePnp | PnP device connection history |
| Root\InventoryDriverBinary | Driver binary metadata |

## regipy Python Library

```bash
pip install regipy
```

```python
from regipy.registry import RegistryHive

reg = RegistryHive('/path/to/Amcache.hve')
# Each subkey under InventoryApplicationFile describes one inventoried file
for subkey in reg.get_key('Root\\InventoryApplicationFile').iter_subkeys():
    values = {v.name: v.value for v in subkey.iter_values()}
    print(values.get('Name'), values.get('LowerCaseLongPath'))
```

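As an added example (not code from the original page or from the regipy project), the routine below extends the walk shown above into a small extraction step: it strips the `0000` prefix from `FileId` to recover the bare SHA-1, coerces `Size` to an integer, and records the subkey's last-write time next to the values. It assumes the regipy calls already on this page plus `subkey.header.last_modified` and `regipy.utils.convert_wintime` for the FILETIME conversion; the names `AmcacheFileEntry`, `file_id_to_sha1`, `entry_from_values` and `load_file_entries` are chosen here and are not regipy API.

```python
"""Walk Root\InventoryApplicationFile with regipy and normalise each entry.

Added example, not from the original page or the regipy project. Assumes the
regipy calls shown on the page, plus subkey.header.last_modified (FILETIME) and
regipy.utils.convert_wintime for turning it into a datetime.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

HEX = set("0123456789abcdef")


@dataclass
class AmcacheFileEntry:
    name: str
    path: str
    sha1: Optional[str]
    publisher: str
    size: Optional[int]
    link_date: str
    program_id: str
    key_last_modified: Optional[str]


def file_id_to_sha1(file_id: Optional[str]) -> Optional[str]:
    """FileId is the SHA-1 with a '0000' prefix; return the 40-hex digest.

    Returns None when the value is missing or malformed so callers can notice
    entries without a usable hash instead of matching on a bogus string.
    """
    if not file_id:
        return None
    digest = str(file_id).strip().lower()
    if digest.startswith("0000"):
        digest = digest[4:]
    if len(digest) != 40 or any(c not in HEX for c in digest):
        return None
    return digest


def entry_from_values(values: Dict[str, object],
                      key_last_modified: Optional[str] = None) -> AmcacheFileEntry:
    """Build an AmcacheFileEntry from the {value_name: value} dict of one subkey."""
    raw_size = values.get("Size")
    try:
        size = int(raw_size) if raw_size is not None else None
    except (TypeError, ValueError):
        size = None  # keep the entry; an unparseable size is not fatal
    return AmcacheFileEntry(
        name=str(values.get("Name") or ""),
        path=str(values.get("LowerCaseLongPath") or ""),
        sha1=file_id_to_sha1(values.get("FileId")),
        publisher=str(values.get("Publisher") or ""),
        size=size,
        link_date=str(values.get("LinkDate") or ""),
        program_id=str(values.get("ProgramId") or ""),
        key_last_modified=key_last_modified,
    )


def load_file_entries(hive_path: str) -> List[AmcacheFileEntry]:
    """Parse every InventoryApplicationFile subkey of an Amcache.hve file."""
    # Imported inside the function so the pure helpers above work without regipy.
    from regipy.registry import RegistryHive
    from regipy.utils import convert_wintime  # assumed: FILETIME int -> datetime

    hive = RegistryHive(hive_path)
    entries: List[AmcacheFileEntry] = []
    for subkey in hive.get_key("Root\\InventoryApplicationFile").iter_subkeys():
        values = {v.name: v.value for v in subkey.iter_values()}
        # Key last-write time: when the inventory entry was last updated.
        last_modified = convert_wintime(subkey.header.last_modified).isoformat()
        entries.append(entry_from_values(values, last_modified))
    return entries


if __name__ == "__main__":
    import sys
    for entry in load_file_entries(sys.argv[1]):
        print(entry.sha1, entry.path, entry.key_last_modified)
```

The helpers keep the hash and the path as separate fields on purpose: the SHA-1 survives deletion of the file, so it is the field to pivot on when the path no longer exists on disk.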
## AmcacheParser (Eric Zimmerman)

```bash
# Parse Amcache.hve to CSV
AmcacheParser.exe -f C:\evidence\Amcache.hve --csv C:\output\

# Include device and driver entries
AmcacheParser.exe -f Amcache.hve --csv output\ -i
```

### Output CSV Columns

| Column | Description |
|--------|------------|
| Name | Application/file name |
| LowerCaseLongPath | Full lowercase path |
| Publisher | Software publisher |
| FileId | SHA-1 hash (prefixed with 0000) |
| Size | File size in bytes |
| LinkDate | PE compilation timestamp |
| Version | File version string |
| ProgramId | Associated program GUID |

## Forensic Value

| Artifact | Evidence |
|----------|---------|
| SHA-1 hash | File identification even after deletion |
| LowerCaseLongPath | Execution path including USB/temp |
| LinkDate | PE compile time (timestomping detection) |
| Publisher | Legitimacy verification |
| Last Modified | Registry key update timestamp |

## Suspicious Indicators

| Pattern | Concern |
|---------|---------|
| Path contains \\Temp\\ | Execution from temp directory |
| Path contains \\Downloads\\ | User-downloaded execution |
| Missing Publisher | Unsigned/unknown binary |
| LinkDate far from file date | Possible timestomping |
| Known tool names (mimikatz, psexec) | Attacker tooling |
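The indicator table above can be applied as a repeatable triage pass over AmcacheParser's CSV output. The following is an added example, not part of the original page or of AmcacheParser: it reads rows using the column names listed under Output CSV Columns, normalises `FileId` to a SHA-1, and reports which of the five indicators each row trips. The sample CSV, its hashes, its `ProgramId` and the per-path file dates are constructed placeholders; the `LinkDate` layouts tried, the one-year distance threshold, and the `file_dates` lookup (a timestamp the analyst obtains separately, such as the key's Last Modified time or a filesystem timestamp) are assumptions made for this example.

```python
"""Triage AmcacheParser CSV rows against the Suspicious Indicators table.

Added example, not from the original page or from AmcacheParser. Column names
follow the page's Output CSV Columns table; sample data below is constructed.
"""
import csv
import io
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Tool names taken from the page's indicator table.
TOOL_NAMES = re.compile(r"mimikatz|psexec", re.IGNORECASE)
# Assumed LinkDate layouts; extend if your AmcacheParser build writes another.
LINK_DATE_FORMATS = ("%Y-%m-%d %H:%M:%S", "%m/%d/%Y %H:%M:%S")
# Assumed: a compile time more than a year away from the file date is "far".
TIMESTOMP_THRESHOLD = timedelta(days=365)

# Constructed sample in the AmcacheParser column layout (hashes/ProgramId are placeholders).
SAMPLE_CSV = """Name,LowerCaseLongPath,Publisher,FileId,Size,LinkDate,Version,ProgramId
notepad.exe,c:\\windows\\system32\\notepad.exe,Microsoft Windows,0000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,201216,2021-03-04 11:22:33,10.0.19041.1,0006placeholder
mimikatz.exe,c:\\users\\alice\\downloads\\mimikatz.exe,,0000bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,1200000,1999-01-01 00:00:00,,
svchost.exe,c:\\users\\alice\\appdata\\local\\temp\\svchost.exe,,0000cccccccccccccccccccccccccccccccccccccccc,51200,2023-08-01 10:00:00,,
"""

# Constructed: file dates the analyst looked up separately, keyed by lowercase path.
SAMPLE_FILE_DATES = {
    "c:\\windows\\system32\\notepad.exe": datetime(2021, 3, 10, tzinfo=timezone.utc),
    "c:\\users\\alice\\appdata\\local\\temp\\svchost.exe": datetime(2019, 1, 1, tzinfo=timezone.utc),
}


def parse_link_date(text: str) -> Optional[datetime]:
    """Parse the LinkDate column; None when empty or in an unknown layout."""
    for fmt in LINK_DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def sha1_from_file_id(file_id: str) -> str:
    """Drop the '0000' prefix AmcacheParser reports in FileId."""
    digest = file_id.strip().lower()
    return digest[4:] if digest.startswith("0000") and len(digest) == 44 else digest


def indicators_for_row(row: Dict[str, str], file_date: Optional[datetime] = None) -> List[str]:
    """Return the indicator descriptions (from the page's table) that this row matches."""
    hits: List[str] = []
    path = row.get("LowerCaseLongPath", "").lower()
    if "\\temp\\" in path:
        hits.append("execution from temp directory")
    if "\\downloads\\" in path:
        hits.append("user-downloaded execution")
    if not row.get("Publisher", "").strip():
        hits.append("missing publisher (unsigned/unknown binary)")
    if TOOL_NAMES.search(row.get("Name", "")):
        hits.append("known attacker tool name")
    link = parse_link_date(row.get("LinkDate", ""))
    if link is not None and file_date is not None:
        # A file cannot predate its own compile time; a large gap in either
        # direction is also worth a look (legitimate old software will trip it).
        if file_date < link or abs(file_date - link) > TIMESTOMP_THRESHOLD:
            hits.append("LinkDate far from file date (possible timestomping)")
    return hits


def triage_csv(csv_text: str, file_dates: Optional[Dict[str, datetime]] = None) -> List[Dict[str, object]]:
    """Run every row through the indicator checks; return only rows with hits."""
    file_dates = file_dates or {}
    findings: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row.get("LowerCaseLongPath", "").lower()
        hits = indicators_for_row(row, file_dates.get(path))
        if hits:
            findings.append({
                "name": row.get("Name", ""),
                "path": path,
                "sha1": sha1_from_file_id(row.get("FileId", "")),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_csv(SAMPLE_CSV, SAMPLE_FILE_DATES):
        print(finding["sha1"], finding["path"], "; ".join(finding["indicators"]))
```

The timestomping check is the noisy one: old but legitimate software also shows a LinkDate far before its file date, so treat the "file older than its own compile time" direction as the stronger signal and the distance check as a prompt to verify the binary's SHA-1 against a known-good source.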