AmCache Analysis

The AmCache is an artifact that stores metadata related to PE (Portable Executable) execution and program installation on Windows 7 and Server 2008 R2 and above. It is a registry hive, Amcache.hve, located under %SystemRoot%\AppCompat\Programs\.

Published 21 January 2019. Updated 21 January 2019.

Frequently overlooked and understudied, this database is rarely fully exploited during incident response. Its correct interpretation is indeed complex: many special cases can occur and have to be taken into account when performing an analysis. However, the information collected by the AmCache is extremely useful, and the lack of awareness about this artifact makes it all the more valuable, since attackers erasing their tracks easily overlook it. The purpose of this paper is to restore confidence in the AmCache among digital forensic examiners by providing an extensive reference of the conclusions that can be drawn when analyzing this artifact. While relying on existing public research, this paper also depends heavily on tests performed in a controlled environment. Those tests were used to validate, rectify or refine the conclusions found in the scientific literature and to fill the gaps in previous research. For instance, the traces left by the installation of a program on Windows 7 had not been explored yet, and several changes in the inner workings of the AmCache in Windows 8 and 10 needed to be documented.

ANSSI - CoRIIN_2019 - Analysis AmCache

This research was presented at the SANS DFIR Summit by Blanche Lagny.