analyzing-windows-amcache-artifacts

Featured

Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Quality Score: 99/100

- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Analyzing Windows Amcache Artifacts

## When to Use

- Determining which programs have existed or executed on a Windows system during incident response
- Correlating SHA-1 hashes from Amcache against known malware databases (VirusTotal, CIRCL, MISP)
- Building an application installation and execution timeline for forensic investigations
- Identifying deleted executables that leave traces in Amcache even after file removal
- Investigating insider threats by documenting which portable or unauthorized applications were present
- Analyzing driver loading history to detect rootkits or malicious kernel modules

**Do not use** as sole proof of program execution. Amcache proves file existence and metadata registration, but ShimCache (AppCompatCache) and Prefetch provide stronger execution evidence. Use all three artifacts together for conclusive analysis.

## Prerequisites

- A forensic image or live triage copy of `C:\Windows\appcompat\Programs\Amcache.hve` (and associated `.LOG1`, `.LOG2` transaction logs)
- Eric Zimmerman's AmcacheParser (`AmcacheParser.exe`) downloaded from https://ericzimmerman.github.io/
- Eric Zimmerman's Timeline Explorer for viewing parsed CSV output
- Optionally: Registry Explorer for manual hive inspection
- A SHA-1 whitelist of known-good executables (e.g., NSRL hashset) for filtering
- .NET 6+ runtime installed (required by current EZ tools)
- Write access to an output directory for CSV results

## Workflow

### Step 1: Acquire the Amcache.hve File

E...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0
