
Analyzing Windows Amcache Artifacts

When to Use

  • Determining which programs have existed or executed on a Windows system during incident response
  • Correlating SHA-1 hashes from Amcache against known malware databases (VirusTotal, CIRCL, MISP)
  • Building an application installation and execution timeline for forensic investigations
  • Identifying deleted executables that leave traces in Amcache even after file removal
  • Investigating insider threats by documenting which portable or unauthorized applications were present
  • Analyzing driver loading history to detect rootkits or malicious kernel modules

Do not use Amcache as the sole proof of program execution. It proves that a file existed and that its metadata was registered; ShimCache (AppCompatCache) and Prefetch provide stronger execution evidence. Use all three artifacts together for conclusive analysis.

Prerequisites

  • A forensic image or live triage copy of C:\Windows\appcompat\Programs\Amcache.hve, together with its .LOG1 and .LOG2 transaction logs
  • Eric Zimmerman's AmcacheParser (AmcacheParser.exe) downloaded from https://ericzimmerman.github.io/
  • Eric Zimmerman's Timeline Explorer for viewing parsed CSV output
  • Optionally: Registry Explorer for manual hive inspection
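The hash-correlation and timeline use cases listed under "When to Use", and the caveat that Amcache alone does not prove execution, are easier to see on a worked pass over parsed output. The script below is an added example written for this page; it is not code from the original skill or from Eric Zimmerman's tools. It reads CSV rows in the shape AmcacheParser exports (the column names FileKeyLastWriteTimestamp, FullPath, SHA1, Size and LinkDate are assumptions modelled on its UnassociatedFileEntries output), normalizes each stored SHA-1, checks it against a known-bad list, flags entries whose hash is necessarily partial, and marks which entries an independent execution artifact corroborates. All sample rows, hashes and paths are constructed.

```python
"""Post-process an AmcacheParser-style CSV export: normalize each SHA-1,
match it against a known-bad hash list, flag entries whose hash can only be
partial, and mark which entries an independent execution artifact corroborates.

Added example, not code from the original skill page or from Eric Zimmerman's
tools. Column names are assumptions modelled on AmcacheParser's
UnassociatedFileEntries CSV; all sample data below is constructed.
"""
import csv
import io
from datetime import datetime

# Amcache hashes only the first 31,457,280 bytes (30 MiB) of a file, so the
# stored SHA-1 of a larger file will not equal the full-file SHA-1 that a
# threat-intel feed publishes.
AMCACHE_HASH_LIMIT = 31_457_280

# Constructed sample rows in the shape of an AmcacheParser export (assumed columns).
SAMPLE_CSV = """\
FileKeyLastWriteTimestamp,FullPath,SHA1,Size,LinkDate
2026-03-12 19:44:03,C:\\Temp\\svc_host.exe,00003f786850e387550fdab836ed7e6dc881de23001b,20480,2026-03-12 19:40:00
2026-03-10 14:02:11,C:\\Users\\alice\\Downloads\\updater.exe,0000DA39A3EE5E6B4B0D3255BFEF95601890AFD80709,48120,2026-02-01 09:00:00
2026-03-11 08:15:40,C:\\Program Files\\Vendor\\tool.exe,0000b5d4045c3f466fa91c3b6f3d5a6d1e0c5b9f1a2b,73400320,2025-12-20 10:30:00
"""

# Constructed known-bad list in the form a feed publishes: full-file SHA-1, lowercase.
KNOWN_BAD_SHA1 = {
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "3f786850e387550fdab836ed7e6dc881de23001b",
}

# Constructed full paths taken from an independent execution artifact (for
# example a parsed ShimCache export); used only to corroborate Amcache entries.
EXECUTED_PATHS = {r"c:\temp\svc_host.exe"}


def normalize_sha1(raw: str) -> str:
    """Amcache stores the SHA-1 with a leading '0000'; drop it and lowercase."""
    h = raw.strip().lower()
    if len(h) == 44 and h.startswith("0000"):
        h = h[4:]
    return h


def parse_amcache_csv(text: str) -> list[dict]:
    """Read the assumed columns into plain dicts with typed fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "timestamp": datetime.strptime(rec["FileKeyLastWriteTimestamp"],
                                           "%Y-%m-%d %H:%M:%S"),
            "path": rec["FullPath"],
            "sha1": normalize_sha1(rec["SHA1"]),
            "size": int(rec["Size"]),
            "link_date": rec["LinkDate"],
        })
    return rows


def build_timeline(csv_text: str = SAMPLE_CSV,
                   known_bad: set[str] = KNOWN_BAD_SHA1,
                   executed_paths: set[str] = EXECUTED_PATHS) -> list[dict]:
    """Return entries ordered by key write time, each annotated with:
    known_bad              - normalized SHA-1 is on the known-bad list
    hash_is_partial        - file exceeds the 30 MiB hashing limit, so a
                             negative hash match is inconclusive
    execution_corroborated - an independent artifact lists the same path
    """
    timeline = []
    for r in parse_amcache_csv(csv_text):
        timeline.append({
            **r,
            "known_bad": r["sha1"] in known_bad,
            "hash_is_partial": r["size"] > AMCACHE_HASH_LIMIT,
            "execution_corroborated": r["path"].lower() in executed_paths,
        })
    timeline.sort(key=lambda e: e["timestamp"])
    return timeline


def format_entry(e: dict) -> str:
    """One timeline line; the hash verdict is qualified when it is only partial."""
    if e["known_bad"]:
        verdict = "KNOWN-BAD"
    elif e["hash_is_partial"]:
        verdict = "no match (partial hash)"
    else:
        verdict = "no match"
    execution = "executed (corroborated)" if e["execution_corroborated"] else "presence only"
    return (f"{e['timestamp']:%Y-%m-%d %H:%M:%S}  {e['path']}  "
            f"sha1={e['sha1']}  {verdict}  {execution}")


if __name__ == "__main__":
    for entry in build_timeline():
        print(format_entry(entry))
```

To run it on real output, replace SAMPLE_CSV with the contents of the AmcacheParser CSV and EXECUTED_PATHS with paths taken from a parsed ShimCache or Prefetch export. Two details drive the design: Amcache prefixes each SHA-1 with "0000", so the value must be normalized before it is compared with a feed, and the hash covers at most the first 30 MiB of a file, so a non-match for a larger binary is reported as inconclusive rather than as clean. Entries without a corroborating path are labelled "presence only", which is exactly the evidentiary weight Amcache carries on its own.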
First Seen: Mar 15, 2026