Hello and welcome back to Windows Registry Forensics Course 8, the AmCache file. We're going to be covering the AmCache file in this course. The first thing we want to know is where to find the AmCache file on the file system. We're going to find it under C:\Windows\AppCompat\Programs; Programs is a directory, and the AmCache hive is within the Programs directory. The AmCache hive file was introduced in Windows 8. The AmCache hive file stores information relating to the execution of applications, including applications that have been run from removable media, such as a USB thumb drive. We can also see applications that have been run and then deleted. The AmCache hive file stores artifacts such as timestamps, including the last write timestamp and the install dates; the application name; the application version; the path to the executable or DLL file for the application; the path to the uninstall string; source information; publisher name; volume GUIDs; and container IDs of connected devices from which the applications were run. It doesn't just store connected devices like we saw back in the SYSTEM hive with USBSTOR; this stores information about USB devices from which applications were run. When we see this, we can check it against our MountedDevices and MountPoints2. We looked at MountedDevices, and we also looked at MountPoints2 back in the NTUSER.DAT hive. Now, not every program is going to have all this information. It's going to really depend on the program or application itself. But this is all the possible information we can get from the entries in the AmCache hive. Throughout this course, we're going to look at all that information. Again, we're going to look at some of the subkeys of interest within the AmCache hive. When we first look at it, we can see the file structure is much like Windows Explorer: we have folders and subfolders.
The first subkey we're going to look at is DeviceCensus, and this basically tells us about the physical machine itself. We're going to see information such as the processor, the battery, the camera, the firmware, the hardware, the network. Here we're looking at the processor in this slide, and we can see how many cores the processor has, what its clock speed is, the manufacturer and the model name, and some more identifying information down at the bottom there.

The next subkey we're going to cover is going to be the File subkey. One thing I wanted to point out is that it does give us a full path to the executable. You will see that in several of the subkeys, but this is one of the subkeys that does give us a full path to the actual executable.

Then the InventoryApplication subkey. There's a lot of information in here, and this is one of the ones we're really going to take a close look at. First you see the subkey, and then beneath it you can see we have several folders with a GUID as their folder name. If we look over to the right-hand side, we're going to have a ProgramId. We're going to have an OS version at the time the application was executed; we'll have the version of the operating system. We're going to have those dates and times. We see a Microsoft Installer date. We see a last modified date. We see an install date, and then we see an install date from a linked file. We can see the name of it: it's Google Drive. The publisher is Google. We can see the registry key path. This is the path not out on the file system where the executable is, but where we can see this in the registry, and that would be in our SOFTWARE hive, under Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall. We can see the source; it's going to be the Microsoft Installer, and we do see the uninstall string here.
The next subkey we're going to take a look at is going to be the InventoryApplicationFile subkey, and what is very special about this key is that you have the key name. We have our last write time, which we did have for all the other keys also. But that FileId is actually a SHA-1 hash value that is padded with four leading zeros. You'd need to take off the four leading zeros, but that is the SHA-1 hash value of the actual executable file. Where this becomes important is we can run this against a list; say you had a list of known malware files, blacklist items, that you could run against your results from the AmCache file and see if you have any of those hash values on your system. On the same note, you could run it against a whitelist, a list of known good files, to eliminate those files. We wouldn't even have to view them. But if you have a certain list of known malware that you're looking for, say in an incident response case, you definitely want to take advantage of the AmCache hive. When you're doing incident response, you should definitely be checking the AmCache hive, and also the AppCompatCache, which we looked at, and the Services subkey in the SYSTEM hive.

We do have something called the InventoryDeviceContainer subkey. It does have a last write time, but the two key pieces of information in this subkey are going to be a model name and a friendly name. Basically we're talking about devices that were connected to the system and ran some type of executable, probably their installation, and we get a description of what that device is. In this case, we're looking at a microphone. But we have several subkeys there, and we're going to go through those when we do our walkthrough. We also have something called the AmCache InventoryDevicePnp (plug and play) subkey. This is going to give us information on devices that are plug and play. It's going to give us a ContainerId, a DriverId, and the driver's executables.
It's going to give us a description; in this case, we're looking at an HP webcam. It's going to tell us the manufacturer and model. In our Programs subkey, which will be the last one we look at, underneath that you see, again, GUIDs, and we see again a last write time. But this is going to tell us the source; it came from AddRemovePrograms. It's going to show us the file path where this particular program is located out in the file system, and that would be under C:\Program Files (x86). We're looking at Mozilla Thunderbird, and it gives you the rest of the file path, ending with the GUID. Now, beneath that, it also gives you the location where we can find information on this file in the registry. Again, that's going to be HKEY_LOCAL_MACHINE\SOFTWARE; we're looking again at Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird. We can see it's Mozilla. We can see it's Mozilla Thunderbird. We can see the version number, and we can see that it's in x86; it's probably a 32-bit version of the program.

In our walkthrough, we're going to cover the keys we just took a look at. We're going to look at the DeviceCensus subkey, the File subkey, the InventoryApplication subkey, the InventoryApplicationFile subkey, InventoryDeviceContainer, InventoryDevicePnp (plug and play), and the Programs subkey. The items we're going to need for this walkthrough are Registry Explorer and Ivan's AmCache file. Let's bring up Registry Explorer. Let's go ahead and load the AmCache file like we've done before: File, Load hive, navigate out to where you saved the file, and click "Open," and the hive will load. Once the hive is loaded, we can go ahead and expand it. The first subkey we talked about was this DeviceCensus subkey. We can see the number of values and the number of subkeys, and the last write timestamp. Go ahead and expand that subkey.
This is the one that tells us information about hardware devices that were installed on the system. We have a camera installed, we have memory installed, hardware, and we can see the device name is actually the name of the computer. We have a computer hardware ID. We can see information about the battery. We can see we have information about a camera. We have firmware information, which tells us the firmware release date, the manufacturer of the firmware, and the firmware version number. If we look at the information regarding the OS, we can see the device time zone is Eastern Standard Time, and the OS edition is Professional. If we look at Storage, we can see we have some data in the disk capacity. We could convert that hex to decimal; they are four-byte values. We saw the processor when we looked at our slides.

Moving on to our next key, let's close up DeviceCensus. Let's look at the File subkey. Underneath the File subkey, you can see that we have GUIDs. If we expand the GUID, you can see that we have subfolders. If we click on one of the subfolders in this key, we're going to get the file path to the DLL or executable. If you're looking at a program like OneDrive, you're going to see it has several DLLs and executables. Some of them may pertain to the update of it, some may pertain to other parts of the program. But you can see you're going to have a file path to each and every one of those under that subkey. If we look at our next subkey, now what's very interesting here is you can see the file path to the executable. It's coming from an F: drive, which is removable media. We know that this application was executed from removable media, and the drive was mounted at F: at the time. We also know the name and the version number. If we go to the next subkey, we can see we have a VM installation launcher, VMware Tools. We can see this came from a D: drive, not our local C: drive, a D: drive. We can also see, coming from the D: drive in this file path,
Oracle Corporation, who's the manufacturer. It was Oracle VM VirtualBox Guest Additions. Some really good information here in this subkey, and it is the file path, that absolute file path, which also shows executables that were run from removable media. You'd probably want to go back and take a look at your ShellBags. Remember we looked at ShellBags in our last section, our last course, and we were able to see removable media and directories, because it tracks directories that were accessed, whether they were accessed on the C: drive or on removable media.

The next subkey we're going to take a look at is the InventoryApplication subkey. Again, underneath the subkey we see GUIDs, and when we look at the GUID, you're going to see the ProgramId, and this is something you can search throughout the file system, and this ProgramId will be consistent on different machines. It is the ID of the program, and in this case it's DesktopLearning. We have the name of the program, and we have the package full name. We have the operating system version at the time of installation, and we have an install date and time. You can look through here; some of these will have more information than others. Here we're looking at a registry key path, and we can actually see a user SID and a machine SID. We could track this back to a machine and a specific user. It's a OneDrive setup. We can see the root directory path; it's under the user profile, which would be this 1001 user. We can see where it is out on the file system, AppData\Local\Microsoft\OneDrive. We have an installation modification date and an install date; they are the same. We have a source that came from Add/Remove Programs. We have a version. We have a publisher, and of course we have a name. Like I said, you can look through all of these; there's quite a few. All of them are going to have different information, and they all have an individual key last write time.
It's a lot of information in that subkey. The next subkey we're going to look at is the InventoryApplicationFile subkey. Like I said, the FileId is the SHA-1 hash value of the executable file minus these four leading zeros. We have a file path also. The file path is going to give us the name. We have a version. You could take a look through here and see what different programs were executed. You can see the file path and that hash value, which is what is very important. That FileId, that hash value, can be used, like I said, if you're doing incident response; you definitely want to check this hive. You would want to run a list of known bad files, known malware that you're looking for, against the results from this hive.

Moving down to our InventoryDeviceContainer subkey, this is our computer, and this is the friendly name of our computer. The model name: we're looking in a virtual machine, so it's VirtualBox, and it gives us the path to the DLL file. These are audio speakers that were installed at one time. Again, we have the path to the DLL. You can see we have Microsoft Print to PDF, then we have the path to the DLL. What we're going to get in this subkey is the program friendly name and the path to the DLL file or the executable file.

InventoryDevicePnp, plug and play. These are going to be plug and play USB devices that were installed on the system. You can see there's quite a few of them here. We have a ClassGuid and we have a ContainerId. Like we saw in USBSTOR and in USB, we can look at ContainerIds. We have a manufacturer, we have a driver name, we have a class. In this case it's a mouse. We have a parent folder ID.

Moving on to our next subkey, we're going to look at Programs. Again, we can see we have GUIDs underneath there. We have a last write time for the subkey. Each of the subkeys is a directory. In this subkey, we're going to get the name of the program, the manufacturer, and the path to the uninstall.
We can also see it was installed using the Microsoft Installer. We have another source here, AddRemovePrograms. We have the file path where it's located within the file system. We also have the file path within the registry, in the SOFTWARE hive, where we can get more information on this. Like I said before, some of these will have more information in them than others. But generally, in this subkey, you're going to be able to see the name of the program. You're going to be able to see the source. You will get a file path. It may be within the registry. You may get both file paths, like we just saw in the last subkey we looked at, or you may just get one of them, and you'll get the manufacturer. Actually, this has both of them also. It says C:\Program Files\WinCap. We also have the file path within the registry. As you can see, there is an awful lot of information in the AmCache hive. It's definitely a place you want to be checking for malware. Like I said, you'd also want to look in the AppCompatCache, which we talked about when we covered the SYSTEM hive, and also the Services subkey, which we talked about when we covered the SYSTEM hive. In our next section, we are going to use a command line tool by Eric Zimmerman, which we downloaded before. It's called AmcacheParser.exe, and it is command line. I will walk you through that and show you how to use it, and we'll take a look at the output it gives us.
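Added example (written for this page; it is not part of the course and not a Zimmerman tool): a short Python script that does the two checks the lecture describes for InventoryApplicationFile entries. It strips the four-zero pad from each FileId to recover the SHA-1, buckets each entry as blacklisted, whitelisted or unknown against hash lists, and flags executables whose path sits on a volume other than the system drive (the F: and D: cases from the walkthrough) so they can be cross-checked against MountedDevices and MountPoints2. The CSV rows are constructed, and the column names (FileKeyLastWriteTimestamp, FileId, FullPath, Name, Version) are an assumption; map them to whatever your parser actually exports. One caveat worth knowing when you build the hash lists: the SHA-1 recorded in AmCache is computed over at most the first 31,457,280 bytes of the file, so a full-file hash of a larger binary will never match; amcache_sha1() below hashes the same prefix.

```python
"""Triage AmCache InventoryApplicationFile entries (added example).

Normalizes padded FileIds to SHA-1, matches them against known-bad and
known-good lists, and flags executions from non-system volumes.
Column names and sample rows are constructed assumptions, not tool output.
"""
from __future__ import annotations

import csv
import hashlib
import io
import re
from dataclasses import dataclass

# AmCache stores FileId as "0000" followed by 40 hex characters of SHA-1.
FILEID_PAD = "0000"
# AmCache hashes only the first 31,457,280 bytes (30 MiB) of a file.
AMCACHE_HASH_LIMIT = 31_457_280

_DRIVE_RE = re.compile(r"^([A-Za-z]:)\\")
_VOLGUID_RE = re.compile(r"^\\\\\?\\(Volume\{[0-9a-fA-F-]+\})\\")


@dataclass
class FileEntry:
    last_write: str
    file_id: str
    full_path: str
    name: str
    version: str


def normalize_file_id(file_id: str) -> str:
    """Strip the four-zero pad and return a lowercase 40-hex SHA-1."""
    fid = file_id.strip().lower()
    if len(fid) == 44 and fid.startswith(FILEID_PAD):
        fid = fid[len(FILEID_PAD):]
    if not re.fullmatch(r"[0-9a-f]{40}", fid):
        raise ValueError(f"not an AmCache SHA-1 FileId: {file_id!r}")
    return fid


def amcache_sha1(data: bytes) -> str:
    """SHA-1 the way AmCache does it: only the first AMCACHE_HASH_LIMIT bytes."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()


def volume_of(path: str) -> str:
    """Return the drive letter ('F:') or \\?\Volume{GUID} a path was run from."""
    m = _DRIVE_RE.match(path)
    if m:
        return m.group(1).upper()
    m = _VOLGUID_RE.match(path)
    return m.group(1) if m else "?"


def parse_entries(csv_text: str) -> list[FileEntry]:
    """Read exported rows; column names here are an assumption."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [FileEntry(r["FileKeyLastWriteTimestamp"], r["FileId"],
                      r["FullPath"], r["Name"], r["Version"]) for r in rows]


def triage(entries, known_bad, known_good, system_volume="C:"):
    """Bucket entries by hash list and flag non-system-volume executions."""
    bad = {h.lower() for h in known_bad}
    good = {h.lower() for h in known_good}
    report = {"blacklisted": [], "whitelisted": [], "unknown": [],
              "non_system_volume": []}
    for e in entries:
        sha1 = normalize_file_id(e.file_id)
        if sha1 in bad:
            report["blacklisted"].append(e)
        elif sha1 in good:
            report["whitelisted"].append(e)
        else:
            report["unknown"].append(e)
        # Anything not on the system drive: removable media, a second disk,
        # a mounted ISO. Cross-check against MountedDevices / MountPoints2.
        if volume_of(e.full_path) != system_volume.upper():
            report["non_system_volume"].append(e)
    return report


# Constructed sample rows; hashes are placeholders, not real file hashes
# (except da39a3ee..., the SHA-1 of an empty input).
SAMPLE_CSV = """FileKeyLastWriteTimestamp,FileId,FullPath,Name,Version
2021-03-01 14:02:11,0000da39a3ee5e6b4b0d3255bfef95601890afd80709,C:\\Program Files (x86)\\Mozilla Thunderbird\\thunderbird.exe,thunderbird.exe,78.8.0
2021-03-02 09:15:40,00003b4c1e0f9d8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c,F:\\tools\\dropper.exe,dropper.exe,1.0.0.0
2021-03-02 09:20:05,00007c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d,D:\\setup64.exe,setup64.exe,11.1.0
2021-03-03 17:44:59,0000e1f2a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4,C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveSetup.exe,OneDriveSetup.exe,21.030.0211.0002
"""
KNOWN_BAD = {"3b4c1e0f9d8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c"}   # constructed
KNOWN_GOOD = {"da39a3ee5e6b4b0d3255bfef95601890afd80709"}  # constructed


def run_sample():
    return triage(parse_entries(SAMPLE_CSV), KNOWN_BAD, KNOWN_GOOD)


if __name__ == "__main__":
    for bucket, items in run_sample().items():
        print(bucket)
        for e in items:
            print(f"  {e.last_write}  {normalize_file_id(e.file_id)}  "
                  f"{volume_of(e.full_path)}  {e.full_path}")
```

Against the constructed rows, dropper.exe lands in both the blacklisted and non-system-volume buckets, setup64.exe is unknown but flagged for its D: path, and thunderbird.exe is whitelisted and dropped from review, which is the elimination step the lecture describes.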