The Association of Digital Forensics, Security and Law (ADFSL)
The Amcache.hve is a registry hive file that is created by Microsoft® Windows® to store the information related to execution of programs. This paper highlights the evidential potential of Amcache.hve file and its application in the area of user activity analysis. The study uncovers numerous artifacts retained in Amcache.hve file when a user performs certain actions such as running host-based applications, installation of new applications, or running portable applications from external devices. The results of experiments demonstrate that Amcache.hve file stores intriguing artifacts related to applications such as timestamps of creation and last modification of any application; name, description, publisher name and version of applications; execution file path, SHA-1 hash of executable files etc. These artifacts are found to persist even after the applications have been deleted from the system. Further experiments were conducted to evaluate forensic usefulness of the information stored in Amcache.hve and it was found that Amcache.hve information is propitious to trace the deleted applications, malware programs and applications run from external devices. Finally, comparison of information in Amcache.hve file with information in other similar sources (IconCache.db, SRUDB.dat and Prefetch files) is shown, in order to provide more useful information to forensic investigators.
AccessData. (2014). Registry viewer. http://accessdata.com/product -download/digital-forensics/ registry-viewer-1-8-0-5. ([accessed 26-Feb-2016])
Carvey, H. (2005). The windows registry as a forensic resource. Digital Investigation, 2(3), 201-205.
Carvey, H. (2011). Windows registry forensics: Advanced digital forensic analysis of the windows registry. Elsevier.
Carvey, H. (2013). Regripper. https://code.google.com/archive/p/ regripper/downloads. ([accessed 26-Feb-2016])
Carvey, H., & Altheide, C. (2005). Tracking usb storage: Analysis of windows artifacts generated by usb storage devices. Digital Investigation, 2(2), 94-100.
Collie, J. (2013). The windows iconcache.db: A resource for forensic artifacts from usb connectable devices. Digital Investigation, 9(3), 20G-210.
Davis, A. (2012). Leveraging the application compatibility cache in forensic investigations. http ://dl.mandiant.com/EE/library/ Whitepaper_ShimCacheParser.pdf. ([accessed 21-March-2016])
Harrell, C. (2013). Revealing the recentfilecache. bcf file. http ://journeyintoir.blogspot.in/ 2013/12/revealing -recentfilecachebcf-file.html. ([accessed 14-April-2016])
Khatri, Y. (2013). Amcache.hve in windows 8 - goldmine for malware hunters. http://www.swiftforensics.com/ 2013/12/amcachehve-in-windows-8 -goldmine-for. html. ([accessed 10-March-2016])
Khatri, Y. (2015). Forensic implications of system resource usage monitor (grum) data in windows 8. Digital Investigation, 12, 53-65.
Kim, M., & Lee, S. (2015). Forensic analysis using amcache.hve. In Digital forensics and cyber crime: 7th international conference, icdf2c 2015, seoul, South Korea, October 6-8, 2015. revised selected papers (Vol. 157, p. 215).
Lee, C.-Y., & Lee, S. (2014). Structure and application of iconcache.db files for digital forensics. Digital Investigation, 11 (2), 102-110.
Mee, V., & Jones, A. (2005). The windows operating system registry-a central repository of evidence. In Proceedings from e-crime and computer evidence conference (Vol. 2005).
Mee, V., Tryfonas, T., & Sutherland, I. (2006). The windows registry as a forensic artefact: Illustrating evidence collection for internet usage. digital investigation, 3(3), 166-173.
Microsoft. (2016). Understanding shims. https: / jtechnet.microsoft.com/ en us/library/ dd837644 %28v=ws.l0%29.aspx. ([accessed 09-March-2016])
NirSoft. (2013). Regscanner. http://www.nirsoft.net/utils/ regscanner .html. ([accessed 26-Feb-2016])
Singh, B., & Singh, U. (2016). A forensic insight into windows 10 jump lists. Digital Investigation, 17, 1-13.
Singh, B., & Singh, U. (2017). A forensic insight into windows 10 cortana search. Computers & Security, 66, 142-154.
Wong, L. W. (2007). Forensic analysis of the windows registry. Forensic Focus, 1.
Zimmerman, E. (2015). Registry explorer jrecmd version 0. 7.1. 0. https://ericzimmerman.github.io/. ([accessed 26-Feb-2016])
Singh, Bhupendra and Singh, Upasna
"Leveraging the Windows Amcache.hve File in Forensic Investigations,"
Journal of Digital Forensics, Security and Law: Vol. 11
, Article 7.
Available at: http://commons.erau.edu/jdfsl/vol11/iss4/7