Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)


The Amcache.hve is a registry hive file that is created by Microsoft® Windows® to store the information related to execution of programs. This paper highlights the evidential potential of Amcache.hve file and its application in the area of user activity analysis. The study uncovers numerous artifacts retained in Amcache.hve file when a user performs certain actions such as running host-based applications, installation of new applications, or running portable applications from external devices. The results of experiments demonstrate that Amcache.hve file stores intriguing artifacts related to applications such as timestamps of creation and last modification of any application; name, description, publisher name and version of applications; execution file path, SHA-1 hash of executable files etc. These artifacts are found to persist even after the applications have been deleted from the system. Further experiments were conducted to evaluate forensic usefulness of the information stored in Amcache.hve and it was found that Amcache.hve information is propitious to trace the deleted applications, malware programs and applications run from external devices. Finally, comparison of information in Amcache.hve file with information in other similar sources (IconCache.db, SRUDB.dat and Prefetch files) is shown, in order to provide more useful information to forensic investigators.


AccessData. (2014). Registry viewer. http://accessdata.com/product -download/digital-forensics/ registry-viewer-1-8-0-5. ([accessed 26-Feb-2016])

Carvey, H. (2005). The windows registry as a forensic resource. Digital Investigation, 2(3), 201-205.

Carvey, H. (2011). Windows registry forensics: Advanced digital forensic analysis of the windows registry. Elsevier.

Carvey, H. (2013). Regripper. https://code.google.com/archive/p/ regripper/downloads. ([accessed 26-Feb-2016])

Carvey, H., & Altheide, C. (2005). Tracking usb storage: Analysis of windows artifacts generated by usb storage devices. Digital Investigation, 2(2), 94-100.

Collie, J. (2013). The windows iconcache.db: A resource for forensic artifacts from usb connectable devices. Digital Investigation, 9(3), 20G-210.

Davis, A. (2012). Leveraging the application compatibility cache in forensic investigations. http ://dl.mandiant.com/EE/library/ Whitepaper_ShimCacheParser.pdf. ([accessed 21-March-2016])

Harrell, C. (2013). Revealing the recentfilecache. bcf file. http ://journeyintoir.blogspot.in/ 2013/12/revealing -recentfilecachebcf-file.html. ([accessed 14-April-2016])

Khatri, Y. (2013). Amcache.hve in windows 8 - goldmine for malware hunters. http://www.swiftforensics.com/ 2013/12/amcachehve-in-windows-8 -goldmine-for. html. ([accessed 10-March-2016])

Khatri, Y. (2015). Forensic implications of system resource usage monitor (grum) data in windows 8. Digital Investigation, 12, 53-65.

Kim, M., & Lee, S. (2015). Forensic analysis using amcache.hve. In Digital forensics and cyber crime: 7th international conference, icdf2c 2015, seoul, South Korea, October 6-8, 2015. revised selected papers (Vol. 157, p. 215).

Lee, C.-Y., & Lee, S. (2014). Structure and application of iconcache.db files for digital forensics. Digital Investigation, 11 (2), 102-110.

Mee, V., & Jones, A. (2005). The windows operating system registry-a central repository of evidence. In Proceedings from e-crime and computer evidence conference (Vol. 2005).

Mee, V., Tryfonas, T., & Sutherland, I. (2006). The windows registry as a forensic artefact: Illustrating evidence collection for internet usage. digital investigation, 3(3), 166-173.

Microsoft. (2016). Understanding shims. https: / jtechnet.microsoft.com/ en us/library/ dd837644 %28v=ws.l0%29.aspx. ([accessed 09-March-2016])

NirSoft. (2013). Regscanner. http://www.nirsoft.net/utils/ regscanner .html. ([accessed 26-Feb-2016])

Singh, B., & Singh, U. (2016). A forensic insight into windows 10 jump lists. Digital Investigation, 17, 1-13.

Singh, B., & Singh, U. (2017). A forensic insight into windows 10 cortana search. Computers & Security, 66, 142-154.

Wong, L. W. (2007). Forensic analysis of the windows registry. Forensic Focus, 1.

Zimmerman, E. (2015). Registry explorer jrecmd version 0. 7.1. 0. https://ericzimmerman.github.io/. ([accessed 26-Feb-2016])



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.