Amcache

Windows Amcache stores metadata related to execution of Windows applications. Data is stored in the C:\Windows\appcompat\Programs\Amcache.hve Registry file. This Registry file also contains other metadata such as OS, hardware, and application info. However, artemis will only collect data related to the execution of Windows applications.
The Registry artifact may be used if you want to collect the full Registry data from Amcache.hve.

Other Parsers:

References:

TOML Collection

system = "windows"

[output]
name = "amcache_collection"
directory = "./tmp"
format = "json"
compress = false
endpoint_id = "6c51b123-1522-4572-9f2a-0bd5abd81b82"
collection_id = 1
output = "local"

[[artifacts]]
artifact_name = "amcache"
[artifacts.amcache]
# Optional
# alt_drive = 'D'

Collection Options

  • alt_drive Expects a single-character drive letter. When set, artemis parses Amcache.hve from that drive instead of the default. This option is optional; by default artemis uses the %systemdrive% value (typically C).

Output Structure

An array of Amcache entries

export interface Amcache {
  /**Timestamp when the application was first executed in UNIXEPOCH seconds */
  first_execution: number;
  /**Path to application */
  path: string;
  /**Name of application */
  name: string;
  /**Original name of application from PE metadata */
  original_name: string;
  /**Version of application from PE metadata */
  version: string;
  /**Executable type and arch information */
  binary_type: string;
  /**Application product version from PE metadata */
  product_version: string;
  /**Application product name from PE metadata */
  product_name: string;
  /**Application language */
  language: string;
  /**Application file ID. This is also the SHA1 hash */
  file_id: string;
  /**Application linking timestamp as MM/DD/YYYY HH:mm:ss */
  link_date: string;
  /**Hash of application path */
  path_hash: string;
  /**Program ID associated with the application */
  program_id: string;
  /**Size of application */
  size: string;
  /**Application publisher from PE metadata */
  publisher: string;
  /**Application Update Sequence Number (USN) */
  usn: string;
  /**SHA1 hash of the first ~31 MB of the application */
  sha1: string;
  /**Path in the Amcache.hve file */
  reg_path: string;
}
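The JSON file written by the collection above is an array of these Amcache objects. The following triage script is an added example, not part of artemis or its documentation: it loads that array, orders entries by first_execution, and flags the ones an analyst usually wants to look at first (executables run from user-writable directories, a file name that differs from the PE original name, and entries with no publisher). The two sample entries are constructed for illustration and carry only a subset of the interface's fields; the path fragments and the three heuristics are the example's own choices, not anything artemis applies.

```python
import json
from datetime import datetime, timezone

# Constructed sample of artemis amcache output. Real entries carry every
# field of the Amcache interface; only the fields the triage uses are shown.
SAMPLE_JSON = json.dumps([
    {
        "first_execution": 1700000000,
        "path": "C:\\Windows\\System32\\notepad.exe",
        "name": "notepad.exe",
        "original_name": "NOTEPAD.EXE",
        "publisher": "Microsoft Corporation",
        "sha1": "a" * 40,                      # placeholder hash
        "reg_path": "Root\\InventoryApplicationFile\\notepad.exe|0",
    },
    {
        "first_execution": 1700003600,
        "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update_helper.exe",
        "name": "update_helper.exe",
        "original_name": "client.exe",
        "publisher": "",
        "sha1": "b" * 40,                      # placeholder hash
        "reg_path": "Root\\InventoryApplicationFile\\update_helper.exe|0",
    },
])

# Directory fragments a normal user can write to. Execution from these is
# not malicious by itself, but it is where an analyst looks first.
USER_WRITABLE_FRAGMENTS = (
    "\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\",
)


def load_entries(text: str) -> list[dict]:
    """Parse artemis JSON output; the amcache artifact is always an array."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of Amcache entries")
    return entries


def to_iso(epoch_seconds: int) -> str:
    """first_execution is UNIXEPOCH seconds; render it as UTC ISO 8601."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ")


def triage_entry(entry: dict) -> list[str]:
    """Return the reasons (possibly none) this entry deserves a closer look."""
    reasons = []
    path = entry.get("path", "").replace("/", "\\").lower()
    if any(frag in path for frag in USER_WRITABLE_FRAGMENTS):
        reasons.append("executed from a user-writable location")
    name = entry.get("name", "").lower()
    original = entry.get("original_name", "").lower()
    # Only compare when the PE actually carried an OriginalFilename.
    if original and name != original:
        reasons.append(f"file name {name!r} differs from PE original name {original!r}")
    if not entry.get("publisher"):
        reasons.append("no publisher in PE metadata")
    return reasons


def triage(entries: list[dict]) -> list[dict]:
    """Flagged entries in execution order, with the timestamp made readable."""
    flagged = []
    for entry in sorted(entries, key=lambda e: e["first_execution"]):
        reasons = triage_entry(entry)
        if reasons:
            flagged.append({
                "first_execution": to_iso(entry["first_execution"]),
                "path": entry["path"],
                "sha1": entry.get("sha1", ""),
                "reasons": reasons,
            })
    return flagged


if __name__ == "__main__":
    for hit in triage(load_entries(SAMPLE_JSON)):
        print(hit["first_execution"], hit["path"], hit["sha1"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

To run it against a real collection, replace SAMPLE_JSON with the contents of the file artemis wrote under the configured output directory (here ./tmp). Since sha1 covers only the first ~31 MB of the file, treat it as a lookup key for larger binaries rather than a full-file hash.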