
Amcache & RecentFileCache Forensic Analysis

The Amcache (on Windows 8 and later) and its predecessor, the RecentFileCache (on Windows 7), are critical artefacts generated by the Windows Application Compatibility service. For DFIR analysts, they act as the “identity card” of executable files, providing metadata such as full file paths, installation dates, and—most importantly—the SHA1 hash of the binaries.

These artefacts are not security-oriented; they exist to ensure application compatibility across Windows updates.

  1. When a program is executed, the application compatibility service extracts metadata from the Portable Executable (PE) header.
  2. This information, including the file path and cryptographic hashes, is stored in a database.
  3. On modern Windows, this database is the Amcache.hve file, which is structured as a Registry Hive.

The location of these artefacts varies by OS version:

  • Windows 8/10/11:
    • Artefact: Amcache.hve
    • Path: C:\Windows\appcompat\Programs\Amcache.hve
    • Format: Registry Hive (requires specialized parsing tools).
  • Windows 7:
    • Artefact: RecentFileCache.bcf
    • Path: C:\Windows\AppCompat\Programs\RecentFileCache.bcf

Amcache is highly complementary to Prefetch and Shimcache. While Prefetch provides execution history, Amcache provides the definitive identification of the file.

  • Cryptographic Identification: The SHA1 hash allows analysts to uniquely identify binaries and correlate them with threat intelligence databases (e.g., VirusTotal), even if the malware has been renamed.
  • Path Verification: Analysts can identify masqueraded threats by comparing the executable’s path in Amcache against the legitimate system location.
  • Duo Analysis (The “Winning Duo”):
    • Use Prefetch to determine execution timestamps.
    • Use Amcache to determine the SHA1 hash and full file path.
    • Combine these for a positive identification of a threat and a solid timeline.
  • Removable Media Tracing: Amcache often tracks programs launched from external storage, assisting in tracing physical infection vectors.
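The "winning duo" and the path check above, worked through in code. This is an added example, not code from the original page or from any of the tools it names. It assumes CSV exports in the column layout AmcacheParser writes for file entries (FullPath, SHA1, FileKeyLastWriteTimestamp, Size) and a Prefetch parser's export (ExecutableName, LastRun, RunCount); the rows embedded below are constructed sample data, and the EXPECTED_DIRS baseline is a minimal assumed allow-list. Two caveats it encodes: Prefetch stores only the executable name, so one Prefetch record can match several Amcache paths and the analyst must see all of them; and Amcache's SHA1 is computed over at most the first 31,457,280 bytes of a file, so a hash of the whole file will not match the Amcache value for large binaries.

```python
"""Correlate Prefetch run times with Amcache file identity (the "winning duo").

Added example, not code from the original page. It assumes CSV exports in the
shape produced by AmcacheParser (FullPath, SHA1, FileKeyLastWriteTimestamp, Size)
and a Prefetch parser (ExecutableName, LastRun, RunCount); the rows below are
constructed sample data, not real tool output.
"""
from __future__ import annotations

import csv
import hashlib
import io
from dataclasses import dataclass

# Amcache's SHA1 covers only the first 31,457,280 bytes of a file; hashing the
# whole file of a large binary will not reproduce the Amcache value.
AMCACHE_HASH_LIMIT = 31_457_280

# Constructed sample data (hashes and timestamps are made up for the example).
AMCACHE_CSV = """FullPath,SHA1,FileKeyLastWriteTimestamp,Size
C:\\Windows\\System32\\svchost.exe,0000000000000000000000000000000000000001,2024-03-01 10:00:00,55320
C:\\Users\\Public\\svchost.exe,0000000000000000000000000000000000000002,2024-03-05 14:22:10,204800
E:\\setup.exe,0000000000000000000000000000000000000003,2024-03-05 14:20:00,1048576
"""
PREFETCH_CSV = """ExecutableName,LastRun,RunCount
SVCHOST.EXE,2024-03-05 14:23:01,3
SETUP.EXE,2024-03-05 14:20:30,1
"""

# Assumed baseline of where commonly impersonated binaries legitimately live.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


@dataclass(frozen=True)
class AmcacheEntry:
    full_path: str
    sha1: str
    last_write: str
    size: int


@dataclass(frozen=True)
class PrefetchEntry:
    executable: str
    last_run: str
    run_count: int


def parse_amcache_csv(text: str) -> list[AmcacheEntry]:
    return [AmcacheEntry(r["FullPath"], r["SHA1"].lower(), r["FileKeyLastWriteTimestamp"], int(r["Size"]))
            for r in csv.DictReader(io.StringIO(text))]


def parse_prefetch_csv(text: str) -> list[PrefetchEntry]:
    return [PrefetchEntry(r["ExecutableName"], r["LastRun"], int(r["RunCount"]))
            for r in csv.DictReader(io.StringIO(text))]


def split_path(full_path: str) -> tuple[str, str]:
    """Return (directory, filename), both lower-cased, for a Windows path."""
    directory, _, name = full_path.lower().rpartition("\\")
    return directory, name


def is_masquerade(full_path: str) -> bool:
    """True if a known system binary name sits outside its expected directory."""
    directory, name = split_path(full_path)
    expected = EXPECTED_DIRS.get(name)
    return expected is not None and directory not in expected


def correlate(amcache: list[AmcacheEntry], prefetch: list[PrefetchEntry]) -> list[dict]:
    """Join Prefetch (when/how often it ran) with Amcache (what it was, where it lived).

    Prefetch records only the executable name, so one Prefetch row can match
    several Amcache paths; every candidate is returned so the analyst sees the
    name collision instead of the code silently picking one.
    """
    by_name: dict[str, list[AmcacheEntry]] = {}
    for entry in amcache:
        by_name.setdefault(split_path(entry.full_path)[1], []).append(entry)
    hits = []
    for run in prefetch:
        for entry in by_name.get(run.executable.lower(), []):
            hits.append({
                "executable": run.executable,
                "full_path": entry.full_path,
                "sha1": entry.sha1,
                "last_run": run.last_run,
                "run_count": run.run_count,
                "drive": entry.full_path[:2].upper(),  # non-system drive hints at removable media
                "masquerade": is_masquerade(entry.full_path),
            })
    return hits


def amcache_style_sha1(data: bytes) -> str:
    """SHA1 as Amcache computes it: over at most the first 31,457,280 bytes."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()


if __name__ == "__main__":
    for hit in correlate(parse_amcache_csv(AMCACHE_CSV), parse_prefetch_csv(PREFETCH_CSV)):
        flag = " MASQUERADE" if hit["masquerade"] else ""
        print(f'{hit["last_run"]} {hit["executable"]:12} {hit["full_path"]} sha1={hit["sha1"]}{flag}')
```

On the constructed data the single SVCHOST.EXE Prefetch record resolves to two Amcache paths: the System32 copy (clean) and a copy under C:\Users\Public, which is flagged as a masquerade and carries its own SHA1 for a threat-intelligence lookup. The E: drive entry is the removable-media case. Use amcache_style_sha1 on a file you have recovered from disk when you need to confirm it is the same binary Amcache recorded; remember that an Amcache entry by itself is evidence that the compatibility service saw the file, and the Prefetch side of the join is what supplies the execution timestamp.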

Since these files are binary or registry hives, manual inspection is not feasible. Use these standard tools:

  • AmcacheParser.exe (Eric Zimmerman): The industry-standard tool for extracting and parsing the Amcache.hve file into readable CSV formats.
  • RegRipper: An alternative tool with dedicated plugins for registry hive analysis, including Amcache.

For effective threat hunting, correlate Amcache data with: