Comments on Windows Incident Response: AmCache.hve (8 comments, oldest first)

Anonymous, 2016-10-29 11:35 -05:00
Looks like two locations, not three, unless I am missing something?

H. Carvey, 2016-10-29 11:38 -05:00
Anonymous,

I didn't say "three locations"... I said three entries. If you look at the AmCache.hve information, there are three different file reference numbers, and two paths. Of the two paths that point to the Downloads folder, the entries have different times associated with them, and different file references.

Teck0, 2016-10-29 16:43 -05:00
It's a great article. Thanks Harlan. Have you analyzed the ShimCache?

H. Carvey, 2016-10-30 05:31 -05:00
Teck0,

"As part of my analysis, I parsed the AppCompatCache value and found one of my indicators..."

Anonymous, 2017-01-18 04:15 -05:00
Hi Harlan,

What tool did you use to parse the amcache.hve file?

H. Carvey, 2017-01-18 06:36 -05:00
It's a RegRipper plugin...

Anonymous, 2017-01-18 10:15 -05:00
Hey Harlan,

How were you able to extract the amcache.hve file from the Registry? I understand you can't parse the amcache file on a live machine. What software or technique was used?

H. Carvey, 2017-01-18 10:17 -05:00
The AmCache.hve file is NOT part of the Registry, it's a separate file. I extracted it from the image using FTK Imager.

Again, I'm using the RegRipper amcache.pl plugin to parse it.
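The "three entries, two paths" point in the exchange above comes from how AmCache.hve is keyed: under Root\File\{volume GUID}\ each executable's subkey is named by its NTFS file reference, so a file deleted and re-downloaded to the same path gets a new MFT entry (or a reused record with a bumped sequence number) and therefore a separate entry with its own timestamps. The script below is an added example, not code from the post and not RegRipper's amcache.pl; it takes records in the shape such a parser reports and groups them by path, decoding the file reference so the analyst can see which same-path entries are distinct files. The volume GUID, paths, hashes, timestamps and file references are constructed for illustration, and the key layout described applies to the original AmCache format (Windows 7/8 and early Windows 10), not the later InventoryApplicationFile layout.

```python
r"""
Added example (not from the post or from RegRipper's amcache.pl): show why
one path can appear as several AmCache.hve File entries. Each subkey under
Root\File\{volume GUID}\ is named by the executable's NTFS file reference,
so the same path seen with two references is two different on-disk files.
All records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AmcacheEntry:
    volume_guid: str        # Root\File\{volume GUID} (constructed)
    file_ref_hex: str       # subkey name: NTFS file reference as hex
    path: str               # full path value
    sha1: str               # SHA-1 value as reported (hex)
    last_modified: datetime  # last-modified timestamp from the entry


def decode_file_reference(ref_hex: str) -> tuple:
    """Split a 64-bit NTFS file reference into (MFT entry, sequence number).

    The low 48 bits hold the MFT record number; the high 16 bits hold the
    sequence number NTFS increments each time that record is reallocated.
    """
    ref = int(ref_hex, 16)
    return ref & 0xFFFF_FFFF_FFFF, ref >> 48


# Constructed sample: three entries, two paths, three file references.
# The two Downloads entries share MFT record 0xf0f6 but differ in sequence
# number (1 then 3): the first file was deleted and the record reused.
VOL = "3a6d0f5b-1a7e-4b93-9d2e-0c1f3e4a5b6c"   # made-up volume GUID
SAMPLE = [
    AmcacheEntry(VOL, "100000000f0f6", r"C:\Users\user\Downloads\tool.exe",
                 "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b",
                 datetime(2016, 10, 20, 14, 2, 11, tzinfo=timezone.utc)),
    AmcacheEntry(VOL, "300000000f0f6", r"C:\Users\user\Downloads\tool.exe",
                 "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b",
                 datetime(2016, 10, 24, 9, 31, 45, tzinfo=timezone.utc)),
    AmcacheEntry(VOL, "200000000a3c1", r"C:\Temp\tool.exe",
                 "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b",
                 datetime(2016, 10, 22, 18, 5, 0, tzinfo=timezone.utc)),
]


def entries_by_path(entries):
    """Map each path to its entries, oldest first, so repeated paths stand out."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.path].append(e)
    return {p: sorted(es, key=lambda e: e.last_modified) for p, es in groups.items()}


def distinct_file_instances(entries):
    """Count distinct (volume, file reference) pairs: how many separate
    on-disk files the hive records, however often a path repeats."""
    return len({(e.volume_guid, e.file_ref_hex) for e in entries})


def reused_records(entries):
    """MFT records seen with more than one sequence number: the record was
    freed and reallocated, i.e. the earlier file was deleted and a later one
    took its slot. Returns {(volume, mft_entry): [sequence numbers]}."""
    by_record = defaultdict(set)
    for e in entries:
        mft, seq = decode_file_reference(e.file_ref_hex)
        by_record[(e.volume_guid, mft)].add(seq)
    return {k: sorted(v) for k, v in by_record.items() if len(v) > 1}


def describe(entries):
    """Analyst-readable lines, one per entry, grouped by path."""
    lines = []
    for path, es in sorted(entries_by_path(entries).items()):
        lines.append(f"{path}: {len(es)} entr{'y' if len(es) == 1 else 'ies'}")
        for e in es:
            mft, seq = decode_file_reference(e.file_ref_hex)
            lines.append(f"  ref={e.file_ref_hex} (MFT {mft}, seq {seq}) "
                         f"mod={e.last_modified:%Y-%m-%d %H:%M:%S} sha1={e.sha1}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE)))
    print(f"paths: {len(entries_by_path(SAMPLE))}, "
          f"file instances: {distinct_file_instances(SAMPLE)}, "
          f"reused MFT records: {reused_records(SAMPLE)}")
```

The check worth carrying into real cases is `reused_records`: identical path, identical SHA-1, same MFT record with a higher sequence number is the signature of a file that was removed and written again, which is exactly why an analyst should count entries by file reference rather than by path. The file reference in the key name is what makes the entry distinct; the path value alone cannot tell two downloads of the same tool apart.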