The AmCache is an artifact that stores metadata related to PE execution and program installation on Windows 7 and Server 2008 R2 and above. Frequently overlooked and understudied, this database is rarely fully exploited when doing incident response. Indeed, its correct interpretation is complex: a lot of special cases can occur that have to be taken into account when performing an analysis. However, the information collected by the AmCache is extremely useful, and the lack of awareness about this artifact makes it very valuable, since it is easily overlooked by attackers erasing their tracks. In this talk we will present the basics of the AmCache and then highlight the relevance of its use through various examples. In one example,
an attacker has deleted the malware used to infect a computer, but the AmCache analysis helps the analyst retrieve the hash of the malware. In another example, an attacker has installed a vulnerable driver on a computer and AmCache can help prove this installation. The rest of the examples will focus on what AmCache can bring in more recent versions of Windows 10.
This presentation is a follow-up on Blanche Lagny’s research on AmCache, which can be accessed at
www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf.
Speaker:
Blanche Lagny (@moustik01), Digital Forensic Investigator@ANSSI_FR ANSSI