AmCache.hve

windowsExecution EvidenceDisk Image

Location

C:\Windows\appcompat\Programs\Amcache.hve

Description

Application compatibility cache hive tracking program execution with SHA1 hashes, file paths, publisher metadata, and first-execution timestamps.

Forensic Value

AmCache provides SHA1 hashes for executed binaries, enabling immediate VirusTotal lookups even after the attacker deletes the original file. First-execution timestamps establish when a tool was first introduced to the system. Entries persist across reboots and are harder to anti-forensic than Prefetch.

Tools Required

KAPEAmcacheParser (Eric Zimmerman)Registry Explorer (Eric Zimmerman)

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical