LITIGATION SUPPORT TIP OF THE NIGHT

Amcache is a database on Windows operating systems which has information on applications that have been run on a PC. This registry 'hive' will usually be located at C:\Windows\appcompat\Programs\Amcache.hve on Windows 10.

Eric Zimmerman has a collection of open source forensic tools which can be downloaded here. Amcache Parser will help you access the contents of the Amcache file. Unzip the executable file and open the command prompt in admin mode. Run this command which points to the hive registry and designates that a .csv file should be generated:

AmcacheParser.exe -f C:\Windows\appcompat\Programs\Amcache.hve –-csv c:\temp

In my test tonight, Amcache Parser created six .csv files.

Among other information these files show you when devices have been connected to a computer . . .

. . . and when applications have been run on a computer.

Digital Forensics and Incident Response (DFIR) is a term for the application of digital forensic techniques to cyber security. It is the collection and preservation of digital evidence to either defend against a cyberattack, or conduct an investigation into one.

DFIR focuses first on containment of a threat. Then the elimination of the malware, unauthorized access, or other causes of the threat can be addressed. The incident can then be assessed, and preventive measures suggested and implemented. EnCase Endpoint Investigator is a tool commonly used for DFIR projects.

Common DFIR techniques on Windows systems include:

1. Review of the Application Compatibility Cache - to check what programs where run on a Windows operating system. The cache is designed to allow software written for earlier versions of Windows to run in the current version.

2. Extracting text from binary files - a search can be run for email addresses; IP addresses; and other information with regular expressions.

3. Event log parsing - event logs are stored in the same format on Windows. During DFIR their various data elements should be processed simultaneously.

4. Review of Prefetch files - the files stored at C:\Windows\Prefetch can be analyzed to show which programs have been run on a Windows computer.

5. Review of Shadow Volumes - deleted and wiped files can be recovered from these periodic back-ups.

6. Shellbag artifacts - these indicate when a folder was accessed.

7. Recycle Bin artifacts - contain information on the time a file was deleted and its original location.

8. Jumplist - hold information on which files have been opened by which applications.

9. Windows timeline - Windows 10 has a timeline showing which files and applications have been opened for the past 30 days.

10. NFTS file system - include records of when a system has been booted and changes have been made to individual files.

11. Windows registry - its files can be processed automatically.

12. LNK - shortcut .lnk files show when files have been opened.

Each week, Windows creates restore points, which are copies of program and system files. Restore points will also be created when new applications or device drivers are installed.

You can use a PowerShell command to generate a list of the restore points that exist on a computer. The command:

Get-ComputerRestorePoint

. . . will generate a list of the restore points and quickly give you information on when key events have taken place.