http://dx.doi.org/10.13089/JKIISC.2015.25.3.573

Method of estimating the deleted time of applications using Amcache.hve

Kim, Moon-Ho (Center for Information Security Technologies, Korea University)
Lee, Sang-jin (Center for Information Security Technologies, Korea University)
Abstract
The Amcache.hve file is a registry hive file associated with the Program Compatibility Assistant that stores execution information about applications. From Amcache.hve we can obtain the execution path, the first execution time, and the deletion time of an application. Because it records both the first install time and the deletion time, Amcache.hve can be used together with Prefetch files and Iconcache.db files to draw up an overall timeline of application activity. Amcache.hve is also an important artifact for recording traces of anti-forensic programs, portable programs, and external storage devices. This paper describes the features of the Amcache.hve file and methods for using it in digital forensics, such as estimating the deletion time of applications.
Keywords
Digital forensics; Amcache.hve; User behavior