Amcache/Syscache/RecentFileCache Analysis
Windows uses several databases as part of its Application Compatibility framework to track program execution. Their purpose is compatibility, but as a side effect they create valuable forensic artifacts.

The Amcache.hve file (located at C:\Windows\AppCompat\Programs\Amcache.hve on Windows 8/10/11) is a registry hive that logs details about executed applications. It records the executable path, the SHA1 hash of the file, the program's installation or first-execution time (often derived from link file creation), and potentially a deletion timestamp. It does not always reflect the last execution time as accurately as Prefetch does, but it provides strong evidence that a program was present and executed at least once, and entries can persist even after the program has been uninstalled. The SHA1 hash is particularly useful for identifying known malicious executables even if they were renamed. AmcacheParser (Eric Zimmerman) is the standard tool for parsing this hive.

On older systems, primarily Windows 7, the precursor artifact is Syscache.hve. It is often located within System Volume Information (C:\Windows\System32\config\System.sav\Syscache.hve or similar), so accessing it requires administrative privileges or offline mounting. It serves a similar function to Amcache, tracking executed programs and drivers. The community tool Ruedas has been noted for its ability to parse Syscache.hve.

Another related artifact, RecentFileCache.bcf (found at C:\Windows\AppCompat\Programs\RecentFileCache.bcf on Windows 7/8/10, though its usage varies), is a binary file that tracks recently executed files. It can sometimes capture execution evidence missed by the other caches, or provide slightly more recent timestamps. RecentFileCacheParser (Eric Zimmerman) is used to analyze its contents. Collectively, these caches help establish a historical record of program execution on a system, complementing other artifacts such as Prefetch.
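As an added example (not from this page or from Eric Zimmerman's tools), the Python below applies the hash-matching idea above to a CSV in the shape of AmcacheParser's file-entry output: it matches SHA1 values against a watchlist and flags any hash recorded under more than one file name. The column names are assumed from the tool's output; the rows, paths and hashes are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Placeholder SHA1 values (constructed, not real indicators).
SHA1_NOTEPAD, SHA1_INVOICE, SHA1_DROPPER = "a1" * 20, "b2" * 20, "c3" * 20

# Constructed sample in the shape of an AmcacheParser file-entries CSV; the
# column names are assumed from the tool's output and the rows are invented.
# Amcache stores the hash as "0000" + SHA1, so one row keeps that prefix.
SAMPLE_CSV = "\n".join([
    "FullPath,Name,SHA1,FileKeyLastWriteTimestamp",
    f"c:\\windows\\system32\\notepad.exe,notepad.exe,{SHA1_NOTEPAD},2024-01-05 10:00:00",
    f"c:\\users\\bob\\downloads\\invoice.exe,invoice.exe,0000{SHA1_INVOICE},2024-02-01 12:30:00",
    f"c:\\users\\bob\\appdata\\local\\temp\\svchost.exe,svchost.exe,{SHA1_INVOICE},2024-02-01 12:35:00",
    f"c:\\users\\bob\\appdata\\roaming\\dropper.exe,dropper.exe,{SHA1_DROPPER},2024-02-02 08:00:00",
])

# Constructed watchlist of known-bad hashes (placeholders).
KNOWN_BAD_SHA1 = {SHA1_DROPPER}

def normalise_sha1(value):
    """Lower-case the hash and strip the '0000' prefix Amcache prepends."""
    v = value.strip().lower()
    return v[4:] if len(v) == 44 and v.startswith("0000") else v

def parse_amcache_csv(text):
    """Parse CSV rows into dicts with lower-cased path/name and normalised SHA1."""
    return [{"path": r["FullPath"].lower(), "name": r["Name"].lower(),
             "sha1": normalise_sha1(r["SHA1"]), "ts": r["FileKeyLastWriteTimestamp"]}
            for r in csv.DictReader(io.StringIO(text))]

def match_known_bad(entries, watchlist):
    """Entries whose SHA1 is on the watchlist, whatever the file was named."""
    return [e for e in entries if e["sha1"] in watchlist]

def find_renamed_copies(entries):
    """Hashes recorded under more than one file name: one binary run under several names."""
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["sha1"]].append(e)
    return {h: es for h, es in by_hash.items() if len({e["name"] for e in es}) > 1}

if __name__ == "__main__":
    entries = parse_amcache_csv(SAMPLE_CSV)
    print("known bad:", [(e["path"], e["ts"]) for e in match_known_bad(entries, KNOWN_BAD_SHA1)])
    print("renamed:", {h: [e["path"] for e in es] for h, es in find_renamed_copies(entries).items()})
```

The same two checks apply unchanged to Syscache.hve output, since it records file hashes in the same way.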