amcache.device_containers

$ target-query <path/to/target> -f amcache.device_containers

Details

Module	dissect.target.plugins.os.windows.amcache.AmcachePlugin
Output	records

Module documentation

Appcompat plugin for amcache.hve.

Supported registry keys:

for old version of Amcache: * File * Programs

for new version of Amcache: • InventoryDriverBinary • InventoryDeviceContainer • InventoryApplication • InventoryApplicationFile * InventoryApplicationShortcut

References:

• https://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html

• https://cyber.gouv.fr/sites/default/files/2019/01/anssi-coriin_2019-analysis_amcache.pdf

• https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/

Function documentation

Return InventoryDeviceContainer records from Amcache hive.

Amcache is a registry hive that stores information about executed programs. The InventoryDeviceContainer key holds the device containers that are in cache. Example devices are bluetooth, printers, audio, etc.

References:

• https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html

• https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803

• https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/