If you read about the Amcache registry hive and what information it contains, you will find a lot of references that it contains the SHA-1 hash of the file in the corresponding registry entry. Now that especially comes in handy if files are deleted from disk. You can use the SHA-1 extracted from the Amcache to search indicator of compromise lists or simply on the internet in general.
I recently came across a discussion, where someone was asking about an explanation of SHA-1 hashes recorded in Amcache not matching the SHA-1 hash of the actual files. Another person claimed that this can happen, as the SHA-1 hash in Amcache is only calculated for the first 31,457,280 bytes (about 31.4 MB) of large files. Well time to take this to a test.
The Amcache registry hive is typically used in investigations to gain knowledge on executed files. It can be found at the following path: C:\Windows\AppCompat\Programs\Amcache.hve
The executables of 7-Zip and RegistryExplorer were chosen to be candidates for testing. Let’s start by calculating their SHA-1 hashes on disk:
As you can see, the files have the following SHA-1 hash values:
|File name||SHA-1 hash|
If we now execute both files and afterwards acquire the Amcache hive, we can have a look at the recorded values. In this test KAPE was used to acquire the Amcache and Registry Explorer to open it.
By reviewing the FileId value and removing the prefix ‘0000’, we can see that this actually is the SHA-1 hash value of the file on disk. But the size of the 7z.exe file is below 31,457,280 bytes.
Doing the same exercise again for RegistryExplorer.exe leads to an expected SHA-1 hash value of: 0f487a4beec16dba123cbc860638223abb51d432 . That value clearly does not match the SHA-1 hash we calculated earlier. The RegistryExplorer.exe file has a file size larger than 31,457,280 bytes.
So if it is true, that the SHA-1 stored in Amcache is calculated at max on the first 31,457,280 bytes of a file, we should be able to get the same result as above.
Above you can see how the dd command was used to get a file containing only the bytes that should be considered for the hash calculation of the Amcache entry. The hashes for both the original file and the stripped file are shown as well.
Putting this all next to each other:
|File||SHA-1 hash value|
|Original on disk||E50B8FA6F73F76490818B19614EE8AEFD0AA7A49|
|Stripped file on disk||0f487a4beec16dba123cbc860638223abb51d432|
The SHA-1 hash of the first 31,457,280 bytes matches what is recorded in Amcache. I tested this on Windows 10 and Windows 8, both 64 bit versions, showing exactly the same behaviour.
The testing performed shows that the Amcache records a SHA-1 hash for files, but for larger files only for the first 31,457,280 bytes. This also means that taking the SHA-1 hash from Amcache and search it online has its limitations. The size of the file needs to be taken into account.
Two very basic sayings in digital forensics and incident response have been proven right:
About the Author
Olaf Schwarz is a Senior Incident Response Consultant at NVISO. You can find Olaf on Twitter and LinkedIn.
You can follow NVISO Labs on Twitter to stay up to date on all out future research and publications.
One thought on “Amcache contains SHA-1 Hash – It Depends!”
This article really saved my bacon today, thank you so much!