Amcache contains SHA-1 Hash – It Depends!

If you read about the Amcache registry hive and the information it contains, you will find many references stating that it contains the SHA-1 hash of the file in the corresponding registry entry. That especially comes in handy if files have been deleted from disk: you can use the SHA-1 extracted from the Amcache to search indicator-of-compromise lists, or simply the internet in general.

I recently came across a discussion where someone was asking for an explanation of SHA-1 hashes recorded in Amcache not matching the SHA-1 hash of the actual files. Another person claimed that this can happen, as the SHA-1 hash in Amcache is only calculated over the first 31,457,280 bytes (about 31.4 MB) of large files. Well, time to put this to the test.

The Amcache registry hive is typically used in investigations to gain knowledge about executed files. It can be found at the following path: C:\Windows\AppCompat\Programs\Amcache.hve

The executables of 7-Zip and RegistryExplorer were chosen to be candidates for testing. Let’s start by calculating their SHA-1 hashes on disk:

Figure 1: Calculating SHA-1 hashes for files on disk

As you can see, the files have the following SHA-1 hash values:

File name               SHA-1 hash
7z.exe                  1189CEBEB8FFED7316F98B895FF949A726F4026F
RegistryExplorer.exe    E50B8FA6F73F76490818B19614EE8AEFD0AA7A49
Table 1: SHA-1 hashes on disk

If we now execute both files and afterwards acquire the Amcache hive, we can have a look at the recorded values. In this test KAPE was used to acquire the Amcache and Registry Explorer to open it.

Figure 2: Amcache.hve: Root\InventoryApplicationFile\7z.exe|afe683e0fa522625

By reviewing the FileId value and removing the ‘0000’ prefix, we can see that this is indeed the SHA-1 hash value of the file on disk. But note that the size of 7z.exe is below 31,457,280 bytes.

Figure 3: Amcache.hve: Root\InventoryApplicationFile\registryexplorer|54c8640d4bd6cc38

Doing the same exercise for RegistryExplorer.exe gives a recorded SHA-1 hash value of 0f487a4beec16dba123cbc860638223abb51d432. That value clearly does not match the SHA-1 hash we calculated earlier. The RegistryExplorer.exe file is larger than 31,457,280 bytes.

So if it is true that the SHA-1 stored in Amcache is calculated over at most the first 31,457,280 bytes of a file, hashing exactly those bytes should give the same result as above.

Figure 4: Getting SHA-1 hash of first 31,457,280 bytes

Above you can see how the dd command was used to produce a file containing only the bytes that should be considered for the hash calculation of the Amcache entry. The hashes of both the original file and the stripped file are shown as well.
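The dd step above can be reproduced without leaving Python. The script below is an added example written for this post; it is not part of the original article, nor code from KAPE, 7-Zip or Registry Explorer. It computes the full SHA-1 of a file and the SHA-1 of its first 31,457,280 bytes (the limit observed above), normalises an Amcache FileId by stripping the ‘0000’ prefix and lowercasing it, and reports which of the two hashes the entry matches. The limit value and the FileId layout come from this post; the function names and the constructed sample content are assumptions made for the example.

```python
import hashlib
import io
import sys

# Limit observed in the post: Amcache hashes at most this many bytes of a file.
AMCACHE_HASH_LIMIT = 31_457_280


def sha1_of_stream(stream, limit=None, chunk_size=1 << 20):
    """SHA-1 of a readable binary stream.

    With limit=None the whole stream is hashed; with a limit, hashing stops
    after that many bytes, which is what the post observed for Amcache.
    """
    digest = hashlib.sha1()
    remaining = limit
    while remaining is None or remaining > 0:
        to_read = chunk_size if remaining is None else min(chunk_size, remaining)
        data = stream.read(to_read)
        if not data:
            break
        digest.update(data)
        if remaining is not None:
            remaining -= len(data)
    return digest.hexdigest()


def sha1_of_bytes(data, limit=None):
    """Convenience wrapper for in-memory content."""
    return sha1_of_stream(io.BytesIO(data), limit)


def normalize_fileid(fileid):
    """Turn an Amcache FileId ('0000' followed by 40 hex characters, as seen
    in the post) into a lowercase 40-character SHA-1 string. Any other input
    is only stripped and lowercased."""
    value = fileid.strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    return value


def compare_with_amcache(data, fileid, limit=AMCACHE_HASH_LIMIT):
    """Compare file content against an Amcache FileId.

    The 'match' field tells which hash the entry corresponds to:
    'full' (entire file), 'prefix' (only the first `limit` bytes) or 'none'.
    """
    recorded = normalize_fileid(fileid)
    full = sha1_of_bytes(data)
    prefix = sha1_of_bytes(data, limit)
    if recorded == full:
        match = "full"
    elif recorded == prefix:
        match = "prefix"
    else:
        match = "none"
    return {
        "size": len(data),
        "truncated": len(data) > limit,  # True when only a prefix gets hashed
        "full_sha1": full,
        "prefix_sha1": prefix,
        "recorded_sha1": recorded,
        "match": match,
    }


def build_sample(size):
    """Constructed, deterministic sample content for testing (not a real binary)."""
    pattern = bytes(range(256))
    return (pattern * (size // len(pattern) + 1))[:size]


if __name__ == "__main__":
    # Usage: python amcache_sha1_check.py <file on disk> <FileId value from Amcache>
    with open(sys.argv[1], "rb") as fh:
        content = fh.read()
    for key, value in compare_with_amcache(content, sys.argv[2]).items():
        print(f"{key}: {value}")
```

Run it with the file and the FileId value copied from the Amcache entry. A ‘full’ match is the small-file case from Figure 2, a ‘prefix’ match is the RegistryExplorer.exe case from Table 2, and ‘none’ means the entry was not produced from this file content with either hashing rule and needs another explanation.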

Putting this all next to each other:

File                     SHA-1 hash value
Original on disk         E50B8FA6F73F76490818B19614EE8AEFD0AA7A49
Amcache entry            0f487a4beec16dba123cbc860638223abb51d432
Stripped file on disk    0f487a4beec16dba123cbc860638223abb51d432
Table 2: Comparing SHA-1 hashes for RegistryExplorer.exe

The SHA-1 hash of the first 31,457,280 bytes matches what is recorded in Amcache. I tested this on Windows 10 and Windows 8, both 64 bit versions, showing exactly the same behaviour.

Conclusion

The testing performed shows that Amcache records a SHA-1 hash for files, but for larger files only over the first 31,457,280 bytes. This also means that taking the SHA-1 hash from Amcache and searching for it online has its limitations: the size of the file needs to be taken into account.

Two very basic sayings in digital forensics and incident response have been proven right:

It depends!

Always validate!

About the Author

Olaf Schwarz is a Senior Incident Response Consultant at NVISO. You can find Olaf on Twitter and LinkedIn.

You can follow NVISO Labs on Twitter to stay up to date on all our future research and publications.
