# Amcaching In

The challenge description briefly explains what Amcache is, and also gives a link to a file.

If you want more information on Amcache, [this is a great link](https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/).

Upon research, I found that RegRipper can be used to do this; however, there are plenty of other great tools out there. The one I decided to use for this challenge was [AmCacheParser](https://github.com/EricZimmerman/AmcacheParser).

AmCacheParser runs on Windows and is basically a tool to analyse and "parse" the Amcache hive, so we run the command below through the Windows command prompt.

```
AmcacheParser.exe -f "Amcache.hve" --csv OutputFolder
```

We run the above command from the `AmcacheParser` folder. To break this down: `AmcacheParser.exe` takes the `-f` argument, which tells the tool which file to use as input, so we pass the file we were given, `Amcache.hve`. We also need to give an output location for the results; this is the `--csv` part of the command, followed by the folder name. This runs the tool and writes the output into the folder `OutputFolder`, or whatever you chose to name it.

![We now have a lot of Excel files.](https://815184494-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MInDVexIZ47VkOdGSlp%2F-MKKgDkUv_X97DEXeCi9%2F-MKKilM_Sk31YuyCbAjE%2Fimage.png?alt=media\&token=e3ddeafc-cce3-40f2-97ac-91ef0a75307b)

As the above image shows, we now have a lot of Excel files to sort through. I first re-read the description to see what we needed, and it led me to look in the `20201017155041_Amcache_UnassociatedFileEntries` file, which looks a bit like this:

![There is lots of data here given to us from the AmcacheParser tool.](https://815184494-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MInDVexIZ47VkOdGSlp%2F-MKKgDkUv_X97DEXeCi9%2F-MKKjDh-C-BeaAAaJKe_%2Fimage.png?alt=media\&token=0b854f70-f0f9-4766-bc63-9d499860a32b)

Once there, I used the find tool (`CTRL + F`) to search for `mpowers`, which was the user given to us in the description. Below are the entries for `mpowers`, specifically from the Full Path column.

| Full Path:                                                                                                       |
| ---------------------------------------------------------------------------------------------------------------- |
| c:\users\mpowers\appdata\local\temp\d930e9b6-7d1b-4a5d-804e-ce667e431ff9\dismhost.exe                            |
| c:\users\mpowers\desktop\ftk imager\ftk imager.exe                                                               |
| c:\users\mpowers\downloads\python-3.7.0-amd64-webinstall.exe                                                     |
| c:\users\mpowers\appdata\local\temp\4{b04d01b2-0174-4ef5-8fb5-84584c0964f5}.be\python-3.7.0-amd64-webinstall.exe |
| c:\users\mpowers\appdata\local\temp\4{4a1d9cda-5382-4f04-b44d-51927f9c602a}.cr\python-3.7.0-amd64-webinstall.exe |
| c:\users\mpowers\desktop\sub-win-x64\_104.148.109.124\_5682\_3262.exe                                            |

As shown above, we have quite a lot of file paths. We were told to find what he installed, so I immediately looked closer at the Python install executables. It is very clear he installed `Python` on the system, so I tried the flag as `flag{python}` and we scored the flag.
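The manual steps above (open the UnassociatedFileEntries CSV, CTRL+F for the user, pick out the installers) can be scripted so they scale to a real hive with thousands of rows. This is an added example, not code from the writeup or from AmcacheParser: the column names `FullPath`, `Name` and `SHA1` are assumed, and the sample rows are constructed from the paths listed above plus one made-up row for a second user.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed rows in the shape of AmcacheParser's UnassociatedFileEntries export.
# Column names are assumed; a real export carries many more columns than these.
SAMPLE_CSV = r"""SHA1,FullPath,Name
0000000000000000000000000000000000000001,c:\users\mpowers\appdata\local\temp\d930e9b6-7d1b-4a5d-804e-ce667e431ff9\dismhost.exe,dismhost.exe
0000000000000000000000000000000000000002,c:\users\mpowers\desktop\ftk imager\ftk imager.exe,ftk imager.exe
0000000000000000000000000000000000000003,c:\users\mpowers\downloads\python-3.7.0-amd64-webinstall.exe,python-3.7.0-amd64-webinstall.exe
0000000000000000000000000000000000000003,c:\users\mpowers\appdata\local\temp\4{b04d01b2-0174-4ef5-8fb5-84584c0964f5}.be\python-3.7.0-amd64-webinstall.exe,python-3.7.0-amd64-webinstall.exe
0000000000000000000000000000000000000003,c:\users\mpowers\appdata\local\temp\4{4a1d9cda-5382-4f04-b44d-51927f9c602a}.cr\python-3.7.0-amd64-webinstall.exe,python-3.7.0-amd64-webinstall.exe
0000000000000000000000000000000000000004,c:\users\otheruser\downloads\notepad-setup.exe,notepad-setup.exe
"""

# Profile owner is the first path component under <drive>:\users\
USER_PATH = re.compile(r"^[a-z]:\\users\\([^\\]+)\\", re.IGNORECASE)
# Loose heuristic for installer-looking binaries; tune for the case at hand
INSTALLER_HINT = re.compile(r"install|setup", re.IGNORECASE)

def owner_of(path: str):
    """Return the profile name a path sits under, or None for paths outside a user profile."""
    m = USER_PATH.match(path)
    return m.group(1).lower() if m else None

def entries_for_user(csv_text: str, user: str, path_col: str = "FullPath"):
    """Rows whose path lies inside the given user's profile (the CTRL+F step, automated)."""
    return [row for row in csv.DictReader(io.StringIO(csv_text))
            if owner_of(row[path_col]) == user.lower()]

def installer_candidates(entries, path_col: str = "FullPath", name_col: str = "Name"):
    """Group installer-looking executables by file name, so staged copies of one
    installer (Downloads plus the temp extraction folders) collapse into one candidate."""
    by_name = defaultdict(list)
    for row in entries:
        if INSTALLER_HINT.search(row[name_col]):
            by_name[row[name_col].lower()].append(row[path_col])
    return dict(by_name)

if __name__ == "__main__":
    rows = entries_for_user(SAMPLE_CSV, "mpowers")
    for name, paths in installer_candidates(rows).items():
        print(f"{name}: seen at {len(paths)} location(s)")
```

On a real export, read the file with `open(path, newline="", encoding="utf-8-sig")` and pass its contents in place of the sample string.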

> Writeup created by Chris Harris (@cjharris18)
