Amcaching In

The amcache can be a pretty handy tool to help build out a timeline of execution during an investigation, and is always located in %SystemRoot%\AppCompat\Programs\Amcache.hve. What was the application

So the description for this challenge briefly explains what amcache is, and also gives a link to a file.

If you want more information on Amcache, this is a great link.

So upon research, I found RegRipper can be used to do this; however, there are plenty of other great tools out there. The one I decided to use for this challenge was AmcacheParser.

AmcacheParser runs on Windows and is a tool to parse the Amcache hive into CSV files that can then be analysed. We run it from the Windows command prompt:

AmcacheParser.exe -f "Amcache.hve" --csv OutputFolder

We run the above command from the AmcacheParser folder. To break it down: AmcacheParser.exe takes the -f argument, which tells the tool which file to use as input, so we pass it the Amcache.hve we were given. We also need to tell it where to write its output; that is the --csv part of the command, followed by the output folder. This runs the tool and writes the CSV files into OutputFolder, or whatever you chose to name it.

We now have a lot of CSV files to sort through. I first re-read the description to see what we needed, and it led me to look in the 20201017155041_Amcache_UnassociatedFileEntries file (the numeric prefix is the timestamp of when the tool was run).

Once there, I used the find tool (CTRL + F) to search for mpowers, the user given to us by the description. Below are the entries for mpowers, taken from the Full Path column.

Full Path:

c:\users\mpowers\appdata\local\temp\d930e9b6-7d1b-4a5d-804e-ce667e431ff9\dismhost.exe

c:\users\mpowers\desktop\ftk imager\ftk imager.exe

c:\users\mpowers\downloads\python-3.7.0-amd64-webinstall.exe

c:\users\mpowers\appdata\local\temp\4{b04d01b2-0174-4ef5-8fb5-84584c0964f5}.be\python-3.7.0-amd64-webinstall.exe

c:\users\mpowers\appdata\local\temp\4{4a1d9cda-5382-4f04-b44d-51927f9c602a}.cr\python-3.7.0-amd64-webinstall.exe

c:\users\mpowers\desktop\sub-win-x64_104.148.109.124_5682_3262.exe

So as shown above, we have quite a few file paths. We were told to find what he installed, so I instantly looked more closely at the Python installer executables. It is very clear he installed Python on the system, so I tried the flag as flag{python} and it was correct.
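Searching the CSV by hand works for one user, but the same triage is easy to script. The Python below is an added example, not code from the writeup or from AmcacheParser: it reads the shape of the *_Amcache_UnassociatedFileEntries.csv output, keeps only rows under one user's profile, groups them by file name so the same installer copied into several temp folders collapses to one line, and flags names that look like installers. The column names (FileKeyLastWriteTimestamp, SHA1, FullPath, Name) are assumed from AmcacheParser's output, the sample rows are constructed (the paths from the listing above plus two unrelated rows, with made-up timestamps and hashes), and the "install"/"setup" name check is a heuristic for triage only. Note also that FileKeyLastWriteTimestamp is when the Amcache key was written, which is not the same as proof of execution.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of AmcacheParser's
# *_Amcache_UnassociatedFileEntries.csv. Only four of the real columns are
# reproduced (column names assumed from that output; FullPath is the one the
# writeup searches). Timestamps and SHA1 values are made up; the paths are the
# ones listed in the writeup plus two unrelated rows.
SAMPLE_CSV = r"""FileKeyLastWriteTimestamp,SHA1,FullPath,Name
2020-10-17 13:55:00,0000000000000000000000000000000000000001,c:\windows\system32\svchost.exe,svchost.exe
2020-10-17 14:02:10,0000000000000000000000000000000000000002,c:\users\mpowers\downloads\python-3.7.0-amd64-webinstall.exe,python-3.7.0-amd64-webinstall.exe
2020-10-17 14:02:35,0000000000000000000000000000000000000002,c:\users\mpowers\appdata\local\temp\4{b04d01b2-0174-4ef5-8fb5-84584c0964f5}.be\python-3.7.0-amd64-webinstall.exe,python-3.7.0-amd64-webinstall.exe
2020-10-17 14:02:36,0000000000000000000000000000000000000002,c:\users\mpowers\appdata\local\temp\4{4a1d9cda-5382-4f04-b44d-51927f9c602a}.cr\python-3.7.0-amd64-webinstall.exe,python-3.7.0-amd64-webinstall.exe
2020-10-17 14:10:00,0000000000000000000000000000000000000003,c:\users\mpowers\desktop\ftk imager\ftk imager.exe,ftk imager.exe
2020-10-17 14:20:00,0000000000000000000000000000000000000004,c:\users\mpowers\desktop\sub-win-x64_104.148.109.124_5682_3262.exe,sub-win-x64_104.148.109.124_5682_3262.exe
2020-10-17 14:30:00,0000000000000000000000000000000000000005,c:\users\mpowers\appdata\local\temp\d930e9b6-7d1b-4a5d-804e-ce667e431ff9\dismhost.exe,dismhost.exe
2020-10-17 14:40:00,0000000000000000000000000000000000000006,c:\users\admin\downloads\7z1900-x64.exe,7z1900-x64.exe
"""


def parse_entries(text):
    """Parse AmcacheParser CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def user_entries(entries, user):
    """Rows whose FullPath sits under the given user's profile folder."""
    prefix = f"c:\\users\\{user.lower()}\\"
    return [e for e in entries if e["FullPath"].lower().startswith(prefix)]


def location(path):
    """Coarse bucket for where in the profile a file was seen."""
    p = path.lower()
    if "\\appdata\\local\\temp\\" in p:
        return "temp"
    for folder in ("downloads", "desktop"):
        if f"\\{folder}\\" in p:
            return folder
    return "other"


def summarise(entries, user):
    """Collapse one user's rows by file name: count, locations, time window.

    The python web installer appears three times in the writeup's listing
    (Downloads plus two temp extraction folders); grouping by Name turns that
    into a single line with count 3 instead of three rows to eyeball.
    """
    groups = defaultdict(list)
    for e in user_entries(entries, user):
        groups[e["Name"].lower()].append(e)
    summary = {}
    for name, rows in groups.items():
        stamps = sorted(r["FileKeyLastWriteTimestamp"] for r in rows)
        summary[name] = {
            "count": len(rows),
            "locations": sorted({location(r["FullPath"]) for r in rows}),
            "sha1s": sorted({r["SHA1"] for r in rows}),
            "first_seen": stamps[0],
            "last_seen": stamps[-1],
        }
    return summary


def installer_candidates(summary):
    """Names that look like installers, ordered by first appearance.

    Heuristic only (name contains 'install' or 'setup'): a triage aid, not
    evidence. Confirm against other artefacts before calling anything
    'installed'.
    """
    hits = [n for n in summary if "install" in n or "setup" in n]
    return sorted(hits, key=lambda n: summary[n]["first_seen"])


if __name__ == "__main__":
    rows = parse_entries(SAMPLE_CSV)
    report = summarise(rows, "mpowers")
    for name in sorted(report, key=lambda n: report[n]["first_seen"]):
        r = report[name]
        locs = ",".join(r["locations"])
        print(f"{r['first_seen']}  x{r['count']}  {locs:<16} {name}")
    print("installer candidates:", installer_candidates(report))
```

Swap SAMPLE_CSV for the contents of the real UnassociatedFileEntries file to run it against an actual AmcacheParser export; the same SHA1 appearing for all three python-3.7.0-amd64-webinstall.exe rows in the sample is the kind of detail that tells you the temp copies are the same binary rather than something masquerading under a familiar name.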

Writeup created by Chris Harris (@cjharris18)
