Amcaching In
The amcache can be a pretty handy tool to help build out a timeline of execution during an investigation, and is always located in %SystemRoot%\AppCompat\Programs\Amcache.hve what was the application
So the description for this challenge briefly explains what amcache is, and also gives a link to a file.
If you want more information on Amcache, this is a great link.
So upon research, I found RegRipper can be used to do this; however, there are plenty of other great tools out there. The one I decided to use for this challenge was AmcacheParser.
AmcacheParser runs on Windows and is a tool to analyse and "parse" the Amcache hive into readable output, so we run it through the Windows command prompt:
AmcacheParser.exe -f "Amcache.hve" --csv OutputFolder
We run the above command from the AmcacheParser folder. To break this down: we run AmcacheParser.exe with the -f argument, which tells the tool which file to take as input, and we specify the file we were given, Amcache.hve. We also need to give an output location for the results; this is the --csv part of the command, followed by the folder name. This runs the tool and writes the output into the folder OutputFolder, or whatever you chose to name it.

As the above image shows, we now have a lot of CSV files to sort through in Excel. I first re-read the description to see what we needed, and it led me to look in the 20201017155041_Amcache_UnassociatedFileEntries file, which looks a bit like this:

Once here I then used the find tool (CTRL + F) to search for mpowers, which was the user given to us by the description. Below are the entries for mpowers, more specifically from the Full Path column.
Full Path:
c:\users\mpowers\appdata\local\temp\d930e9b6-7d1b-4a5d-804e-ce667e431ff9\dismhost.exe
c:\users\mpowers\desktop\ftk imager\ftk imager.exe
c:\users\mpowers\downloads\python-3.7.0-amd64-webinstall.exe
c:\users\mpowers\appdata\local\temp\4{b04d01b2-0174-4ef5-8fb5-84584c0964f5}.be\python-3.7.0-amd64-webinstall.exe
c:\users\mpowers\appdata\local\temp\4{4a1d9cda-5382-4f04-b44d-51927f9c602a}.cr\python-3.7.0-amd64-webinstall.exe
c:\users\mpowers\desktop\sub-win-x64_104.148.109.124_5682_3262.exe
So as shown above, we have quite a lot of file paths. We were told to find what he installed, so I instantly looked deeper at the Python install executables. It is very clear he installed Python on the system, so I tried the flag as flag{python} and we scored the flag.
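Searching with CTRL + F works for one user in one CSV, but the same triage is easy to script, which matters when the Amcache dump has thousands of rows. The following Python is an added example written for this writeup, not part of the challenge or of AmcacheParser itself. It reads a constructed sample of the UnassociatedFileEntries CSV (the column names FullPath, Name, SHA1 and FileKeyLastWriteTimestamp are my assumption about the tool's output, and the hashes and timestamps are made up; the mpowers paths are the ones listed above), filters the rows to one user's profile, orders them by key write time, and flags likely installers by name and by the pattern seen here, where one binary appears under downloads and again under temp extraction directories.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of AmcacheParser UnassociatedFileEntries output.
# Column names are assumed; SHA1 values and timestamps are made up.
SAMPLE_CSV = """FullPath,Name,SHA1,FileKeyLastWriteTimestamp
c:\\windows\\system32\\notepad.exe,notepad.exe,0000000000000000000000000000000000000001,2020-10-01 09:00:00
c:\\users\\mpowers\\desktop\\ftk imager\\ftk imager.exe,ftk imager.exe,0000000000000000000000000000000000000002,2020-10-02 10:15:00
c:\\users\\mpowers\\downloads\\python-3.7.0-amd64-webinstall.exe,python-3.7.0-amd64-webinstall.exe,0000000000000000000000000000000000000003,2020-10-02 11:00:00
c:\\users\\mpowers\\appdata\\local\\temp\\4{b04d01b2-0174-4ef5-8fb5-84584c0964f5}.be\\python-3.7.0-amd64-webinstall.exe,python-3.7.0-amd64-webinstall.exe,0000000000000000000000000000000000000003,2020-10-02 11:01:00
c:\\users\\mpowers\\appdata\\local\\temp\\4{4a1d9cda-5382-4f04-b44d-51927f9c602a}.cr\\python-3.7.0-amd64-webinstall.exe,python-3.7.0-amd64-webinstall.exe,0000000000000000000000000000000000000003,2020-10-02 11:01:30
c:\\users\\jdoe\\downloads\\7z1900-x64.exe,7z1900-x64.exe,0000000000000000000000000000000000000004,2020-10-03 08:00:00
"""

# Matches the user profile segment of a path such as c:\users\mpowers\...
USER_PATH = re.compile(r"^c:\\users\\([^\\]+)\\", re.IGNORECASE)


def load_entries(csv_text):
    """Parse the CSV text into a list of dict rows (one per Amcache file entry)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def entries_for_user(rows, user):
    """Keep only rows whose FullPath sits under that user's profile (case-insensitive)."""
    kept = []
    for row in rows:
        match = USER_PATH.match(row["FullPath"])
        if match and match.group(1).lower() == user.lower():
            kept.append(row)
    return kept


def timeline(rows):
    """Return (timestamp, path) pairs ordered by the key's last write time."""
    pairs = [(row["FileKeyLastWriteTimestamp"], row["FullPath"]) for row in rows]
    return sorted(pairs)


def group_by_hash(rows):
    """Map SHA1 -> sorted list of paths where that same binary was recorded."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["SHA1"]].append(row["FullPath"])
    return {sha1: sorted(paths) for sha1, paths in groups.items()}


def likely_installers(rows):
    """Names that look like installers: 'install'/'setup' in the file name, or the
    same hash seen under more than one path (download plus temp extraction dirs)."""
    by_hash = group_by_hash(rows)
    names = set()
    for row in rows:
        lowered = row["Name"].lower()
        seen_in_several_places = len(by_hash[row["SHA1"]]) > 1
        if "install" in lowered or "setup" in lowered or seen_in_several_places:
            names.add(row["Name"])
    return sorted(names)


if __name__ == "__main__":
    rows = load_entries(SAMPLE_CSV)
    user_rows = entries_for_user(rows, "mpowers")
    for when, path in timeline(user_rows):
        print(when, path)
    print("likely installers:", likely_installers(user_rows))
```

To use it against a real dump, replace SAMPLE_CSV with the contents of the UnassociatedFileEntries CSV and check the header row matches the column names assumed here. One caveat worth keeping in mind when reading the timeline: the timestamp is the registry key's last write time, so it shows when the entry was recorded, and an Amcache entry on its own does not prove the binary was executed.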
Writeup created by Chris Harris (@cjharris18)