Type Name Latest commit message Commit time
lib initial commit Sep 18, 2018
tcl initial commit Sep 18, 2018
tk initial commit Sep 18, 2018
Amcache_Scan$py.class
Amcache_Scan.py initial commit Sep 18, 2018
Amcache_Scan_py_GPL_License.txt initial commit Sep 18, 2018
GUI_Settings.db3 bug fixes Oct 4, 2018
README.md Create README.md Oct 18, 2018
amcache2sqlite.exe initial commit Sep 18, 2018
cacert.pem initial commit Sep 18, 2018
python27.dll initial commit Sep 18, 2018
sqlite3.dll initial commit Sep 18, 2018

README.md

Amcache_Scan

How to use Amcache_Scan Autopsy Plugin:

  1. Place files in %AppData$\Roaming\Autopsy\Python_modules
  2. In Configure Ingest Modules, select Amcache Scan.
  3. Enter your VirusTotal API key. Select the 'Private API Key?' checkbox if you have a private VirusTotal API key.

The module parses the following keys:

- Amcache.hve\Root\File*?*?
- Amcache.hve\Root\Programs*?
- Amcache.hve\Root\InventoryApplicationFile*?
- Amcache.hve\Root\InventoryDeviceContainer*?
- Amcache.hve\Root\InventoryDevicePnp*?
- Amcache.hve\Root\InventoryDriverBinary*?
- Amcache.hve\Root\InventoryDriverPackage*?
- Amcache.hve\Root\InventoryApplicationShortcut*?

After the keys are parsed, the results are added to Autopsy, then the VirusTotal scanning begins using the SHA1 hashes from Amcache.hve\Root\File*?*? and Amcache.hve\Root\InventoryApplicationFile*?.
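
The hash-collection step described above, sketched as an added example (this is not the plugin's own code): it turns Amcache file-ID values into a deduplicated SHA-1 lookup queue and spaces the lookups out over time. The function names, the row layout, the sample rows and the default quota of 4 lookups per minute are assumptions made for illustration.

```python
import re

# Amcache stores a file's hash as "0000" followed by the 40 hex digits of a SHA-1.
_FILE_ID = re.compile(r"^0000([0-9a-fA-F]{40})$")

# Constructed sample rows: (source key, file path, file-ID value as stored).
SAMPLE_ROWS = [
    ("Root\\InventoryApplicationFile", "c:\\tools\\a.exe",
     "0000da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    ("Root\\File", "c:\\users\\x\\downloads\\a_copy.exe",
     "0000DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"),   # same file, upper case
    ("Root\\File", "c:\\temp\\nohash.tmp", ""),           # entry without a hash
    ("Root\\InventoryApplicationFile", "c:\\tools\\b.exe",
     "00002fd4e1c67a2d28fced849ee1bb76e7391b93eb12"),
]

def sha1_from_file_id(value):
    """Return the lowercase SHA-1 held in a file-ID value, or None if malformed."""
    if not value:
        return None
    match = _FILE_ID.match(value.strip())
    return match.group(1).lower() if match else None

def build_lookup_queue(rows):
    """Group paths by distinct SHA-1 so each hash is looked up only once.

    Returns (queue, skipped): queue maps sha1 -> list of paths, skipped lists
    the (source key, path) pairs that carried no usable hash.
    """
    queue, skipped = {}, []
    for source_key, path, file_id in rows:
        sha1 = sha1_from_file_id(file_id)
        if sha1 is None:
            skipped.append((source_key, path))
            continue
        paths = queue.setdefault(sha1, [])
        if path not in paths:
            paths.append(path)
    return queue, skipped

def schedule(hashes, per_minute=4):
    """Return (delay_seconds, sha1) pairs that keep lookups within the quota."""
    interval = 60.0 / per_minute
    return [(i * interval, h) for i, h in enumerate(hashes)]

if __name__ == "__main__":
    queue, skipped = build_lookup_queue(SAMPLE_ROWS)
    for delay, sha1 in schedule(list(queue)):
        print("t+%5.1fs  %s  %s" % (delay, sha1, "; ".join(queue[sha1])))
    print("no hash:", skipped)
```

Amcache computes the SHA-1 over at most the first 31,457,280 bytes of a file, so the recorded hash of a larger file will not match a full-file hash known to VirusTotal; treat "not found" for such entries as inconclusive.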