• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.3
• /
• pp.573-583
• /
• 2015

Amcache.hve file is a registry hive file regarding Program Compatibility Assistant, which stores the executed information of applications. With Amcache.hve file, We can know execution path, first executed time as well as deleted time. Since it checks both the first install time and deleted time, Amcache.hve file can be used to draw up the overall timeline of applications when used with the Prefetch files and Iconcache.db files. Amcache.hve file is also an important artifact to record the traces of anti-forensic programs, portable programs and external storage devices. This paper illustrates the features of Amcache.hve file and methods for utilization in digital forensics such as estimation of deleted time of applications.