AmCaching In
Challenge:
The amcache can be a pretty handy tool to help build out a timeline of execution during an investigation, and is always located in
%SystemRoot%\AppCompat\Programs\Amcache.hve
What was the application installed by the user mpowers? Submit the flag as flag{program}.
Solution:
The provided Zip archive contained an Amcache file (Amcache.hve) which I analyzed using the amcache plug-in for RegRipper:
```text
$ perl rip.pl.linux -r Amcache.hve -p amcache | grep mpowers
Launching amcache v.20200515
c:\users\mpowers\appdata\local\temp\d930e9b6-7d1b-4a5d-804e-ce667e431ff9\dismhost.exe LastWrite: 2018-08-08 03:17:33Z
c:\users\mpowers\desktop\ftk imager\ftk imager.exe LastWrite: 2018-08-08 20:19:12Z
c:\users\mpowers\downloads\python-3.7.0-amd64-webinstall.exe LastWrite: 2018-07-23 13:38:02Z
c:\users\mpowers\appdata\local\temp\4\{b04d01b2-0174-4ef5-8fb5-84584c0964f5}\.be\python-3.7.0-amd64-webinstall.exe LastWrite: 2018-07-23 13:38:23Z
c:\users\mpowers\appdata\local\temp\4\{4a1d9cda-5382-4f04-b44d-51927f9c602a}\.cr\python-3.7.0-amd64-webinstall.exe LastWrite: 2018-07-23 13:38:18Z
c:\users\mpowers\desktop\sub-win-x64_104.148.109.124_5682_3262.exe LastWrite: 2018-08-08 05:21:15Z
```
I saw two possible choices for the flag, ftk imager or python, so I tried them both; the accepted flag was flag{python}.
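As an added example (not part of the original writeup or of RegRipper), the following Python turns the plug-in's "path LastWrite: time" output format shown above into a per-user timeline and applies the same installer-name triage used to pick the flag; the sample lines are copied from the output above, and the installer heuristic is an assumption, not something the plug-in does.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple, Optional

# Constructed sample: the "path LastWrite: <UTC time>" lines that RegRipper's
# amcache plug-in printed above (banner line first, then one line per entry).
SAMPLE_OUTPUT = r"""Launching amcache v.20200515
c:\users\mpowers\appdata\local\temp\d930e9b6-7d1b-4a5d-804e-ce667e431ff9\dismhost.exe LastWrite: 2018-08-08 03:17:33Z
c:\users\mpowers\desktop\ftk imager\ftk imager.exe LastWrite: 2018-08-08 20:19:12Z
c:\users\mpowers\downloads\python-3.7.0-amd64-webinstall.exe LastWrite: 2018-07-23 13:38:02Z
c:\users\mpowers\appdata\local\temp\4\{b04d01b2-0174-4ef5-8fb5-84584c0964f5}\.be\python-3.7.0-amd64-webinstall.exe LastWrite: 2018-07-23 13:38:23Z
c:\users\mpowers\appdata\local\temp\4\{4a1d9cda-5382-4f04-b44d-51927f9c602a}\.cr\python-3.7.0-amd64-webinstall.exe LastWrite: 2018-07-23 13:38:18Z
"""

LINE_RE = re.compile(r"^(?P<path>.+?) LastWrite: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z$")
USER_RE = re.compile(r"^[a-z]:\\users\\(?P<user>[^\\]+)\\", re.IGNORECASE)


class Entry(NamedTuple):
    path: str
    user: Optional[str]   # profile owner when the path sits under \users\<name>\
    basename: str
    last_write: datetime  # the key's LastWrite time (UTC), not a proven run time
    in_temp: bool         # staged under a \temp\ directory (installer extraction)


def parse_amcache_lines(text: str) -> list:
    """Parse plug-in output into Entry records; lines that do not match (the banner) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        owner = USER_RE.match(path)
        entries.append(Entry(
            path=path,
            user=owner.group("user").lower() if owner else None,
            basename=path.rsplit("\\", 1)[-1],
            last_write=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
            in_temp="\\temp\\" in path.lower(),
        ))
    return entries


def timeline(entries, user=None):
    """Chronological view of the entries, optionally limited to one user's profile."""
    return sorted((e for e in entries if user is None or e.user == user), key=lambda e: e.last_write)


def installer_candidates(entries):
    """Triage heuristic (assumed): distinct basenames whose name suggests an installer."""
    return {e.basename for e in entries if re.search(r"install|setup", e.basename, re.IGNORECASE)}
```

LastWrite is the registry key's last-write time, so treat it as when the entry was last updated rather than as proof that the binary ran at that moment.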