ericzimmerman / amcacheparser Goto Github PK

Parsing the following files
Pooh.hve
Pooh.hve.LOG1

via AmcacheParser.exe -f "\full\win\path\to\Pooh.hve" --csv "\full\win\path\to\current\folder"

produces:

AmcacheParser version 1.3.3.0

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/AmcacheParser

Command line: -f Pooh.hve --csv .

Hive does not contain a File and/or Programs key. Processing cannot continue
Hive did not contain program entries nor file entries. Exiting

Just simply running AmcacheParser.exe on a Windows OS that has FIPS enabled causes it to crash.

Unhandled Exception: System.TypeInitializationException: The type initializer for '<Module>' threw an exception. ---> System.TypeInitializationException: The type initializer for 'LibZ.Injected.AsmZResolver' threw an exception. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
   at System.Security.Cryptography.MD5.Create()
   at LibZ.Injected.AsmZResolver.Hash(String text)
   at LibZ.Injected.AsmZResolver..cctor()
   --- End of inner exception stack trace ---
   at LibZ.Injected.AsmZResolver.Initialize()
   at LibZ.Injected.LibZInitializer.Initialize()
   at .cctor()
   --- End of inner exception stack trace ---

This can be solved by using a different hashing algorithm instead of MD5, use SHA1 or SHA256 for example.

Hi Eric,

I ran the AmcacheParser and got the error attached in the Screenshot, unfortunately I can't copy/zip the amcahe.hve and send it to you because the file is in use, is there any info I can give you to help fix the error, or do you know how to stop it so that I can send it to you?

I am getting the following Exception while running the amcache parser in windows 10
"An unhandled exception of type 'System.NotSupportedException' occurred in FluentCommandLineParser.dll".Can you please help me with this.

Not an issue, more a request.

AmcacheParser currently outputs dates in MM-dd-yyyy HH:mm:ss format, as defined in FECacheOutputMap (https://github.com/EricZimmerman/AmcacheParser/blob/master/AmcacheParser/Program.cs#L351) and PECacheOutputMap (https://github.com/EricZimmerman/AmcacheParser/blob/master/AmcacheParser/Program.cs#L381).

When loading the TSV output into a tool such as Excel, Excel fails to recognise some of the dates correctly because it's expecting them to be in my (UK) locale, i.e. dd-MM-yyyy HH:mm:ss.

I appreciate that changing the code to detect the correct locale for the user might be a pain, but I'd suggest that a format of yyyy-MM-dd HH:mm:ss might be more universally accepted by tools reading the TSV.

In the InventoryDriverBinary keys the DriverID values are typically the SHA1 hash of the driver (with two null bytes prepended). Would it be possible to either strip those first two bytes from the data presented in the CSV output or create a new column for the SHA1 hash (with the bytes stripped)? This would make it easier to grab those values out of the output for checks against known good/known bad hash databases.

Hi there,

I got this error when running the util on an Amcache.hve extracted off a dead box. Other utilities, such as RegRipper seem to have no problem. Any thoughts on what might be going on?

Brian

In a Windows 10 image release 1511, build 10586, the Amcache hive contains the Root\InventoryApplication key which you use to determine whether it is the "old" or "new" format, but it is not, in fact, the "new" format. (The Root\InventoryApplication in this hive contains only the ProviderSyncId value and no child keys). AmcacheParser fails to parse it, thinking that it's the new format:

Hive does not contain a InventoryApplicationFile and/or InventoryApplication key. Processing cannot continue
Hive did not contain program entries nor file entries.