mbevilacqua / appcompatprocessor

"Evolving AppCompat/AmCache data analysis beyond grep"
Apache License 2.0
190 stars, 26 forks

Amcache Parser #15

Open nwf9 opened 6 years ago

nwf9 commented 6 years ago

Hi guys,

The Amcache parser does not work because of the new structure. Can you update the parser?

Regards

mbevilacqua commented 6 years ago

Hi there, would really need more details to process this. What didn't work, what format did you feed to it, etc..

nwf9 commented 6 years ago

Hi Matias,

The current parser did not parse anything, even from Windows 7. I get the message below:

python AmCacheParser.py Amcache.hve
doesn't appear to be an Amcache.hve hive

Give me your private email if you want to test with my Amcache sample.

mbevilacqua commented 6 years ago

So that python script is a helper object not intended to be called directly.

If you have individual hives you want to parse I suggest you try one of these:

https://github.com/williballenthin/python-registry/blob/master/samples/amcache.py

https://github.com/EricZimmerman/AmcacheParser

On Mon, Jul 16, 2018 at 14:10 nwf9 notifications@github.com wrote:


nwf9 commented 6 years ago

It's not my issue. I tested this Python script because I get a lot of warning messages when I try to ingest all the Amcache artifacts, like below:

2018-07-17 10:31:17,916 WARNING No ingest plugin could process: Amcache_00d2553d69920a5c473755b1c178a7d12c1eb2d3ae3dcef26e4dfe8e509ae203_35977nm.hve (skipping file) [size: 2883584]
2018-07-17 10:31:17,921 WARNING No ingest plugin could process: Amcache_0a51a1ca98fb8dca18037804a39d99ba4c42e897b8a6886e1e346f14fc9e4ec0_47533nm.hve (skipping file) [size: 1835008]

mbevilacqua commented 6 years ago

Are you able to process those with any of the two above mentioned tools? If that works, could you try a debug run (-v) and send over the Output.log file?

nwf9 commented 6 years ago

It works only with Eric Zimmerman's tool and not with Willi Ballenthin's, because it doesn't understand the Amcache format.

./amcache.py -v Amcache.hve
ERROR:amcache:doesn't appear to be an Amcache.hve hive

Zimmerman:

AmcacheParser.exe -f "C:\Users\xxxx\Desktop\appcompatprocessor-master\Amcache.hve" --csv toto
AmcacheParser version 1.0.0.3

Author: Eric Zimmerman (saericzimmerman@gmail.com) https://github.com/EricZimmerman/AmcacheParser

Command line: -f Amcache.hve --csv toto

Header length is smaller than the size of the file. Found hbin with size 0 at absolute offset 0x192000
Initial processing complete. Building tree...
Found root node! Getting subkeys...
Hive processing complete! Flushing record lists...

'Amcache.hve' is in new format!

Total file entries found: 481
Total shortcuts found: 143
Total device containers found: 31
Total device PnPs found: 82
Total drive binaries found: 250
Total driver packages found: 13

Found 218 unassociated file entries

Results saved to: toto

Total parsing time: 0.366 seconds.

mbevilacqua commented 5 years ago

Ref: https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html
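The "new format" that AmcacheParser reports above is the reason the python-registry sample bails out: it only looks for the legacy `Root\File` key, while Windows 10 1709+ hives keep file entries under `Root\InventoryApplicationFile`. The following is an added example for this thread, not appcompatprocessor's `AmCacheParser.py` and not the python-registry sample. It detects which layout a hive uses and extracts file entries from either. Assumptions: the legacy value names ("15" = full path, "101" = SHA-1 with four leading zeros, "6" = size, "0" = product name, "1" = company) and the new-format value names (`LowerCaseLongPath`, `FileId`, `Size`, `ProductName`, `Publisher`) are taken from public Amcache research, and the key/value objects are duck-typed against python-registry's `name()`/`subkeys()`/`subkey()`/`values()`/`value()` API so the logic can be exercised on constructed sample keys without a real hive.

```python
r"""Amcache.hve layout detection and file-entry extraction (legacy and new).

Added example for the appcompatprocessor issue thread; NOT the project's own
AmCacheParser.py and NOT the python-registry sample.  Assumed layouts:
  legacy (Win7 / early Win10): Root\File\<volume GUID>\<file ref>, values named
    "15" (full path), "101" (SHA-1 prefixed with "0000"), "6" (size),
    "0" (product name), "1" (company)
  new (Win10 1709+):           Root\InventoryApplicationFile\<name>|<hash>,
    values LowerCaseLongPath, FileId ("0000" + SHA-1), Size, ProductName, Publisher
Key/value objects are duck-typed against python-registry's API.
"""

LEGACY_FIELDS = {"15": "path", "101": "sha1", "6": "size",
                 "0": "product", "1": "publisher"}
NEW_FIELDS = {"LowerCaseLongPath": "path", "FileId": "sha1", "Size": "size",
              "ProductName": "product", "Publisher": "publisher"}


def detect_format(root):
    """Return "legacy", "new" or None based on the subkeys directly under Root."""
    names = {k.name() for k in root.subkeys()}
    if "InventoryApplicationFile" in names:
        return "new"
    if "File" in names:
        return "legacy"
    return None


def _strip_prefix(sha1):
    # Both layouts store the SHA-1 as "0000" followed by 40 hex characters.
    if isinstance(sha1, str) and len(sha1) == 44 and sha1.startswith("0000"):
        return sha1[4:].lower()
    return sha1


def _entry(key, mapping):
    vals = {v.name(): v.value() for v in key.values()}
    entry = {field: vals.get(name) for name, field in mapping.items()}
    entry["sha1"] = _strip_prefix(entry["sha1"])
    return entry


def file_entries(root):
    """Return (format, [entry dicts]); raise ValueError if Root is not an Amcache root."""
    fmt = detect_format(root)
    if fmt is None:
        raise ValueError("doesn't appear to be an Amcache.hve hive: "
                         "no File or InventoryApplicationFile key under Root")
    if fmt == "legacy":
        entries = [_entry(ref, LEGACY_FIELDS)
                   for volume in root.subkey("File").subkeys()
                   for ref in volume.subkeys()]
    else:
        entries = [_entry(app, NEW_FIELDS)
                   for app in root.subkey("InventoryApplicationFile").subkeys()]
    return fmt, entries


def load_root(path):
    """Open a real hive with python-registry (import deferred so the rest runs without it)."""
    from Registry import Registry  # https://github.com/williballenthin/python-registry
    return Registry.Registry(path).root()  # the hive's root key is the "Root" key


# --- constructed sample keys (not real hive data) for a stand-alone run -------
class _Key:
    def __init__(self, name, subkeys=(), values=()):
        self._name, self._subkeys, self._values = name, list(subkeys), list(values)
    def name(self): return self._name
    def subkeys(self): return self._subkeys
    def subkey(self, name): return next(k for k in self._subkeys if k.name() == name)
    def values(self): return self._values


class _Value:
    def __init__(self, name, value): self._name, self._value = name, value
    def name(self): return self._name
    def value(self): return self._value


def sample_roots():
    """Three constructed roots: legacy Amcache, new Amcache, and a non-Amcache hive."""
    legacy = _Key("Root", [_Key("File", [_Key("{00000000-0000-0000-0000-000000000001}", [
        _Key("10000a3b", values=[
            _Value("15", r"C:\Windows\System32\calc.exe"),
            _Value("101", "0000" + "a" * 40), _Value("6", 27648),
            _Value("0", "Microsoft Windows Operating System"),
            _Value("1", "Microsoft Corporation")])])]), _Key("Programs")])
    new = _Key("Root", [_Key("InventoryApplicationFile", [_Key("calc.exe|1a2b3c4d", values=[
        _Value("LowerCaseLongPath", r"c:\windows\system32\calc.exe"),
        _Value("FileId", "0000" + "b" * 40), _Value("Size", 27648),
        _Value("ProductName", "microsoft windows operating system"),
        _Value("Publisher", "microsoft corporation")])]),
        _Key("InventoryApplication"), _Key("InventoryDriverBinary")])
    other = _Key("ROOT", [_Key("ControlSet001"), _Key("Select")])  # looks like SYSTEM
    return legacy, new, other


if __name__ == "__main__":
    import sys
    root = load_root(sys.argv[1]) if len(sys.argv) > 1 else sample_roots()[1]
    fmt, entries = file_entries(root)
    print(f"format={fmt} entries={len(entries)}")
    for e in entries[:5]:
        print(e)
```

Run it with a hive path to parse a real `Amcache.hve` through python-registry, or with no arguments to see the constructed new-format sample. The `ValueError` text deliberately mirrors the sample script's "doesn't appear to be an Amcache.hve hive" message so the failure mode seen in this thread is distinguishable from a hive that merely uses the newer layout.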