Incident Response with EZTools - Evidence of Execution

AmCacheParser is bundled with EZTools, this tool can be used to parse the Amcache.hve and provide us with a vast amount of information about what files have been executed on the system.

Amcache can provide a timeline of which program was executed and when it was first run and last modified. This also provides additional detail, giving us the File Path, Version, Hash, and etc.

From an incident response perspective, it is necessary for the responder to have the ability and skill to quickly triage to patient zero and identify the cause or action performed before the incident was detected.

During an incident, an executable may be launched, which causes our system to behave in an odd way. Getting an evidence of this execution on the system can help the responder pivot the investigation.

Windows Application Compatibility Forensics