Hello, I work for the French Law Enforcement and I am training to become an investigator specializing in digital technologies. I am currently writing a thesis on Autopsy. I am testing the Process_AmCache module obtained on GitHub on my local disk but it does not seem to work. It finishes in a second and does not give any results. Is this normal? Thank you
No that should probably take longer. If you look at the Autopsy.log.X file for that case it may have an error or something in it from the module run.
Looks like there was an issue reading the amcache.hve file. Can you try and export the file from Autopsy and see if there is any issues doing that?
I was able to extract the AmCache.hve file which was located under the path C:\Windows\AppCompat\Programs\Amcache.hve without any problem using Autopsy.
I also tried creating a new case and adding the file as a logical file and then running the ingest module. It doesn’t work either.
I will take a look at it as time permits.