Skill UI

A specialized tool for digital forensics investigators that parses the Windows Amcache.hve registry hive. It extracts crucial evidence regarding program execution history, application installation metadata, and loaded driver binaries. By correlating SHA-1 hashes and reconstructing timelines, users can determine which executables ran on a system, aiding in incident response and threat detection.

This guide demonstrates how to build comprehensive forensic super-timelines using Plaso (log2timeline) to correlate events across diverse sources. It covers the entire workflow, from processing disk images and various logs (MFT, registry, browser history) to generating standardized CSV, JSONL exports, and visualizing the results in tools like Timesketch for deep investigative analysis.