Phill Moore (@phillmoore.bsky.social)

While doing some digging at my old job we found that sometimes Amcache might present data that isn't reflected in the PE it relates to. We didn't figure out why this happens, but Velociraptor is the perfect tool for digging in deeper thinkdfir.com/2026/04/25/t... #DFIR

loading . . .

Trust but Verify: Amcache’s OriginalFilename Field Isn’t Always Accurate During an engagement at $lastdayjob we found a possible bug in AmCache so I wanted to dig into it a bit deeper. Mostly this is a call for help, and an explanation of how to test! TLDR Sometimes AmC… https://thinkdfir.com/2026/04/25/trust-but-verify-amcaches-originalfilename-field-isnt-always-accurate/