Add Amcache Pca function

[Zawadidone]

• Review artefact new Windows 11 "execution" artefact in the PcaGeneralDb1.txt and/or PcaGeneralDb0.txt
• Add function that parses the entries in these txt file(s)

References

• 13 Cubed - A New Program Execution Artifact - Windows 11 22H2 Update!
• https://github.com/fox-it/dissect.target/blob/main/dissect/target/plugins/os/windows/amcache.py(https://github.com/fox-it/dissect.target/blob/main/dissect/target/plugins/os/windows/amcache.py)
• https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/(https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/)
• https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/AppCompatPCA.tkape(https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/AppCompatPCA.tkape)
• https://github.com/AndrewRathbun/DFIRArtifactMuseum/blob/main/Windows/Amcache/Win11/RathbunVM/PcaGeneralDb0.txt(https://github.com/AndrewRathbun/DFIRArtifactMuseum/blob/main/Windows/Amcache/Win11/RathbunVM/PcaGeneralDb0.txt)

[Zawadidone]

The PR #120 added the functionality to parse PcaGeneralDb0.txt. The following additional files could also be added to the applaunch record and function:

• PcaAppLaunchDic.txt
• PcaGeneralDb1.txt - Extra fields

PcaGeneralDb0.txt

2022-12-19 17:57:45.865|2|%programfiles%\freefilesync\freefilesync.exe|freefilesync|freefilesync.org|11.28|000633a92018be9965dd4f5fbff878d2c1cc00000904|Abnormal process exit with code 0x2

• Timestamp
• Application name
• Software vendor
• File version
• Program ID (not a hash)
• Exit message

[Schamper]

Yeah I kept this issue open for that reason :)