# Analyzing Evidence of Program Execution

<figure><img src="/files/vcWRDCwbtKjyivWaSNaN" alt=""><figcaption></figcaption></figure>

## BAM (Background Activity Moderator)

**Registry**: `HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}` (Windows 10 1809 and later; 1709 and 1803 use `HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}`)

**BAM** records, per user SID, the full path of each executable the account ran and the time it was last run. Each value under the SID subkey is one executable: the value name is the path (a `\Device\HarddiskVolumeN\...` device path on current builds) and the value data begins with a 64-bit FILETIME, in UTC, of the most recent execution. Only the latest run is kept, so a program started many times shows a single timestamp. Entries survive process exit and deletion of the binary, so BAM still attributes execution to a specific user after the program is gone. Note that an offline hive has no `CurrentControlSet`: use the `ControlSet00N` named by `HKLM\SYSTEM\Select\Current` (RegRipper resolves this for you; in Registry Explorer browse to that control set).

Q) Which executables does the BAM record for the user with RID 1000 (the last component of the SID, e.g. `S-1-5-21-...-1000`), and what are their last execution dates and times?

Let's open the SYSTEM hive in Registry Explorer and browse to that SID subkey.

<figure><img src="/files/rKavF5hpQyGkq5GNtuz3" alt=""><figcaption></figcaption></figure>

Alternatively, we can use the output of RegRipper's `bam` plugin, which lists the same values with the FILETIME already decoded.

<figure><img src="/files/It3lbRqfdYS5QwBQ9w3T" alt=""><figcaption></figcaption></figure>
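As an added example (not code from the original page, RegRipper or Registry Explorer), the following Python decodes BAM values the way those tools do: value name as path, first eight bytes of data as a FILETIME. It assumes the SID subkeys and their values have already been read out of the hive (a library such as python-registry would do that; it is not used here) and works on a constructed sample that includes the `Version` and `SequenceNumber` bookkeeping values found beside the executable paths.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 UTC; the Unix epoch is
# 11,644,473,600 seconds later, which is how the sample timestamps are built.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_EPOCH_DELTA_SECONDS = 11_644_473_600


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def unix_to_filetime(unix_seconds: int) -> int:
    """Inverse helper, used only to build the constructed sample below."""
    return (unix_seconds + _EPOCH_DELTA_SECONDS) * 10_000_000


def rid_from_sid(sid: str) -> int:
    """Relative identifier: the last sub-authority of a SID (1000 for the first local user)."""
    return int(sid.rsplit("-", 1)[1])


def parse_bam_value(value_name: str, value_data: bytes) -> tuple[str, datetime]:
    """Decode one BAM value: the name is the executable path, data[0:8] is the last-run FILETIME."""
    if len(value_data) < 8:
        raise ValueError(f"BAM data for {value_name!r} is shorter than a FILETIME")
    (ticks,) = struct.unpack_from("<Q", value_data, 0)
    return value_name, filetime_to_datetime(ticks)


def bam_entries_for_rid(user_settings: dict[str, dict[str, bytes]], rid: int) -> list[tuple[str, datetime]]:
    """Return (path, last_run) pairs for the account whose SID ends in `rid`, newest first.

    `user_settings` maps each SID subkey of UserSettings to its values, the shape a
    hive library would hand you. `Version` and `SequenceNumber` are bookkeeping,
    not executables, and are skipped.
    """
    hits = []
    for sid, values in user_settings.items():
        # Only account SIDs (S-1-5-21-<domain>-<rid>) have a meaningful RID; skip
        # well-known SIDs such as S-1-5-18 (SYSTEM) that also appear under BAM.
        if not sid.startswith("S-1-5-21-") or rid_from_sid(sid) != rid:
            continue
        for name, data in values.items():
            if name in ("Version", "SequenceNumber"):
                continue
            hits.append(parse_bam_value(name, data))
    return sorted(hits, key=lambda entry: entry[1], reverse=True)


def _bam_data(unix_seconds: int) -> bytes:
    """Constructed 24-byte BAM value: the FILETIME followed by 16 bytes of padding."""
    return struct.pack("<Q", unix_to_filetime(unix_seconds)) + bytes(16)


# Constructed sample (not taken from the page's evidence). 1705320000 is 2024-01-15 12:00:00 UTC.
SAMPLE_USER_SETTINGS = {
    "S-1-5-18": {"Version": b"\x01\x00\x00\x00", "SequenceNumber": b"\x05\x00\x00\x00"},
    "S-1-5-21-1111111111-2222222222-3333333333-1000": {
        "Version": b"\x01\x00\x00\x00",
        "SequenceNumber": b"\x2a\x00\x00\x00",
        r"\Device\HarddiskVolume3\Windows\System32\cmd.exe": _bam_data(1705320000),
        r"\Device\HarddiskVolume3\Users\Public\payload.exe": _bam_data(1705320000 + 600),
    },
    "S-1-5-21-1111111111-2222222222-3333333333-1001": {
        r"\Device\HarddiskVolume3\Windows\notepad.exe": _bam_data(1705320000 - 86400),
    },
}


if __name__ == "__main__":
    for path, last_run in bam_entries_for_rid(SAMPLE_USER_SETTINGS, 1000):
        print(f"{last_run.isoformat()}  {path}")
```

Running it prints the RID 1000 entries newest first. `rid_from_sid` is what turns the question's "RID 1000" into the right SID subkey, and the same FILETIME decoding applies to the ShimCache and Prefetch timestamps later on this page.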

## Application Compatibility Cache (ShimCache)

**Registry**: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache` (value `AppCompatCache`)

The **Application Compatibility Cache (ShimCache)** exists so that Windows can decide quickly whether an executable needs a compatibility shim. To do that it caches, for each executable it has looked at, the file path and the file's last-modified time, taken from the file system rather than from the moment of execution. Windows XP entries also record the file size; Windows 7 and 8 entries carry an insertion flag that indicates whether the process actually executed; Windows 10 entries record neither.

For an investigator, ShimCache is a record of executables that were present at a given path. An entry is created when a program is executed, but also when its metadata is inspected, for example by browsing its folder in Explorer, so on Windows 10, where there is no execution flag, an entry proves presence and not execution. It remains valuable for reconstructing timelines and for spotting binaries in unusual locations, and because the cache stores the path rather than the file, entries persist after the executable has been deleted or renamed.

The cache is held in memory and serialized to the SYSTEM hive at shutdown or reboot. Two consequences follow: the on-disk hive can lag the live system by a whole boot session, so live-response triage should also capture the running state, and an attacker who deletes a binary does not remove its ShimCache entry.

Let's open the SYSTEM hive in Registry Explorer.

<figure><img src="/files/pQu3LK3AuSvvJZObzmy8" alt=""><figcaption></figcaption></figure>

Cache entry positions reflect the order in which entries were inserted or updated, with the most recently touched entry at position 0. Because Windows 10 stores no insertion timestamp, this order is the only recency information ShimCache gives: the last-modified column is the executable's file-system modification time, which can predate execution by years (or be timestomped) and must not be read as a run time.

Reading entries in position order therefore yields a relative sequence of the most recent activity before the last shutdown, which analysts anchor in absolute time with dated artifacts such as BAM, Prefetch, or Amcache.

Alternatively, we can use the output of RegRipper's `appcompatcache` plugin.

<figure><img src="/files/AOGEMEtSvsX65cqZhwl3" alt=""><figcaption></figcaption></figure>

We can also use Eric Zimmerman's **`AppCompatCacheParser`**, which writes one CSV row per cache entry (`-f` takes the hive, `--csv` the output directory):

```bash
AppCompatCacheParser.exe -f C:\Cases\Analysis\Registry\SYSTEM --csv C:\Cases\Analysis\Execution
```

<figure><img src="/files/KqKRYpcsmwuYVXBT4NtD" alt=""><figcaption></figcaption></figure>

Let's open the resulting CSV in Timeline Explorer.

<figure><img src="/files/oJ2jpTywdOvYmPA4qVgr" alt=""><figcaption></figcaption></figure>

Timeline Explorer makes the entry order and the `Executed` column easy to filter, but read that column with care: for Windows 7 and 8 hives it reflects the insertion flag, while a Windows 10 hive has no such flag, so the parser cannot say whether an entry was executed. Corroborate Windows 10 ShimCache hits with BAM, Prefetch, or Amcache before calling them executions.
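The Windows 10 entry layout described above, as an added example that is not from the page or from AppCompatCacheParser: a parser over the raw `AppCompatCache` value bytes, fed a constructed cache (header plus three entries) instead of a real hive. The 0x30/0x34 header probe and the field layout follow the publicly documented format; reading the value out of an offline hive would need a registry library and is not shown. The sample deliberately puts a timestomped-looking binary at position 0 to make the "position is recency, timestamp is mtime" point concrete.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WIN10_ENTRY_MAGIC = b"10ts"
# The Windows 10 header is 0x30 bytes on early builds and 0x34 from the
# Creators Update on; the first entry starts immediately after it.
WIN10_HEADER_SIZES = (0x30, 0x34)
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def unix_to_filetime(unix_seconds: int) -> int:
    """Inverse helper, used only to construct the sample."""
    return (unix_seconds + 11_644_473_600) * 10_000_000


@dataclass
class ShimEntry:
    position: int            # 0 = most recently inserted or updated
    path: str
    last_modified: datetime  # file-system mtime of the executable, NOT an execution time
    data_len: int


def find_first_entry(cache: bytes) -> int:
    """Locate the first '10ts' entry by probing the two known header sizes."""
    for size in WIN10_HEADER_SIZES:
        if cache[size:size + 4] == WIN10_ENTRY_MAGIC:
            return size
    raise ValueError("not a Windows 10 AppCompatCache value (no '10ts' entry after the header)")


def parse_win10_shimcache(cache: bytes) -> list[ShimEntry]:
    """Parse Windows 10 AppCompatCache value data into entries in cache order.

    Each entry: 4-byte magic '10ts', 4-byte unknown (checksum), 4-byte body length,
    then the body: 2-byte path length, UTF-16LE path, 8-byte FILETIME last-modified,
    4-byte data length, data.
    """
    entries: list[ShimEntry] = []
    offset = find_first_entry(cache)
    while offset + 12 <= len(cache):
        magic, _unknown, body_len = struct.unpack_from("<4sII", cache, offset)
        if magic != WIN10_ENTRY_MAGIC:
            break  # slack space after the last entry
        body = cache[offset + 12: offset + 12 + body_len]
        (path_len,) = struct.unpack_from("<H", body, 0)
        path = body[2:2 + path_len].decode("utf-16-le")
        (ticks,) = struct.unpack_from("<Q", body, 2 + path_len)
        (data_len,) = struct.unpack_from("<I", body, 10 + path_len)
        entries.append(ShimEntry(len(entries), path, filetime_to_datetime(ticks), data_len))
        offset += 12 + body_len
    return entries


def build_win10_entry(path: str, last_modified_ticks: int, data: bytes = b"") -> bytes:
    """Serialize one entry; the inverse of the parser, used to construct the sample."""
    encoded = path.encode("utf-16-le")
    body = struct.pack("<H", len(encoded)) + encoded
    body += struct.pack("<Q", last_modified_ticks) + struct.pack("<I", len(data)) + data
    return WIN10_ENTRY_MAGIC + struct.pack("<II", 0, len(body)) + body


# Constructed sample: a 0x34-byte header (its contents are not needed for parsing)
# followed by three entries. Position 0 is a binary in a user-writable folder whose
# mtime is 2009-01-01 (Unix 1230768000); the others carry 2024-01-01 (1704067200).
SAMPLE_CACHE = (
    struct.pack("<I", 0x34).ljust(0x34, b"\x00")
    + build_win10_entry(r"C:\Users\Public\payload.exe", unix_to_filetime(1230768000))
    + build_win10_entry(r"C:\Windows\System32\cmd.exe", unix_to_filetime(1704067200))
    + build_win10_entry(r"C:\Windows\System32\notepad.exe", unix_to_filetime(1704067200), bytes(8))
)


if __name__ == "__main__":
    for entry in parse_win10_shimcache(SAMPLE_CACHE):
        print(f"{entry.position:>3}  {entry.last_modified.isoformat()}  {entry.path}")
```

The output lists `payload.exe` first with a 2009 timestamp: it was the most recent insertion, yet nothing in the entry says when, or whether, it ran. That is exactly the gap BAM and Prefetch fill.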

## Overview of the Amcache

**Hive file:** `C:\Windows\AppCompat\Programs\Amcache.hve`

The **Amcache.hve** file, located in the `C:\Windows\AppCompat\Programs` directory, is a registry hive maintained by the application compatibility appraiser and a forensic goldmine for investigating application activity on Windows systems. On Windows 10 the executable inventory lives under `Root\InventoryApplicationFile` (older systems use `Root\File`), with values such as `LowerCaseLongPath`, `Publisher`, `ProductName`, `LinkDate`, `Size`, and `FileId`.

Unlike ShimCache, the Amcache records rich per-file metadata, and its `FileId` value holds a SHA-1 digest of the file (prefixed with `0000`) that can be compared directly against threat intelligence or against a recovered copy of the binary. The digest covers only the first 31,457,280 bytes of the file, so a full-file hash of a larger binary will not match. Two caveats: the key's last-write time records when the entry was written, not when the program last ran, and the appraiser can inventory files that were never executed, so an Amcache entry by itself is strong evidence of presence and only circumstantial evidence of execution.

Let's open Amcache.hve using Registry Explorer.

<figure><img src="/files/uG9lRM4w2vhrchQlwJ0K" alt=""><figcaption></figcaption></figure>

We can also use AmcacheParser, which splits the hive into several CSV files (among them unassociated file entries, program entries, file entries associated with installed programs, and device and driver inventories):

```bash
AmcacheParser.exe -f C:\Cases\E\Windows\AppCompat\Programs\Amcache.hve --csv C:\Cases\Analysis\Execution
```

<figure><img src="/files/10lgUJtriwZU5emfLcXZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/eOtuVrsgcDodrj3BHeuk" alt=""><figcaption></figcaption></figure>

Let's open the `UnassociatedFileEntries` file in Timeline Explorer. It lists executables that are not tied to an installed program entry, which is where standalone tools and dropped payloads usually surface.

<figure><img src="/files/TTm35whyTUZCYZZ8kjnZ" alt=""><figcaption></figcaption></figure>
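An added example, not from the page or from AmcacheParser: compute the Amcache-style hash of a recovered binary and compare it with a `FileId` from the CSV. The 31,457,280-byte limit and the `0000` prefix are the documented Amcache behaviour; the file contents used in the demonstration are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Amcache's FileId is a SHA-1 over at most the first 31,457,280 bytes (30 MiB)
# of the file, stored as 44 hex characters with a "0000" prefix.
AMCACHE_HASH_LIMIT = 31_457_280
FILE_ID_PREFIX = "0000"
_CHUNK = 1 << 20


def amcache_sha1(data: bytes) -> str:
    """Amcache-style SHA-1 of an in-memory file image (truncated to the limit)."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()


def amcache_sha1_of_file(path: Path) -> str:
    """Stream only the first AMCACHE_HASH_LIMIT bytes of a file on disk into SHA-1."""
    digest = hashlib.sha1()
    remaining = AMCACHE_HASH_LIMIT
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(_CHUNK, remaining))
            if not chunk:
                break
            digest.update(chunk)
            remaining -= len(chunk)
    return digest.hexdigest()


def file_id_to_sha1(file_id: str) -> str:
    """Strip the '0000' prefix from an Amcache FileId, yielding a lowercase 40-hex SHA-1."""
    value = file_id.strip().lower()
    if len(value) == 44 and value.startswith(FILE_ID_PREFIX):
        value = value[len(FILE_ID_PREFIX):]
    if len(value) != 40 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"unexpected FileId format: {file_id!r}")
    return value


def matches_file_id(file_id: str, data: bytes) -> bool:
    """True if a recovered file image is the one Amcache inventoried under this FileId."""
    return file_id_to_sha1(file_id) == amcache_sha1(data)


if __name__ == "__main__":
    # Constructed file larger than the limit: the full-file SHA-1 and the Amcache
    # hash differ, which is why a full-file hash lookup can miss where the
    # FileId-derived hash hits, or the other way round.
    image = b"MZ" + bytes(AMCACHE_HASH_LIMIT) + b"overlay past the hashed region"
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "big.exe"
        sample.write_bytes(image)
        print("amcache (disk)  :", amcache_sha1_of_file(sample))
        print("amcache (memory):", amcache_sha1(image))
        print("full-file sha1  :", hashlib.sha1(image).hexdigest())
```

When checking a hash from `UnassociatedFileEntries` against VirusTotal or a known-bad list, submit the stripped 40-character value; if the binary is larger than 30 MiB, hash it with this truncation rather than with a plain `sha1sum` before comparing.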

## Windows Prefetch analysis with PECmd

**Path:** `C:\Windows\Prefetch\*.pf`

Windows Prefetch is a performance optimization that records which files and directories an application touches during its first seconds of execution so they can be loaded faster next time. From a forensic perspective each `.pf` file is evidence of program execution: it holds the executable name, a run count, the last run time (and, from Windows 8 onward, up to seven previous run times), the volumes involved, and the list of files and directories referenced, which often includes the DLLs a malware sample loaded or the documents it opened.

Prefetch files outlive the executable, so they show that a deleted program ran, and when. Points to keep in mind: the file name is `EXENAME-<hash>.pf`, where the hash is derived from the executable's full path (and, for hosting processes such as `svchost.exe`, from its command line as well), so the same binary run from two locations produces two files; the folder holds at most 1024 files on Windows 8 and later (128 on Windows 7), after which old entries are evicted; Windows 10 files are compressed, which PECmd handles transparently; and Prefetch is disabled by default on Windows Server, controlled by the `EnablePrefetcher` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters`, so an empty Prefetch directory is not by itself suspicious.

<figure><img src="/files/fO4YPDFFj80402HnxDks" alt=""><figcaption></figcaption></figure>

Let's use PECmd to examine the contents of the prefetch file `ATOMICSERVICE.EXE-CFFBD82A.pf`:

```bash
PECmd.exe -f C:\Cases\E\Windows\prefetch\ATOMICSERVICE.EXE-CFFBD82A.pf
```

<figure><img src="/files/q4X2Qs7FYEOLabZ7DQXB" alt=""><figcaption></figcaption></figure>
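As an added example (not from the page or from PECmd), the following reads only the fixed header of a `.pf` file and checks it against the file name, the quick consistency test to run before trusting a prefetch file that may have been renamed or planted. The raw header used here is constructed to match the page's file name `ATOMICSERVICE.EXE-CFFBD82A.pf`; it is not the real file's content, and the `MAM` sample is likewise constructed. Decompressing a Windows 10 `MAM` container needs `RtlDecompressBufferEx` on Windows or a third-party Xpress Huffman implementation, which is left to PECmd.

```python
import struct

MAM_PREFIX = b"MAM"                 # Windows 10+ compressed container; byte 3 is a format flag (0x04)
SCCA_SIGNATURE = b"SCCA"            # uncompressed prefetch file, signature at offset 4
EXECUTABLE_NAME_OFFSET, EXECUTABLE_NAME_SIZE = 0x10, 60   # UTF-16LE, NUL-terminated, 29 chars max
PREFETCH_HASH_OFFSET = 0x4C
HEADER_SIZE = 0x54
FORMAT_VERSIONS = {17: "Windows XP/2003", 23: "Windows Vista/7", 26: "Windows 8/8.1",
                   30: "Windows 10", 31: "Windows 11"}


def split_prefetch_filename(filename: str) -> tuple[str, int]:
    """'ATOMICSERVICE.EXE-CFFBD82A.pf' -> ('ATOMICSERVICE.EXE', 0xCFFBD82A); accepts full paths."""
    stem = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if stem.lower().endswith(".pf"):
        stem = stem[:-3]
    name, sep, digits = stem.rpartition("-")
    if not sep or len(digits) != 8:
        raise ValueError(f"not a prefetch file name: {filename!r}")
    return name, int(digits, 16)


def inspect_prefetch(data: bytes, filename: str) -> dict:
    """Describe a .pf file from its header and check the header against the file name."""
    if data[:3] == MAM_PREFIX:
        (decompressed_size,) = struct.unpack_from("<I", data, 4)
        return {"compressed": True, "mam_flag": data[3], "decompressed_size": decompressed_size}
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != SCCA_SIGNATURE:
        raise ValueError("neither a MAM container nor an SCCA prefetch file")
    raw_name = data[EXECUTABLE_NAME_OFFSET:EXECUTABLE_NAME_OFFSET + EXECUTABLE_NAME_SIZE]
    executable = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    (header_hash,) = struct.unpack_from("<I", data, PREFETCH_HASH_OFFSET)
    name_in_filename, hash_in_filename = split_prefetch_filename(filename)
    return {
        "compressed": False,
        "version": version,
        "windows": FORMAT_VERSIONS.get(version, "unknown"),
        "file_size": file_size,
        "executable": executable,
        "header_hash": f"{header_hash:08X}",
        # A renamed or hand-built .pf shows up here as a name or hash mismatch.
        "filename_matches_header": (name_in_filename.upper() == executable.upper()
                                    and hash_in_filename == header_hash),
    }


def build_scca_header(version: int, executable: str, prefetch_hash: int,
                      file_size: int = HEADER_SIZE) -> bytes:
    """Construct a minimal 0x54-byte SCCA header (sample data only; no file-information section)."""
    encoded = executable.encode("utf-16-le")
    if len(encoded) > EXECUTABLE_NAME_SIZE - 2:
        raise ValueError("executable name exceeds the 29-character header field")
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I4sII", header, 0, version, SCCA_SIGNATURE, 0, file_size)
    header[EXECUTABLE_NAME_OFFSET:EXECUTABLE_NAME_OFFSET + len(encoded)] = encoded
    struct.pack_into("<I", header, PREFETCH_HASH_OFFSET, prefetch_hash)
    return bytes(header)


# Constructed samples: a raw header built to match the page's file name, and a
# MAM container header claiming 0x2C00 bytes of decompressed content.
SAMPLE_RAW = build_scca_header(30, "ATOMICSERVICE.EXE", 0xCFFBD82A)
SAMPLE_MAM = MAM_PREFIX + b"\x04" + struct.pack("<I", 0x2C00) + bytes(16)


if __name__ == "__main__":
    print(inspect_prefetch(SAMPLE_RAW, "ATOMICSERVICE.EXE-CFFBD82A.pf"))
    print(inspect_prefetch(SAMPLE_RAW, "NOTEPAD.EXE-CFFBD82A.pf"))   # renamed .pf: mismatch
    print(inspect_prefetch(SAMPLE_MAM, "ATOMICSERVICE.EXE-CFFBD82A.pf"))
```

On a real Windows 10 image almost every file in `C:\Windows\Prefetch` will report `compressed: True`, which is the cue to hand it to PECmd; on Windows 7 images the raw branch applies and the name and hash check can be run across the whole directory.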

## Windows Prefetch Timeline Analysis

Processing the whole directory with `-d` writes two files to the output directory: `PECmd_Output.csv`, with one row per prefetch file (executable, run count, last and previous run times, volumes, files loaded), and `PECmd_Output_Timeline.csv`, with one row per recorded run time, which is the one to load when building a timeline.

```bash
PECmd.exe -d C:\Cases\E\Windows\prefetch --csv C:\Cases\Analysis\Execution
```

<figure><img src="/files/CJSUgbehApiBN2t6o5ww" alt=""><figcaption></figcaption></figure>

Let's open `PECmd_Output.csv` in Timeline Explorer.

<figure><img src="/files/dMSdfQw9gdVJbZ1hT2Ja" alt=""><figcaption></figcaption></figure>

Next, let's open `PECmd_Output_Timeline.csv` in Timeline Explorer. Because every recorded run time becomes its own row, sorting this file by the run time column gives an execution sequence that can be laid alongside the BAM and Amcache timestamps from earlier sections.

<figure><img src="/files/ReDuwWbBAZU2EYIFdARm" alt=""><figcaption></figcaption></figure>

