FaresMorcy
  • Whoami
  • Footprinting Labs
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • Shells & Payloads
    • The Live Engagement
  • Password Attacks
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • Active Directory Enumeration & Attacks
    • Active Directory Enumeration & Attacks
    • AD Enumeration & Attacks - Skills Assessment Part I
    • AD Enumeration & Attacks - Skills Assessment Part II
  • SOC Hackthebox Notes & Labs
    • Security Monitoring & SIEM Fundamentals Module
    • Windows Event Logs & Finding Evil Module
    • Introduction to Threat Hunting & Hunting With Elastic Module
    • Understanding Log Sources & Investigating with Splunk Module
      • Introduction To Splunk & SPL
      • Using Splunk Applications
      • Intrusion Detection With Splunk (Real-world Scenario)
      • Detecting Attacker Behavior With Splunk Based On TTPs
      • Detecting Attacker Behavior With Splunk Based On Analytics
      • Skills Assessment
    • Windows Attacks & Defense
      • Kerberoasting
      • AS-REProasting
      • GPP Passwords
      • GPO Permissions/GPO Files
      • Credentials in Shares
      • Credentials in Object Properties
      • DCSync
      • Golden Ticket
      • Kerberos Constrained Delegation
      • Print Spooler & NTLM Relaying
      • Coercing Attacks & Unconstrained Delegation
      • Object ACLs
      • PKI - ESC1
      • Skills Assessment
    • Intro to Network Traffic Analysis Module
    • YARA & Sigma for SOC Analysts Module
      • Developing YARA Rules
      • Hunting Evil with YARA (Windows Edition)
      • Hunting Evil with YARA (Linux Edition)
      • Sigma and Sigma Rules
      • Developing Sigma Rules
      • Hunting Evil with Sigma (Chainsaw Edition)
      • Hunting Evil with Sigma (Splunk Edition)
      • Skills Assessment
  • TryHackme SOC 1
    • TShark
      • TShark: The Basics
      • TShark: CLI Wireshark Features
      • TShark Challenge I: Teamwork
      • TShark Challenge II: Directory
    • Tempest
    • Boogeyman 1
    • Boogeyman 2
    • Boogeyman 3
  • TryHackme SOC 2
    • Advanced Splunk
      • Splunk: Exploring SPL
      • Splunk: Setting up a SOC Lab
      • Splunk: Dashboards and Reports
      • Splunk: Data Manipulation
      • Fixit
    • Advanced ELK
      • Slingshot
    • Threat Hunting
      • Threat Hunting: Foothold
      • Threat Hunting: Pivoting
      • Threat Hunting: Endgame
  • TryHackme Rooms
    • Investigating Windows
    • Splunk 2
    • Windows Network Analysis
  • Powershell Scripting Fundamentals
  • SANS SEC504 & Labs
    • Book one
      • Live Examination
      • Network Investigations
      • Memory Investigations
      • Malware Investigations
      • Accelerating IR with Generative AI
      • Bootcamp: Linux Olympics
      • Bootcamp: Powershell Olympics
    • Book Two
      • Hacker Tools and Techniques Introduction
      • Target Discovery and Enumeration
      • Discovery and Scanning with Nmap
      • Cloud Spotlight: Cloud Scanning
      • SMB Security
      • Defense Spotlight: Hayabusa and Sigma Rules
    • Book Three
      • Password Attacks
      • Cloud Spotlight: Microsoft 365 Password Attacks
      • Understanding Password Hashes
      • Password Cracking
      • Cloud Spotlight: Insecure Storage
      • Multipurpose Netcat
    • Book Four
      • Metasploit Framework
      • Drive-By Attacks
      • Command Injection
      • Cross-Site Scripting
      • SQL Injection
      • Cloud Spotlight: SSRF and IMDS
    • Book Five
      • Endpoint Security Bypass
      • Pivoting and Lateral Movement
      • Hijacking Attacks
      • Establishing Persistence
      • Defense Spotlight: RITA
      • Cloud Spotlight: Cloud Post-Exploitation
  • SANS SEC511 & Labs
    • Resources
      • Primers
      • References
      • Tools
        • Network
        • Elastic Stack
      • Printable Versions
    • Book One
      • Part One
      • Part Two
      • Part Three
    • Book Two
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Three
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Four
      • Part One
      • Part Two
      • Part Three Lab
      • Part Four Lab
    • Book Five
      • Part One Lab
      • Part Two Lab
      • Part Three Lab
  • CyberDefenders
    • XXE Infiltration Lab
    • T1594 Lab
    • RetailBreach Lab
    • DanaBot Lab
    • OpenWire Lab
    • BlueSky Ransomware Lab
    • Openfire Lab
    • Boss Of The SOC v1 Lab
    • GoldenSpray Lab
    • REvil Lab
    • ShadowRoast Lab
    • SolarDisruption Lab
    • Kerberoasted Lab
    • T1197 Lab
    • Amadey Lab
    • Malware Traffic Analysis 1 Lab
    • Insider Lab
    • Volatility Traces Lab
    • FalconEye Lab
    • GitTheGate Lab
    • Trident Lab
    • NerisBot Lab
  • Practical Windows Forensics
    • Data Collection
    • Examination
    • Disk Analysis Introduction
    • User Behavior
    • Overview of disk structures, partitions and file systems
    • Finding Evidence of Deleted Files with USN Journal Analysis
    • Analyzing Evidence of Program Execution
    • Finding Evidence of Persistence Mechanisms
    • Uncover Malicious Activity with Windows Event Log Analysis
    • Windows Memory Forensic Analysis
  • Hackthebox Rooms
    • Campfire-1
    • Compromised
    • Brutus
    • Trent
    • CrownJewel-1
  • WEInnovate Training
    • Weinnovate - Active Directory Task One
    • Build ELK Lab
      • Configure Elasticsearch and Kibana setup in ubuntu
      • Configure Fluent-Bit to send logs to ELK
      • Set up Winlogbeat & Filebeat for log collection
      • Send Logs from Winlogbeat through Logstash to ELK
      • Enable Windows Audit Policy & Winlogbeat
      • Elasticsearch API and Ingestion Pipeline
    • SOAR
      • Send Alerts To Email & Telegram Bot
      • Integrate Tines with ELK
    • SOC Practical Assessment
    • Lumma C2
    • Network Analysis
  • Build ELK Lab
    • Configure Elasticsearch and Kibana setup in ubuntu
    • Configure Fluent-Bit to send logs to ELK
    • Set up Winlogbeat & Filebeat for log collection
    • Send Logs from Winlogbeat through Logstash to ELK
    • Enable Windows Audit Policy & Winlogbeat
    • Elasticsearch API and Ingestion Pipeline
  • Build Home Lab - SOC Automation
    • Install & configure Sysmon for deep Windows event logging
    • Set up Wazuh & TheHive for threat detection & case management
    • Execute Mimikatz & create detection rules in Wazuh
    • Automate everything with Shuffle
    • Response to SSH Attack Using Shuffle, Wazuh, and TheHive
  • Home Lab (Attack & Defense Scenarios)
    • Pass-the-Hash Attack & Defense
    • Scheduled Task Attack & Defense
    • Kerberoasting Attack & Defense
    • Kerberos Constrained Delegation
    • Password Spraying Attack & Defense
    • Golden Ticket Attack & Defense
    • AS-REProasting Attack & Defense
    • DCSync Attack & Defense
  • Home Lab (FIN7 (Carbanak Group) – Point of Sale (POS) Attack on Hospitality Chains)
  • Home Lab (Lumma Stealer)
Powered by GitBook
On this page
  • BAM (Background Activity Moderator)
  • Application Compatibility Cache (ShimCache)
  • Overview of the Amcache
  • Windows Prefetch analysis with PECmd
  • Windows Prefetch Timeline Analysis
  1. Practical Windows Forensics

Analyzing Evidence of Program Execution

PreviousFinding Evidence of Deleted Files with USN Journal AnalysisNextFinding Evidence of Persistence Mechanisms

Last updated 5 months ago

BAM (Background Activity Moderator)

Registry: HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings

BAM tracks which applications and processes were executed, even if they are no longer active or present on the system.

Q) Which executables did the BAM record for the User (RID 1000) include, their last execution date and time?

Let's open the SYSTEM hive into Registry Explorer.

Alternatively, we can utilize the results obtained from RegRipper.

Application Compatibility Cache (ShimCache)

Register: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

The Application Compatibility Cache (ShimCache) is a feature in Windows operating systems designed to maintain compatibility for applications running on newer versions of Windows. It tracks the execution of applications, storing metadata such as the file path, last modified date, and file size.

ShimCache provides a snapshot of executables present on the system at the time of its last shutdown or reboot. This can be invaluable in digital forensic investigations to reconstruct timelines and detect unauthorized activities.

Since ShimCache entries are written to the hard drive during shutdown, it makes it harder for malicious actors to wipe out evidence of their activities.

Let's open the SYSTEM hive into Registry Explorer.

Cache Entry Positions are stored in chronological order, with the most recent entries at the top. This allows investigators to quickly see the most recent applications executed before a system shutdown or reboot.

By examining the order of entries, forensic analysts can reconstruct a timeline of application executions, helping to identify when specific actions were taken on the system.

Alternatively, we can utilize the results obtained from RegRipper.

We can also use a tool called AppCompatCacheParser.

AppCompatCacheParser.exe -f C:\Cases\Analysis\Registry\SYSTEM --csv C:\Cases\Analysis\Execution

Let's open this file using Timeline Explorer.

The Timeline Explorer confirms whether the executable was executed.

Overview of the Amcache

Registry: C:\Windows\AppCompat\Programs\Amcache.hve

The Amcache.hve file, located in the C:\Windows\AppCompat\Programs directory, is a forensic goldmine for investigating application execution on Windows systems. It serves as a database containing metadata about executables and other application-related artifacts that have been run on the system.

Unlike ShimCache, the Amcache records detailed metadata, often linked to executables that were executed rather than just accessed.

Let's open Amcache.hve using Registry Explorer.

We can also use a tool called AmcacheParser.

AmcacheParser.exe -f C:\Cases\E\Windows\AppCompat\Programs\Amcache.hve --csv C:\Cases\Analysis\Execution

Let's open "UnassociatedFileEntries" file using Timeline Explorer.

Windows Prefetch analysis with PECmd

Path: C:\Windows\Prefetch\*.pf

Windows Prefetch is a performance optimization feature designed to speed up the loading of applications by caching information about their execution. From a forensic perspective, Prefetch files provide valuable evidence of program execution, helping investigators identify what programs were run, when, and how often.

Prefetch files can provide evidence of program execution, even if the application has been deleted. This can be crucial in malware investigations and timeline analysis.

Let's use PECmd to examine the contents of the prefetch file "ATOMICSERVICE.EXE-CFFBD82A."

PECmd.exe -f C:\Cases\E\Windows\prefetch\ATOMICSERVICE.EXE-CFFBD82A.pf

Windows Prefetch Timeline Analysis

PECmd.exe -d C:\Cases\E\Windows\prefetch --csv C:\Cases\Analysis\Execution

Let's open "PECmd_Output.csv" using Timeline Explorer.

Next, let's open "PECmd_Output_Timeline" using Timeline Explorer.