Analyzing Evidence of Program Execution
Last updated
Registry: HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings
BAM tracks which applications and processes were executed, even if they are no longer active or present on the system.
Q) Which executables did the BAM record for the user with RID 1000, and what was the last execution date and time of each?
Let's open the SYSTEM hive into Registry Explorer.
Alternatively, we can utilize the results obtained from RegRipper.
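The following is an added example, not part of the original page or of Registry Explorer/RegRipper: it decodes BAM UserSettings values offline to answer the question above. It assumes the value layout given in the comments (the value name is the executable path and the binary data starts with an 8-byte FILETIME) and uses constructed sample data with placeholder SIDs.

```python
import struct
from datetime import datetime, timedelta, timezone
# Assumed layout of the BAM artifact described above: under
# HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>, each value is
# named after an executable path and its REG_BINARY data begins with an 8-byte
# little-endian FILETIME (100 ns ticks since 1601-01-01 UTC): the last run time.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SKIP_VALUES = {"Version", "SequenceNumber"}  # bookkeeping values, not executables

def filetime_to_datetime(ft):
    """Windows FILETIME integer -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_bam_user_settings(user_settings, rid=None):
    """user_settings: {SID subkey: {value name: raw bytes}} as read from the SYSTEM
    hive. Returns (sid, path, UTC datetime) newest first, optionally for one RID."""
    entries = []
    for sid, values in user_settings.items():
        # The RID is the last sub-authority of the SID, e.g. S-1-5-21-...-1000.
        if rid is not None and int(sid.rsplit("-", 1)[1]) != rid:
            continue
        for name, data in values.items():
            if name in SKIP_VALUES or len(data) < 8:
                continue  # bookkeeping value, or too short to hold a FILETIME
            (ft,) = struct.unpack_from("<Q", data, 0)
            entries.append((sid, name, filetime_to_datetime(ft)))
    return sorted(entries, key=lambda e: e[2], reverse=True)

def _bam_value(*ymdhm):
    # Constructed 24-byte BAM value: FILETIME followed by a zeroed remainder.
    ft = datetime_to_filetime(datetime(*ymdhm, tzinfo=timezone.utc))
    return struct.pack("<Q", ft) + b"\x00" * 16

# Constructed sample with placeholder SIDs (not taken from a real system).
SAMPLE_USER_SETTINGS = {
    "S-1-5-21-1111111111-2222222222-3333333333-1000": {
        "Version": b"\x01\x00\x00\x00",
        "SequenceNumber": b"\x05\x00\x00\x00",
        "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe": _bam_value(2023, 6, 15, 12, 30),
        "\\Device\\HarddiskVolume3\\Users\\user\\Downloads\\tool.exe": _bam_value(2023, 6, 16, 8, 5),
    },
    "S-1-5-21-1111111111-2222222222-3333333333-500": {
        "\\Device\\HarddiskVolume3\\Windows\\explorer.exe": _bam_value(2023, 6, 14, 9, 0),
    },
}
```

Calling `parse_bam_user_settings(SAMPLE_USER_SETTINGS, rid=1000)` returns only the RID 1000 entries, newest first, with the bookkeeping values skipped.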
Registry: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
The Application Compatibility Cache (ShimCache) is a feature in Windows operating systems designed to maintain compatibility for applications running on newer versions of Windows. It tracks the execution of applications, storing metadata such as the file path, last modified date, and file size.
ShimCache provides a snapshot of executables present on the system at the time of its last shutdown or reboot. This can be invaluable in digital forensic investigations to reconstruct timelines and detect unauthorized activities.
Because ShimCache entries are written to disk at shutdown, it is harder for malicious actors to wipe out evidence of their activity.
Let's open the SYSTEM hive into Registry Explorer.
Cache Entry Positions are stored in chronological order, with the most recent entries at the top. This allows investigators to quickly see the most recent applications executed before a system shutdown or reboot.
By examining the order of entries, forensic analysts can reconstruct a timeline of application executions, helping to identify when specific actions were taken on the system.
Alternatively, we can utilize the results obtained from RegRipper.
We can also use a tool called AppCompatCacheParser.
Let's open this file using Timeline Explorer.
The Timeline Explorer confirms whether the executable was executed.
Registry: C:\Windows\AppCompat\Programs\Amcache.hve
The Amcache.hve file, located in the C:\Windows\AppCompat\Programs directory, is a forensic goldmine for investigating application execution on Windows systems. It serves as a database containing metadata about executables and other application-related artifacts that have been run on the system.
Unlike ShimCache, the Amcache records detailed metadata, often linked to executables that were executed rather than just accessed.
Let's open Amcache.hve using Registry Explorer.
We can also use a tool called AmcacheParser.
Let's open the "UnassociatedFileEntries" file using Timeline Explorer.
Path: C:\Windows\Prefetch\*.pf
Windows Prefetch is a performance optimization feature designed to speed up the loading of applications by caching information about their execution. From a forensic perspective, Prefetch files provide valuable evidence of program execution, helping investigators identify what programs were run, when, and how often.
Prefetch files can provide evidence of program execution, even if the application has been deleted. This can be crucial in malware investigations and timeline analysis.
Let's use PECmd to examine the contents of the prefetch file "ATOMICSERVICE.EXE-CFFBD82A".
Let's open "PECmd_Output.csv" using Timeline Explorer.
Next, let's open "PECmd_Output_Timeline" using Timeline Explorer.