Tracing the Digital Footprints - Program Execution

Updated
6 min read

In the realm of digital forensics, understanding how and when programs were executed on a Windows system is paramount. These insights can unravel the narrative of an incident, identify malicious activity, or reconstruct user behavior. Windows operating systems, by design, leave behind a trail of artifacts that, when properly analyzed, provide invaluable evidence of program execution. Let's delve into some key artifacts that shed light on this critical aspect of forensic investigations.


UserAssist

The UserAssist artifact tracks GUI-based programs that have been launched from the desktop environment on a Windows system.

  • Location: This data lives in the NTUSER.DAT hive, under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count.

  • Interpretation: The value names stored here are ROT13-encoded, so they must be decoded to reveal the actual program paths; the binary value data holds the run count and last-run timestamp. The GUID of the subkey tells you what kind of launch is recorded:

    • On Windows XP, a GUID beginning with 75048700 signifies "Active Desktop".

    • On Windows 7, 8, and 10, a GUID beginning with CEBFF5CD indicates "Executable File Execution," while one beginning with F4E57C4B points to "Shortcut File Execution".


Windows 10 Timeline

Windows 10 introduced a "Timeline" feature that records recently used applications and files, accessible via the WIN+TAB key. This data is stored in a SQLite database.

  • Location: The timeline data resides at C:\Users\<profile>\AppData\Local\ConnectedDevicesPlatform\<random-name-folder>\ActivitiesCache.db.

  • Interpretation: This artifact provides crucial information about application execution and even the focus count per application, offering insights into user interaction and engagement with specific programs.
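The focus count mentioned above is not stored as a single number; it has to be derived from the Activity table. The following is an added example, not code from the original post: it builds an in-memory stand-in for ActivitiesCache.db using an assumed subset of the Activity table's columns (AppId as a JSON list, ActivityType, and StartTime/EndTime as Unix epoch seconds) with constructed rows, and aggregates opens, focus count and focus duration per application.

```python
import json
import sqlite3

# ActivityType values as commonly documented for ActivitiesCache.db (assumed here):
ACTIVITY_OPEN = 5     # application or document opened
ACTIVITY_INFOCUS = 6  # window in focus; EndTime - StartTime is the focus duration

def app_name(app_id_json):
    """AppId is a JSON list of {application, platform}; prefer the win32 entry."""
    entries = json.loads(app_id_json)
    for entry in entries:
        if entry.get("platform") == "windows_win32":
            return entry["application"]
    return entries[0]["application"]

def focus_summary(con):
    """Per application: opens, focus count and total focus seconds."""
    summary = {}
    rows = con.execute("SELECT AppId, ActivityType, StartTime, EndTime FROM Activity")
    for app_id, activity_type, start, end in rows:
        stats = summary.setdefault(app_name(app_id),
                                   {"opens": 0, "focus_count": 0, "focus_seconds": 0})
        if activity_type == ACTIVITY_OPEN:
            stats["opens"] += 1
        elif activity_type == ACTIVITY_INFOCUS:
            stats["focus_count"] += 1
            if end is not None and end >= start:  # unfinished sessions have no EndTime
                stats["focus_seconds"] += end - start
    return summary

def sample_db():
    """Constructed in-memory stand-in for ActivitiesCache.db using an assumed
    subset of the Activity table's columns; the rows are made up."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Activity (AppId TEXT, ActivityType INTEGER, "
                "StartTime INTEGER, EndTime INTEGER)")
    notepad = json.dumps([{"application": "C:\\Windows\\System32\\notepad.exe",
                           "platform": "windows_win32"}])
    cmd = json.dumps([{"application": "C:\\Windows\\System32\\cmd.exe",
                       "platform": "windows_win32"}])
    con.executemany("INSERT INTO Activity VALUES (?, ?, ?, ?)", [
        (notepad, ACTIVITY_OPEN, 1673784000, None),
        (notepad, ACTIVITY_INFOCUS, 1673784000, 1673784120),
        (notepad, ACTIVITY_INFOCUS, 1673784300, 1673784330),
        (cmd, ACTIVITY_OPEN, 1673785000, None),
        (cmd, ACTIVITY_INFOCUS, 1673785000, None),  # still in focus when captured
    ])
    return con
```

Against a real copy of the database, replace sample_db() with sqlite3.connect() on a copied ActivitiesCache.db and run focus_summary on it.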


BAM/DAM

The Windows Background Activity Moderator (BAM) and its related artifact, the Desktop Activity Moderator (DAM), are particularly useful for understanding background processes.

  • Location: On Windows 10 systems, these artifacts can be found in the SYSTEM hive: SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID} and SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}.

  • Interpretation: BAM and DAM provide the full path of the executable file that was run on the system, along with its last execution date/time. This can be vital for tracking both legitimate and unauthorized background activity.
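Both the UserAssist section above and the BAM/DAM section store their evidence as registry values with a FILETIME inside the binary data. The following is an added example, not code from the original post: it decodes a ROT13 UserAssist value name and its Windows 7+ Count data (layout assumed from public documentation of the format: run count at offset 4, focus count at 8, focus time in milliseconds at 12, last-run FILETIME at 60), and a BAM value whose name is the executable path and whose data begins with the last-run FILETIME; the sample bytes are constructed, not captured from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# UserAssist GUID prefixes named in the post and what each Count subkey records.
USERASSIST_GUIDS = {
    "CEBFF5CD": "Executable File Execution",
    "F4E57C4B": "Shortcut File Execution",
}

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def decode_userassist(guid, value_name, data):
    """Decode one Windows 7+ UserAssist entry: ROT13 value name plus the 72-byte
    Count value (assumed layout: run count at offset 4, focus count at 8,
    focus time in ms at 12, last-run FILETIME at 60)."""
    if len(data) != 72:
        raise ValueError("expected a 72-byte Windows 7+ Count value")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run = struct.unpack_from("<Q", data, 60)[0]
    return {
        "kind": USERASSIST_GUIDS.get(guid.strip("{").upper()[:8], "unknown"),
        "program": codecs.decode(value_name, "rot_13"),  # ROT13 is its own inverse
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run": filetime_to_dt(last_run) if last_run else None,
    }

def decode_bam(value_name, data):
    """BAM/DAM UserSettings\\{SID}: the value name is the executable path (in
    \\Device\\HarddiskVolumeN form) and the data starts with a last-run FILETIME."""
    last_run = struct.unpack_from("<Q", data, 0)[0]
    return {"path": value_name, "last_run": filetime_to_dt(last_run)}

# Constructed sample values (not captured from a real system).
SAMPLE_FILETIME = 133182576000000000  # 2023-01-15 12:00:00 UTC
SAMPLE_UA_DATA = (struct.pack("<IIII", 0, 5, 3, 45000) + bytes(44)
                  + struct.pack("<Q", SAMPLE_FILETIME) + bytes(4))
SAMPLE_BAM_DATA = struct.pack("<Q", SAMPLE_FILETIME) + bytes(16)

def demo():
    ua = decode_userassist("{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}",
                           "P:\\Jvaqbjf\\Flfgrz32\\abgrcnq.rkr", SAMPLE_UA_DATA)
    bam = decode_bam("\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", SAMPLE_BAM_DATA)
    return ua, bam
```

On a real hive, feed the value name and raw data read by a registry parser (for example python-registry) into the two decode functions.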


Shimcache (AppCompatCache)

The Windows Application Compatibility Database, often referred to as Shimcache or AppCompatCache, is a powerful artifact used by Windows to address potential application compatibility issues with executables.

  • Location:

    • On Windows XP, it's found at SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility.

    • For Windows 7, 8, and 10, the location is SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache.

  • Interpretation: Any executable run on the Windows system could potentially be found in this key. This makes it an excellent resource for identifying systems where specific malware might have been executed. The time-based data within Shimcache can help determine the last time of execution or activity on the system. Keep in mind that the timestamp stored per entry is the executable's $STANDARD_INFORMATION last modification time, not a separate execution timestamp, and that on Windows 7 and later an entry on its own does not prove the file was actually executed.

    • Windows XP systems will contain at most 96 entries, and the LastUpdateTime is updated when files are executed.

    • Windows 7 systems can have up to 1,024 entries, but the LastUpdateTime field does not exist.


Amcache.hve

The Amcache.hve registry file is utilized by the ProgramDataUpdater task (associated with the Application Experience Service) to store data during process creation.

  • Location: On Windows 7, 8, and 10, this file is located at C:\Windows\AppCompat\Programs\Amcache.hve.

  • Interpretation: Amcache.hve contains an entry for every executable that has been run. This includes critical details such as the full path of the executable, its $STANDARD_INFORMATION last modification time, and the disk volume from which it was executed. Notably, the First Run Time is equivalent to the Last Modification Time of the key itself. Furthermore, the SHA1 hash of the executable is also stored within the key, providing a valuable identifier for forensic analysis; note that this hash covers only the first 31,457,280 bytes of the file, so for larger binaries it will not match a whole-file hash.
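To compare a file recovered from disk against the hash Amcache recorded for it, the hash has to be computed the way Amcache does it. The following is an added example, not code from the original post: it hashes only the first 31,457,280 bytes of a stream, normalizes Amcache's FileId value (the SHA-1 hex digest prefixed with "0000"), and checks a constructed 32 MiB sample against both forms.

```python
import hashlib
import io

# Amcache hashes only the first 31,457,280 bytes of a file.
AMCACHE_HASH_LIMIT = 31_457_280

def amcache_sha1(stream):
    """SHA-1 of at most the first AMCACHE_HASH_LIMIT bytes of a binary stream."""
    digest = hashlib.sha1()
    remaining = AMCACHE_HASH_LIMIT
    while remaining > 0:
        chunk = stream.read(min(1 << 20, remaining))
        if not chunk:
            break
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()

def amcache_sha1_bytes(data):
    """Convenience wrapper for in-memory data."""
    return amcache_sha1(io.BytesIO(data))

def normalize_file_id(file_id):
    """Amcache's FileId value is the SHA-1 hex digest prefixed with '0000';
    return the bare 40-character digest so it can be compared or looked up."""
    file_id = file_id.strip().lower()
    if len(file_id) == 44 and file_id.startswith("0000"):
        return file_id[4:]
    return file_id

def matches_amcache(stream, file_id):
    """True if the file in `stream` is the one Amcache recorded under `file_id`."""
    return amcache_sha1(stream) == normalize_file_id(file_id)

def demo():
    # Constructed sample: a 32 MiB pseudo-binary, larger than the hash limit,
    # so a whole-file sha1sum would not equal the value Amcache stores.
    data = bytes(range(256)) * (32 * 1024 * 4)
    recorded = "0000" + hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()
    return {
        "amcache_match": matches_amcache(io.BytesIO(data), recorded),
        "whole_file_match": hashlib.sha1(data).hexdigest() == normalize_file_id(recorded),
    }
```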


System Resource Usage Monitor (SRUM)

The System Resource Usage Monitor (SRUM) logs historical system performance, typically for 30 to 60 days. It records applications run, the user account responsible for each, and network activity (bytes sent/received) per application per hour.

  • Location: SRUM data is found in a registry key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\{d10ca2fe-6fcf-4f6d-848e-b2e99266fa89} (Application Resource Usage Provider), and in an ESE database under C:\Windows\System32\SRU\. Other extensions, such as {973F5D5C-1D90-4944-BE8E-24B94231A174} (Windows Network Data Usage Monitor) and {DD6636C4-8929-4683-974E-22C046A43763} (Windows Network Connectivity Usage Monitor), are also relevant.

  • Interpretation: Tools like srum_dump.exe can be used to cross-correlate the data between the registry keys and the SRUM ESE Database. This allows investigators to see not only what was run but who ran it and the associated network activity, providing a comprehensive picture of resource utilization.


Jump Lists

Introduced with Windows 7, Jump Lists provide quick access to frequently or recently used items and tasks directly from the taskbar.

  • Location: Jump List data is stored in the AutomaticDestinations folder: C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations. Each file in this folder is named with the AppID of its associated application as a prefix.

  • Interpretation:

    • The Creation Time of an AppID file indicates the first time of execution of the application (or the first time an item was added to that AppID file).

    • The Modification Time indicates the last time the application was executed with a file open (or the last time an item was added to the AppID file).

    • Each AutomaticDestinations file is an OLE compound file whose entries are individual LNK structures, numbered from earliest to most recent. A list of common Jump List AppIDs can further aid in interpretation.


Last-Visited MRU

The Last-Visited MRU (Most Recently Used) artifact specifically tracks the executable used by an application to open files documented in the OpenSaveMRU key.

  • Location:

    • On Windows XP, it's found at NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU.

    • On Windows 7, 8, and 10, the location is NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU.

  • Interpretation: Beyond just the executable, this artifact also tracks the directory location for the last file accessed by that application. For instance, it could show that Notepad.exe was last run using the C:\%USERPROFILE%\Desktop folder.


Prefetch

Windows uses Prefetch files to improve system performance by pre-loading code pages of frequently used applications. The Cache Manager monitors file and directory references for each application and maps them into a .pf file.

  • Location: Prefetch files are located at C:\Windows\Prefetch across Windows XP, 7, 8, and 10.

  • Interpretation: The very existence of a .pf file indicates that an application was executed on the system. Each .pf file contains valuable information, including the last time of execution, the number of times the program was run, and the device and file handles used by the program. On Windows 10 the .pf files are stored compressed (they begin with a "MAM" signature) and must be decompressed before their contents can be parsed.

    • The first execution time can often be inferred from the Creation Date of the .pf file (minus approximately 10 seconds).

    • The last execution time is indicated by the embedded last execution time within the .pf file or the Last modification date of the .pf file (minus approximately 10 seconds).

    • It's important to note limitations: Windows XP and 7 are limited to 128 Prefetch files, while Windows 8 and 10 can store up to 1024. Windows 8-10 Prefetch files will also contain the last 8 execution times.


These Windows artifacts—UserAssist, Windows 10 Timeline, BAM/DAM, Shimcache, Amcache.hve, SRUM, Jump Lists, Last-Visited MRU, and Prefetch—collectively offer a powerful toolkit for digital forensic investigators. By understanding their descriptions, locations, and interpretations, examiners can reconstruct program execution events, identify suspicious activity, and build a clearer picture of user and system behavior. Each artifact provides unique pieces of the puzzle, and their combined analysis often yields the most comprehensive insights into the digital story.

Mithun Dev