Program Execution Artifacts Investigation Guide

baComplete DFIR Workflow & Cheatsheet

📚 Table of Contents

🎯 Artifact Priority Matrix

Quick Decision Guide: Which Artifact to Check First?

Investigation Goal

Primary Artifacts

Secondary Artifacts

Timeframe

Prove Execution

Prefetch, BAM/DAM

Amcache, SRUM

Minutes

Execution Timeline

Prefetch (last 8 times), BAM/DAM

ShimCache, Timeline

Minutes

User Activity

UserAssist, Jump Lists

Timeline, MRU

15-30 min

Malware Presence

Prefetch, ShimCache, Amcache

BAM/DAM

15-30 min

File Access History

Jump Lists, MRU

Timeline, SRUM

30-45 min

Network Activity

SRUM

Timeline

30 min

Deleted Files

$J, $LogFile

MFT, ShimCache

45-60 min

PowerShell Activity

ConsoleHost_history.txt

Event Logs

15 min

Hidden Data

ADS

MFT

30 min

🔍 Investigation Workflow

Phase 1: Quick Triage (First 15 Minutes)

Step 1: Determine Investigation Scope

□ What's the alert/indicator?
□ Do we have a specific executable name?
□ Do we have a timeframe?
□ Is this live system or forensic image?
□ What's the suspected malware/activity?

Step 2: Collect Core Artifacts (Live System)

# Create collection directory
New-Item -Path "C:\DFIR_Collection" -ItemType Directory -Force

# Collect Prefetch
Copy-Item "C:\Windows\Prefetch\*" -Destination "C:\DFIR_Collection\Prefetch\" -Recurse

# Export registry hives
reg save HKLM\SYSTEM "C:\DFIR_Collection\SYSTEM" /y
reg save HKLM\SOFTWARE "C:\DFIR_Collection\SOFTWARE" /y
reg save HKLM\SAM "C:\DFIR_Collection\SAM" /y

# Copy user profiles (for specific user)
$User = "username"
Copy-Item "C:\Users\$User\NTUSER.DAT" -Destination "C:\DFIR_Collection\"
Copy-Item "C:\Users\$User\AppData\Local\Microsoft\Windows\UsrClass.dat" -Destination "C:\DFIR_Collection\"

# Collect Amcache
Copy-Item "C:\Windows\AppCompat\Programs\Amcache.hve" -Destination "C:\DFIR_Collection\"

# Collect PowerShell history
Copy-Item "C:\Users\$User\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Destination "C:\DFIR_Collection\"

# Collect SRUM
Copy-Item "C:\Windows\System32\sru\SRUDB.dat" -Destination "C:\DFIR_Collection\"

# Collect Timeline
Copy-Item "C:\Users\$User\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db" -Destination "C:\DFIR_Collection\" -Recurse

Step 3: Quick Wins - Check These First

# 1. Check Prefetch for executable
Get-ChildItem C:\Windows\Prefetch\MALWARE*.pf -ErrorAction SilentlyContinue

# 2. Check BAM/DAM for recent execution
reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings" /s | findstr /i "malware"

# 3. Check PowerShell history
Get-Content "C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

# 4. Check running processes
Get-Process | Where-Object {$_.Name -like "*suspicious*"}

Phase 2: Detailed Analysis (30-60 Minutes)

Step 1: Execution Timeline Construction

Use these artifacts in order:
1. Prefetch (last 8 execution times + run count)
2. BAM/DAM (last execution time, up to 1 week)
3. Timeline (30 days of activity)
4. ShimCache (presence, not execution proof)
5. Amcache (presence, metadata, SHA1 hash)

Step 2: User Activity Analysis

1. UserAssist (GUI program launches)
2. Jump Lists (files accessed by applications)
3. MRU (recent documents, commands)
4. Timeline (comprehensive activity log)

Step 3: Persistence & IOC Extraction

1. Run Keys (registry persistence)
2. ShimCache (check unusual paths)
3. Amcache (get SHA1 hashes)
4. ADS (hidden files)

💾 Prefetch Analysis

Overview

Purpose: Evidence of program execution with timestamps
Location: C:\Windows\Prefetch
Format: (exename)-(hash).pf
Retention: Up to 1,024 files (128 on Server 2016+)
Enabled: Workstations by default, NOT on servers

Key Information Available

Data Point

Description

Forensic Value

Execution Count

Total times executed

Distinguish single vs. repeated execution

Last 8 Run Times

Win10/11 store last 8 timestamps

Timeline of activity

File Path

Original execution location

Identify unusual paths

Files Referenced

DLLs, resources loaded

Understand program behavior

Volumes

Drives accessed

Removable media usage

Creation Time

First execution time (-10 sec)

Initial compromise time

Modification Time

Last execution time (-10 sec)

Most recent activity

Registry Configuration Check

Check if Prefetch is Enabled:

# Check registry value
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" -Name EnablePrefetcher

# Values:
# 0 = Disabled
# 1 = Application Prefetching Only
# 2 = Boot Prefetching Only  
# 3 = Both Enabled (default on workstations)

Collection & Analysis

Using PECmd (Prefetch Explorer Command Line):

# Single file analysis
.\PECmd.exe -f "C:\Windows\Prefetch\CMD.EXE-8E75B5BB.pf"

# Single file with CSV output
.\PECmd.exe -f "C:\Windows\Prefetch\MALWARE.EXE-1234ABCD.pf" --csv "C:\Analysis" --csvf malware_prefetch.csv

# Entire directory analysis
.\PECmd.exe -d "C:\Windows\Prefetch" --csv "C:\Analysis" --csvf all_prefetch.csv

# With quiet mode (less console output)
.\PECmd.exe -d "C:\Windows\Prefetch" -q --csv "C:\Analysis" --csvf all_prefetch.csv

# Include Volume Shadow Copies
.\PECmd.exe -d "C:\Windows\Prefetch" --csv "C:\Analysis" --csvf prefetch_with_vss.csv --vss

# Highlight suspicious keywords
.\PECmd.exe -d "C:\Windows\Prefetch" --csv "C:\Analysis" --csvf prefetch.csv -k "temp,downloads,appdata,public"

# High precision timestamps
.\PECmd.exe -d "C:\Windows\Prefetch" -q --csv "C:\Analysis" --csvf prefetch.csv --mp

Using WinPrefetchView:

1. Download from NirSoft
2. Run WinPrefetchView.exe
3. File → Select Folder → Choose C:\Windows\Prefetch
4. File → Export → CSV

Analysis Tips

🔴 Red Flags to Look For:

Multiple Prefetch Files for Same Executable
```
CMD.EXE-0BD30981.pf  (Normal: C:\Windows\System32\cmd.exe)
CMD.EXE-8A7E2C91.pf  (Suspicious: C:\Users\Public\cmd.exe)
```
- Different hash = different path or command line
- Indicates executable run from non-standard location

Executables from Suspicious Paths

# Search Prefetch for suspicious paths
.\PECmd.exe -d "C:\Windows\Prefetch" --csv "C:\Analysis" --csvf prefetch.csv -k "temp,appdata,downloads,public,recycle"

C:\Users\*\Downloads\
C:\Users\*\AppData\Local\Temp\
C:\Users\Public\
C:\$Recycle.Bin\
C:\ProgramData\

Known Malware Names

MIMIKATZ.EXE-*.pf
PSEXEC.EXE-*.pf (on non-admin workstation)
PROCDUMP.EXE-*.pf
PWDUMP.EXE-*.pf

Hosting Applications with Multiple Hashes

Normal:
- RUNDLL32.EXE (multiple hashes normal - based on DLL loaded)
- SVCHOST.EXE (multiple hashes normal - different services)
- DLLHOST.EXE
- BACKGROUNDTASKHOST.EXE

Investigation needed if count is excessive (>20)

Low Run Count with Recent Execution
- Run count = 1 or 2
- Recent modification time
- Possibly newly introduced malware

Prefetch Timeline Analysis:

# Parse all Prefetch and create timeline
.\PECmd.exe -d "C:\Windows\Prefetch" --csv "C:\Analysis" --csvf timeline.csv --mp

# Import into Excel/Timeline Explorer and sort by:
# - Last Run Time (column: LastRun)
# - Review "Previous Run Times" for pattern
# - Check "Run Count" for frequency
# - Examine "Files Loaded" for suspicious DLLs

Pro Tips:

⚠️ CRITICAL: Running forensic tools creates Prefetch files!

Prioritize Prefetch collection FIRST
Oldest files deleted when limit reached (1,024)
Use forensic imaging to preserve evidence

✅ Win10/11 Compression: Files are compressed - use PECmd to decompress automatically

✅ Execution != Success: Prefetch created even if program crashes/fails

✅ Network Execution: Programs run from network shares create Prefetch on local system

⚡ BAM/DAM Analysis

Overview

BAM: Background Activity Moderator
DAM: Desktop Activity Moderator
Purpose: Control background app activity
Available: Windows 10 1709+ / Server 2016+
Retention: ~7 days

Key Information Available

Data Point

Description

Full Path

Complete path to executable

Last Execution Time

Most recent execution timestamp

User SID

Which user executed the program

Location

HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}
HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\{SID}

Collection & Analysis

Manual Registry Query:

# Query BAM for all users
reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings" /s

# Query DAM for all users
reg query "HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings" /s

# Search for specific executable
reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings" /s | findstr /i "malware.exe"

# Query for specific user SID
reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-XXX" /s

PowerShell Parsing:

# Parse BAM entries
$BAMPath = "HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings"
Get-ChildItem $BAMPath | ForEach-Object {
    $UserSID = $_.PSChildName
    $Props = Get-ItemProperty $_.PSPath
    
    $Props.PSObject.Properties | Where-Object {$_.Name -like "*\*"} | ForEach-Object {
        $ExecutablePath = $_.Name
        $RawTimestamp = $_.Value
        
        # Convert timestamp (stored as filetime)
        if ($RawTimestamp -is [byte[]]) {
            $Timestamp = [DateTime]::FromFileTime([BitConverter]::ToInt64($RawTimestamp, 0))
        }
        
        [PSCustomObject]@{
            UserSID = $UserSID
            ExecutablePath = $ExecutablePath
            LastExecutionTime = $Timestamp
        }
    }
} | Export-Csv C:\Analysis\BAM_Parsed.csv -NoTypeInformation

Using RegistryExplorer:

1. Load SYSTEM hive
2. Navigate to: CurrentControlSet\Services\bam\State\UserSettings
3. Expand each SID subkey
4. Review values (executable paths with timestamps)
5. Export to CSV

Using BamParser.py:

# Parse exported SYSTEM hive
python BamParser.py -f SYSTEM -o bam_output.csv

Analysis Tips

Investigation Workflow:

1. Identify User → Match SID to username using:
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
   
2. Review Execution Paths → Look for:
   - Temp directories
   - Downloads folders
   - Removable media (E:, F:)
   - Suspicious locations
   
3. Correlate with Other Artifacts → Cross-reference with:
   - Prefetch (confirm execution + get more details)
   - Event Logs (logon sessions)
   - Timeline (broader activity context)

Red Flags:

✓ Service accounts executing interactive programs
✓ Executables from external drives
✓ Programs in temp/download folders
✓ Execution outside business hours
✓ Known attack tools (mimikatz, psexec, procdump)

Limitations:

⚠️ Shows LAST execution only (not historical) ⚠️ ~7 day retention ⚠️ Doesn't prove execution success ⚠️ Can be cleared on reboot (not persistent)

📋 ShimCache Analysis

Overview

Official Name: Application Compatibility Cache
Purpose: Track compatibility settings for programs
Key Feature: Tracks executables even if NOT executed
Location: SYSTEM registry hive
Retention: 1,024 entries (Win7+)

CRITICAL Understanding

⚠️ IMPORTANT: ShimCache in Win10+ does NOT prove execution
   - Proves: File existed/was present on system
   - Does NOT prove: File was actually executed
   - Use for: Malware presence, timeline, deleted file evidence

Key Information Available

Data Point

Description

Forensic Value

Full Path

Complete path to executable

Identify malware location

File Size

Size of executable

Cross-reference with known malware

Last Modified Time

File's last modification timestamp

Timeline analysis

Existence

Proof file was present

Evidence even if deleted

Location

Live System:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

File:
C:\Windows\System32\config\SYSTEM

Determine Current ControlSet:
HKLM\SYSTEM\Select\Current

Collection & Analysis

Using AppCompatCacheParser:

# Parse live system
.\AppCompatCacheParser.exe -t --csv "C:\Analysis" --csvf shimcache.csv

# Parse exported SYSTEM hive
.\AppCompatCacheParser.exe -f "C:\Evidence\SYSTEM" --csv "C:\Analysis" --csvf shimcache.csv

# Include all control sets
.\AppCompatCacheParser.exe -f "C:\Evidence\SYSTEM" --csv "C:\Analysis" --csvf shimcache_all.csv -t

Manual Registry Export:

# Export ShimCache key
reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" C:\Analysis\shimcache.reg

Analysis Tips

Understanding the Output:

Key Columns in CSV:
- CacheEntryPosition: Position in cache (0 = most recent)
- Path: Full path to executable
- LastModifiedTimeUTC: File's modification time
- Executed: (Win7/8 only - not reliable in Win10+)

Investigation Workflow:

Sort by CacheEntryPosition (most recent = position 0)
- Recent activity appears first
- Useful for timeline

Search for Suspicious Patterns:

# Import CSV and filter
$ShimCache = Import-Csv C:\Analysis\shimcache.csv

# Suspicious paths
$ShimCache | Where-Object {
    $_.Path -match "temp|tmp|downloads|public|appdata\\local\\temp|recycle"
}

# Known malware names
$ShimCache | Where-Object {
    $_.Path -match "mimikatz|psexec|procdump|pwdump|cobalt"
}

# Single/two letter executables
$ShimCache | Where-Object {
    $_.Path -match "\\[a-z]{1,2}\.exe$"
}

Cross-Reference with Prefetch:

ShimCache shows presence → Prefetch proves execution

If in ShimCache but NOT in Prefetch:
- May not have been executed
- May have been deleted
- May have been blocked

Red Flags:

🚩 Executables from:
   - C:\Users\Public\
   - C:\Windows\Temp\
   - C:\$Recycle.Bin\
   - System Volume Information
   - Removable media roots (E:\, F:\)

🚩 Unusual system tool locations:
   - cmd.exe NOT in System32
   - powershell.exe in Downloads
   - net.exe in Temp

🚩 LOLBins in suspicious contexts:
   - regsvr32.exe with DLLs from temp
   - rundll32.exe from appdata
   - mshta.exe from downloads

Timeline Analysis:

ShimCache updates on shutdown/reboot only!

Entries added to cache when:
1. File is first accessed
2. File metadata is checked
3. Compatibility check performed

Last Modified Time = File's timestamp, NOT when added to cache

Pro Tips:

✅ Deleted File Recovery: ShimCache may be only evidence of deleted malware

✅ Pre-Execution Evidence: Files scanned by AV/security tools appear in ShimCache

✅ Network Drive Execution: UNC paths captured if executed

⚠️ False Positives: Installers, Windows Updates create many entries

🗂️ Amcache Analysis

Overview

Location: C:\Windows\AppCompat\Programs\Amcache.hve
Purpose: Track installed applications and executed programs
Key Feature: Contains SHA1 hashes of executables!
Retention: Long-term (not time-limited)

Key Information Available

Data Point

Description

Forensic Value

Full Path

Complete path to executable

Malware location

SHA1 Hash

File hash

Malware identification

File Size

Size of file

Cross-reference

Compilation Time

PE header timestamp

Build date

Publisher

Code signing certificate

Legitimacy check

File Version

Version info

Specific variant

Language

Program language

Target analysis

File Modified Time

Last modification

Timeline

CRITICAL Understanding

⚠️ Amcache shows PRESENCE, not necessarily EXECUTION
   - Entries created during: Installation, file discovery, program execution
   - Use as: Evidence of file existence, hash extraction, metadata collection
   - Don't use as: Definitive proof of execution (use Prefetch for that)

Collection & Analysis

Collection (Live System):

# Copy Amcache files
Copy-Item "C:\Windows\AppCompat\Programs\Amcache.hve" -Destination "C:\Analysis\"
Copy-Item "C:\Windows\AppCompat\Programs\Amcache.hve.LOG1" -Destination "C:\Analysis\"
Copy-Item "C:\Windows\AppCompat\Programs\Amcache.hve.LOG2" -Destination "C:\Analysis\"

Collection (FTK Imager):

1. File → Add Evidence Item → Physical Drive
2. Navigate: [Windows]\AppCompat\Programs\
3. Select: Amcache.hve, Amcache.hve.LOG1, Amcache.hve.LOG2
4. Right-click → Export Files

Using AmcacheParser:

# Parse Amcache (live system)
.\AmcacheParser.exe -f "C:\Windows\AppCompat\Programs\Amcache.hve" --csv "C:\Analysis" --csvf amcache.csv

# Parse Amcache (exported file)
.\AmcacheParser.exe -f "C:\Evidence\Amcache.hve" --csv "C:\Analysis" --csvf amcache.csv

# Include unassociated file entries
.\AmcacheParser.exe -f "C:\Evidence\Amcache.hve" -i --csv "C:\Analysis" --csvf amcache_full.csv

# With whitelist (filter known goods)
.\AmcacheParser.exe -f "C:\Evidence\Amcache.hve" -w "C:\whitelists\microsoft.txt" --csv "C:\Analysis"

Using Registry Explorer:

1. Run RegistryExplorer.exe as Administrator
2. File → Load Hive → Select Amcache.hve
3. Navigate: ROOT → InventoryApplicationFile (programs executed)
4. Navigate: ROOT → InventoryDriverBinary (drivers loaded)
5. Review entries, export to CSV

Analysis Tips

Key Tables in Amcache:

InventoryApplicationFile: Executables that ran or were installed
InventoryDriverBinary: Driver files loaded
Programs: Installed applications (MSI, setup)

Investigation Workflow:

Extract SHA1 Hashes:

# Parse and extract hashes
.\AmcacheParser.exe -f Amcache.hve --csv C:\Analysis

# Open output CSV: Amcache_UnassociatedFileEntries.csv
# Column: SHA1

Check Hashes Against Threat Intelligence:

# Extract unique SHA1s
$Hashes = Import-Csv C:\Analysis\Amcache_UnassociatedFileEntries.csv | 
    Select-Object -ExpandProperty SHA1 -Unique

# Check against VirusTotal (API required)
# Check against internal malware database

Identify Suspicious Paths:

$Amcache = Import-Csv C:\Analysis\Amcache_UnassociatedFileEntries.csv

$Amcache | Where-Object {
    $_.FullPath -match "temp|downloads|public|appdata\\local\\temp"
} | Select-Object FullPath, SHA1, FileSize, Created, Modified

Check Unsigned/Unknown Publishers:

$Amcache | Where-Object {
    $_.Publisher -eq "" -or $_.Publisher -eq $null
} | Select-Object FullPath, SHA1, FileSize

Analyze Compilation Times:

# Executables compiled recently (possible custom malware)
$Amcache | Where-Object {
    $_.CompileTime -gt (Get-Date).AddDays(-30)
}

Red Flags:

🚩 No publisher information (unsigned)
🚩 Recent compilation time (custom-built malware)
🚩 Small file size (<100KB for .exe)
🚩 Suspicious paths (temp, downloads, appdata)
🚩 SHA1 hash matches known malware
🚩 Mismatched file names (e.g., "svchost.exe" in Downloads)

Cross-Reference Strategy:

Amcache → Get SHA1 → Check VirusTotal
         ↓
    Get Path → Check Prefetch (was it executed?)
         ↓
    Get Timestamp → Build timeline

Pro Tips:

✅ Hash Database: Build whitelist of known-good Microsoft hashes

✅ Driver Analysis: InventoryDriverBinary tracks drivers (rootkit detection)

✅ Portable Apps: External USB executables tracked

⚠️ Compilation Time: Can be forged by attacker

🔗 Jump Lists Analysis

Overview

Purpose: Track recently/frequently accessed files per application
Location: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\
Types:
- AutomaticDestinations (automatic)
- CustomDestinations (pinned to taskbar)
Retention: ~2,000 items per application

Key Information Available

Data Point

Description

Forensic Value

Target Path

File accessed

Document analysis

Timestamps

Access times

Timeline

File Size

Size of target

Verification

Volume Info

Local/Network/USB

Data exfil detection

Network Path

UNC paths

Lateral movement

MRU Order

Access frequency

User behavior

Location Details

AutomaticDestinations:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\

CustomDestinations:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\

Naming Format:
{AppID}.automaticDestinations-ms
{AppID}.customDestinations-ms

Example:
f01b4d95cf55d32a.automaticDestinations-ms = Microsoft Word

Common Application IDs

AppID

Application

f01b4d95cf55d32a

Microsoft Word

23646679aaccfae0

Microsoft Excel

1b72d5ec7c8ef7f6

Microsoft PowerPoint

5d696d521de238c3

Notepad

9b9cdc69c1c24e2b

File Explorer

fb3b0dbfee58fac8

Remote Desktop

7cfdf86b2e3d65ef

Paint

1ac14e77410f4e4b

Chrome

bc3e45ec13a6059e

Edge

Full List: https://dfir.to/EZJumpList

Collection & Analysis

Collection:

# Copy all jump lists for user
$User = "username"
Copy-Item "C:\Users\$User\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\*" -Destination "C:\Analysis\JumpLists\Auto\"
Copy-Item "C:\Users\$User\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\*" -Destination "C:\Analysis\JumpLists\Custom\"

Using JLECmd (JumpList Explorer Command Line):

# Single file
.\JLECmd.exe -f "C:\Users\john\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms" --csv "C:\Analysis" -q

# All jump lists for user
.\JLECmd.exe -d "C:\Users\john\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv "C:\Analysis" -q

# Both Auto and Custom
.\JLECmd.exe -d "C:\Users\john\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv "C:\Analysis" --csvf auto.csv -q
.\JLECmd.exe -d "C:\Users\john\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations" --csv "C:\Analysis" --csvf custom.csv -q

Using JumpListExplorer (GUI):

1. Run JumpListExplorer.exe
2. File → Load Jump List Directory
3. Select AutomaticDestinations folder
4. Review entries by application
5. Export → CSV

Analysis Tips

Investigation Workflows:

1. Recent Document Access:

# Parse all jump lists
.\JLECmd.exe -d "C:\Users\john\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv "C:\Analysis"

# Import and filter
$JumpLists = Import-Csv C:\Analysis\*.csv

# Documents accessed in last 7 days
$JumpLists | Where-Object {
    [datetime]$_.LastModified -gt (Get-Date).AddDays(-7)
} | Select-Object AppId, TargetPath, LastModified, FileSize

2. Network Share Access (Lateral Movement):

# Find UNC paths
$JumpLists | Where-Object {
    $_.TargetPath -match "^\\\\"
} | Select-Object AppId, TargetPath, LastModified

# Group by server
$JumpLists | Where-Object {$_.TargetPath -match "^\\\\"} | 
    Group-Object @{Expression={($_.TargetPath -split '\\')[2]}}

3. External Drive Usage:

# USB/External drives (E:, F:, etc.)
$JumpLists | Where-Object {
    $_.TargetPath -match "^[E-Z]:\\"
} | Select-Object AppId, TargetPath, VolumeLabel, VolumeSerialNumber

4. Sensitive File Access:

# Look for sensitive documents
$JumpLists | Where-Object {
    $_.TargetPath -match "password|confidential|secret|ssn|credential|private"
} | Select-Object AppId, TargetPath, LastModified

5. RDP Connection History:

# Remote Desktop jump lists (AppID: fb3b0dbfee58fac8)
$RDP = $JumpLists | Where-Object {$_.AppId -eq "fb3b0dbfee58fac8"}

# Extract destination IPs/hostnames
$RDP | Select-Object TargetPath, LastModified | Format-Table

Red Flags:

🚩 Access to \\C$ or \\ADMIN$ shares (lateral movement)
🚩 Documents from external drives (data exfiltration)
🚩 Access to unusual file types (.ps1, .exe, .dll via Office)
🚩 RDP connections to suspicious IPs
🚩 Recent access to sensitive documents during off-hours
🚩 Access to files on systems user shouldn't reach

Investigation Scenarios:

Scenario 1: Data Exfiltration

Check Jump Lists for:
1. External drive letters (E:, F:, G:)
2. Files copied to USB
3. Volume serial numbers (track specific USB devices)
4. Timestamp correlation with logon/logoff

Scenario 2: Lateral Movement

Check Jump Lists for:
1. UNC paths (\\SERVER\Share\)
2. Access to admin shares (\\HOST\C$)
3. RDP connection history
4. Timeline of access across multiple systems

Scenario 3: Document Activity

Check Jump Lists for:
1. Recently accessed files
2. Deleted documents (Jump List persists after deletion)
3. Access patterns (frequency)
4. Shared documents

Pro Tips:

✅ Persistence: Jump Lists survive file deletion (evidence of deleted files)

✅ MRU Order: Most recently used = position 0

✅ Link Files: Each entry is essentially a .lnk file with rich metadata

⚠️ Privacy Mode: Private browsing doesn't create jump list entries

🖱️ UserAssist Analysis

Overview

Purpose: Track GUI-based program launches
Location: NTUSER.DAT registry hive per user
Encoding: ROT13 (rotate 13 characters)
Retention: Persistent (doesn't age out)

Key Information Available

Data Point

Description

Forensic Value

Program Path

Full path to executable

Malware location

Last Run Time

Most recent execution

Timeline

Run Count

Number of times executed

Frequency analysis

Focus Time

Time application had focus

Usage duration

Focus Count

Times app received focus

User interaction

Location

Registry Path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

File Location:
C:\Users\{Username}\NTUSER.DAT

GUIDs:
{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} = Executable File Execution
{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} = Shortcut File Execution

Collection & Analysis

Manual Registry Query (requires decoding):

# View raw (ROT13 encoded) entries
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count"

Using Registry Explorer (Recommended):

1. Run RegistryExplorer.exe as Administrator
2. File → Live System (or load NTUSER.DAT)
3. Navigate: ROOT → Software → Microsoft → Windows → CurrentVersion → Explorer → UserAssist
4. Expand CEBFF5CD (Executables) and F4E57C4B (Shortcuts)
5. Review decoded values
6. Export to CSV

Using RegRipper:

# Extract and parse NTUSER.DAT
.\rr.exe -r "C:\Users\john\NTUSER.DAT" -p userassist > userassist_output.txt

PowerShell Parsing with ROT13 Decode:

function Decode-ROT13 {
    param([string]$EncodedString)
    $decoded = ""
    foreach ($char in $EncodedString.ToCharArray()) {
        if ($char -match '[A-Za-z]') {
            $base = if ($char -match '[A-Z]') { 65 } else { 97 }
            $decoded += [char](((([int]$char - $base + 13) % 26) + $base))
        } else {
            $decoded += $char
        }
    }
    return $decoded
}

# Parse UserAssist
$UserAssistPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count"

Get-ItemProperty -Path $UserAssistPath | 
    Select-Object * -ExcludeProperty PS* | 
    ForEach-Object {
        $_.PSObject.Properties | Where-Object {$_.Name -notlike "PS*"} | ForEach-Object {
            $EncodedPath = $_.Name
            $DecodedPath = Decode-ROT13 $EncodedPath
            $Value = $_.Value
            
            # Parse value (binary data containing timestamps and counts)
            [PSCustomObject]@{
                DecodedPath = $DecodedPath
                RawValue = $Value
            }
        }
    } | Export-Csv C:\Analysis\UserAssist_Decoded.csv -NoTypeInformation

Analysis Tips

Investigation Workflow:

Load and Decode:
- Use Registry Explorer (automatic decoding)
- Or manually decode ROT13 values
Sort by Last Run Time:
```
Recent = Potential compromise timeframe
```

Filter Suspicious Executables:

# Look for executables from suspicious paths
# Temp directories, Downloads, Public folders

Check Run Counts:

Run Count = 1: Recently introduced program (possible malware)
High Count: Frequently used (legitimate or persistent malware)

Red Flags:

🚩 Executables from:
   - C:\Users\*\Downloads\
   - C:\Users\*\AppData\Local\Temp\
   - C:\Users\Public\
   - External drives

🚩 Known attack tools:
   - mimikatz.exe
   - procdump.exe
   - psexec.exe
   - nc.exe (netcat)

🚩 Suspicious patterns:
   - Random executable names
   - Single-letter executables (a.exe, x.exe)
   - Missing descriptions

Example Analysis:

Decoded Entry: C:\Users\John\Downloads\updater.exe
Last Run Time: 2025-11-29 02:34:12
Run Count: 1
Focus Time: 2 seconds

Analysis:
- Run from Downloads (suspicious)
- Executed once (recently introduced)
- Very short focus time (automated/non-GUI?)
- Generic name (suspicious)
→ HIGH PRIORITY for investigation

Pro Tips:

✅ GUI Only: Only tracks programs with GUI (not console applications)

✅ Persistence: Survives file deletion

✅ Focus Time: Helps distinguish user interaction vs. automated execution

⚠️ Encoding: ROT13 is obfuscation, not encryption

📅 Windows Timeline Analysis

Overview

Feature: Windows 10 Timeline (deprecated in late Win10/Win11)
Database: SQLite (ActivitiesCache.db)
Location: Per-user profile
Retention: 30 days
Status: Feature deprecated but database still populated

Key Information Available

Data Point

Description

Forensic Value

Application

Program executed

Activity identification

Start Time

Activity start

Timeline

End Time

Activity end

Duration calculation

Duration

How long active

Usage analysis

Files/URLs

Items opened

Content accessed

Expiration Time

Record expiry

Data retention

Location

C:\Users\{Username}\AppData\Local\ConnectedDevicesPlatform\{Profile-ID}\ActivitiesCache.db

Multiple profile IDs possible (one per Microsoft account/local account)

Collection & Analysis

Collection:

# Find and copy all Timeline databases
$User = "username"
Get-ChildItem "C:\Users\$User\AppData\Local\ConnectedDevicesPlatform\" -Recurse -Filter "ActivitiesCache.db" | 
    Copy-Item -Destination "C:\Analysis\Timeline\" -Force

Using WxTCmd (Windows Timeline Parser):

# Parse Timeline database
.\WxTCmd.exe -f "C:\Users\john\AppData\Local\ConnectedDevicesPlatform\L.john\ActivitiesCache.db" --csv "C:\Analysis" --csvf timeline.csv

# Parse all for user
Get-ChildItem "C:\Users\john\AppData\Local\ConnectedDevicesPlatform\" -Recurse -Filter "ActivitiesCache.db" | 
    ForEach-Object {
        .\WxTCmd.exe -f $_.FullName --csv "C:\Analysis" --csvf "timeline_$($_.Directory.Name).csv"
    }

Using DB Browser for SQLite:

1. Download DB Browser for SQLite
2. Open Database → Select ActivitiesCache.db
3. Browse Data tab → Select tables:
   - Activity (main activity records)
   - Activity_PackageId (application info)
   - ActivityOperation (changes)
4. Execute SQL queries or export tables

Useful SQL Queries:

-- All activities in last 7 days
SELECT 
    Id,
    AppId,
    PackageIdHash,
    AppActivityId,
    ActivityType,
    datetime(StartTime, 'unixepoch') as StartTime,
    datetime(EndTime, 'unixepoch') as EndTime,
    datetime(LastModifiedTime, 'unixepoch') as LastModified,
    OriginalPayload
FROM Activity
WHERE StartTime > strftime('%s', 'now', '-7 days')
ORDER BY StartTime DESC;

-- Application usage summary
SELECT 
    AppId,
    COUNT(*) as ActivityCount,
    SUM(EndTime - StartTime) as TotalDuration
FROM Activity
GROUP BY AppId
ORDER BY ActivityCount DESC;

-- Activities with URLs/files
SELECT 
    datetime(StartTime, 'unixepoch') as StartTime,
    AppId,
    json_extract(OriginalPayload, '$.displayText') as DisplayText,
    json_extract(OriginalPayload, '$.contentUri') as ContentUri
FROM Activity
WHERE ContentUri IS NOT NULL
ORDER BY StartTime DESC;

Analysis Tips

Investigation Workflows:

1. Timeline Reconstruction:

Use Timeline to understand:
- What applications were used
- When they were used
- For how long
- What files/URLs were accessed

2. Document Access Analysis:

-- Find specific document access
SELECT 
    datetime(StartTime, 'unixepoch') as AccessTime,
    AppId,
    json_extract(OriginalPayload, '$.displayText') as FileName
FROM Activity
WHERE OriginalPayload LIKE '%confidential%'
ORDER BY StartTime DESC;

3. Web Browsing History:

-- Extract URLs visited
SELECT 
    datetime(StartTime, 'unixepoch') as VisitTime,
    json_extract(OriginalPayload, '$.contentUri') as URL,
    json_extract(OriginalPayload, '$.displayText') as PageTitle
FROM Activity
WHERE AppId LIKE '%browser%'
ORDER BY StartTime DESC;

4. Application Usage Patterns:

- Peak usage hours
- Weekend vs. weekday activity
- After-hours usage
- Anomalous application usage

Red Flags:

🚩 Off-hours activity (nights, weekends)
🚩 Access to sensitive documents
🚩 Unusual applications
🚩 High activity during account compromise window
🚩 Access to external URLs/cloud storage

Pro Tips:

✅ JSON Payloads: OriginalPayload column contains rich JSON data

✅ Cross-Platform: Can sync across devices (Microsoft account)

✅ Persistence: Survives after feature deprecation

⚠️ Privacy: Users can disable/clear timeline

📊 SRUM Analysis

Overview

Name: System Resource Usage Monitor
Purpose: Track application resource usage, network activity
Location: C:\Windows\System32\sru\SRUDB.dat
Format: ESE database
Retention: 30-60 days

Key Information Available

Data Point

Description

Forensic Value

Network Usage

Bytes sent/received per app

Data exfiltration

Application Resource

CPU, memory usage

Resource analysis

Application Timeline

When apps ran

Execution timeline

Network Connectivity

Connected networks

Connection history

Energy Usage

Battery/power usage

Mobile device analysis

User Activity

Per-user stats

User behavior

Important Tables

{973F5D5C-1D90-4944-BE8E-24B94231A174} = Network Data Usage
{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} = Application Resource Usage  
{DD6636C4-8929-4683-974E-22C046A43763} = Network Connectivity Usage
{DA73FB89-2BEA-4DDC-86B8-6E048C6DA477} = Energy Usage (Win8+)
{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37} = Energy Usage (Win10+)

Collection & Analysis

Collection (Requires Both Files):

# Copy SRUM database
Copy-Item "C:\Windows\System32\sru\SRUDB.dat" -Destination "C:\Analysis\"

# CRITICAL: Also copy SOFTWARE hive (needed for mapping)
Copy-Item "C:\Windows\System32\config\SOFTWARE" -Destination "C:\Analysis\"
Copy-Item "C:\Windows\System32\config\SOFTWARE.LOG1" -Destination "C:\Analysis\"
Copy-Item "C:\Windows\System32\config\SOFTWARE.LOG2" -Destination "C:\Analysis\"

Using SrumECmd:

# Parse SRUM (requires both SRUDB.dat and SOFTWARE hive in same directory)
.\SrumECmd.exe -d "C:\Analysis" --csv "C:\Analysis\SRUM_Output"

# Output files created:
# - SRUM_TEMPLATE_NETWORK_DATA_USAGE.csv
# - SRUM_TEMPLATE_APPLICATION_RESOURCE_USAGE.csv
# - SRUM_TEMPLATE_NETWORK_CONNECTIVITY.csv
# - And others...

Using FTK Imager to Extract:

1. File → Add Evidence Item → Physical Drive
2. Navigate: [Windows]\System32\sru\
3. Export: SRUDB.dat
4. Navigate: [Windows]\System32\config\
5. Export: SOFTWARE, SOFTWARE.LOG1, SOFTWARE.LOG2

Analysis Tips

Investigation Workflows:

1. Network Data Usage Analysis:

# Import network usage data
$NetworkData = Import-Csv "C:\Analysis\SRUM_Output\SRUM_TEMPLATE_NETWORK_DATA_USAGE.csv"

# Find applications with high data transfer
$NetworkData | 
    Group-Object Application | 
    ForEach-Object {
        [PSCustomObject]@{
            Application = $_.Name
            TotalBytesSent = ($_.Group | Measure-Object BytesSent -Sum).Sum
            TotalBytesReceived = ($_.Group | Measure-Object BytesReceived -Sum).Sum
            TotalBytes = ($_.Group | Measure-Object BytesSent -Sum).Sum + ($_.Group | Measure-Object BytesReceived -Sum).Sum
        }
    } | Sort-Object TotalBytes -Descending | Select-Object -First 20

# Suspicious data transfer
$NetworkData | Where-Object {
    $_.BytesSent -gt 100MB  # Large uploads (potential exfil)
} | Select-Object Timestamp, Application, BytesSent, BytesReceived, User

2. Application Resource Usage:

# Import resource usage
$ResourceData = Import-Csv "C:\Analysis\SRUM_Output\SRUM_TEMPLATE_APPLICATION_RESOURCE_USAGE.csv"

# Most CPU-intensive applications
$ResourceData | 
    Group-Object Application | 
    ForEach-Object {
        [PSCustomObject]@{
            Application = $_.Name
            TotalCPUTime = ($_.Group | Measure-Object ForegroundCycleTime -Sum).Sum
            ExecutionCount = $_.Count
        }
    } | Sort-Object TotalCPUTime -Descending | Select-Object -First 20

3. Timeline of Network Activity:

# Network activity timeline
$NetworkData | 
    Select-Object Timestamp, Application, BytesSent, BytesReceived, User | 
    Sort-Object Timestamp | 
    Where-Object {[datetime]$_.Timestamp -gt (Get-Date).AddDays(-7)} |
    Export-Csv C:\Analysis\Network_Timeline.csv -NoTypeInformation

4. Data Exfiltration Detection:

# Find unusual upload patterns
$NetworkData | 
    Where-Object {
        $BytesSent = [int64]$_.BytesSent
        $BytesReceived = [int64]$_.BytesReceived
        
        # High upload:download ratio
        $BytesSent -gt 0 -and $BytesReceived -gt 0 -and
        ($BytesSent / $BytesReceived) -gt 10
    } | Select-Object Timestamp, Application, BytesSent, BytesReceived, User |
    Export-Csv C:\Analysis\Potential_Exfiltration.csv -NoTypeInformation

5. Per-User Activity:

# Activity by user
$NetworkData | 
    Group-Object User | 
    ForEach-Object {
        [PSCustomObject]@{
            User = $_.Name
            TotalBytes = ($_.Group | Measure-Object BytesSent,BytesReceived -Sum).Sum
            Applications = ($_.Group.Application | Select-Object -Unique).Count
        }
    } | Sort-Object TotalBytes -Descending

Red Flags:

🚩 High data transfer by suspicious applications
🚩 Upload significantly exceeds download (exfiltration)
🚩 Network activity during off-hours
🚩 Unknown/unsigned applications with network usage
🚩 PowerShell/cmd.exe with network activity
🚩 Activity during suspected compromise window

Investigation Scenarios:

Scenario: Data Exfiltration

1. Check Network Data Usage table
2. Identify applications with high BytesSent
3. Correlate timestamps with authentication logs
4. Check application legitimacy (Amcache, Prefetch)
5. Identify destination (if available in logs)

Scenario: Resource Abuse

1. Check Application Resource Usage
2. Identify CPU/memory intensive apps
3. Check for cryptominers, malware
4. Correlate with process execution (Event 4688)

Pro Tips:

✅ Hourly Granularity: Data recorded per hour

✅ User Context: Tracks which user ran what

✅ Network Interfaces: Can identify VPN, WiFi, Ethernet usage

⚠️ SOFTWARE Hive Required: App GUIDs mapped to names via registry

📝 MRU Analysis

Overview

MRU: Most Recently Used
Purpose: Track recent file/folder access per application
Location: NTUSER.DAT (per user)
Retention: Varies by MRU type (typically 10-20 items)

Key MRU Locations

Registry Path

Description

RecentDocs

Recently opened documents (all file types)

ComDlg32\LastVisitedPidlMRU

Last folders accessed by applications

ComDlg32\OpenSavePidlMRU

Files accessed via Open/Save dialogs

RunMRU

Commands typed in Run dialog

TypedPaths

Paths typed in Explorer address bar

WordWheelQuery

Windows search terms

Office MRU

Detailed Locations

Recent Documents:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Last Visited (folders accessed by apps):
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

Open/Save Dialog:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

Run Commands:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Typed Paths:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

Search Terms:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

Collection & Analysis

Using Registry Explorer:

1. Load NTUSER.DAT for target user
2. Navigate to each MRU location
3. Review entries (most recent = higher in list)
4. Export to CSV

Using RegRipper:

# Parse all MRU entries
.\rr.exe -r "C:\Users\john\NTUSER.DAT" -p recentdocs > recentdocs.txt
.\rr.exe -r "C:\Users\john\NTUSER.DAT" -p comdlg32 > comdlg32.txt
.\rr.exe -r "C:\Users\john\NTUSER.DAT" -p runmru > runmru.txt

Manual Registry Query (Live System):

# Recent documents
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"

# Run commands
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Typed paths
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"

# Search terms
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery"

Analysis Tips

Investigation Workflows:

1. Recent Document Analysis:

Check RecentDocs for:
- Recently accessed files
- File types accessed
- Deleted documents (MRU persists)
- External drive files

2. Application File Access:

Check LastVisitedPidlMRU:
- Which apps accessed which folders
- Unusual folder access
- Temporal patterns

3. Command Execution History:

Check RunMRU:
- Commands typed in Run dialog
- PowerShell launches
- Suspicious executables
- Network paths

4. Search Terms:

Check WordWheelQuery:
- What user searched for
- File names searched
- Potential indicators of compromise

Red Flags:

🚩 RunMRU entries for:
   - cmd.exe with suspicious parameters
   - powershell.exe -enc (encoded commands)
   - Network paths (\\server\share\)
   - Known attack tools

🚩 LastVisitedPidlMRU entries for:
   - Temp directories
   - Unusual system paths
   - External drives

🚩 RecentDocs entries for:
   - Suspicious file extensions (.ps1, .bat, .vbs)
   - Files from temp/downloads
   - Deleted files

🚩 WordWheelQuery entries for:
   - "password", "credential", "confidential"
   - Malware names
   - Company secrets

Pro Tips:

✅ MRU Order: List maintained in chronological order (most recent first)

✅ Persistence: Survives file/folder deletion

✅ Per-User: Each user has separate MRU data

⚠️ Privacy: Some applications clear their MRU

💻 PowerShell History

Overview

Feature: PSReadLine console history
Location: Per-user AppData
Format: Plain text file
Retention: Last 4,096 commands
Available: PowerShell v5+ (Win10/Server 2016+)

Location

C:\Users\{Username}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Key Information Available

Data Point

Description

Forensic Value

Commands

Exact commands typed

Attack reconstruction

Parameters

Full command syntax

Technique identification

Order

Chronological sequence

Timeline

Scripts

Inline scripts executed

Malware analysis

CRITICAL Understanding

✅ Logs: PowerShell console commands
✅ Logs: Commands typed interactively
❌ Does NOT log: PowerShell ISE commands
❌ Does NOT log: Scripts executed without typing
❌ Does NOT log: If PSReadLine disabled/removed

Collection & Analysis

Collection:

# Collect for all users
Get-ChildItem "C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" | 
    ForEach-Object {
        Copy-Item $_.FullName -Destination "C:\Analysis\PSHistory_$($_.Directory.Parent.Parent.Parent.Parent.Name).txt"
    }

Analysis:

# Read and analyse history
$History = Get-Content "C:\Users\john\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

# Count commands
$History.Count

# Find suspicious patterns
$SuspiciousKeywords = @(
    "invoke-expression", "iex", "downloadstring", "downloadfile",
    "invoke-webrequest", "invoke-restmethod", "net.webclient",
    "-enc", "-encodedcommand", "frombase64string",
    "invoke-mimikatz", "invoke-bloodhound", "invoke-kerberoast",
    "invoke-command", "enter-pssession", "new-pssession",
    "bypass", "unrestricted", "hidden", "windowstyle hidden"
)

$History | Where-Object {
    $Command = $_
    $SuspiciousKeywords | Where-Object {$Command -match $_}
} | Format-List

# Export suspicious commands
$History | Where-Object {
    $Command = $_
    $SuspiciousKeywords | Where-Object {$Command -match $_}
} | Out-File C:\Analysis\Suspicious_PS_Commands.txt

Timeline Analysis:

# Commands are in chronological order
# First command = oldest
# Last command = most recent

# View last 50 commands
Get-Content ConsoleHost_history.txt | Select-Object -Last 50

# Find commands in timeframe (requires correlation with file timestamp)
$HistoryFile = Get-Item "C:\Users\john\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
$LastModified = $HistoryFile.LastWriteTime
Write-Host "Last command executed: $LastModified"

Analysis Tips

Investigation Workflows:

1. Command Reconstruction:

Read history bottom-to-top for most recent activity
Build timeline of attacker actions
Understand attack progression

2. Credential Access:

# Look for credential dumping
$History | Where-Object {
    $_ -match "mimikatz|sekurlsa|lsadump|sam|credential|password"
}

3. Lateral Movement:

# Remote execution commands
$History | Where-Object {
    $_ -match "invoke-command|enter-pssession|new-pssession|wsman"
}

4. Download Cradle:

# File downloads
$History | Where-Object {
    $_ -match "downloadstring|downloadfile|iex.*http|invoke-webrequest.*http"
}

5. Obfuscation:

# Encoded/obfuscated commands
$History | Where-Object {
    $_ -match "-enc|-e |-encodedcommand|frombase64|char\[\]"
}

Red Flags:

🚩 Base64 encoded commands
🚩 Download cradles (IEX + DownloadString)
🚩 Invoke-Mimikatz or credential dumping tools
🚩 Execution policy bypass
🚩 Hidden window style
🚩 Remote session establishment
🚩 Port scanning or reconnaissance commands
🚩 Attempts to disable security features

Evasion Detection:

# Attackers may try to:

# 1. Disable PSReadLine
$History | Where-Object {$_ -match "Set-PSReadLineOption.*SaveNothing"}

# 2. Remove PSReadLine module
$History | Where-Object {$_ -match "Remove-Module.*PSReadLine"}

# 3. Clear history file
# Check file for: Clear-Content ConsoleHost_history.txt

# 4. Modify history file
# Check file timestamps vs. last logon time

Pro Tips:

✅ Plain Text: Easy to read and analyze

✅ Persistent: Not cleared automatically

✅ Comprehensive: Captures full command syntax

⚠️ Limitations: Console only (not ISE, not script files)

⚠️ Timestamps: File modification time = last command time (not per-command timestamps)

🗄️ NTFS Artifacts

Master File Table ($MFT)

Overview:

Purpose: Database of all files/folders on NTFS volume
Location: NTFS root (hidden system file)
Contains: Metadata for every file/directory

Key Information:

File name
File size
Timestamps (MACB - Modified, Accessed, Changed, Born)
MFT entry number
Parent MFT entry
Attributes (resident/non-resident data)

Collection:

# Using FTK Imager (GUI)
# Navigate to root, export $MFT

# Using RawCopy (live system)
RawCopy.exe /FileNamePath:C:\$MFT /OutputPath:C:\Analysis

# Using KAPE
.\kape.exe --target MFT --tdest C:\Analysis

Analysis:

# Using MFTECmd
.\MFTECmd.exe -f "C:\Analysis\$MFT" --csv "C:\Analysis" --csvf mft.csv

# With body file output (for timeline)
.\MFTECmd.exe -f "C:\Analysis\$MFT" --csv "C:\Analysis" --body "C:\Analysis" --bdl C

Using MFTExplorer (GUI):

1. Load $MFT file
2. Browse file system structure
3. View file metadata
4. Export to CSV

Investigation Use Cases:

✓ Timeline analysis (file creation, modification, access)
✓ Deleted file recovery (entries persist)
✓ File system structure reconstruction
✓ Anti-forensics detection (timestamp manipulation)
✓ Alternative Data Stream enumeration

UsnJrnl ($J)

Overview:

Purpose: Change journal for NTFS volume
Location: NTFS\$Extend\$RmMetadata\$UsnJrnl\$J
Contains: Records of file system changes

Key Information:

File name
Reason for change (create, delete, rename, modify)
Timestamp of change
MFT entry and parent entry
Change sequence number (USN)

Collection:

# Using FTK Imager
# Navigate: [Root]\$Extend\$RmMetadata\$UsnJrnl:$J
# Export stream

# Using RawCopy
RawCopy.exe /FileNamePath:C:\$Extend\$UsnJrnl:$J /OutputPath:C:\Analysis

# Using KAPE
.\kape.exe --target J --tdest C:\Analysis

Analysis:

# Using MFTECmd (can parse $J)
.\MFTECmd.exe -f "C:\Analysis\$J" --csv "C:\Analysis" --csvf usnjrnl.csv

Investigation Use Cases:

✓ Detect file deletion
✓ Track file rename operations
✓ Identify attacker cleanup activities
✓ Detect file encryption (ransomware)
✓ Timeline reconstruction

Red Flags:

🚩 Mass file renaming (ransomware)
🚩 Large-scale deletions
🚩 File system tunneling (timestamp manipulation)
🚩 Cleanup activities post-compromise

$LogFile

Overview:

Purpose: Transaction log for NTFS metadata operations
Location: NTFS root
Contains: Redo/undo information for transactions

Key Information:

File operations (create, delete, rename, modify)
Timestamps
MFT entry references
Operation details

Collection:

# Using FTK Imager
# Navigate to root, export $LogFile

# Using RawCopy
RawCopy.exe /FileNamePath:C:\$LogFile /OutputPath:C:\Analysis

Analysis:

# Using NTFS_Log_Tracker
.\NTFS_Log_Tracker.exe -f "C:\Analysis\$LogFile" -o "C:\Analysis\logfile_output.csv"

# Using LogFileParser
.\LogFileParser.exe -f "C:\Analysis\$LogFile" > logfile_parsed.txt

Investigation Use Cases:

✓ Recent file operations
✓ Deleted file evidence
✓ File rename detection
✓ Anti-forensics detection

Alternate Data Streams (ADS)

Overview:

Purpose: Store multiple data streams in single file
Feature: Hidden from normal directory listings
Risk: Can hide malware

Common ADS:

Zone.Identifier - Marks files downloaded from Internet
  - Zone 0: Local machine
  - Zone 1: Local intranet
  - Zone 2: Trusted sites
  - Zone 3: Internet
  - Zone 4: Restricted sites

Detection:

# PowerShell - list ADS
Get-Item C:\suspect.txt -Stream *

# Specific file
Get-Content C:\suspect.txt -Stream Hidden

# Recursively scan directory
Get-ChildItem C:\Temp -Recurse | ForEach-Object {
    Get-Item $_.FullName -Stream * | 
        Where-Object {$_.Stream -ne ':$DATA'} |
        Select-Object @{N='File';E={$_.FileName}}, Stream, Length
}

# Using dir command
dir /R C:\Temp

# Using Streams.exe (Sysinternals)
.\streams.exe -s C:\Temp

# Using AlternateStreamView (NirSoft)
AlternateStreamView.exe /scomma C:\Analysis\ads.csv

Analysis:

# Find files with suspicious ADS
Get-ChildItem C:\ -Recurse -ErrorAction SilentlyContinue | 
    ForEach-Object {
        $Streams = Get-Item $_.FullName -Stream * -ErrorAction SilentlyContinue
        $Streams | Where-Object {
            $_.Stream -notin @(':$DATA', 'Zone.Identifier') -and $_.Length -gt 0
        } | ForEach-Object {
            [PSCustomObject]@{
                File = $_.FileName
                Stream = $_.Stream
                Size = $_.Length
            }
        }
    }

Red Flags:

🚩 Executables hidden in ADS
🚩 Large ADS attached to innocuous files
🚩 Scripts in ADS
🚩 Data exfiltrated via ADS

Execution from ADS:

# Attackers can execute from ADS:
wscript C:\innocuous.txt:malicious.vbs
powershell Get-Content C:\file.txt -Stream evil.ps1 | iex

# Detection in Event Logs:
# Process creation (4688) may show stream execution

📚 Investigation Playbooks

Playbook 1: Malware Execution Investigation

Objective: Confirm malware execution and build timeline

Phase 1: Initial Identification (15 min)

□ Identify suspected malware name/path from alert
□ Check if process still running (Get-Process)
□ Document MD5/SHA1/SHA256 hash
□ Check VirusTotal/threat intelligence

Phase 2: Execution Proof (30 min)

□ Check Prefetch for executable
  - Confirm execution
  - Get run count
  - Get last 8 execution times
  
□ Check BAM/DAM
  - Confirm last execution time
  - Identify user (SID)
  
□ Check Amcache
  - Get SHA1 hash
  - Get file metadata
  - Check digital signature
  
□ Check ShimCache
  - Confirm file presence
  - Get file modification time

Phase 3: User Activity (30 min)

□ Check UserAssist
  - Confirm GUI execution
  - Get run count
  - Get focus time
  
□ Check Jump Lists
  - Files accessed by malware
  - Network locations accessed
  
□ Check PowerShell history
  - Commands executed
  - Download cradles
  - Obfuscation

Phase 4: Timeline Construction (45 min)

□ Compile timeline using:
  - Prefetch last 8 times
  - BAM/DAM timestamp
  - Timeline database
  - Event logs (4688, 4624)
  - MFT timestamps
  
□ Identify:
  - First execution time
  - Last execution time
  - Frequency of execution
  - User context

Phase 5: Persistence Check (30 min)

□ Check registry Run keys
□ Check services (7045, 4697)
□ Check scheduled tasks (4698, 106)
□ Check WMI event consumers (5861)
□ Check startup folders

Phase 6: Impact Assessment (45 min)

□ Check SRUM for network activity
  - Data exfiltration
  - Command & control
  
□ Check Jump Lists for file access
  - Sensitive documents
  - Lateral movement
  
□ Check $J for file modifications
  - Encryption (ransomware)
  - Deletion
  
□ Check ADS for hidden files

Phase 7: Reporting (30 min)

□ Document execution proof
□ Create timeline
□ Extract IOCs (hashes, paths, registry keys)
□ Assess scope
□ Recommend remediation

Playbook 2: Data Exfiltration Investigation

Objective: Detect and quantify data exfiltration

Phase 1: Indicators (15 min)

□ Review alert/indicator
□ Identify suspected timeframe
□ Identify affected user
□ Check for large file transfers (logs)

Phase 2: Network Activity Analysis (45 min)

□ Check SRUM Network Data Usage
  - Applications with high BytesSent
  - Upload vs. download ratio
  - External destinations
  - Timeframe correlation
  
□ Check Timeline
  - Cloud storage activity
  - USB drive usage
  - Network share access

Phase 3: File Access Analysis (45 min)

□ Check Jump Lists
  - Recently accessed files
  - External drive paths
  - Network share paths
  - Volume serial numbers
  
□ Check MRU (RecentDocs)
  - Document types accessed
  - Sensitive file access
  
□ Check Office MRU
  - Specific documents opened

Phase 4: USB/External Media (30 min)

□ Check Jump Lists for drive letters (E:, F:, etc.)
□ Check MFT for external volume GUIDs
□ Check Event Logs for USB insertion
□ Check volume serial numbers

Phase 5: Staging Detection (30 min)

□ Check for staging directories
  - C:\Users\Public\
  - C:\Windows\Temp\
  - User temp folders
  
□ Check $J for mass file copies
□ Check Timeline for file access patterns

Phase 6: Cloud/Email Exfil (30 min)

□ Check SRUM for browser activity
□ Check Jump Lists for cloud storage
□ Check browser history (if available)
□ Check email client activity

Phase 7: Quantification (30 min)

□ Calculate total data sent (SRUM)
□ Identify files accessed (Jump Lists, MRU)
□ Estimate data volume
□ Identify external destinations

Playbook 3: Attacker Tool Usage

Objective: Identify what tools attacker used

Phase 1: Known Tool Detection (30 min)

□ Check Prefetch for known tools:
  - PSEXEC.EXE
  - MIMIKATZ.EXE
  - PROCDUMP.EXE
  - PWDUMP.EXE
  - NC.EXE (NetCat)
  - NMAP.EXE
  
□ Check Amcache for SHA1 hashes
  - Match against known tool hashes
  
□ Check ShimCache for tool paths

Phase 2: PowerShell Analysis (45 min)

□ Check ConsoleHost_history.txt
  - Credential dumping commands
  - Lateral movement commands
  - Download cradles
  - Encoded commands
  
□ Check Event ID 4104 (script blocks)
  - Invoke-Mimikatz
  - Invoke-BloodHound
  - Invoke-Kerberoast

Phase 3: Execution Context (30 min)

□ Check UserAssist
  - GUI tools executed
  
□ Check BAM/DAM
  - Recent tool execution
  
□ Check Timeline
  - Tool usage patterns

Phase 4: Tool Downloaded (30 min)

□ Check Jump Lists for Downloads folder
□ Check browser downloads (if available)
□ Check ADS Zone.Identifier
□ Check PowerShell download commands

Phase 5: Tool Persistence (30 min)

□ Check if tools installed as services
□ Check scheduled tasks
□ Check registry Run keys
□ Check startup folders

🛠️ Tool Reference

Eric Zimmerman Tools

Download: https://ericzimmerman.github.io/

PECmd.exe - Prefetch parser
AppCompatCacheParser.exe - ShimCache parser
AmcacheParser.exe - Amcache parser
JLECmd.exe - Jump List parser
MFTECmd.exe - MFT/$J parser
RegistryExplorer.exe - Registry viewer/parser
SrumECmd.exe - SRUM parser
WxTCmd.exe - Windows Timeline parser
RECmd.exe - Registry command line tool

Installation:

# Download ZIP from GitHub releases
# Extract to C:\Tools\ZimmermanTools\
# Add to PATH

NirSoft Tools

Download: https://www.nirsoft.net/

WinPrefetchView.exe - Prefetch viewer
AlternateStreamView.exe - ADS scanner

Sysinternals Tools

Download: https://live.sysinternals.com/

streams.exe - ADS detection
strings.exe - String extraction

KAPE

Download: https://www.kroll.com/kape

# Collect all program execution artifacts
.\kape.exe --target ProgramExecution --tdest C:\Collection

# Specific artifacts
.\kape.exe --target Prefetch,Amcache,JumpLists --tdest C:\Collection

# With processing
.\kape.exe --target ProgramExecution --tdest C:\Collection --module PECmd,AmcacheParser --mdest C:\Analysis

FTK Imager

Download: https://www.exterro.com/ftk-imager

Use for:

Collecting locked files (SRUM, Amcache)
Extracting $MFT, $J, $LogFile
Forensic image mounting

DB Browser for SQLite

Download: https://sqlitebrowser.org/

Use for:

Windows Timeline analysis
Other SQLite databases

🎓 Quick Reference Cards

Artifact Comparison Matrix

Artifact

Proves Execution

Last Run Time

Run Count

Historical Times

File Hash

Retention

Prefetch

✅ Yes

✅ 8 times (Win10+)

❌ No

1,024 files

BAM/DAM

⚠️ Likely

✅ Yes

❌ No

~7 days

ShimCache

❌ No (Win10+)

❌ No

1,024 entries

Amcache

⚠️ Presence

⚠️ Modified

❌ No

✅ SHA1

Long-term

UserAssist

✅ GUI only

✅ Yes

❌ No

Persistent

Jump Lists

⚠️ Indirect

✅ Yes

❌ No

~2,000/app

Timeline

⚠️ Activity

✅ Yes

❌ No

✅ Yes

❌ No

30 days

SRUM

⚠️ Resource

✅ Yes

❌ No

✅ Hourly

❌ No

30-60 days

Collection Priority Checklist

Live System - First 15 Minutes:

□ Prefetch directory (FIRST - tools create prefetch!)
□ BAM/DAM registry export
□ PowerShell console history
□ Running process list
□ Network connections

Live System - Next 30 Minutes:

□ SYSTEM registry hive (ShimCache)
□ SOFTWARE registry hive (SRUM mapping)
□ Amcache.hve
□ SRUDB.dat
□ User NTUSER.DAT files

Live System - Next 30 Minutes:

□ Jump Lists (all users)
□ Timeline databases (all users)
□ MRU registry keys
□ Event logs

Forensic Image - Priority Order:

1. $MFT (timeline, file listing)
2. Prefetch
3. Registry hives (SYSTEM, SOFTWARE, NTUSER.DAT)
4. Amcache
5. SRUM
6. Jump Lists
7. Timeline
8. $J (change journal)
9. $LogFile
10. ADS enumeration

Use this guide as your go-to reference for program execution investigations. Combine multiple artifacts for the strongest evidence.

PreviousUser Activity Tracking with KQL NextFile and Folder Access Investigation Guide

Last updated 1 day ago