Program Execution
Prefetch
Description: Prefetch is a performance optimisation that reduces boot and application loading times. The cache manager uses prefetch (.pf) files like a cheat sheet to speed up loading: it pre-loads the code pages of commonly used applications, and it monitors the "helper files" (DLLs and other files touched during the first seconds of a launch), recording them in the .pf file. Workstation editions of Windows enable prefetching by default; Windows Server does not.
Prefetch provides evidence of application execution. Embedded within each prefetch file is the total number of times the application has been run, the original path it was executed from, and the last time(s) of execution.
The Prefetch folder holds up to 1,024 .pf files on Windows 8 and later (128 on earlier versions).
Prefetch files on Windows 10 and 11 are compressed (they begin with an MAM header rather than the plain SCCA header), and each stores up to eight execution times (Windows 8 and later). To check whether prefetching is enabled, open the following location in the Registry editor:
Investigator Note: Look out for multiple prefetch files with the same executable name; this indicates that two executables with the same name were run from different locations. For example, if you see multiple prefetch files for cmd.exe, a file named cmd.exe may have been executed from somewhere outside the standard C:\Windows\System32 folder, and that "new" cmd.exe might turn into a valuable finding.
Some exceptions to this rule are Windows "hosting" applications such as svchost, dllhost, backgroundtaskhost and rundll32: the hash value at the end of each of their prefetch file names is calculated from the full path and the command-line arguments, so you are likely to see multiple prefetch files for each of them.
Pro tip: Running live response tools on a target system creates new prefetch files for those executables. Because the Prefetch folder holds a limited number of files, this can push the oldest prefetch files out. Prioritise collection of the Prefetch directory so that important evidence is not lost.
Location:
Naming format: (exename)-(hash).pf
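As an added example (Python written for this page, not code from the original or from any of the tools named here), the following computes the .pf name an executable path should produce and triages a Prefetch directory listing for the duplicate-name pattern described in the investigator note, treating the hosting applications as expected exceptions. The hash is the SCCA 2008 algorithm (Windows 7 and later) as documented by the libscca project; the NT device-path form of the hashed string and the way command-line arguments are appended for hosting applications are assumptions, so validate a computed name against a known .pf on the image before relying on it. The directory listing is constructed.

```python
"""Prefetch name triage (added example; not the page's own code).

- scca_2008_hash: the Windows 7+ prefetch path hash as documented by libscca.
- expected_pf_name: the .pf name a given executable path should produce.
- find_duplicate_names: flags executables that appear with more than one
  hash, i.e. the same name run from different paths.
"""
import re
from collections import defaultdict

# Hosting processes hash the command line too, so several .pf files per
# name are expected for them (see the investigator note above).
HOSTING_APPS = {"SVCHOST.EXE", "DLLHOST.EXE", "BACKGROUNDTASKHOST.EXE", "RUNDLL32.EXE"}

# (EXENAME)-(8 hex digit hash).pf
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")


def scca_2008_hash(text: str) -> int:
    """SCCA 2008 hash (Windows 7 and later) over the upper-cased path string."""
    h = 314159
    i, n = 0, len(text)
    while i + 8 < n:
        v = ord(text[i + 1]) * 37
        v += ord(text[i + 2]); v *= 37
        v += ord(text[i + 3]); v *= 37
        v += ord(text[i + 4]); v *= 37
        v += ord(text[i + 5]); v *= 37
        v += ord(text[i + 6]); v *= 37
        v += ord(text[i]) * 442596621
        v += ord(text[i + 7])
        h = (v - h * 803794207) & 0xFFFFFFFF
        i += 8
    while i < n:
        h = (h * 37 + ord(text[i])) & 0xFFFFFFFF
        i += 1
    return h


def expected_pf_name(device_path: str, args: str = "") -> str:
    """Expected .pf file name for an executable.

    device_path is assumed to be the NT device form that Windows hashes, e.g.
    \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CMD.EXE. For hosting apps the
    command line is assumed to be appended after a single space (assumption).
    """
    hashed = device_path.upper()
    if args:
        hashed += " " + args.upper()
    exe = device_path.upper().rsplit("\\", 1)[-1]
    return f"{exe}-{scca_2008_hash(hashed):08X}.pf"


def find_duplicate_names(pf_names):
    """Return {EXE: [hashes]} for executables seen with more than one hash,
    skipping hosting apps and non-.pf entries such as Layout.ini."""
    by_exe = defaultdict(set)
    for name in pf_names:
        m = PF_NAME.match(name)
        if m:
            by_exe[m["exe"].upper()].add(m["hash"].upper())
    return {exe: sorted(hs) for exe, hs in sorted(by_exe.items())
            if len(hs) > 1 and exe not in HOSTING_APPS}


# Constructed directory listing (not taken from a real system).
SAMPLE_LISTING = [
    "CMD.EXE-4A81B364.pf",       # two CMD.EXE entries: run from different paths
    "CMD.EXE-0BD30981.pf",
    "NOTEPAD.EXE-D8414F97.pf",
    "SVCHOST.EXE-12345678.pf",   # hosting app: multiple entries are normal
    "SVCHOST.EXE-ABCDEF01.pf",
    "Layout.ini",
]

if __name__ == "__main__":
    for exe, hashes in find_duplicate_names(SAMPLE_LISTING).items():
        print(f"{exe}: {len(hashes)} distinct paths -> {hashes}")
    print(expected_pf_name(r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CMD.EXE"))
```

To use it on an image, pass `os.listdir` of the exported Prefetch folder to `find_duplicate_names`, then compute `expected_pf_name` for the legitimate System32 path of any flagged executable: the hash that does not match is the copy run from elsewhere.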
Tools for data capture: PECmd.exe, WinPrefetchView.exe
Preferred tool: Prefetch Explorer Command Line (PECmd)
Single file analysis:
Directory analysis:
Process a directory of Prefetch files, including Volume Shadow Copies, and send the results to a file with higher-precision timestamps:
Advanced usage: supplying a comma-separated list of keywords (the -k option) causes any hits to be shown in red.
PECmd can extract and process files from Volume Shadow Copies with the --vss option. This processes Prefetch from ALL Volume Shadow Copies, with the output files separated by individual VSS number.
FTK Imager: browse to "C:\Windows\Prefetch".
Available Metadata
The metadata that can be found in a single prefetch file is as follows:
Prefetch Analysis and Interpretation
Date/time the .exe was first executed: creation date of the .pf file (minus roughly 10 seconds)
Date/time the .exe was last executed: modification date of the .pf file (minus roughly 10 seconds)
The last time of execution is also stored inside the .pf file
Windows 8 and later (including 10/11) embed the last eight execution times in the .pf file
Pro tip: Just because a .pf was created, it does NOT mean that the program executed successfully. Many "broken" programs that attempt execution are still assigned a .pf file.
Forensic Value
The executable's name
The absolute path to the executable
The number of times the program ran on the system
The last time the application ran
A list of DLLs used by the program
Background Activity Moderator (BAM)/Desktop Activity Moderator (DAM)
Description: BAM is a Windows service that controls the activity of background applications. BAM entries are updated when Windows boots. There is also dam\UserSettings, the Desktop Activity Moderator (DAM), which stores similar information to BAM.
Location:
In the Windows registry, the following locations contain information related to BAM and DAM. This location contains information about last run programs, their full paths, and last execution time.
Interpretation:
Provides full path of file executed and last execution date/time
Typically, up to one week of data is available
“State” key used in Win10 1809+
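As an added example (Python written for this page, not code from the original or from RegistryExplorer/BamParser), the following decodes BAM/DAM values into (SID, executable path, last run time) and shows how to pull the live key with the standard-library winreg module. The 24-byte value layout with a FILETIME in the first 8 bytes is the documented Windows 10 BAM format; the sample hive values are constructed, and the masquerading svchost.exe under Users\Public is there only to show what the output looks like for a suspicious entry.

```python
"""BAM/DAM value decoder (added example; not the page's own code).

Each SID subkey under bam\\UserSettings (pre-1809) or bam\\State\\UserSettings
(1809 and later) holds one REG_BINARY value per executable, named by its full
path. The value is 24 bytes and its first 8 bytes are a FILETIME of the last
execution; the remaining bytes are not used here. DWORD values named
SequenceNumber and Version also live in those keys and are skipped.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_bam(hive_values):
    """hive_values: {key path: {value name: raw bytes}} taken from a SYSTEM hive.
    Returns (sid, executable path, last run UTC) tuples, newest first."""
    rows = []
    for key, values in hive_values.items():
        parts = key.split("\\")
        if "UserSettings" not in parts[:-1]:
            continue  # not a per-SID BAM/DAM key
        sid = parts[-1]
        for name, data in values.items():
            if name in ("SequenceNumber", "Version") or len(data) != 24:
                continue
            (ft,) = struct.unpack_from("<Q", data, 0)
            rows.append((sid, name, filetime_to_utc(ft)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def read_live_bam():
    """Collect the live BAM State key with winreg (Windows only, run elevated).
    For builds before 1809 drop the State\\ component from the path."""
    import winreg  # Windows-only module; imported here so the rest runs anywhere
    base = r"SYSTEM\CurrentControlSet\Services\bam\State\UserSettings"
    hive_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            sid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, sid) as sub:
                values = {}
                for j in range(winreg.QueryInfoKey(sub)[1]):
                    name, data, _ = winreg.EnumValue(sub, j)
                    if isinstance(data, bytes):  # REG_BINARY execution records
                        values[name] = data
                hive_values[base + "\\" + sid] = values
    return hive_values


# Constructed sample: one user SID with two executables.
_T0 = 133485408000000000  # FILETIME for 2024-01-01 00:00:00 UTC
SAMPLE_BAM = {
    r"ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1111-2222-3333-1001": {
        "Version": struct.pack("<I", 1),
        "SequenceNumber": struct.pack("<I", 7),
        r"\Device\HarddiskVolume2\Windows\System32\cmd.exe":
            struct.pack("<Q", _T0) + bytes(16),
        r"\Device\HarddiskVolume2\Users\Public\svchost.exe":
            struct.pack("<Q", _T0 + 3600 * 10_000_000) + bytes(16),
    }
}

if __name__ == "__main__":
    for sid, path, when in parse_bam(SAMPLE_BAM):
        print(when.isoformat(), sid, path)
```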
Tools for investigation:
RegistryExplorer.exe, BamParser.py
Forensic Value:
Evidence of execution
The executable's name
The absolute path to the executable
The last time the application ran
ShimCache
Description: Microsoft's Application Compatibility Cache (AppCompatCache, or ShimCache) is designed to detect and remediate program compatibility problems when a program launches. A program might have been built for a previous version of Windows; to avoid compatibility issues, Microsoft employs a subsystem that lets a program invoke properties of different operating system versions ("shims"). It allows Windows to track executable files and scripts that may require special compatibility settings to run properly. The cache is maintained in kernel memory and serialised to the registry on system shutdown or restart.
Investigator Note: Windows uses this database to determine if a program needs shimming for compatibility. One of the more interesting and useful aspects of AppCompatCache is that each executable is checked and added to the registry regardless of whether it needs to be shimmed. From a forensic perspective, AppCompatCache is used to track application presence (and, on older versions, execution), including the name, full path, and last modification time of the executable.
Pro Tip: ShimCache in Windows 10 and later is not a reliable source of application execution; it does not prove execution, but it can be used to prove the existence or presence of a file on the system.
Location:
The ShimCache artifact source file is C:\Windows\System32\config\SYSTEM. On a live system the registry key is located at:
Investigator Note: To determine the most recent ControlSet in use, open the Select key at the root of the SYSTEM hive and read the Current value; that number identifies the ControlSetNNN key to use.
Tools for investigation:
AppCompatCacheParser (Zimmerman Tools)
Interpretation:
Any executable present in the file system could be found in this key. The data is particularly useful for identifying the presence of malware on devices where other application execution data is missing (such as Windows servers, which do not have Prefetch enabled).
The full path of the executable
Windows 7 and later hold up to 1,024 entries
No execution time is available (only the executable's last modification time)
Executables can be pre-emptively added to the database before execution. The existence of an executable in this key does not prove actual execution.
Tools for investigation:
ShimCache parser for a captured image:
ShimCache Analysis and Interpretation:
When reviewing the output from the AppCompatCache, note the following:
The most recent entries are on top (very helpful, since most versions do not include an execution time)
New entries are only written to the registry on shutdown or restart. One of the most useful capabilities of the AppCompatCache is that if an attacker has removed their tools from the system and was careful to also delete the corresponding prefetch (.pf) files, AppCompatCache entries may still provide clues that the application existed.
Investigator Notes: The existence of an entry in the AppCompatCache registry key no longer proves execution. When investigating evidence of execution, the first challenge is getting the data; this can be done with agent-based tools or collection scripts. Analysis can begin by looking for well-known attack patterns: one- or two-letter executable names, executions from unusual folders such as $Recycle.Bin or System Volume Information, and common malware names such as pwdump or mimikatz are all good starting points. When attackers perform reconnaissance and live off the land they use built-in tools, but those tools may be rare in certain parts of the network, so searching for PsExec activity and command-line use of wmic.exe, reg.exe or schtasks.exe can pay dividends.
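As an added example (Python written for this page, not code from the original or from AppCompatCacheParser), the following applies the triage patterns just listed to the Path column of a parsed ShimCache export. The CSV is constructed in the shape of AppCompatCacheParser output; only the Path column is read, so the other column names are not relied on. The folder and tool-name lists are the ones named above and are meant to be extended per engagement.

```python
"""AppCompatCache triage (added example; not the page's own code).

Scans the Path column of a parsed ShimCache export for: one- or two-letter
executable names, unusual folders, well-known tool names, and
living-off-the-land binaries that merit review. Cache order is preserved,
so the most recent entries come first, as in the source.
"""
import csv
import io
from pathlib import PureWindowsPath

UNUSUAL_DIRS = ("\\$recycle.bin\\", "\\system volume information\\")
KNOWN_TOOL_NAMES = ("pwdump", "mimikatz")
LOLBINS = {"psexec.exe", "psexesvc.exe", "wmic.exe", "reg.exe", "schtasks.exe"}


def classify_path(path: str):
    """Return the list of triage reasons that apply to one cache entry."""
    p = PureWindowsPath(path)
    stem, name, low = p.stem.lower(), p.name.lower(), path.lower()
    reasons = []
    if 0 < len(stem) <= 2:
        reasons.append("short name")
    if any(d in low for d in UNUSUAL_DIRS):
        reasons.append("unusual folder")
    if any(t in stem for t in KNOWN_TOOL_NAMES):
        reasons.append("known tool name")
    if name in LOLBINS:
        reasons.append("lolbin")
    return reasons


def triage_appcompat_csv(csv_text: str):
    """Return (path, reasons) for every flagged row, in cache order."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = classify_path(row["Path"])
        if reasons:
            hits.append((row["Path"], reasons))
    return hits


# Constructed export in the shape of AppCompatCacheParser CSV output.
SAMPLE_CSV = r"""ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile
1,0,C:\Windows\System32\cmd.exe,2023-11-02 10:00:00,N/A,False,SYSTEM
1,1,C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\m.exe,2023-11-02 09:58:00,N/A,False,SYSTEM
1,2,C:\Users\Public\mimikatz.exe,2023-11-01 22:14:00,N/A,False,SYSTEM
1,3,C:\Windows\System32\wbem\WMIC.exe,2023-10-30 08:01:00,N/A,False,SYSTEM
1,4,C:\Program Files\Vendor\updater.exe,2023-10-29 12:00:00,N/A,False,SYSTEM
"""

if __name__ == "__main__":
    for path, reasons in triage_appcompat_csv(SAMPLE_CSV):
        print(f"{path}  <- {', '.join(reasons)}")
```

Because Windows 10 entries carry no execution flag, every hit is a lead to confirm against Prefetch, BAM, Amcache or event logs rather than a finding on its own.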
Forensic Value
The executable or script file names and full paths
The file's $STANDARD_INFORMATION last modified date
The size of the binary (Windows XP only)
Whether the file actually ran on the system or was merely browsed through Explorer (the insertion flag, present on Windows 7 and 8 but not on Windows 10 and later)
Amcache.hve
Description: Amcache.hve is a registry hive file that stores information related to program execution and presence when a user performs certain actions, such as running host-based applications, installing new applications, or running portable applications from external devices. It tracks installed applications, programs executed (or merely present), drivers loaded, and more. Amcache also records the SHA1 hash of executables and drivers.
Investigator Note: Amcache provides full path information, file size, publisher metadata for executables and loaded drivers, and several different timestamps. What sets this artifact apart from nearly all the others is that it also tracks the SHA1 hash for executables and drivers. This is a rarity in forensic artifacts and can be of great value when trying to identify either known goods (e.g., Microsoft files) or known bad (e.g., a renamed version of mimikatz.exe).
Pro Tip: Amcache is not a reliable source of application execution; it does not prove execution, but it can be used to prove the existence or presence of a file on the system.
Location:
Interpretation:
A complete registry hive with multiple sub-keys
Full path, file size, file modification time, compilation time, and publisher metadata
SHA1 hash of executables and drivers
Amcache should be used as an indication of executable and driver presence on the system, not as proof of execution
Tools for investigation:
Registry Explorer (Zimmerman Tools)
Extract Amcache files: FTK Imager
AmcacheParser (Zimmerman Tools)
For live systems:
Investigator Note:
Tracks installed applications, loaded drivers, and unassociated executables
Full path, file size, file modification time, compilation time, publisher metadata
SHA1 hashes of executables and drivers are one of its most useful features
Entries can also result from automated file discovery or program installation and do NOT always indicate program execution
Pro Tip: Use this artifact as an indication of executable and driver presence on the system and for the metadata it tracks for each file. Other artifacts (such as Prefetch) can be used to prove execution and execution times.
Forensic Value:
The executable names and full paths
File modification and compilation times (not execution times)
The size of the binary and its version
The executable hash (SHA1)
Jump Lists
Description: Jump Lists allow the user to quickly access frequently or recently used items via the taskbar. In an investigation they can be used to identify the applications in use and metadata about the items accessed via those applications. Each installed application has an associated Jump List that lists the files previously accessed with it.
Location:
Interpretation:
Each Jump List file is named according to an application identifier (AppID). List of Jump List IDs -> https://dfir.to/EZJumpList
Each Jump List contains a collection of items interacted with (up to ~2000 items per application)
Each entry is represented as a LNK shell item providing additional data
Target Timestamps
File Size
Local Drive | Removable Media | Network Share Info
Entries are kept in MRU order, including a timestamp for each item.
Tools for investigation
JLECmd (JumpList Explorer Command Line Edition). Run against a single Jump List; output is stored on the G: drive in the "Jumplists" folder:
Run against all automatic jumplist files stored for the user “Donald”.
Forensic Value:
Activity of users who have logged on interactively to the system
Recovery of a user's traces of recently accessed directories from the Windows Explorer Jump List
History of attempted lateral movement, by checking the Remote Desktop Jump List, which provides a list of recent connections
Destination IPs and ports used via RDP
UserAssist
Description: UserAssist records every GUI-based program launched by the user in this registry key. The key contains two GUID subkeys (CEBFF5CD: executable file execution; F4E57C4B: shortcut file execution). Each subkey maintains a list of objects such as programs, shortcuts and Control Panel applets the user has accessed. The value names under these subkeys are obfuscated with ROT-13, which replaces each letter with the letter 13 positions further along the alphabet (wrapping around, so A becomes N and N becomes A); digits and punctuation are left unchanged.
Digital Forensics Value of UserAssist Artifacts: Analysis of program executions is essential in cases such as tracing malware and detecting anti-forensic tools. UserAssist artifact provides valuable information that helps identify the presence and execution history of malicious programs on a system even after deletion.
Location:
C:\Users\[UserName]\NTUSER.DAT. Within the NTUSER.DAT hive, the artifact data is found at the following location:
Registry:
Investigator Note: Value names are ROT-13 encoded. In regedit, select the value of interest, right-click, choose Modify, copy the name, and decode it with the ROT13 recipe in CyberChef. A better option is Registry Explorer (Zimmerman Tools), which decodes the names automatically.
Interpretation:
The NTUSER.DAT file is a registry hive. The registry file format is a binary format laid out like a filesystem, with keys, subkeys and values; these files are used by the operating system to store user, system and application configuration.
GUIDs identify the type of execution (Windows 7 and later):
CEBFF5CD: executable file execution
F4E57C4B: shortcut file execution
Value names are ROT-13 encoded
Each value records the application path, last run time, run count, focus time and focus count
Tools for investigation
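As an added example (Python written for this page, not code from the original or from Registry Explorer), the following decodes UserAssist value names and unpacks the per-value binary data. The 72-byte layout used here (run count at offset 4, focus count at 8, focus time in milliseconds at 12, last-run FILETIME at 60) is the Windows 7-and-later format; the full GUIDs of the two subkeys are the well-known values whose prefixes the page lists. The sample values are constructed, including the known-folder GUID prefixes in the names, which are ROT-13 rotated on disk just like the rest of the name.

```python
"""UserAssist decoder (added example; not the page's own code).

Value names under the two GUID subkeys are ROT-13 encoded; letters A-F in
the known-folder GUID prefix are rotated too, so the whole name is decoded.
Each value (Windows 7 and later) is 72 bytes: run count at offset 4, focus
count at 8, focus time in ms at 12, and last run FILETIME at offset 60.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

GUID_EXE = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"   # executable file execution
GUID_LNK = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"   # shortcut file execution
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(name: str) -> str:
    """ROT-13 is its own inverse, so decoding is the same as encoding."""
    return codecs.decode(name, "rot_13")


def parse_userassist_value(name: str, data: bytes):
    if len(data) != 72:
        return None  # older 16-byte (XP) layout is not handled here
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (ft,) = struct.unpack_from("<Q", data, 60)
    last_run = FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None
    return {
        "path": decode_name(name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run": last_run,
    }


def parse_userassist(subkeys):
    """subkeys: {GUID: {value name: bytes}} from ...\\Explorer\\UserAssist\\<GUID>\\Count.
    Returns decoded entries tagged by kind, newest last-run first."""
    entries = []
    for guid, values in subkeys.items():
        kind = {GUID_EXE: "exe", GUID_LNK: "lnk"}.get(guid.upper(), "other")
        for name, data in values.items():
            rec = parse_userassist_value(name, data)
            if rec:
                rec["kind"] = kind
                entries.append(rec)
    entries.sort(key=lambda e: e["last_run"] or FILETIME_EPOCH, reverse=True)
    return entries


def _value(run_count, focus_count, focus_ms, filetime):
    """Build a constructed 72-byte UserAssist value for the sample."""
    return (bytes(4) + struct.pack("<III", run_count, focus_count, focus_ms)
            + bytes(44) + struct.pack("<Q", filetime) + bytes(4))


_T0 = 133485408000000000  # FILETIME for 2024-01-01 00:00:00 UTC
SAMPLE_USERASSIST = {
    GUID_EXE: {
        # ROT-13 of {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe (System32 known folder)
        r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr": _value(12, 3, 45000, _T0),
    },
    GUID_LNK: {
        # ROT-13 of {A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Accessories\Notepad.lnk
        r"{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Abgrcnq.yax":
            _value(2, 1, 5000, _T0 - 86400 * 10_000_000),
    },
}

if __name__ == "__main__":
    for e in parse_userassist(SAMPLE_USERASSIST):
        print(e["kind"], e["last_run"], e["run_count"], e["path"])
```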
Forensic Value:
The executed GUI program name
The executed GUI program path
Last executed time
Run count
Windows 10 Timeline
Description: Windows 10 Timeline information covering user activities is stored in the ActivitiesCache.db file, at the location given below. ActivitiesCache.db is an SQLite database. StartTime is the moment an application was launched; EndTime is the moment the application ceased to be used; ExpirationTime is when the record's retention period in the database expires; LastModifiedTime is when a record was last modified (for example if the activity was repeated several times).
Windows 10 Timeline provides information about the applications executed on the computer within the last 30 days, such as the application name, the time it was launched, and how long it was used. This is of forensic value because it can help examiners reconstruct previous events on a device, even if the files, documents or applications have since been deleted.
Structure of Windows 10 Timeline Artifacts: ActivitiesCache.db is an SQLite database containing seven tables (Activity, ActivityOperation, Activity_PackageId, AppSettings, DataEncryptionKeys, ManualSequence and Metadata); only a subset of them contain forensically valuable information.
Location:
User activities displayed in the timeline are stored in ActivitiesCache.db, which is located at:
Interpretation:
The full path of the executed application
Start time, end time, and duration
Items opened within the application
URLs visited
Databases are still present even after feature deprecation in late-Win10
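As an added example (Python written for this page, not code from the original or from WxTCmd), the following queries the Activity table for launches and focus periods and turns them into the full path, start time, duration and opened item listed above. A real database is opened with sqlite3.connect(path); here a constructed in-memory table with the relevant subset of columns stands in for it. The assumptions are: AppId is a JSON list of {application, platform} objects in which the x_exe_path entry carries the executable path, the time columns are Unix epoch seconds, Payload is JSON whose displayText names the opened item, and ActivityType 5 (ExecuteOpen) and 6 (InFocus) are the values WxTCmd reports for launches and focus periods.

```python
"""Windows 10 Timeline (ActivitiesCache.db) query (added example; not the
page's own code). Works against a real database via sqlite3.connect(path);
build_sample_db() constructs an in-memory stand-in for offline use.
"""
import json
import sqlite3
from datetime import datetime, timezone

ACTIVITY_TYPES = {5: "ExecuteOpen", 6: "InFocus"}


def app_path(app_id_json: str):
    """Prefer the x_exe_path entry (full executable path) from the AppId list."""
    apps = json.loads(app_id_json)
    for a in apps:
        if a.get("platform") == "x_exe_path":
            return a.get("application")
    return apps[0].get("application") if apps else None


def executed_apps(conn, since_epoch=0):
    """Launch and focus records, oldest first, optionally limited to a window."""
    sql = """SELECT AppId, ActivityType, StartTime, EndTime, Payload
             FROM Activity
             WHERE ActivityType IN (5, 6) AND StartTime >= ?
             ORDER BY StartTime"""
    out = []
    for app_id, atype, start, end, payload in conn.execute(sql, (since_epoch,)):
        item = None
        if payload:
            try:
                item = json.loads(payload).get("displayText")
            except (ValueError, AttributeError):
                pass  # payload is not the JSON object form
        out.append({
            "app": app_path(app_id),
            "type": ACTIVITY_TYPES[atype],
            "start": datetime.fromtimestamp(start, timezone.utc),
            "duration_s": (end - start) if end and end >= start else None,  # EndTime 0 = still open
            "item": item,
        })
    return out


def build_sample_db():
    """Constructed Activity table (column subset) with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE Activity (
        Id BLOB, AppId TEXT, ActivityType INTEGER, StartTime INTEGER,
        EndTime INTEGER, LastModifiedTime INTEGER, ExpirationTime INTEGER,
        Payload BLOB)""")
    notepad = json.dumps([
        {"application": r"C:\Windows\System32\notepad.exe", "platform": "x_exe_path"},
        {"application": "Microsoft.Notepad", "platform": "packageId"},
    ])
    tool = json.dumps([{"application": r"C:\Users\Public\nc.exe", "platform": "x_exe_path"}])
    t0 = 1704067200  # 2024-01-01 00:00:00 UTC
    expiry = t0 + 30 * 86400
    rows = [
        (b"\x01", notepad, 5, t0, t0 + 600, t0 + 600, expiry,
         json.dumps({"displayText": "notes.txt"}).encode()),
        (b"\x02", notepad, 6, t0, t0 + 600, t0 + 600, expiry, None),
        (b"\x03", tool, 5, t0 + 3600, 0, t0 + 3600, expiry, None),
        (b"\x04", tool, 10, t0 + 3700, 0, t0 + 3700, expiry, None),  # clipboard: not a launch
    ]
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    for a in executed_apps(build_sample_db()):
        print(a["start"].isoformat(), a["type"], a["app"], a["duration_s"], a["item"])
```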
Tools for investigation:
DB Browser for SQLite: the easiest way to look at the data in ActivitiesCache.db is an SQLite viewer such as DB Browser for SQLite, a free tool. By switching tables in the Browse Data tab it is possible to view their contents and record information of potential interest to an investigation.
WxTCmd parser for Windows 10 Timeline:
Forensic Value:
Timeline Analysis
Information about an application and file
Date /Time when started, created, modified and accessed
System Resource Usage Monitor (SRUM)
Description: SRUM is considered a gold mine of forensic information because it records a wide range of system activity: program execution, power consumption, network activity and more. The data can be retrieved even if the source executable has since been deleted, which lets the examiner gain insight into a system's previous activities and events. SRUM retains roughly 30 to 60 days of history, including applications run, the user account responsible, network connections, and bytes sent/received per application per hour.
Location:
Structure of SRUM Artifacts: SRUM artifacts are stored in an Extensible Storage Engine (ESE) database format. This database contains multiple tables recording all the activities on a particular system.
Interpretation:
SRUDB.dat is an Extensible Storage Engine database.
Three tables in SRUDB.dat are particularly important:
{973F5D5C-1D90-4944-BE8E-24B94231A174} = Network Data Usage
{d10ca2fe-6fcf-4f6d-848e-b2e99266fa89} = Application Resource Usage
{DD6636C4-8929-4683-974E-22C046A43763} = Network Connectivity Usage
Tools for investigation:
Windows.Forensics.SRUM artifact (Velociraptor)
Copying the files from a live system with FTK Imager: export both SRUDB.dat and the SOFTWARE hive.
Navigate to "C:\Windows\System32\SRU\SRUDB.dat", right-click SRUDB.dat, select Export Files, choose a storage location, and click OK.
Navigate to "C:\Windows\System32\config\", select SOFTWARE, SOFTWARE.LOG1 and SOFTWARE.LOG2, and export them to the same location as SRUDB.dat.
SrumECmd parser:
Forensic Value:
Program executions
Power consumption
Network activities
Bytes Received & Sent
Last Visited Most Recently Used (MRU)
Description: Tracks the applications used by the user and the directory location of the last file accessed by each application.
Location:
Note: The RecentDocs key is found at:
Other items of interest are related to folders that are accessed by a Windows application using the common Open/Save dialog, which is found at:
Or files that are accessed by a Windows application using the common Open File or Save File dialog found at:
Finally, items of interest regarding commands a user runs via the Windows Run utility are found at:
Interpretation: Two important pieces of information come from this key: the applications executed by the user and the last place in the file system those applications interacted with. Interesting and hidden directories are often identified via this registry key.
Tools for investigation
Regedit or other registry viewer applications.
Commands Executed in the Run Dialog
Description: A history of commands typed into the Run dialogue box is stored for each user.
Location:
Interpretation:
It is an MRU key; the MRUList value gives the temporal order of the entries, most recent first.
Tools for investigation
Regedit or other registry viewer application
PowerShell
Description: PowerShell is a cross-platform task automation solution comprising a command-line shell, a scripting language, and a configuration management framework. On Windows 10, the PSReadLine module saves the last 4,096 commands in a plain-text history file in each user's profile.
Location:
Tool:
Forensic Value:
Evidence of PowerShell commands executed by the user
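As an added example (Python written for this page, not code from the original), the following triages the per-user plain-text history, which holds one command per line. It flags lines that pass a script through -EncodedCommand (including the abbreviations PowerShell accepts, such as -e and -enc), decodes the Base64/UTF-16LE payload so the real command can be read, and also flags download cradles, Invoke-Expression, and execution-policy or window-hiding switches. The history text is constructed; the function takes the file contents, so where the file lives is left to the reader.

```python
"""PowerShell history triage (added example; not the page's own code).

Input is the text of the per-user history file (one command per line).
-EncodedCommand payloads are Base64 of UTF-16LE text; the decoded script is
scanned for the same indicators as the visible command line.
"""
import base64
import binascii
import re

DOWNLOA D_RE = None  # placeholder removed below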
Master File Table ($MFT)
Description: A master file table is a database containing information about every file and directory on an NT File System (NTFS) volume. An MFT will have at least one record for every file and directory on the NTFS logical volume. Moreover, each record contains attributes that tell the operating system how to handle the file or directory associated with the record.
Location:
Tools For Investigation:
MFTECmd.exe, MFTExplorer.exe
Forensic Value:
Timeline Analysis
Information about a file or directory
File Type, Size
Date /Time when created, modified and accessed
$J
Description: The $J data stream contains the contents of the USN change journal. Each record includes the date and time of the change, the reason for the change, the MFT entry, the parent MFT entry and other fields. This information is useful in an investigation, for example when an attacker deletes files and directories while moving through an organisation in order to hide their tracks.
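As an added example (Python written for this page, not code from the original or from MFTECmd), the following parses USN_RECORD_V2 structures from an exported $J stream and pairs rename records and lists deletions, which is exactly the track-hiding activity described above. The record layout (4-byte length, version 2.0, file and parent reference numbers, USN, FILETIME, reason flags, then the UTF-16LE name at the stated offset) and the reason bit values are the documented NTFS ones; the journal bytes are constructed with the included builder, including a zero-filled run like the sparse region at the start of a real $J.

```python
"""$UsnJrnl:$J record parser (added example; not the page's own code).

Walks USN_RECORD_V2 structures and decodes the fields that matter for a
timeline: USN, MFT entry/sequence, parent entry, timestamp, reason flags and
name. Zero-filled runs (the sparse start of $J) are skipped. Only version 2
records are handled; anything else is stepped over by its length field.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
HEADER = "<HHQQQQIIIIHH"  # fields after the 4-byte RecordLength; 56 bytes
HEADER_LEN = 4 + struct.calcsize(HEADER)  # 60


def build_record(frn, parent_frn, usn, filetime, reason, name, attrs=0x20):
    """Construct one USN_RECORD_V2 (used only to build the sample journal)."""
    name_b = name.encode("utf-16-le")
    length = HEADER_LEN + len(name_b)
    padded = (length + 7) & ~7  # records are 8-byte aligned
    body = struct.pack(HEADER, 2, 0, frn, parent_frn, usn, filetime,
                       reason, 0, 0, attrs, len(name_b), HEADER_LEN)
    return struct.pack("<I", padded) + body + name_b + bytes(padded - length)


def parse_usn_journal(data: bytes):
    records, off = [], 0
    while off + HEADER_LEN <= len(data):
        (rl,) = struct.unpack_from("<I", data, off)
        if rl == 0:
            off += 8          # zero run: step to the next 8-byte boundary
            continue
        if rl < HEADER_LEN or off + rl > len(data):
            break             # truncated or corrupt record
        (major, _minor, frn, parent, usn, ts, reason, _src, _sec, attrs,
         nlen, noff) = struct.unpack_from(HEADER, data, off + 4)
        if major == 2:
            name = data[off + noff: off + noff + nlen].decode("utf-16-le", "replace")
            records.append({
                "usn": usn,
                "mft_entry": frn & 0xFFFFFFFFFFFF,      # low 48 bits
                "mft_sequence": frn >> 48,              # high 16 bits
                "parent_entry": parent & 0xFFFFFFFFFFFF,
                "time": FILETIME_EPOCH + timedelta(microseconds=ts // 10),
                "reasons": [n for bit, n in REASONS.items() if reason & bit],
                "is_dir": bool(attrs & 0x10),
                "name": name,
            })
        off += rl
    return records


def deleted_and_renamed(records):
    """Pair RENAME_OLD_NAME/RENAME_NEW_NAME by file reference; list deletions."""
    events, pending = [], {}
    for r in records:
        key = (r["mft_entry"], r["mft_sequence"])
        if "RENAME_OLD_NAME" in r["reasons"]:
            pending[key] = r["name"]
        elif "RENAME_NEW_NAME" in r["reasons"] and key in pending:
            events.append(("renamed", pending.pop(key), r["name"], r["time"]))
        if "FILE_DELETE" in r["reasons"]:
            events.append(("deleted", r["name"], None, r["time"]))
    return events


_T0 = 133485408000000000   # 2024-01-01 00:00:00 UTC as FILETIME
_FRN = (7 << 48) | 1234    # sequence 7, MFT entry 1234
_ROOT = (5 << 48) | 5      # root directory reference
SAMPLE_JOURNAL = bytes(16) + b"".join([   # 16 zero bytes mimic the sparse start
    build_record(_FRN, _ROOT, 1000, _T0, 0x00000100 | 0x80000000, "a.txt"),
    build_record(_FRN, _ROOT, 1072, _T0 + 10_000_000, 0x00001000, "a.txt"),
    build_record(_FRN, _ROOT, 1144, _T0 + 10_000_000, 0x00002000 | 0x80000000, "b.txt"),
    build_record(_FRN, _ROOT, 1216, _T0 + 20_000_000, 0x00000200 | 0x80000000, "b.txt"),
])

if __name__ == "__main__":
    for ev in deleted_and_renamed(parse_usn_journal(SAMPLE_JOURNAL)):
        print(ev)
```

On a real image, read the exported $J with `open(path, "rb").read()`; the deleted file's name survives here even though its MFT record may already have been reused.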
Location:
Tools For Investigation:
MFTECmd.exe
Forensic Value:
Timeline Analysis
File Activity Analysis (open, close and update)
Evidence of renamed and deleted files
$LogFile
Description: $LogFile occupies MFT entry number 2. Every time the NTFS metadata changes, a transaction is recorded in $LogFile; these transactions make it possible to redo or undo file system operations. $LogFile matters to an investigation because it records all operations on the NTFS volume, such as file creation, deletion, renaming, and copying.
Location:
Tools For Investigation:
NTFS_Log_Tracker.exe, LogFileParser.exe
Forensic Value:
Timeline Analysis
File Activity Analysis (open, close and update)
Evidence of renamed and deleted files
Alternate Data Streams (ADS)
Description: Alternate Data Streams (ADS) are file attributes found only on the NTFS file system that allow a file to carry additional streams of data. Data can be forked into an existing file without affecting its functionality, its reported size, or how it is displayed by traditional file browsing utilities such as dir or Windows Explorer. Besides the default (unnamed) data stream, a common legitimate named stream is Zone.Identifier, which Windows attaches to files downloaded from the internet.
Location:
Tools For Investigation:
Forensic Value:
Find the presence of a secret or malicious file inside the file record of an innocent file
Find hidden hacking toolkit
Find hidden files or information