Analyzing Program Execution Windows Artifacts
As Windows has evolved, several artifacts have appeared that record when programs were executed and which user executed them. Together these artifacts build a timeline of events on the Windows system and answer questions such as:
- When was an application used?
- Which user account used the application?
- How many times did that user use the application?
- What files did the user access with the application?
BlackLight 2019 R3 now processes these Windows artifacts in Actionable Intel. Let’s walk through some of these artifacts.
Where Can I Find the Windows Artifacts?
The Actionable Intel tab has been redesigned to provide easier access to all of the artifacts parsed. Windows Artifacts related to Program Execution parsed by BlackLight are all listed under Program Execution.
All of the artifacts displayed in Actionable Intel in previous versions of BlackLight (2019 R2 and earlier) are still available, alongside the newly parsed items.
Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM)
BAM is a Windows service, introduced in Windows 10 version 1709, that controls the activity of background applications. DAM moderates desktop processes and was created to deliver consistent, long battery life on devices that support connected standby (the screen is off, but the device is still on). You will find BAM entries on every Windows 10 system, but DAM will usually only contain data on tablets and mobile devices. Both live in the SYSTEM registry hive, under HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings (and the matching dam key); on builds before 1809 the per-user keys sit directly under UserSettings, without the State level. A subkey for each user (named by SID) provides the following information:
- Path of executable files
- Last execution date and time
Each value under a user's subkey is named with the device path of the executable (\Device\HarddiskVolumeN\...), and the first eight bytes of its data are a 64-bit FILETIME recording the last execution; the SequenceNumber and Version values in the same key are bookkeeping, not programs. BlackLight displays BAM and DAM entries in the Actionable Intel tab.
Each entry attributes a program run to the user identified in the SID column. Because only the most recent execution is kept per executable, BAM tells you that and when a program last ran, not how many times.
System Resource Usage Monitor (SRUM)
SRUM monitors desktop applications, services, Windows (Store) apps and network connections. Its configuration and the most recent collection interval are held in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM, and the history is flushed about once an hour to an ESE database, C:\Windows\System32\sru\SRUDB.dat. Two practical consequences: the last hour or so of activity may not yet be in the database when an image is taken, and a copy of SRUDB.dat collected from a running system is usually in a dirty-shutdown state and needs its transaction logs replayed (esentutl /r sru /d, run from the sru directory) before it can be parsed. The information tracked includes:
- Network connectivity: interface type and ID, network profile ID, start connection time, and length of connection time
- Network data usage: Application (associated with user SID) consuming data, bytes uploaded, bytes downloaded, interface type and ID, network profile ID
- Application resource usage: SID of user who launched program, other information pertaining to running processes
- Windows push notifications
- Energy use
Some of this information is forensically useful, particularly in data theft investigations or when hunting for the application responsible for data exfiltration, and it can also shed light on peer-to-peer application usage. SRUM data can be used to:
- Identify which user launched a process
- Quantify the bytes uploaded and downloaded, per network interface and per process
- Recover evidence of programs that have since been deleted or uninstalled
- Estimate application run times
SRUM records every application that runs, not only those installed on the computer; programs executed from an external USB drive are tracked as well. Note that applications and users appear in the database as integer IDs that must be resolved through the SruDbIdMapTable, and that each row covers one collection interval, so a large transfer shows up as a per-interval byte count rather than a single event.
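The upload/download accounting described above, as an added example that is not BlackLight's code or BlackBag's: it joins constructed rows shaped like SRUM's network data usage table (TimeStamp, AppId, UserId, InterfaceLuid, BytesSent, BytesRecvd) against a constructed SruDbIdMapTable, totals bytes per user and application, and flags upload-heavy programs. The SID, paths, LUID and byte counts are hypothetical, and real SRUDB.dat rows would first have to be extracted from the ESE database, which this example does not do.

```python
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed stand-ins for two SRUDB.dat tables (hypothetical values).
# SruDbIdMapTable: every other table refers to applications and users by an
# integer ID; this table maps the ID back to a path string or a user SID.
SRU_ID_MAP = {
    1: "S-1-5-21-1111111111-2222222222-3333333333-1001",
    2: "\\Device\\HarddiskVolume2\\Program Files\\Mozilla Firefox\\firefox.exe",
    3: "\\Device\\HarddiskVolume4\\tools\\sync.exe",  # hypothetical binary on a removable volume
}

# Network data usage rows: (TimeStamp, AppId, UserId, InterfaceLuid, BytesSent, BytesRecvd).
# SRUM writes one row per app, user and interface for each (roughly hourly) interval;
# TimeStamp marks the end of that interval, not the moment the bytes moved.
SRU_NETWORK_USAGE = [
    (datetime(2019, 10, 1, 13, 0, tzinfo=UTC), 2, 1, 0x6000000000001, 240_000, 9_800_000),
    (datetime(2019, 10, 1, 14, 0, tzinfo=UTC), 2, 1, 0x6000000000001, 310_000, 12_400_000),
    (datetime(2019, 10, 1, 14, 0, tzinfo=UTC), 3, 1, 0x6000000000001, 850_000_000, 1_200_000),
    (datetime(2019, 10, 1, 15, 0, tzinfo=UTC), 3, 1, 0x6000000000001, 2_100_000_000, 900_000),
    (datetime(2019, 10, 1, 15, 0, tzinfo=UTC), 9, 1, 0x6000000000001, 5_000, 7_000),  # AppId missing from the map
]


def resolve(id_map, key):
    """Map an AppId/UserId to its string; keep unmapped IDs visible rather than dropping them."""
    return id_map.get(key, f"<unmapped id {key}>")


def summarize_network_usage(rows, id_map):
    """Total bytes per (user, application), with the first and last interval they appear in."""
    totals = {}
    for ts, app_id, user_id, _luid, sent, recvd in rows:
        key = (resolve(id_map, user_id), resolve(id_map, app_id))
        t = totals.setdefault(key, {"sent": 0, "recvd": 0, "first": ts, "last": ts})
        t["sent"] += sent
        t["recvd"] += recvd
        t["first"] = min(t["first"], ts)
        t["last"] = max(t["last"], ts)
    return totals


def exfil_candidates(totals, min_sent=100 * 1024 * 1024):
    """Applications that sent more than they received and exceed a byte threshold, largest first."""
    hits = [(user, app, t["sent"], t["first"], t["last"])
            for (user, app), t in totals.items()
            if t["sent"] >= min_sent and t["sent"] > t["recvd"]]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for user, app, sent, first, last in exfil_candidates(summarize_network_usage(SRU_NETWORK_USAGE, SRU_ID_MAP)):
        print(f"{user} {app} sent {sent:,} bytes between the intervals ending {first.isoformat()} and {last.isoformat()}")
```

The ratio test is deliberately crude: a backup agent or cloud-sync client will trip it too, so treat the output as a list of programs to explain, not a verdict. Keeping unmapped IDs in the output matters because a deleted or uninstalled program can still have usage rows after its map entry is gone.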
UserAssist
UserAssist records programs a user launched through the Windows shell (the Start Menu, desktop shortcuts, double-clicking in Explorer), so it shows which programs were recently run on the Windows system by that user; programs started from a command prompt or by a service are not recorded here. Forensically, UserAssist can help determine the following:
- Frequency of program execution for each user account
- The last time a program was launched
- Where the program was launched from (e.g. a desktop shortcut (.lnk) file, the Windows Start Menu, a removable drive)
- Information about programs that have been deleted or uninstalled from the system
- Evidence that a file existed at a path that is no longer available
UserAssist data is parsed from the NTUSER.DAT registry hive (Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count), so every entry is attributed to the user whose hive it came from. Value names are ROT13-encoded, with well-known folders replaced by their GUIDs, and on Windows 7 and later each value holds the run count, focus count, focus time and last execution time. In the example below you can see the user USSF-JKreese launched the Windows command prompt (cmd.exe) sixteen times.
This example shows the launch of the same application from two different locations: once from Program Files, another from the Start Menu. You can also see an executable launched from a removable device.
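As an added example covering both the BAM section above and UserAssist, and not code from BlackLight or BlackBag: the decoder below takes the two registry value layouts as they are documented in public research (BAM: value name is the executable's device path, first eight bytes of data a FILETIME; UserAssist: ROT13 value names, 72-byte Windows 7+ records with run count, focus count, focus time and FILETIME at offset 60, 16-byte XP/2003 records whose run count is stored with a +5 bias) and turns them into timestamped rows per user. The SID, paths and timestamps are constructed, and the known-folder table is a small subset of the GUIDs in the Windows SDK's KnownFolders.h; reading the hives themselves is left to whatever registry parser you already use.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UTC = timezone.utc


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; None when zero."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # Integer arithmetic on purpose: a float would lose precision above 2**53 ticks.
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


# ---- BAM: HKLM\SYSTEM\...\Services\bam\State\UserSettings\<SID> -------------------
def parse_bam(user_settings):
    """user_settings: {sid: {value_name: raw_bytes}} -> rows newest first."""
    rows = []
    for sid, values in user_settings.items():
        for name, data in values.items():
            if not name.startswith("\\") or len(data) < 8:
                continue  # SequenceNumber / Version bookkeeping, or malformed data
            ft = struct.unpack_from("<Q", data)[0]
            rows.append({"sid": sid, "path": name, "last_run": filetime_to_datetime(ft)})
    rows.sort(key=lambda r: r["last_run"] or EPOCH_1601, reverse=True)
    return rows


# ---- UserAssist: NTUSER.DAT\...\Explorer\UserAssist\{GUID}\Count --------------------
WIN7_ENTRY = struct.Struct("<IIII10fIQI")  # session, runs, focus count, focus ms, 10 floats, ?, FILETIME, ?
XP_ENTRY = struct.Struct("<IIQ")           # session, runs (+5 bias), FILETIME

KNOWN_FOLDERS = {  # subset of KnownFolders.h; extend as needed
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "C:\\Windows\\System32",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "C:\\Program Files",
    "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs",
}


def decode_name(raw_name):
    return codecs.decode(raw_name, "rot_13")


def resolve_path(name):
    guid, sep, rest = name.partition("\\")
    return KNOWN_FOLDERS.get(guid.upper(), guid) + sep + rest


def parse_userassist(count_values):
    """count_values: {rot13_name: raw_bytes} from a Count key -> one row per program."""
    rows = []
    for raw_name, data in count_values.items():
        name = decode_name(raw_name)
        if len(data) == WIN7_ENTRY.size:
            f = WIN7_ENTRY.unpack(data)
            runs, focus, focus_ms, ft = f[1], f[2], f[3], f[15]
        elif len(data) == XP_ENTRY.size:
            _, biased, ft = XP_ENTRY.unpack(data)
            runs, focus, focus_ms = max(biased - 5, 0), None, None
        else:
            continue  # UEME_CTLSESSION and similar non-program values
        rows.append({"path": resolve_path(name), "run_count": runs, "focus_count": focus,
                     "focus_ms": focus_ms, "last_run": filetime_to_datetime(ft)})
    return rows


# ---- Constructed sample data (hypothetical SID, paths and times) ---------------------
def _bam(dt):
    return struct.pack("<Q", datetime_to_filetime(dt)) + b"\x00" * 16

def _win7(runs, focus, focus_ms, dt):
    return WIN7_ENTRY.pack(0, runs, focus, focus_ms, *([0.0] * 10), 0, datetime_to_filetime(dt), 0)

def _xp(biased_runs, dt):
    return XP_ENTRY.pack(0, biased_runs, datetime_to_filetime(dt))

def _enc(name):
    return codecs.encode(name, "rot_13")

SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_BAM = {SID: {
    "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe": _bam(datetime(2019, 10, 1, 14, 30, tzinfo=UTC)),
    "\\Device\\HarddiskVolume4\\tools\\run.exe": _bam(datetime(2019, 10, 1, 9, 12, tzinfo=UTC)),
    "SequenceNumber": b"\x05\x00\x00\x00",
    "Version": b"\x01\x00\x00\x00",
}}
SAMPLE_USERASSIST = {
    _enc("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe"): _win7(16, 20, 184000, datetime(2019, 10, 1, 14, 30, tzinfo=UTC)),
    _enc("{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Accessories\\Command Prompt.lnk"): _win7(3, 3, 900, datetime(2019, 9, 28, 8, 5, tzinfo=UTC)),
    _enc("E:\\tools\\run.exe"): _win7(1, 1, 100, datetime(2019, 10, 1, 9, 12, tzinfo=UTC)),
    _enc("UEME_CTLSESSION"): b"\x00" * 12,
    _enc("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\notepad.exe"): _xp(8, datetime(2019, 9, 1, 12, 0, tzinfo=UTC)),  # XP layout, to exercise that branch
}

if __name__ == "__main__":
    for r in parse_bam(SAMPLE_BAM):
        print("BAM", r["sid"], r["last_run"].isoformat(), r["path"])
    for r in parse_userassist(SAMPLE_USERASSIST):
        print("UserAssist", r["run_count"], r["last_run"].isoformat(), r["path"])
```

Two details worth keeping in mind when you compare the output with a tool's: both artifacts store UTC FILETIMEs, so any local-time display is a conversion, and the BAM path is a device path (\Device\HarddiskVolume2) that has to be mapped to a drive letter via the mounted devices key before it can be matched against the UserAssist path.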
And all the others…
BlackLight 2019 R3 also processes the following Program Execution information, displayed in Actionable Intel:
- Jump Lists – Records and presents recent documents and executables along with their initiating application to users
- Last Executed (LastVisitedMRU) – The executable an application used to open the files listed in the OpenSaveMRU registry key, together with the last folder it browsed to.
- Multilingual User Interface cache (MUICache) – Records the file description and company name of executables that have been run; entries carry no timestamps but persist after the executable is deleted.
- Notifications – A history of notifications sent to users.
- Prefetch – Speeds up application loading; each .pf file in C:\Windows\Prefetch records a run count and, on Windows 8 and later, the last eight run times of a frequently used application. (Sometimes turned off on systems with SSDs.)
- RecentApps – Tracks applications, maintains a run count, and stores the last time the application was run. (Present only on certain Windows 10 builds.)
- ShimCache (AppCompatCache) – A mechanism that supports older apps on newer versions of Windows. Records the full path, size and last-modified time of executables Windows has checked for compatibility. On Windows 10 the entries carry no execution flag, so an entry shows the file was present and examined, not necessarily that it ran, and the cache is written to the SYSTEM hive only at shutdown, so the newest entries on a live system exist only in memory.
- Superfetch – Speeds up application loading based on “performance scenarios”, contains information about applications on the system associated with a timeframe. (Sometimes turned off on systems with SSDs)
- Activity Timeline (Activity Cache) – Tracks user Activities, e.g. website accesses, program executions, files accessed by programs, when particular apps were in focus.
- AmCache (Amcache.hve) – A registry hive that stores metadata about executables that have been run or installed, including the full path, file size, PE compile time and the SHA-1 hash of the first 31 MB of the file, along with records of installed programs and connected devices. The hash lets you match an entry against threat intelligence even after the file itself is gone.
- ComDlg32 – The OpenSavePidlMRU and LastVisitedPidlMRU keys, which record when the user used the Open/Save dialog box to open or save a file, and which files and folders were involved.
Examining these Windows artifacts provides insights into programs executed on the computer, network activity, and ties this information to specific user accounts. This information provides you with a better understanding of activities performed on the system.
For more information about analyzing Windows systems, you can enroll in BlackBag’s Windows® Forensic Investigations course.